Differences

This shows you the differences between two versions of the page.

--- en:verejne:sit:wi-fi:linux [13.01.2018 01:34] – created Pavel Valach
+++ en:verejne:sit:wi-fi:linux [30.09.2024 20:02] (current) – suggest enabling ipv6 with iwd Karel Kopecký
@@ Line 1: / Line 1: @@
-===== Linux - Ubuntu, NetworkManager =====
+====== Set up Wi-Fi on Linux – Ubuntu, NetworkManager, wpa_supplicant ======
-//FIXME: add example configuration file for wpa_supplicant//
+===== Ubuntu, NetworkManager =====
-It is usually best to obey the instructions of your network manager. The connection settings might be a bit difficult to fill correctly; thus, the following settings for NetworkManager are recommended:
+When using a GUI, it is likely that you use NetworkManager for network configuration.
-  * **Security**: WPA2-Enterprise
+<note important>
-  * **Authentication mode**: Protected EAP (PEAP) or TTLS
+**It is important to set up RADIUS server identity verification, as it will give you protection against rogue Wi-Fi access points and protect your password as well.** That is why you should take the time to set your Wi-Fi connection properly. You will find verified walkthrough below.
-  * MSCHAPv2, or PAP for TTLS
+</note>
-  * **CA certificate** can be downloaded [[https://pki.cesnet.cz/en/ch-tcs-ssl-ca-3-crt-crl.html|from CESNET]] (you need **DigiCert Assured ID Root CA** in PEM format). //It is usually required for successful connection.//
-  * **User name** and **Password** - enter your SINIS credentials.
+  - Run command ''nm-connection-editor'' (Advanced Network Configuration).
+  - Expand the **Wi-Fi** category and look if you already have an existing Sincoolka profile - it might be a good idea to remove it with a **-** button (minus sign) if it does not work. \\ {{:en:verejne:sit:wi-fi:ubuntu-nm-step1.png?nolink|}}
+  - Then, click the **+** button (plus sign) in the bottom toolbar.
+  - In the **Choose a Connection Type** window, pick **Wi-Fi** from the list. Then click the **Create...** button \\ {{:en:verejne:sit:wi-fi:ubuntu-nm-step2.png?nolink|}}
+  - A window for describing network configuration will open.
+     * Fill out the name of the profile (can be anything, e.g. Sincoolka).
+     * Switch to the **Wi-Fi** tab and fill out these - **SSID**: ''Sincoolka'' or ''Sincoolka 5G''. From the **Devices** list, choose your Wi-Fi adapter. \\ {{:en:verejne:sit:wi-fi:ubuntu-nm-profile-wifi.png?nolink|}}
+     * Switch to the **Wi-Fi Security** tab and set up the following:
+       * **Security**: WPA2-Enterprise
+       * **Authentication**: Tunneled TLS
+       * **Anonymous identity**: ''anonymous@sin.cvut.cz''
+       * **Domain**: ''radius.sin.cvut.cz''
+       * **CA certificate**: either browse to ''/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem'', or [[en:verejne:sit:cert|download and save it]] (download format PEM)
+       * **Inner authentication**: PAP
+       * **Username**: use your SIN username or SIN email (find it after logging in to [[https://sinis.sin.cvut.cz|SINIS]])
+       * **Password**: the same as for your SINIS login. \\ {{:en:verejne:sit:wi-fi:ubuntu-nm-profile-sec.png?nolink|}}
+     * Confirm your settings by pushing the **Save** button.
+<note important>The picture has the certificate wrong! It's for illustration purposes only.</note>
+Now, your connection should be all set for secure Wi-Fi browsing.
+===== wpa_supplicant =====
+WPA Supplicant is an utility which enables WPA security support for Wi-Fi in Linux. NetworkManager uses wpa_supplicant internally.
+In case you want to set up a wpa_supplicant profile manually, we have prepared a Sincoolka network definition below.
+To properly verify that you are using our server, the CA certificate is necessary. It should be already on your system at path ''/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem'', so this configuration will use that. If you don't have it there, you may [[en:verejne:sit:cert|download it from us]] and save it. You will then enter the path to this file in the wpa_supplicant configuration profile.
+<file wpa_supplicant wpa_supplicant.conf>
+network={
+    ssid="Sincoolka"  # or Sincoolka 5G
+    scan_ssid=1
+    key_mgmt=WPA-EAP
+    eap=TTLS
+    # path to the downloaded CA certificate
+    ca_cert="/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem"
+    domain_match="radius.sin.cvut.cz"
+    phase2="auth=PAP"
+    pairwise=CCMP
+    group=CCMP
+    # Your credentials
+    identity="jiri.novak@sin.cvut.cz"
+    anonymous_identity="anonymous@sin.cvut.cz"
+    password="YourStr0ngPa$$word"
+}
+</file>
+===== iwd =====
+//Contributed by our member Artem Poliakov (poliaart <at> fit.cvut.cz)! Thanks!//
+[[https://iwd.wiki.kernel.org/|iwd]] is a wireless daemon for Linux which aims to utilize features provided by the Linux Kernel to the maximum extent
+possible. It can work in standalone mode or in combination with comprehensive network managers.
+If you want to connect to Wi-Fi using iwd, you need to place file called ''Sincoolka.8021x'' or ''Sincoolka 5G.8021x''
+(depending on which network you'd like to connect) under ''/var/lib/iwd'' directory. The suggested contents can be found below.
+To properly verify that you are using our server, the CA certificate is necessary. It should be already on your system at path ''/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem'', so this configuration will use that. If you don't have it there, you may [[en:verejne:sit:cert|download it from us]] and save it. You will then enter the path to this file in the wpa_supplicant configuration profile.
+<file iwd Sincoolka.8021x>
+[IPv6]
+Enabled=true
+[Security]
+EAP-Method=TTLS
+EAP-Identity=anonymous@sin.cvut.cz
+EAP-TTLS-ServerDomainMask=radius.sin.cvut.cz
+EAP-TTLS-CACert=/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem
+EAP-TTLS-Phase2-Method=Tunneled-PAP
+EAP-TTLS-Phase2-Identity=your.username@sin.cvut.cz
+EAP-TTLS-Phase2-Password=YourStr0ngPa$$word
+[Settings]
+AutoConnect=true
+</file>