Technische Infrastruktur/WLAN: Difference between revisions

m (Fingerprint of new cert for connman)
(Updated the Linux Network Manager authentication manual)
Line 121: Line 121:
== Linux - NetworkManager ==
== Linux - NetworkManager ==
[[Datei:WiFi Settings - backspace 8021x.png|400px]]
* Download the [#certificate certificate]
* Select the "backspace 802.1x" network in your WiFi settings
* Select the previously downloaded certificate [[Datei:Linux NetMan Certificate.png|400px]]
* Select "TTLS" and "PAP" as the authentication and inner authentication method, respectively (see below)
* Fill in your username and password (see below)
Ignore the certificate warning as long as we don't provide a certificate.
[[Datei:Linux NetMan Authentication.png|400px]]
[[Datei:WiFi - Certificate-Warning.png|400px]]
== Mac OS X and IOS==
== Mac OS X and IOS==
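Review bot: the added line "Ignore the certificate warning as long as we don't provide a certificate." contradicts the two steps just above it, which download the certificate and select it in NetworkManager, and as written it tells members to skip server verification. With EAP-TTLS/PAP the password travels in clear text inside the TLS tunnel, so a certificate warning is exactly the signal that the tunnel may end at a rogue access point rather than the space's RADIUS server. Suggest dropping the sentence now that the certificate is provided, or replacing it with "Select the downloaded certificate; if you still get a certificate warning, do not connect and check the certificate fingerprint."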

Revision as of 1 July 2017, 22:50

We're moving our WiFi infrastructure to an authenticated and encrypted SSID. At the moment it is hard to change our internal WiFi password because our door system depends on it: if you are not in our internal WiFi, you can't operate the door.

This is one reason why we want to use 802.1x with EAP-TTLS. Every member has their own username/password combination, which can be reset or changed through a web interface. If a member leaves the space, we just deactivate the account and the internal access is gone.

The other reason is that every member gets their own encrypted channel to our access points. In addition, members can check whether the SSID can be trusted (avoiding rogue APs) by verifying the SSL certificate of the authentication server.


To check that you are connecting to the correct SSID, you can and should add the SSL certificate to your connection settings. You can download the SSL CA certificate from our server.


Save the profile as /etc/netctl/$interfacename-backspace_8021x and restart netctl-auto afterwards (e.g. systemctl restart netctl-auto@$interface).

Description='backspace WPA2 802.1X'
ESSID="backspace 802.1x"
WPAConfigSection=(
    'ssid="backspace 802.1x"'
    'proto=RSN WPA'
)

FYI: Replace the interface name with the one your system uses.


Add to /etc/wpa_supplicant/wpa_supplicant.conf:

 ssid="backspace 802.1x"



Name="backspace 802.1x"
CACertFile = hash://server/sha256/d5d218433d7a94b562b58583998035a9526e263e809ac78ca777029c9e3a1bfb

Sailfish OS

Tested and working

Put the following into /var/lib/connman/wifi_bckspc-8021x.config (connman ignores a provisioning file without a [service_...] group header; the name after service_ can be chosen freely):

[service_backspace_8021x]
Type = wifi
Name = backspace 802.1x
EAP = ttls
Phase2 = PAP
Identity = USERNAME
Passphrase = PASSWORD
CACertFile = hash://server/sha256/d5d218433d7a94b562b58583998035a9526e263e809ac78ca777029c9e3a1bfb

Then restart connman: systemctl restart connman



Warning: This is not yet tested. CA certificate checking (ca_cert) should work as it does for netctl and wpa_supplicant. Adapted from the 31c3 wiki.
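As an added example (not code from the wiki page), here is a small Python checker for the client configs above, in connman's "Key = Value" form and wpa_supplicant's network={...} form. With EAP-TTLS/PAP the password is protected only by the TLS tunnel, so the check that matters is that a CA file or a well-formed pinned hash://server/sha256/ value is present. The two sample configs inside the block are constructed to mirror the page's; USERNAME/PASSWORD are the page's own placeholders.

```python
import re

# Constructed sample in connman syntax, mirroring the Sailfish config on the page.
CONNMAN_SAMPLE = """[service_backspace]
Type = wifi
Name = backspace 802.1x
EAP = ttls
Phase2 = PAP
Identity = USERNAME
Passphrase = PASSWORD
CACertFile = hash://server/sha256/d5d218433d7a94b562b58583998035a9526e263e809ac78ca777029c9e3a1bfb
"""
# Same network in wpa_supplicant syntax, with the ca_cert line deliberately left out.
WPA_SAMPLE = """network={
    ssid="backspace 802.1x"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="USERNAME"
    password="PASSWORD"
}"""

# wpa_supplicant/connman pin syntax: SHA-256 of the server certificate, 64 lowercase hex chars.
HASH_RE = re.compile(r"^hash://server/sha256/[0-9a-f]{64}$")

def parse_kv(text):
    """Parse connman 'Key = Value' or wpa_supplicant key=value lines into a lower-case-key dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip().rstrip("}")            # drop the closing brace of network={...}
        if not line or line[0] in "#[" or line.startswith("network="):
            continue                                # comments, [section] headers, opening brace
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip().lower()] = value.strip().strip('"')
    return cfg

def audit(cfg):
    """Return findings for an EAP-TTLS/PAP client config; an empty list means it is set as intended."""
    findings = []
    if cfg.get("eap", "").lower() != "ttls":
        findings.append("EAP method is not TTLS")
    if "pap" not in cfg.get("phase2", "").lower():  # connman: PAP, wpa_supplicant: auth=PAP
        findings.append("inner authentication is not PAP")
    ca = cfg.get("cacertfile") or cfg.get("ca_cert") or ""
    if not ca:
        findings.append("no CA file or server hash: a rogue AP could read the PAP password")
    elif ca.startswith("hash://") and not HASH_RE.match(ca):
        findings.append("server hash must be hash://server/sha256/ followed by 64 hex chars")
    return findings
```

Running audit(parse_kv(...)) on a config before copying it to a device turns a missing CA setting into an explicit finding instead of a warning that is easy to click away.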


This is how you connect an Android device to our 802.1x WiFi (WPA2 Enterprise):

  • Download our certificate at
  • Open the downloaded certificate
  • Save the certificate as backspace.crt and choose "Wifi" as its type
  • Modify/configure your backspace 802.1x connection according to the screenshots below

(Screenshots: 8021x-android-1.png, 8021x-android-2.png, 8021x-android-3.png, 8021x-android-4.png)

Linux - NetworkManager

  • Download the certificate (see above)
  • Select the "backspace 802.1x" network in your WiFi settings
  • Select the previously downloaded certificate (screenshot: Linux NetMan Certificate.png)
  • Select "TTLS" and "PAP" as the authentication and inner authentication method, respectively (see below)
  • Fill in your username and password (see below)

(Screenshot: Linux NetMan Authentication.png)

Mac OS X and iOS

The following procedure has been tested from Mac OS X 10.11 El Capitan to macOS 10.12 Sierra.

Earlier versions of OS X let you specify the authentication protocol when connecting to a wireless network. In newer versions you have to install a configuration profile to connect to our network with 802.1x EAP-TTLS/PAP. This configuration profile contains our certificate and all required settings.

It is fairly easy to generate the configuration profile yourself, with the added bonus that it can already include your username and password. The same file can be used for all your Macs and iOS devices.

To generate the config file you need to download the Apple Configurator from the Mac App Store. [1]

Start the Configurator and choose File -> New Profile

In the General tab give the profile a name.

Then go down to Wi-Fi and configure the payload:

  • SSID: backspace 802.1x
  • Security: Enterprise WPA2
  • EAP-TTLS (you can add your username and password here)
  • Inner Authentication: PAP

Choose Save from the File menu and give the profile a name.

You can now install the profile on your Mac. (The installation only seems to work if you have added the certificate under "Certificates" in the Configurator. But you must not tick the certificate under "Trust" in the Wi-Fi payload, because that makes the authentication fail. See below for trusting the RADIUS server.)

To install the file on your iOS device, simply send it to yourself via email, tap the file in the Mail app and install it.

When installing the profile, the system will tell you that the certificate is not signed and that you need to trust the RADIUS server. Accept both and you are ready.

Windows 7

Windows 7 does not support EAP-TTLS / PAP out of the box. The same is true for eduroam networks, which is why there are a lot of instructions from universities that use SecureW2 as additional software to enable EAP-TTLS:

Unfortunately, SecureW2 is not free (it used to be, but they revoked that).

Another option could be XSupplicant from the Open1X project; they were working towards Windows 7 support, but it seems that they didn't make it. (Latest news is from 25 Sept 2010 that version 2.2.2 should support it; I tried v2.2.2.504.x64, didn't work).

To summarize, right now we do not know a free option to connect with EAP-TTLS / PAP under Windows 7.

(read this article for a good discussion on the tool market and other commercial options)

Windows 8 and above

Since Windows 8 the system itself supports EAP-TTLS.

TODO: Someone with windows should do some screenshots.