DebConf5WirelessHowto

Configuring wireless network at DebConf5

Prepare at home or with a wire

Either xsupplicant or wpasupplicant can be used. wpasupplicant may be easier to configure and use; xsupplicant is deprecated upstream, has nice race conditions and is an all-around ugly beast. So go with wpasupplicant, if you can.

wpasupplicant

 aptitude install wpasupplicant

Here's an example configuration (put it in /etc/wpa_supplicant.conf).

 ctrl_interface=/var/run/wpa_supplicant
 ctrl_interface_group=root
 network={
        ssid="debconf"
        scan_ssid=1
        key_mgmt=IEEE8021X
        eap=TTLS
        anonymous_identity="your_nick_for_example"
        identity="deb-XXXX"
        password="XXXXXXXX"
        ca_cert="/etc/xsupplicant/tls/ca.crt"
        phase2="auth=PAP"
 }

The "identity" and "password" values and the certificate are in COMAS. See below for getting the /etc/xsupplicant/tls/ca.crt file.

The daemon will not be started until you edit /etc/default/wpasupplicant.

Also, in order to use the open "aalto" wireless network in other parts of the campus, you should have a second clause like this:

 network={
       ssid="aalto"
       scan_ssid=0
       key_mgmt=NONE
 }

Otherwise wpa_supplicant may keep attempting to reset your ssid...

xsupplicant

 aptitude install xsupplicant

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=317703 as well

Installing xsupplicant can break your network connection until you edit deny_interfaces in xsupplicant.conf to contain your (wired) network interface.

RTFM: "man xsupplicant" and http://sourceforge.net/docman/display_doc.php?docid=24379&group_id=60236

To help in configuring /etc/xsupplicant/xsupplicant.conf, here's an example file: DebConf5XSupplicantExample

Or add this to the end of /etc/xsupplicant/xsupplicant.conf:

    debconf
    {
      eap-ttls {
          root_cert      = /etc/xsupplicant/tls/debconf-ca.crt
          cncheck        = radius.debconf5.net
          phase2_type    = pap

          pap {
            username = <BEGIN_UNAME>my-comas-net-user<END_UNAME>
            password = <BEGIN_PASS>my-comas-net-pass<END_PASS>
          }
      }
    }

Or do the following edits to the default Debian version:

 -#allow_interfaces = eth0, wlan0
 +allow_interfaces = yourwirelessinterfacehere
 -#deny_interfaces = eth1
 +deny_interfaces = yourwiredinterfacehere
 -  identity = <BEGIN_ID>debian-user<END_ID>
 +  identity = <BEGIN_ID>justputanyidhere<END_ID>
   eap-ttls {
 -      user_cert      = /etc/xsupplicant/tls/client.crt
 -      user_key       = /etc/xsupplicant/tls/client.key
 -      user_key_pass  = <BEGIN_PASS>password for key<END_PASS>
 +#      user_cert      = /etc/xsupplicant/tls/client.crt
 +#      user_key       = /etc/xsupplicant/tls/client.key
 +#      user_key_pass  = <BEGIN_PASS>password for key<END_PASS>
 -      cncheck        = myradius.radius.com
 +      cncheck        = radius.debconf5.net
       pap {
 -        username = <BEGIN_UNAME>papuser<END_UNAME>
 -        password = <BEGIN_PASS>pappasswd<END_PASS>
 +        username = <BEGIN_UNAME>comasnetworklogin<END_UNAME>
 +        password = <BEGIN_PASS>comasnetworkpassword<END_PASS>
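
Review bot: inside eap-ttls these edits change cncheck to radius.debconf5.net but never touch root_cert, so the file keeps whatever CA path the Debian default ships with. With pap as the inner method the COMAS password is protected only by the TLS tunnel to a verified server, so add a -/+ pair that points root_cert at the certificate downloaded from COMAS. The stanza earlier on this page uses /etc/xsupplicant/tls/debconf-ca.crt while the wpasupplicant example uses /etc/xsupplicant/tls/ca.crt; pick one file name and use it in every example. The edits also stop inside pap { without its closing braces, so a line saying the rest of the file stays unchanged would help.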

Find your username, password and the root certificate from COMAS

https://comas.linux-aktivaattori.org/debconf5

Log in and see "Your network account information".

"Network login" goes to the section default { eap-ttls { pap { username = <BEGIN_UNAME>

"Network password" goes to the section default { eap-ttls { pap { password = <BEGIN_PASS>

The root certificate can be anywhere really, but should match the filename specified in the configuration file. It does not need any special mode, but since there are passwords in the supplicant configuration file you might want to consider making that mode 0400.
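
As an added example (not part of the original how-to and not code from wpa_supplicant), the shell function below checks a wpa_supplicant-style configuration for the two points above: the file holding the password should not be accessible to group or other, and every EAP network should name a ca_cert file that actually exists. The function name, the finding labels and the sample file are assumptions made for this illustration, and it parses only the network={...} syntax shown earlier.

```shell
# Added example: audit a wpa_supplicant-style config for the two points above:
# it stores a password, and ca_cert must name a file that really exists.

# Prints one finding per line; prints nothing when the config passes.
audit_supplicant_conf() {
    conf=$1
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "MODE $conf is accessible to group/other (use 0400)"
    fi
    # Walk each network={...} block: report EAP blocks without ca_cert and
    # pass every ca_cert path to the shell loop, which checks the file.
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*network=[{]/ { inblk = 1; ssid = eap = ca = ""; next }
        inblk && /^[ \t]*[}]/ {
            if (eap != "" && ca == "") print "NOCA", ssid
            if (ca != "") print "CA", ca
            inblk = 0; next
        }
        inblk {
            line = $0; sub(/^[ \t]+/, "", line)
            i = index(line, "="); if (i == 0) next
            key = substr(line, 1, i - 1); val = substr(line, i + 1)
            gsub(/"/, "", val)
            if (key == "ssid") ssid = val
            if (key == "eap") eap = val
            if (key == "ca_cert") ca = val
        }
    ' "$conf" | while read -r kind value; do
        case $kind in
            NOCA) echo "NOCA network '$value' uses EAP but sets no ca_cert" ;;
            CA)   [ -r "$value" ] || echo "MISSING ca_cert file $value" ;;
        esac
    done
}

# Constructed sample: the "debconf" block with ca_cert left out, mode 0644.
sample_dir=$(mktemp -d)
cat > "$sample_dir/weak.conf" <<'EOF'
network={
        ssid="debconf"
        eap=TTLS
        password="XXXXXXXX"
        phase2="auth=PAP"
}
EOF
chmod 0644 "$sample_dir/weak.conf"
audit_supplicant_conf "$sample_dir/weak.conf"
```

Run it against /etc/wpa_supplicant.conf as root; an empty result means both checks passed.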

Note that the username and password will also be used for the Aalto login page if you use that wireless LAN in other parts of the campus.

Use at the dorm and Smökki

Associate with a wireless access point

 iwlist scan
 iwconfig <wireless interface> essid debconf
 iwconfig <wireless interface> enc ffff-ffff-ff

Check that iwconfig gives the MAC address of the access point. Make sure that iwconfig shows "Security mode: open". If it doesn't, run:

 iwconfig <wireless interface> enc open

Note that these steps may be optional with some wireless cards and/or with wpasupplicant.

Check that it is working

For wpasupplicant

 /usr/sbin/wpa_supplicant -c /etc/wpa_supplicant.conf -i eth1 -D ipw -d

Repeat the "d" option for more debugging output. The argument to the "D" option might be "hostap", "madwifi", etc. for various different types of cards. You can see the list with:

 wpa_supplicant --help

If your driver is not specifically supported and you try the "wext" driver, you may need to add ap_scan=0 into your configuration file.

At the end of the debugging output you should see lines something like:

    State: ASSOCIATED -> COMPLETED
    CTRL-EVENT-CONNECTED - Connection to 00:12:d9:42:a5:20 completed (reauth)
    EAPOL: SUPP_PAE entering state AUTHENTICATED
    EAPOL: startWhen --> 0
    EAPOL: authWhile --> 0
    EAPOL: idleWhile --> 0

As root you should be able to use iwconfig to see the key that has been negotiated.

For xsupplicant

First bring up the interface without an IP address:

 ifconfig <wireless interface> up
 /etc/init.d/xsupplicant restart
 less /var/log/xsupplicant.log

If it works, you'll see a line "Authenticated!"; if there's a problem with authentication you'll see a line "Failure!".

Bring up the interface using DHCP

 dhclient <wireless interface>

That should be it, for a one-off connection.

Making it all permanent

With xsupplicant there is no need to enable the init script, but for wpasupplicant you will likely want to edit /etc/default/wpasupplicant to enable the daemon and set sensible options. Once you have done that you will be able to leave it running with:

 /etc/init.d/wpasupplicant start

Report hardware successes/failures

Please report working and non-working wifi systems to DebConf5WirelessHardware. If a specific supplicant, driver or kernel was needed, please include that information.


And the reason we make you jump thru these hoops is ...

Presumably most would agree that it is not a necessary prerequisite to being a useful member of the Debian community that one is comfortable with the necessary degree of networking savvy to get this all working. Why is it, I wonder, that all this security was not considered necessary at any of the other Linux conferences I have attended? I think the successful completion of this compulsory tutorial in wifi authentication should not be necessary to get networked at Debconf5. Let's say a member of the press decided to attend: Are we really saying she must be able to do all this? Or even that she must be running Debian? But disabuse me: What do we gain by all this? What say you?

Canned answer: Because the nice people running the HUT network want us to. Live with it.

What choice do I have? I find I am faced by "nice" authoritarians everywhere. Next they'll be stopping you on the street asking for your identity card. Of course, if at the top of this page it said that the following security regime is imposed by HUT then I wouldn't have thought what's going wrong with the Debian community.

