DebConf5WirelessHowto
Contents
|
[edit] Configuring wireless network at DebConf5
[edit] Prepare at home or with a wire
Either xsupplicant or wpasupplicant can be used. wpasupplicant may be easier to configure and use, and xsupplicant is deprecated upstream, has nice race conditions and it is an all-around ugly beast. So go with wpasupplicant, if you can.
[edit] wpasupplicant
aptitude install wpasupplicant
Here's an example configuration (put it in /etc/wpa_supplicant.conf).
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
network={
ssid="debconf"
scan_ssid=1
key_mgmt=[[IEEE8021X]]
eap=TTLS
anonymous_identity="your_nick_for_example"
identity="deb-XXXX"
password="XXXXXXXX"
ca_cert="/etc/xsupplicant/tls/ca.crt"
phase2="auth=PAP"
}
"identity", "password" and cert are in COMAS. See below for getting the etc/xsupplicant/tls/ca.crt file.
The daemon will not be started until you edit /etc/default/wpasupplicant.
Also, in order to use the open "aalto" wireless network in other parts of the campus, you should have a second clause like this:
network={
ssid="aalto"
scan_ssid=0
key_mgmt=NONE
}
Otherwise wpa_supplicant may keep attempting to reset your ssid...
[edit] xsupplicant
aptitude install xsupplicant
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=317703 as well
This can break your network connection until you edit xsupplicant.conf deny_interfaces to contain your (wired) network interface.
RTFM: "man xsupplicant" and http://sourceforge.net/docman/display_doc.php?docid=24379&group_id=60236
To help in configuring /etc/xsupplicant/xsupplicant.conf, here's an example file: DebConf5XSupplicantExample
Or add this to end of /etc/xsupplicant/xsupplicant.conf
debconf
{
eap-ttls {
root_cert = /etc/xsupplicant/tls/debconf-ca.crt
cncheck = radius.debconf5.net
phase2_type = pap
pap {
username = <BEGIN_UNAME>my-comas-net-user<END_UNAME>
password = <BEGIN_PASS>my-comas-net-pass<END_PASS>
}
}
}
Or do the following edits to the default Debian version:
-#allow_interfaces = eth0, wlan0
+allow_interfaces = yourwirelessinterfacehere
-#deny_interfaces = eth1
+deny_interfaces = yourwiredinterfacehere
- identity = <BEGIN_ID>debian-user<END_ID>
+ identity = <BEGIN_ID>justputanyidhere<END_ID>
eap-ttls {
- user_cert = /etc/xsupplicant/tls/client.crt
- user_key = /etc/xsupplicant/tls/client.key
- user_key_pass = <BEGIN_PASS>password for key<END_PASS>
+# user_cert = /etc/xsupplicant/tls/client.crt
+# user_key = /etc/xsupplicant/tls/client.key
+# user_key_pass = <BEGIN_PASS>password for key<END_PASS>
- cncheck = myradius.radius.com
+ cncheck = radius.debconf5.net
pap {
- username = <BEGIN_UNAME>papuser<END_UNAME>
- password = <BEGIN_PASS>pappasswd<END_PASS>
+ username = <BEGIN_UNAME>comasnetworklogin<END_UNAME>
+ password = <BEGIN_PASS>comasnetworkpassword<END_PASS>
[edit] Find your username, password and the root certificate from COMAS
https://comas.linux-aktivaattori.org/debconf5
Log in and see "Your network account information".
"Network login" goes to the section default { eap-ttls { pap { username = <BEGIN_UNAME>
"Network password" goes to the section default { eap-ttls { pap { password = <BEGIN_PASS>
The root certificate can be anywhere really, but should match the filename specified in the configuration file. It does not need any special mode, but since there are passwords in the supplicant configuration file you might want to consider making that mode 0400.
Note that the username and password will also be used for the Aalto login page if you use that wireless LAN in other parts of the campus.
[edit] Use at the dorm and Smökki
[edit] Associate with a wireless access point
iwlist scan
iwconfig ''wireless interface'' essid debconf
iwconfig ''wireless interface'' enc ffff-ffff-ff
Check that iwconfig gives the MAC address of the access point. Make sure that iwconfig shows "Security mode: open". If it isn't, you will need to:
iwconfig ''wireless interface'' enc open
Note that these steps may be optional with some wireless cards and/or with wpasupplicant.
[edit] Check that it is working
[edit] For wpasupplicant
/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant.conf -i eth1 -D ipw -d
Add multiple "d" option for more debugging. The argument to the "D" option might be "hostap", "madwifi", etc. for various different types of cards. You can see the list by:
wpa_supplicant --help
If your driver is not specifically supported and you try the "wext" driver, you may need to add ap_scan=0 into your configuration file.
At the end of the debugging output you should see some lines something like:
State: ASSOCIATED -> COMPLETED
CTRL-EVENT-CONNECTED - Connection to 00:12:d9:42:a5:20 completed (reauth)
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: startWhen --> 0
EAPOL: authWhile --> 0
EAPOL: idleWhile --> 0
As root you should be able to see the key that has been negotiated with iwconfig.
[edit] For xsupplicant
First bring up the interface without an IP address:
ifconfig ''wireless interface'' up
/etc/init.d/xsupplicant restart
less /var/log/xsupplicant.log
If it works, you'll see a line "Authenticated!", if there's a problem with authentication you'll see a line "Failure!".
[edit] Bring up the interface using DHCP
dhclient ''wireless interface''
That should be it, for a one-off connection.
[edit] Making it all permanent
With xsupplicant there is no need to enable the init script, but for wpasupplicant you will likely want to edit /etc/default/wpasupplicant to enable the daemon and set sensible options. Once you have done that you will be able to leave it running with:
/etc/init.d/wpasupplicant start
[edit] Report hardware successess/failures
Please report working unworking wifi systems to DebConf5WirelessHardware . If a specific supplicant, driver, or a kernel was needed, please provide informations.
[edit] And the reason we make you jump thru these hoops is ...
Presumably most would agree that it is not a necessary prerequisite to being a useful member of the Debian community that one is comfortable with the necessary degree of networking savvy to get this all working. Why is it, I wonder, that all this security was not considered necessary at any of the other Linux conferences I have attended? I think the successful completion of this compulsory tutorial in wifi authentication should not be necessary to get networked at Debconf5. Let's say a member of the press decided to attend: Are we really saying she must be able to do all this? Or even that she must be running Debian? But disabuse me: What do we gain by all this? What say you?
Canned answer: Because the nice people running the HUT network wants us to. Live with it.
What choice do I have? I find I am faced by "nice" authoritarians everywhere. Next they'll be stopping you on the street asking for your identity card. Of course, if at the top of this page it said that the following security regime is imposed by HUT then I wouldn't have thought what's going wrong with the Debian community.
