DebConf5XSupplicantExample
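# This is an example configuration file for xsupplicant versions after 0.8b.
#
# Format note: this is NOT classic INI. Global directives come first, then
# each network is a name followed by a brace-delimited block; EAP-method
# blocks nest inside the network block. Comments are full lines starting
# with '#'; free-form values are wrapped in <BEGIN_x>...<END_x> markers.
#
# This file holds cleartext passwords and private-key passphrases
# (<BEGIN_PASS>...<END_PASS>, user_key_pass) and the *_command directives
# below are executed by the supplicant process. Keep it readable and
# writable only by the account that runs xsupplicant.

##########################################################################
#                           GLOBAL SECTION                               #
##########################################################################

# List of configured networks to keep in memory, expressed as a comma
# separated list or the keyword 'all'. For efficiency, keep only the
# networks you use in this list and make sure that it includes your
# default network.
#network_list = default, test1, test2
network_list = all

# Default network name to use when there is not an explicit match
#default_netname = my_defaults
default_netname = default

# When using the startup_command, first_auth_command, and reauth_command
# directives, "%i" will be expanded to the interface name. This allows a
# single network profile to work across different interfaces.
# These commands are run by xsupplicant itself, which is one more reason
# this file must not be writable by untrusted users.

# The command to run when xsupplicant is first started.
#startup_command = <BEGIN_COMMAND>echo "xsupplicant startup"<END_COMMAND>

# The command to run when xsupplicant authenticates to a network for the
# first time. This will usually be used to start a DHCP client process.
#first_auth_command = <BEGIN_COMMAND>dhclient %i<END_COMMAND>

# The command to run when xsupplicant reauthenticates to a network.
#reauth_command = <BEGIN_COMMAND>echo "reauthenticated %i"<END_COMMAND>

# Where the supplicant should log to, (xsupplicant will create a new log
# file on each invocation).
logfile = /var/log/xsupplicant.log

# The auth_period, held_period, and max_starts directives modify the
# timers in the state machine. (Please reference the 802.1x spec for info
# on how they are used.) For most people, there is no reason to define
# these values, as the defaults should work.
#auth_period = 30
#held_period = 30
#max_starts = 3

# For most people, the default setting for "allmulti" will work just fine.
# In some cases however wireless cards have been known to not work when
# ALLMULTI is enabled, (such as certain Orinoco cards with older drivers).
# If allmulti is set to no, xsupplicant will not attempt to change the state
# of the setting in the driver so you should make sure to do an "ifconfig
# ethX -allmulti".
#allmulti = no

# Defining an interface in "allow_interfaces" will bypass the rules that
# xsupplicant uses to determine if an interface is valid. For most people
# this setting shouldn't be needed. It is useful for having xsupplicant
# attempt to authenticate on interfaces that don't appear to be true
# physical interfaces, (i.e. virtual interfaces such as eth0:1).
allow_interfaces = yourwirelessinterfacehere

# Defining an interface in "deny_interfaces" will prevent xsupplicant from
# attempting to authenticate on a given interface. This is useful if you
# know that you will never do 802.1x on a specific interface. However,
# allows take priority over denies, so defining the same interface in
# both allow_interfaces and deny_interfaces will result in the interface
# being used.
deny_interfaces = yourwiredinterfacehere

##########################################################################
#                          NETWORK SECTION                               #
##########################################################################

# The general format of the network section is a network name followed
# by a brace-delimited group of variables.

# Network names may contain the following characters: a-z, A-Z, 0-9, '-',
# '_', '\', and '/'. Those interested in having an SSID with ANY character
# in it can use the ssid tag within the network clause. Otherwise, your
# ssid will be the name of the network.

## The default network is not a network itself. These values are the
## defaults used for any network parameters not overridden in another
## section. If it's not in your network configuration and not in your
## default, it won't work!!
default
{
  # The type of this network: wired or wireless. If this value is not set,
  # xsupplicant will attempt to determine if the interface is wired or
  # wireless. In general, you should only need to define this when
  # xsupplicant incorrectly identifies your network interface.
  #type = wireless

  # If this profile is forced to wired, this will not do anything.
  # However, if the interface is forced, or detected to be wireless,
  # xsupplicant will take control of re/setting WEP keys when the machine
  # first starts, and when it jumps to a different AP. In general, you
  # won't need to define, or set this value.
  #wireless_control = yes

  # Describes which EAP types this network will allow. The first type
  # listed will be requested if the server tries to use something not in
  # this list. Only the methods named here can be negotiated, so the
  # eap-md5 / eap-leap blocks further down are inert unless added here;
  # both are legacy methods with known weaknesses and are kept only as
  # examples.
  #allow_types = eap_tls, eap_md5, eap_gtc, eap-otp
  allow_types = eap_ttls

  # What to respond with when presented with an EAP Id Request. Typically,
  # this is the username for this network. Since this can be an arbitrary
  # string, enclose within <BEGIN_ID> and <END_ID>.
  # For tunnelled methods (TTLS/PEAP) this outer identity is sent before
  # the TLS tunnel exists, so it need not be the real username.
  identity = <BEGIN_ID>justputanyidhere<END_ID>

  # Force xsupplicant to send its packets to this destination MAC address.
  # In most cases, this isn't needed, and shouldn't be defined.
  #dest_mac = 00:aA:bB:cC:dD:eE

  ## Method-specific parameters are kept in the method's own block.

  eap_tls
  {
    user_cert = /etc/xsupplicant/tls/client.crt
    user_key = /etc/xsupplicant/tls/client.key
    # Passphrase protecting user_key; stored in the clear in this file.
    user_key_pass = <BEGIN_PASS>password for key<END_PASS>
    # CA that the authentication server's certificate must chain to.
    root_cert = /etc/xsupplicant/tls/ca.crt
    #root_dir = /etc/xsupplicant/ca/
    crl_dir = /etc/xsupplicant/tls
    chunk_size = 1398
    random_file = /etc/xsupplicant/tls/random

    # To enable TLS session resumption, you need to set the following
    # value to "yes". By default, session resumption is disabled.
    #session_resume = yes
  }

  eap-md5
  {
    username = <BEGIN_UNAME>testuser<END_UNAME>
    password = <BEGIN_PASS>testuserpass!<END_PASS>
  }

  eap-ttls
  {
    # A client certificate is optional for TTLS; the phase2 method below
    # carries the user credential instead.
    #user_cert = /etc/xsupplicant/tls/client.crt
    #user_key = /etc/xsupplicant/tls/client.key
    #user_key_pass = <BEGIN_PASS>password for key<END_PASS>

    # CA that the authentication server's certificate must chain to.
    # root_cert together with cncheck/cnexact is what stops the phase2
    # password from being handed to an impostor server; do not leave
    # them out.
    root_cert = /etc/xsupplicant/tls/ca.crt
    #root_dir = /etc/xsupplicant/ca/
    crl_dir = /etc/xsupplicant/tls
    chunk_size = 1398
    random_file = /etc/xsupplicant/tls/random

    # Verify the server certificate has this value in its CN field.
    cncheck = radius.debconf5.net
    #session_resume = yes

    # Should it be an exact match?
    cnexact = yes

    # phase2_type defines which phase2 to actually do. You MUST define
    # one of these. With pap the password travels unhashed inside the
    # TLS tunnel, so the server checks above are mandatory, not optional.
    phase2_type = pap

    ## These are definitions for the different methods you might do at
    ## phase2. Only the one specified above will be used but it is valid
    ## to leave more than one here for convenience and easy switching.
    pap
    {
      username = <BEGIN_UNAME>comasnetworklogin<END_UNAME>
      password = <BEGIN_PASS>comasnetworkpassword<END_PASS>
    }

    chap
    {
      username = <BEGIN_UNAME>chapuser<END_UNAME>
      password = <BEGIN_PASS>chappasswd<END_PASS>
    }

    mschap
    {
      username = <BEGIN_UNAME>mschapuser<END_UNAME>
      password = <BEGIN_PASS>mschappasswd<END_PASS>
    }

    mschapv2
    {
      username = <BEGIN_UNAME>mschapv2user<END_UNAME>
      password = <BEGIN_PASS>mschapv2passwd<END_PASS>
    }
  }

  eap-leap
  {
    username = <BEGIN_UNAME>leapuser<END_UNAME>
    password = <BEGIN_PASS>leapuserpass!<END_PASS>
  }

  eap-mschapv2
  {
    username = <BEGIN_UNAME>eapmschapv2user<END_UNAME>
    password = <BEGIN_PASS>eapmschapv2userpass!<END_PASS>
  }

  eap-peap
  {
    user_cert = /etc/xsupplicant/tls/client.crt
    user_key = /etc/xsupplicant/tls/client.key
    user_key_pass = <BEGIN_PASS>password for key<END_PASS>
    # CA that the authentication server's certificate must chain to;
    # pair with cncheck/cnexact as in eap-ttls above.
    root_cert = /etc/xsupplicant/tls/ca.crt
    #root_dir = /etc/xsupplicant/ca/
    crl_dir = /etc/xsupplicant/tls
    chunk_size = 1398
    random_file = /etc/xsupplicant/tls/random

    # Verify the server certificate has this value in its CN field.
    cncheck = myradius.radius.com

    # Should it be an exact match?
    cnexact = yes
    session_resume = yes

    # Currently 'all' is just mschapv2. If no allow_types is defined, all
    # is assumed.
    #allow_types = eap_mschapv2
    allow_types = all
    # where all = MSCHAPv2, MD5, OTP, GTC, SIM
    # Right now you can do any of these methods in PEAP.

    eap-mschapv2
    {
      username = <BEGIN_UNAME>phase2mschapv2<END_UNAME>
      password = <BEGIN_PASS>phase2mschapv2pass<END_PASS>
    }
  }

  eap-sim
  {
    # In order to obtain the IMSI from the SIM card, the password MUST
    # be defined here! Otherwise, you need to specify your IMSI as the
    # username below.
    username = <BEGIN_UNAME>simuser<END_UNAME>
    password = <BEGIN_PASS>simuserpass!<END_PASS>
    auto_realm = yes
  }
}

# In this network definition, "test1" is the friendly name. It can match
# the essid of the network, which means you won't have to set the "ssid"
# variable. However, if it doesn't match, you need to set the "ssid"
# variable in order for the network to be detected correctly.
#test1
#{
#  type = wired
#
#  # You should not define this unless you have characters other than those
#  # specified above in the ssid of your network
#  ssid = <BEGIN_SSID>mvemjsnp<END_SSID>
#
#  allow_types = all
#  identity = <BEGIN_ID>Check this out- any char!#$<END_ID>
#
#}

#test2
#{
#  # You should not define this unless you have characters other than those
#  # specified above in the ssid of your network
#  ssid = <BEGIN_SSID>up to 32 character ASCII string<END_SSID>
#  identity = <BEGIN_ID>testuser@testnet.com<END_ID>
#
#  allow_types = eap-tls
#  type = wireless
#}

#test3
#{
#  # You should not define this unless you have characters other than those
#  # specified above in the ssid of your network
#  ssid = <BEGIN_SSID>foo-network!<END_SSID>
#
#  type = wired
#
#  identity= <BEGIN_ID>this will work too<END_ID>
#}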