https://wiki.archlinux.org/api.php?action=feedcontributions&user=Wildefyr&feedformat=atomArchWiki - User contributions [en]2024-03-29T05:40:37ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=WPA2_Enterprise&diff=401274WPA2 Enterprise2015-09-22T10:32:11Z<p>Wildefyr: Added mention of additional packages being needed for connectivity. I don't have an exhaustive list for packages required for what authentication. New section?</p>
<hr />
<div>[[Category:Wireless networking]]<br />
[[Category:Network configuration]]<br />
[[ja:WPA2 Enterprise]]<br />
{{Related articles start}}<br />
{{Related|Wireless configuration}}<br />
{{Related|Network configuration}}<br />
{{Related|Software access point}}<br />
{{Related|Ad-hoc networking}}<br />
{{Related articles end}}<br />
'''WPA2 Enterprise''' is a mode of [[Wikipedia:Wi-Fi_Protected_Access|Wi-Fi Protected Access]]. It provides better security and key management than ''WPA2 Personal'', and supports other enterprise-type functionality, such as VLANs and [[wikipedia:Network Access Protection|NAP]]. However, it requires an external authentication server, called a [[wikipedia:RADIUS|RADIUS]] server, to handle the authentication of users. This is in contrast to Personal mode, which does not require anything beyond the wireless router or access points (APs), and uses a single passphrase or password for all users.<br />
<br />
The Enterprise mode enables users to log onto the Wi-Fi network with a username and password and/or a digital certificate. Since each user has a dynamic and unique encryption key, it also helps to prevent user-to-user snooping on the wireless network, and improves encryption strength.<br />
<br />
== Supported clients ==<br />
<br />
{{Note|[[NetworkManager]] can generate WPA2 Enterprise profiles with [[NetworkManager#Graphical_front-ends|graphical front ends]]. ''nmcli'' and ''nmtui'' do not support this, but may use existing profiles.}}<br />
<br />
See [[List of applications#Network managers]] for an overview.<br />
<br />
=== wpa_supplicant ===<br />
<br />
[[WPA supplicant#Advanced usage|WPA supplicant]] can be configured directly and used in combination with a dhcp client or with systemd, e.g. for a [[Wireless_network_configuration#Manual_wireless_connection_at_boot_using_systemd_and_dhcpcd|dynamic address]]. See the examples in {{ic|/etc/wpa_supplicant/wpa_supplicant.conf}} for configuring the connection details. <br />
<br />
Once the connection configuration is complete, you can use the dhcp client to test it. For example:<br />
<br />
# dhcpcd ''interface''<br />
<br />
will automatically invoke WPA supplicant to establish the connection before proceeding to acquire an IP address.<br />
<br />
== Usage ==<br />
<br />
This section describes the configuration of the alternative available network clients to connect to a wireless access point with WPA2 Enterprise mode. See [[Software access point#RADIUS]] for information on setting up an access point itself. <br />
<br />
Enterprise mode requires a more complex client configuration, whereas Personal mode only requires entering a passphrase when prompted. Clients likely need to install the server’s CA certificate (plus per-user certificates if using EAP-TLS), and then manually configure the wireless security and 802.1X authentication settings.<br />
<br />
For a comparison of protocols see the following [http://deployingradius.com/documents/protocols/compatibility.html table].<br />
<br />
{{Warning|It is possible to use WPA2 Enterprise without the client checking the server CA certificate. However, you should always configure the client to check it, because without authenticating the access point the connection can be subject to a man-in-the-middle attack. While the connection handshake itself may be encrypted, the most widely used setups transmit the password either in plain text or using the easily breakable [[#MS-CHAPv2]]. Hence, the client might send the password to a malicious access point which then proxies the connection.}}<br />
<br />
=== eduroam ===<br />
<br />
[[Wikipedia:eduroam|eduroam]] (education roaming) is an international roaming service for users in research, higher education and further education, based on WPA2 Enterprise. You may need additional packages, e.g. {{Pkg|ppp}} for PEAP authentication, for the network you are trying to connect to.<br />
<br />
{{Warning|<br />
* Check connection details '''first''' with your institution before applying any profiles listed in this section. Example profiles are not guaranteed to work or match any security requirements.<br />
* When storing connection profiles unencrypted, restrict read access to the root account by specifying {{ic|chmod 600 ''profile''}} as root.}}<br />
<br />
==== connman ====<br />
<br />
[[connman]] needs a separate configuration file before [[Connman#Wi-Fi|connecting]]. While the connman git repository contains an [https://git.kernel.org/cgit/network/connman/connman.git/tree/src/eduroam.config example eduroam config], see below for a more extensive configuration:<br />
<br />
{{Note|<br />
* Create the {{ic|/var/lib/connman}} directory if it does not exist.<br />
* Options are case-sensitive. [https://together.jolla.com/question/55969/connman-fails-due-to-case-sensitive-settings/]<br />
}}<br />
<br />
{{hc|/var/lib/connman/wifi_eduroam.config|2=<br />
[service_eduroam]<br />
Type=wifi<br />
Name=eduroam<br />
EAP=ttls<br />
CACertFile=/etc/ssl/certs/ca-certificates.crt<br />
Phase2=PAP<br />
Identity=''username''@''domain.edu''<br />
Passphrase=''password''<br />
}}<br />
<br />
[[Restart]] {{ic|wpa_supplicant.service}} and {{ic|connman.service}} to connect to the new network.<br />
<br />
==== Wicd ====<br />
<br />
The {{AUR|wicd-eduroam}}{{Broken package link|{{aur-mirror|wicd-eduroam}}}} package contains configuration templates which will appear to wicd as ''eduroam''.<br />
<br />
Alternatively, see [https://gist.githubusercontent.com/anonymous/0fa3b2c2b2a34c68a6f1/raw/9b8fdb7301182d18b6cd5068a7dbdfc57e5ba430/gistfile1.txt] for an example of a '''TTLS''' profile. To activate the profile, run:<br />
<br />
# echo ttls-80211 >> /etc/wicd/encryption/templates/active<br />
<br />
Open ''wicd'', choose ''TTLS for Wireless'' and enter the appropriate settings. The format of the subject match should be similar to {{ic|1=/CN=server.example.com}}.<br />
<br />
==== netctl ====<br />
<br />
The {{AUR|netctl-eduroam}} package provides a template for easy configuration. Once installed, copy the template from {{ic|/etc/netctl/examples/eduroam}} to {{ic|/etc/netctl/eduroam}} and modify it according to your credentials.<br />
<br />
Alternatively, adapt an example configuration from [https://gist.githubusercontent.com/anonymous/ed16e3b191cf627814b3/raw/d476e0dddbc8920b855702737ff69c287e620c7b/eduroam-netctl] (plain) or [https://gist.githubusercontent.com/anonymous/3fd8f8808a22b3a96feb/raw/d9537016a8c9852561630e676c4cbf98553a1a48/eduroam-ttls-netctl] (TTLS and certified universities).<br />
<br />
{{Tip|<br />
* To prevent storing your password as plaintext, you can generate a password hash with {{ic|<nowiki>$ tr -d '\n' | iconv -t utf16le | openssl md4</nowiki>}}. Type your password, press {{ic|Enter}} and then {{ic|Ctrl+d}}. Store the hashed password as {{ic|1='password=hash:<hash>'}}. This password hash is only available for MSCHAPV2 or MSCHAP; when using PAP, use a plaintext password.<br />
* Custom certificates can be specified by adding the line {{ic|1='ca_cert="/path/to/special/certificate.cer"'}} in {{ic|WPAConfigSection}}.<br />
}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== MS-CHAPv2 ===<br />
<br />
WPA2-Enterprise wireless networks demanding MSCHAPv2 type-2 authentication with PEAP sometimes require {{AUR|ppp-mppe}}{{Broken package link|{{aur-mirror|ppp-mppe}}}} rather than the stock {{Pkg|ppp}} package. [[netctl]] seems to work out of the box without ppp-mppe, however. In either case, usage of MSCHAPv2 is discouraged as it is highly vulnerable, although using another method is usually not an option. See also [https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/] and [http://research.edm.uhasselt.be/~bbonne/docs/robyns14wpa2enterprise.pdf].</div>Wildefyrhttps://wiki.archlinux.org/index.php?title=User:Wildefyr&diff=399295User:Wildefyr2015-09-10T23:48:24Z<p>Wildefyr: First Commit</p>
<hr />
<div>[http://wildefyr.net/contact Contact]</div>Wildefyrhttps://wiki.archlinux.org/index.php?title=TeamSpeak&diff=398447TeamSpeak2015-09-05T23:43:31Z<p>Wildefyr: Edited out example hostname.</p>
<hr />
<div>[[Category:Telephony and voice]]<br />
From [[Wikipedia:TeamSpeak|Wikipedia, the free encyclopedia]]:<br />
<br />
:''TeamSpeak is proprietary Voice over IP software that allows computer users to speak on a chat channel with fellow computer users, much like a telephone conference call.''<br />
<br />
== Installation ==<br />
<br />
===Client===<br />
<br />
[[pacman|Install]] {{Pkg|teamspeak3}}, available in the [[official repositories]].<br />
<br />
===Server===<br />
<br />
Install {{AUR|teamspeak3-server}}, available in the [[AUR]].<br />
<br />
== Configuration and Startup ==<br />
<br />
=== Server ===<br />
<br />
==== Configuration ====<br />
<br />
* You can configure the TeamSpeak server. If you are using [[systemd]] please check {{ic|/usr/share/doc/teamspeak3-server/server_quickstart.txt}} for all available command line parameters.<br />
<br />
* If you possess a license file please copy it to {{ic|/var/lib/teamspeak3-server/licensekey.dat}}.<br />
<br />
==== First Startup ====<br />
<br />
On the first startup, TeamSpeak creates the SQLite database at {{ic|/var/lib/teamspeak3-server/ts3server.sqlitedb}} and starts logging its standard output to files in {{ic|/var/log/teamspeak3-server/}}. TeamSpeak also creates the first ServerQuery administration account (the superuser) and the first virtual server, including a privilege key for the server administrator of this virtual server. The privilege key is only displayed once on standard output.<br />
<br />
* Start the service with systemctl:<br />
 # systemctl start teamspeak3-server<br />
<br />
* To find the privilege key:<br />
$ systemctl status teamspeak3-server<br />
<br />
* Scan the output for the privilege key:<br />
{{hc|Example output:|<nowiki><br />
● teamspeak3-server.service - TeamSpeak3 Server<br />
Loaded: loaded (/usr/lib/systemd/system/teamspeak3-server.service; enabled; vendor preset: disabled)<br />
Active: active (running) since Sat 2015-09-05 23:34:42 BST; 49min ago<br />
Main PID: 20126 (teamspeak3-serv)<br />
CGroup: /system.slice/teamspeak3-server.service<br />
└─20126 /usr/bin/teamspeak3-server logpath=/var/log/teamspeak3-server/ dbsqlpath=/usr/share/teamspeak3-server/sql/<br />
<br />
Sep 05 23:34:45 Your-Hostname teamspeak3-server[20126]: serveradmin rights for your virtualserver. please<br />
Sep 05 23:34:45 Your-Hostname teamspeak3-server[20126]: also check the doc/privilegekey_guide.txt for details.<br />
Sep 05 23:34:45 Your-Hostname teamspeak3-server[20126]: token=lcUEBG5YVxnhzPcS5hAmOkW1Zb6KbTZbkntbPFca <br />
Sep 05 23:34:45 Your-Hostname teamspeak3-server[20126]: ------------------------------------------------------------------<br />
Sep 05 23:34:45 Your-Hostname teamspeak3-server[20126]: 2015-09-05 22:34:45.322567|INFO |CIDRManager | | updated query_ip_whitelist ips: 127.0.0.1,<br />
Sep 05 23:34:45 Your-Hostname teamspeak3-server[20126]: 2015-09-05 22:34:45.323806|INFO |Query | | listening on 0.0.0.0:10011<br />
Sep 05 23:34:53 Your-Hostname systemd[1]: Started TeamSpeak3 Server.<br />
</nowiki>}}<br />
<br />
* The privilege key is the value of ''token'' in this output.<br />
<br />
* Alternatively, you can navigate to the logs directory for teamspeak3-server and read the output log directly. (This is a persistent file and will still have the first startup output here even if you have restarted the server):<br />
{{Note|You have to be logged in either as root or as the teamspeak user to access this directory!}}<br />
$ cd /var/log/teamspeak3-server<br />
$ cat ts3server_*.log<br />
<br />
Open up a Teamspeak 3 client, connect to the server and copy and paste the privilege key into the client popup.<br />
<br />
==== Regular startup ====<br />
<br />
Simply enable teamspeak3-server with systemctl:<br />
 # systemctl enable teamspeak3-server<br />
<br />
See [[Daemon]] for more information.<br />
<br />
=== Re-Initialising Teamspeak === <br />
<br />
If you have used the initial privilege key and have lost server permissions (e.g. your TeamSpeak 3 client with superadmin rights was uninstalled), you will have to start from scratch!<br />
<br />
{{Warning|These steps delete your current configured TeamSpeak servers, your users, permissions and all settings.}}<br />
<br />
* Stop teamspeak3-server:<br />
 # systemctl stop teamspeak3-server<br />
<br />
* Remove {{ic|/var/lib/teamspeak3-server/ts3server.sqlitedb}}:<br />
 # rm /var/lib/teamspeak3-server/ts3server.sqlitedb<br />
<br />
* Clear {{ic|/var/log/teamspeak3-server/}}:<br />
 # rm /var/log/teamspeak3-server/*.log<br />
<br />
* Now follow the same instructions for a first time setup.<br />
<br />
== See also ==<br />
<br />
* [http://www.teamspeak.com/?page=literature Official documentation]</div>Wildefyrhttps://wiki.archlinux.org/index.php?title=TeamSpeak&diff=398446TeamSpeak2015-09-05T23:40:45Z<p>Wildefyr: There is no need for having the su -s /bin/bash method here, as systemd manages the service completely. For getting the automatically created privilege key, it is simply easier to read the logfile either with an editor or cat, or use systemctl status.</p>
<hr />
<div>[[Category:Telephony and voice]]<br />
From [[Wikipedia:TeamSpeak|Wikipedia, the free encyclopedia]]:<br />
<br />
:''TeamSpeak is proprietary Voice over IP software that allows computer users to speak on a chat channel with fellow computer users, much like a telephone conference call.''<br />
<br />
== Installation ==<br />
<br />
===Client===<br />
<br />
[[pacman|Install]] {{Pkg|teamspeak3}}, available in the [[official repositories]].<br />
<br />
===Server===<br />
<br />
Install {{AUR|teamspeak3-server}}, available in the [[AUR]].<br />
<br />
== Configuration and Startup ==<br />
<br />
=== Server ===<br />
<br />
==== Configuration ====<br />
<br />
* You can configure the TeamSpeak server. If you are using [[systemd]] please check {{ic|/usr/share/doc/teamspeak3-server/server_quickstart.txt}} for all available command line parameters.<br />
<br />
* If you possess a license file please copy it to {{ic|/var/lib/teamspeak3-server/licensekey.dat}}.<br />
<br />
==== First Startup ====<br />
<br />
On the first startup, TeamSpeak creates the SQLite database at {{ic|/var/lib/teamspeak3-server/ts3server.sqlitedb}} and starts logging its standard output to files in {{ic|/var/log/teamspeak3-server/}}. TeamSpeak also creates the first ServerQuery administration account (the superuser) and the first virtual server, including a privilege key for the server administrator of this virtual server. The privilege key is only displayed once on standard output.<br />
<br />
* Start the service with systemctl:<br />
 # systemctl start teamspeak3-server<br />
<br />
* To find the privilege key:<br />
$ systemctl status teamspeak3-server<br />
<br />
* Scan the output for the privilege key:<br />
{{hc|Example output:|<nowiki><br />
● teamspeak3-server.service - TeamSpeak3 Server<br />
Loaded: loaded (/usr/lib/systemd/system/teamspeak3-server.service; enabled; vendor preset: disabled)<br />
Active: active (running) since Sat 2015-09-05 23:34:42 BST; 49min ago<br />
Main PID: 20126 (teamspeak3-serv)<br />
CGroup: /system.slice/teamspeak3-server.service<br />
└─20126 /usr/bin/teamspeak3-server logpath=/var/log/teamspeak3-server/ dbsqlpath=/usr/share/teamspeak3-server/sql/<br />
<br />
Sep 05 23:34:45 Wildefyr-Server teamspeak3-server[20126]: serveradmin rights for your virtualserver. please<br />
Sep 05 23:34:45 Wildefyr-Server teamspeak3-server[20126]: also check the doc/privilegekey_guide.txt for details.<br />
Sep 05 23:34:45 Wildefyr-Server teamspeak3-server[20126]: token=lcUEBG5YVxnhzPcS5hAmOkW1Zb6KbTZbkntbPFca <br />
Sep 05 23:34:45 Wildefyr-Server teamspeak3-server[20126]: ------------------------------------------------------------------<br />
Sep 05 23:34:45 Wildefyr-Server teamspeak3-server[20126]: 2015-09-05 22:34:45.322567|INFO |CIDRManager | | updated query_ip_whitelist ips: 127.0.0.1,<br />
Sep 05 23:34:45 Wildefyr-Server teamspeak3-server[20126]: 2015-09-05 22:34:45.323806|INFO |Query | | listening on 0.0.0.0:10011<br />
Sep 05 23:34:53 Wildefyr-Server systemd[1]: Started TeamSpeak3 Server.<br />
</nowiki>}}<br />
<br />
* The privilege key is the value of ''token'' in this output.<br />
<br />
* Alternatively, you can navigate to the logs directory for teamspeak3-server and read the output log directly. (This is a persistent file and will still have the first startup output here even if you have restarted the server):<br />
{{Note|You have to be logged in either as root or as the teamspeak user to access this directory!}}<br />
$ cd /var/log/teamspeak3-server<br />
$ cat ts3server_*.log<br />
<br />
Open up a Teamspeak 3 client, connect to the server and copy and paste the privilege key into the client popup.<br />
<br />
==== Regular startup ====<br />
<br />
Simply enable teamspeak3-server with systemctl:<br />
 # systemctl enable teamspeak3-server<br />
<br />
See [[Daemon]] for more information.<br />
<br />
=== Re-Initialising Teamspeak === <br />
<br />
If you have used the initial privilege key and have lost server permissions (e.g. your TeamSpeak 3 client with superadmin rights was uninstalled), you will have to start from scratch!<br />
<br />
{{Warning|These steps delete your current configured TeamSpeak servers, your users, permissions and all settings.}}<br />
<br />
* Stop teamspeak3-server:<br />
 # systemctl stop teamspeak3-server<br />
<br />
* Remove {{ic|/var/lib/teamspeak3-server/ts3server.sqlitedb}}:<br />
 # rm /var/lib/teamspeak3-server/ts3server.sqlitedb<br />
<br />
* Clear {{ic|/var/log/teamspeak3-server/}}:<br />
 # rm /var/log/teamspeak3-server/*.log<br />
<br />
* Now follow the same instructions for a first time setup.<br />
<br />
== See also ==<br />
<br />
* [http://www.teamspeak.com/?page=literature Official documentation]</div>Wildefyr