networkconfigurationsettings

Differences

networkconfigurationsettings [2020/11/19 06:33]
Andrew Zaborowski [802.1x (WPA/WPA2 Enterprise) settings] Readd formatting
networkconfigurationsettings [2021/01/26 10:25]
Andrew Zaborowski [802.1x (WPA/WPA2 Enterprise) settings] TLS certificate / private key settings update
Line 15: Line 15:
 | ''​AlwaysRandomizeAddress''​ | ''​true'',​ **''​false''​** | Always randomize MAC address on each new connection. Requires ''​AddressRandomization=network''​ in main.conf (optional) | | ''​AlwaysRandomizeAddress''​ | ''​true'',​ **''​false''​** | Always randomize MAC address on each new connection. Requires ''​AddressRandomization=network''​ in main.conf (optional) |
 | ''​AddressOverride''​ | ''​MAC Address''​ | Override the MAC address used for this network. Requires ''​AddressRandomization=network''​ in main.conf (optional) | | ''​AddressOverride''​ | ''​MAC Address''​ | Override the MAC address used for this network. Requires ''​AddressRandomization=network''​ in main.conf (optional) |
 +
 +===== IP configuration settings =====
 +
 +See [[ipconfiguration|IP configuration]].
  
 ===== Pre-Shared Key (WPA/WPA2 Personal/​SAE) network settings ===== ===== Pre-Shared Key (WPA/WPA2 Personal/​SAE) network settings =====
Line 28: Line 32:
 ^ Setting Key                                           ^ Values ​                                                                                                                   ^ Description ​                                                                                                                                                                                                                                                                                      ^ ^ Setting Key                                           ^ Values ​                                                                                                                   ^ Description ​                                                                                                                                                                                                                                                                                      ^
 | Group header: **''​[Security]''​** ​                                                                                                                                                                                                                                                                                                                                                                                                                                                   ||| | Group header: **''​[Security]''​** ​                                                                                                                                                                                                                                                                                                                                                                                                                                                   |||
-| ''​EAP-Method'' ​                                       | ''​AKA'',​ ''​%%AKA'​%%'',​ ''​GTC''​ (internal), ''​MD5''​ (internal), ''​MSCHAPV2'',​ ''​PEAP'',​ ''​PWD'',​ ''​SIM'',​ ''​TLS'',​ ''​TTLS'',​ ''​WSC''​ (internal) ​ | No default ​                                                                                                                                                                                                                                                                                       |+| ''​EAP-Method'' ​                                       | ''​AKA'',​ ''​%%AKA'​%%'',​ ''​GTC''​ (*), ''​MD5''​ (*), ''​MSCHAPV2'',​ ''​PEAP'',​ ''​PWD'',​ ''​SIM'',​ ''​TLS'',​ ''​TTLS'',​ ''​WSC''​ (internal) ​ | No default ​                                                                                                                                                                                                                                                                                       |
 |  Applies to: **EAP-SIM**,​ **EAP-AKA**,​ **EAP-AKA'​** ​                                                                                                                                                                                                                                                                                                                                                                                                                                ||| |  Applies to: **EAP-SIM**,​ **EAP-AKA**,​ **EAP-AKA'​** ​                                                                                                                                                                                                                                                                                                                                                                                                                                |||
 | ''​EAP-Identity'' ​                                     | //​text// ​                                                                                                                 | EAP identity string transmitted in plaintext, if any (optional) ​                                                                                                                                                                                                                                  | | ''​EAP-Identity'' ​                                     | //​text// ​                                                                                                                 | EAP identity string transmitted in plaintext, if any (optional) ​                                                                                                                                                                                                                                  |
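Review bot: the `(*)` marker the new side puts after `GTC` and `MD5` in the `EAP-Method` row is not defined anywhere in this hunk, while `WSC` keeps the old `(internal)` annotation, so the row now uses two different markers for what was one meaning. Either keep `(internal)` for all three or add the footnote the asterisk points to, and say what "internal" means for the reader of this row: the method can only be chosen as an inner method via `EAP-TTLS-Phase2-Method` or `EAP-PEAP-Phase2-Method`, not as the outer `EAP-Method`. That distinction is the one a practitioner needs, since the Phase 2 rows later on this page note that only the inner negotiation runs encrypted.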
Line 46: Line 50:
 | ''​EAP-Identity'' ​                                     | //​text// ​                                                                                                                 | EAP identity/​username string transmitted in plaintext. ​ No default, if not provided IWD will request a username at connection time.  See [[https://​tools.ietf.org/​html/​rfc5216#​section-5.2|RFC 5216 Section 5.2]] for requirements on peer identity with regards to client certificate contents. ​ | | ''​EAP-Identity'' ​                                     | //​text// ​                                                                                                                 | EAP identity/​username string transmitted in plaintext. ​ No default, if not provided IWD will request a username at connection time.  See [[https://​tools.ietf.org/​html/​rfc5216#​section-5.2|RFC 5216 Section 5.2]] for requirements on peer identity with regards to client certificate contents. ​ |
 | ''​EAP-TLS-CACert'',​\\ ''​EAP-TTLS-CACert'',​\\ ''​EAP-PEAP-CACert''​ | //file path// or //embedded pem// | Path to a PEM-formatted X.509 root certificate list to use for trust verification,​ both for the server'​s certificate chain and the chain specified with ''​ClientCert''​ (if any).  IWD will require that the root in the verified certificate chains is trusted by at least one CA in the list.  If not provided IWD will have no way to authenticate the server -- discouraged. (optional) | | ''​EAP-TLS-CACert'',​\\ ''​EAP-TTLS-CACert'',​\\ ''​EAP-PEAP-CACert''​ | //file path// or //embedded pem// | Path to a PEM-formatted X.509 root certificate list to use for trust verification,​ both for the server'​s certificate chain and the chain specified with ''​ClientCert''​ (if any).  IWD will require that the root in the verified certificate chains is trusted by at least one CA in the list.  If not provided IWD will have no way to authenticate the server -- discouraged. (optional) |
-| ''​EAP-TLS-ClientCert'',​\\ ''​EAP-TTLS-ClientCert'',​\\ ''​EAP-PEAP-ClientCert'' ​| //file path// or //embedded pem// | Path to a PEM-formatted ​client X.509 certificate or certificate chain to send on server request. ​ For some networks this is mandatory, for others optional. | +| ''​EAP-TLS-ClientCert'',​ | //file path// or //embedded pem// | Path to the client X.509 certificate or certificate chain to send on server request. ​ For some networks this is mandatory, for others optional.  Supported formats include PEM, DER and PKCS#12. | 
-| ''​EAP-TLS-ClientKey'',​\\ ''​EAP-TTLS-ClientKey'',​\\ ''​EAP-PEAP-ClientKey''​ | //file path// or //embedded pem// | Path to a PEM-formatted PKCS #8 private key corresponding to the certified client public key to authenticate ourselves to the server with.  For some networks this is manadatory, for others optional. | +| ''​EAP-TLS-ClientKey''​ | //file path// or //embedded pem// | Path to a private key corresponding to the certified client public key to authenticate ourselves to the server with.  For some networks this is manadatory, for others optional.  Various PEM-based formats and binary PKCS#12 are supported, PKCS#8 is the recommended format. | 
-| ''​EAP-TLS-ClientKeyPassphrase''​,\\ ''​EAP-TTLS-ClientKeyPassphrase''​,\\ ''​EAP-PEAP-ClientKeyPassphrase''​ | //text// | Decryption key for the client private key file.  Must be present iff the private key under ''​ClientKey'' ​is encrypted. |+| ''​EAP-TLS-ClientKeyBundle'' ​| //file path// | Path to a container fail to load both the certificate(s) and the private key from.  Either this or ''​EAP-TLS-ClientCert'' ​''​EAP-TLS-ClientKey''​ can be present but not both.  Supported formats include PKCS#12 and concatenated PEM payloads. | 
 +| ''​EAP-TLS-ClientKeyPassphrase''​ | //text// | Decryption key for the client private key file.  Must be present iff the private key or the certificate ​under one of the three settings above is encrypted. | 
 +''​EAP-TTLS-ClientCert''​,\\ ''​EAP-PEAP-ClientCert'',​\\ ''​EAP-TTLS-ClientCert'',​\\ ''​EAP-PEAP-ClientCert'',​\\ ''​EAP-TTLS-ClientKeyPassphrase'',​\\ ''​EAP-PEAP-ClientKeyPassphrase''​ | //ignored// | Removed in 1.12 |
 | ''​EAP-TLS-ServerDomainMask'',​\\ ''​EAP-TTLS-ServerDomainMask'',​\\ ''​EAP-PEAP-ServerDomainMask''​ | //text// | A mask for the domain names contained in the server'​s certificate. ​ At least one of the domain names present in the certificate'​s Subject Alternative Name extension'​s DNS Name fields or the Common Name has to match at least one mask, or authentication will fail.  Multiple masks can be given separated by semicolons. ​ The masks are split into segments at the dots.  Each segment has to match its corresponding label in the domain name.  An asterisk segment in the mask matches any label. ​ An asterisk segment at the beginning of the mask matches one or more consecutive labels from the beginning of the domain string. | | ''​EAP-TLS-ServerDomainMask'',​\\ ''​EAP-TTLS-ServerDomainMask'',​\\ ''​EAP-PEAP-ServerDomainMask''​ | //text// | A mask for the domain names contained in the server'​s certificate. ​ At least one of the domain names present in the certificate'​s Subject Alternative Name extension'​s DNS Name fields or the Common Name has to match at least one mask, or authentication will fail.  Multiple masks can be given separated by semicolons. ​ The masks are split into segments at the dots.  Each segment has to match its corresponding label in the domain name.  An asterisk segment in the mask matches any label. ​ An asterisk segment at the beginning of the mask matches one or more consecutive labels from the beginning of the domain string. |
 | ''​EAP-TTLS-Phase2-Method''​ | ''​Tunneled-CHAP'',​\\ ''​Tunneled-MSCHAP'',​\\ ''​Tunneled-MSCHAPv2'',​\\ ''​Tunneled-PAP''​ or\\ a valid EAP method name (see ''​EAP-Method''​) | Phase 2 authentication method for EAP-TTLS. ​ Can be either one of the TTLS-specific non-EAP methods (//​Tunneled-//​*),​ or any EAP method documented here.  The following two settings are used if any of the non-EAP methods is used.  No default value. | | ''​EAP-TTLS-Phase2-Method''​ | ''​Tunneled-CHAP'',​\\ ''​Tunneled-MSCHAP'',​\\ ''​Tunneled-MSCHAPv2'',​\\ ''​Tunneled-PAP''​ or\\ a valid EAP method name (see ''​EAP-Method''​) | Phase 2 authentication method for EAP-TTLS. ​ Can be either one of the TTLS-specific non-EAP methods (//​Tunneled-//​*),​ or any EAP method documented here.  The following two settings are used if any of the non-EAP methods is used.  No default value. |
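Review bot: the `Removed in 1.12` row that closes the ClientCert/ClientKey block lists `EAP-TTLS-ClientCert` and `EAP-PEAP-ClientCert` twice and never lists `EAP-TTLS-ClientKey` or `EAP-PEAP-ClientKey`, so someone migrating a TTLS or PEAP profile cannot tell from this row that those ClientKey settings are gone as well, even though the new ClientKey row keeps only `EAP-TLS-ClientKey`. Suggest the key cell read `EAP-TTLS-ClientCert, EAP-PEAP-ClientCert, EAP-TTLS-ClientKey, EAP-PEAP-ClientKey, EAP-TTLS-ClientKeyPassphrase, EAP-PEAP-ClientKeyPassphrase`. Smaller fixes in the same block: `container fail` should be `container file`; `manadatory` should be `mandatory` (pre-existing, but the row is being rewritten anyway); the new ClientCert row ends its key cell with a stray comma (`''EAP-TLS-ClientCert'',`) left over from the removed TTLS/PEAP variants; and the mutual-exclusion sentence in the ClientKeyBundle row is missing its conjunction, e.g. `Either this, or EAP-TLS-ClientCert together with EAP-TLS-ClientKey, can be present, but not both.` Finally, since the CACert row in this same hunk still says omitting it leaves IWD with no way to authenticate the server, it would be worth repeating in the ClientKeyBundle row that supplying a client credential bundle does not substitute for that setting: the bundle authenticates the client to the server, not the server to the client.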
Line 54: Line 60:
 | ''​EAP-TTLS-Phase2-Password''​ | //text// | Password string for the TTLS non-EAP Phase 2 methods. ​ No default, if not provided IWD will request a passphrase at connection time. | | ''​EAP-TTLS-Phase2-Password''​ | //text// | Password string for the TTLS non-EAP Phase 2 methods. ​ No default, if not provided IWD will request a passphrase at connection time. |
 | ''​EAP-TTLS-Phase2-*''​ | | Any settings to be used for the inner EAP method if one was specified as ''​EAP-TTLS-Phase2-Method'',​ rather than a TTLS-specific method. ​ The prefix ''​EAP-TTLS-Phase2-''​ replaces the ''​EAP-''​ prefix in the setting keys and their usage is unchanged. ​ Since the inner method'​s negotiation is encrypted, a secure identity string can be provided. | | ''​EAP-TTLS-Phase2-*''​ | | Any settings to be used for the inner EAP method if one was specified as ''​EAP-TTLS-Phase2-Method'',​ rather than a TTLS-specific method. ​ The prefix ''​EAP-TTLS-Phase2-''​ replaces the ''​EAP-''​ prefix in the setting keys and their usage is unchanged. ​ Since the inner method'​s negotiation is encrypted, a secure identity string can be provided. |
 +| ''​EAP-PEAP-Phase2-Method''​ | see ''​EAP-Method''​ | Phase 2 authentication method for EAP-PEAP. ​ No default value. ​ The PEAP phase 1 with no phase 2 (rare) is not supported. |
 | ''​EAP-PEAP-Phase2-*''​ | | Any settings to be used for the inner EAP method with EAP-PEAP as the outer method. ​ The prefix ''​EAP-PEAP-Phase2-''​ replaces the ''​EAP-''​ prefix in the setting keys and their usage is unchanged. ​ Since the inner method'​s negotiation is encrypted, a secure identity string can be provided. | | ''​EAP-PEAP-Phase2-*''​ | | Any settings to be used for the inner EAP method with EAP-PEAP as the outer method. ​ The prefix ''​EAP-PEAP-Phase2-''​ replaces the ''​EAP-''​ prefix in the setting keys and their usage is unchanged. ​ Since the inner method'​s negotiation is encrypted, a secure identity string can be provided. |
 |  Applies to: **EAP-PWD** ​                                                                                                                                                                                                                                                                                                                                                                                                                                                           ||| |  Applies to: **EAP-PWD** ​                                                                                                                                                                                                                                                                                                                                                                                                                                                           |||
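Review bot: the new `EAP-PEAP-Phase2-Method` row gives only `see EAP-Method` in its Values cell, whereas the parallel `EAP-TTLS-Phase2-Method` row spells out `a valid EAP method name (see EAP-Method)`; matching that wording would make explicit that PEAP, unlike TTLS, has no non-EAP `Tunneled-*` inner methods. The closing sentence also reads awkwardly; suggest `PEAP with no Phase 2 method (rare) is not supported.`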
networkconfigurationsettings.txt · Last modified: 2021/05/25 23:45 by Andrew Zaborowski