#1 2022-10-01 15:15:37

MiracleDinner
Member
Registered: 2022-06-30
Posts: 5

[SOLVED] How can I tell iwd to not need a CA Certificate

I am trying to connect to my university's WiFi within the Arch installation medium (I have a laptop with an Intel AX200 WiFi chip) but I cannot connect to the Wifi via iwd because it will just say "not configured". I have read the Arch Wiki page on iwd and especially the section on EAP-PEAP

https://wiki.archlinux.org/title/Iwd#EAP-PEAP

and created a file /var/lib/iwd/[name of the SSID].8021x

with the contents here https://pastebin.com/N52WAGRX


I then run iwctl but I am a little concerned it says "NetworkConfigurationEnabled: disabled"
I then proceed to type inside the iwd prompt
device list
(shows wlan0 as the only network adapter)
station wlan0 scan
station wlan0 get-networks
station wlan0 connect [SSID]

Which then outputs "Not configured"

I then try to debug this by typing journalctl -u iwd.service which gives an error message (with a timestamp at the exact moment I tried connecting) saying "EAP-PEAP-ServerDomainMask was set but no CA Certificates given"

I don't know how to proceed, but I feel I might be able to connect without a certificate. This is because I have an existing Ubuntu 20.04 installation on the laptop which is able to connect perfectly fine to the exact same WiFi with these settings:

https://i.imgur.com/cu4wZEF.png

(note that I also seem to be able to connect fine if I select PEAP)

My Live USB has on it many Linux distributions and all of them but Arch work with the WiFi using these settings - this includes Debian 11+GNOME, Fedora 36+XFCE, Fedora 36+Plasma, Mint 21 Cinnamon, Mint 21 XFCE, and Ubuntu 20.04 and 22.04.

Please could I have advice on how to connect to the WiFi on the installation medium. If there is any more information needed to help me connect I would be happy to provide it.

Last edited by MiracleDinner (2022-10-01 15:47:55)

Offline

#2 2022-10-01 15:19:42

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [SOLVED] How can I tell iwd to not need a CA Certificate

You'll have to remove EAP-PEAP-ServerDomainMask if you do not want to check the certificate.
The iwd developers are of the opinion that this mask doesn't matter without a certificate or CA. An attacker could easily create a certificate with that name when you do not have a trust anchor or certificate: https://github.com/s0lst1c3/eaphammer

Last edited by progandy (2022-10-01 15:26:09)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#3 2022-10-01 15:22:54

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: [SOLVED] How can I tell iwd to not need a CA Certificate

I'm pretty sure that PEAP by definition requires a certificate.  What leads you to believe the network is EAP-PEAP rather than EAP-PWD or one of the other variants?  Or that it's even EAP at all (your screenshot from Ubuntu says it's not).

Are you using iwd on other distros, or wpa_supplicant?  If the latter, why not use the same on arch?

Last edited by Trilby (2022-10-01 15:23:35)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#4 2022-10-01 15:34:15

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [SOLVED] How can I tell iwd to not need a CA Certificate

PEAP does send the certificate during the connection attempt. iwd allows you to use that, but it doesn't allow you to pretend you can have any security by checking the certificate domain. (MSCHAPv2 is not secure either, so without a secure verified PEAP tunnel you have no security at all)

If your university will not provide you with the certificate, then you could extract the certificate using wpa_supplicant and wireshark to at least have TOFU (trust on first use). That can be automated with e.g. python-pyshark (AUR) and https://github.com/InfamousSYN/wifipem. The extracted certificate can be used with iwd as well, but the university may have different certs for different APs or rotate them frequently, so it may not work well.

Last edited by progandy (2022-10-01 15:41:38)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#5 2022-10-01 15:47:21

MiracleDinner
Member
Registered: 2022-06-30
Posts: 5

Re: [SOLVED] How can I tell iwd to not need a CA Certificate

FIXED: Using the /var/lib/iwd/[name of SSID].8021x file here: https://pastebin.com/M41WUfea

Offline

#6 2022-10-01 15:53:36

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [SOLVED] How can I tell iwd to not need a CA Certificate

You should really find the certificate and use it. If the university won't provide one, be aware that some newer android 11 / android 12 devices, especially Google Pixels, require the certificate or won't connect at all. That might get them moving if they try to tell you that it is no problem with windows / their supported linux flavor. https://support.google.com/pixelphone/t … able?hl=en

Edit: Maybe your university uses certificates signed by a well-known authority, so you could try e.g.

EAP-PEAP-CACert=/etc/ca-certificates/extracted/ca-bundle.trust.crt
or
EAP-PEAP-CACert=/etc/ca-certificates/extracted/tls-ca-bundle.pem

If you know the specific CA, choose it from /etc/ca-certificates/extracted/cadir

Last edited by progandy (2022-10-01 16:11:45)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline
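
The rule discussed in this thread, as an added example (not code from any poster or from the iwd project): a small Python check that reads an iwd .8021x PEAP profile and reports the mask-without-CA case that iwd rejects, the no-CA case where the server is never validated, and a CA file used without a domain mask. The profiles are constructed samples with placeholder identities; the function name and finding codes are hypothetical.

```python
import configparser

# Constructed sample profile; identities, realm and password are placeholders.
MASK_ONLY = """\
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@example.edu
EAP-PEAP-ServerDomainMask=radius.example.edu
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=user@example.edu
EAP-PEAP-Phase2-Password=constructed-password
"""
# Same profile with a trust anchor added (bundle path as quoted in the thread).
CA_AND_MASK = MASK_ONLY.replace(
    "EAP-PEAP-ServerDomainMask",
    "EAP-PEAP-CACert=/etc/ca-certificates/extracted/tls-ca-bundle.pem\n"
    "EAP-PEAP-ServerDomainMask")
# Same profile with the mask removed and still no CA.
NO_CHECKS = "\n".join(
    l for l in MASK_ONLY.splitlines() if "ServerDomainMask" not in l)


def audit_peap_profile(text):
    """Return (code, message) findings for an iwd .8021x PEAP profile."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    sec = cp["Security"] if cp.has_section("Security") else {}
    if sec.get("EAP-Method") != "PEAP":
        return [("not-peap", "no [Security] EAP-Method=PEAP; nothing checked")]
    ca = sec.get("EAP-PEAP-CACert", "").strip()
    mask = sec.get("EAP-PEAP-ServerDomainMask", "").strip()
    phase2 = sec.get("EAP-PEAP-Phase2-Method", "").strip()
    findings = []
    if mask and not ca:
        findings.append(("mask-without-ca",
                         "iwd rejects the profile: mask set but no CA given"))
    if not ca:
        findings.append(("no-server-validation",
                         f"tunnel is unauthenticated; {phase2 or 'inner'} "
                         "credentials go to whichever AP answers"))
    if ca and not mask:
        findings.append(("ca-without-mask",
                         "any server certificate chaining to the CA file is accepted"))
    return findings


if __name__ == "__main__":
    for name in ("MASK_ONLY", "CA_AND_MASK", "NO_CHECKS"):
        print(name, audit_peap_profile(globals()[name]))
```

The ca-without-mask finding matters most when the CA file is a bundle of public authorities, since a certificate for any name issued under that bundle would then pass.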
