Network/802.1X client settings

Android

App

You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:

• From Google Playstore: https://play.google.com/store/apps/details?id=nl.eventinfra.wifisetup
• Source-code: https://github.com/EventInfra/wifisetup
• APK download: https://eventinfra.org/mch2022/app-release.apk

Manually

If you don't want to use the app, download the ISRG Root X1, and install it into your device's Wi-Fi certificate store, giving it any name you like. Then connect to the MCH2022 network using the following information:

EAP method	TTLS (not TLS)
Phase 2 authentication	PAP
CA certificate	(whatever name you gave the ISRG Root X1)
Domain	radius.eventinfra.org
Identity	mch
Password	mch

It's fine to leave Online Certificate status as "Do not validate", and leave the Anonymous identity blank.

Linux, etc.

Network Manager

You can use the following config file:

Please note that some versions of NM are buggy and will only work with 802.1X using MSCHAPv2, or not at all. If that affects you, it may be easiest to use wpa_supplicant.

/etc/NetworkManager/system-connections/MCH2022:

Hint: chmod 600 this file to make the connection work.

[connection]
id=MCH2022
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=MCH2022

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.eventinfra.org
ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem
eap=ttls;
identity=mch
password=mch
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto

WiCD

You need an additional crypto setting for WiCD. Put this file into /etc/wicd/encryption/templates/eap-ttls (debian systems, might be different with other *nix flavours):

 name = EAP-TTLS MCH2022
 author = Felicitus
 require identity *Identity password *password
 -----
 ctrl_interface=/var/run/wpa_supplicant
 network={
  ssid="MCH2022"
  scan_ssid=$_SCAN
  identity="mch"
  password="mch"
  proto=WPA2
  key_mgmt=WPA-EAP
  group=CCMP
  pairwise=CCMP
  eap=TTLS
  ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
  altsubject_match="DNS:radius.eventinfra.org"
  anonymous_identity="$_ANONYMOUS_IDENTITY"
  phase2="auth=PAP"
  #priority=2
 }

Edit /etc/wicd/encryption/templates/active to include the eap-ttls config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS MCH2022) and enter a random username/password.

Jolla/connman

/var/lib/connman/MCH2022wifi.config :

 [service_MCH2022]
 Type=wifi
 Name=MCH2022-legacy
 EAP=ttls
 Phase2=PAP
 Identity=mch
 Passphrase=mch

wpa_supplicant

This is the default option on Raspberry Pi OS. Edit /etc/wpa_supplicant/wpa_supplicant.conf and add the network:

network={
	ssid="MCH2022"
	key_mgmt=WPA-EAP
	eap=TTLS
	identity="mch"
	password="mch"
	# ca path on debian 7.x and raspberry pi OS, modify accordingly
	ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
	altsubject_match="DNS:radius.eventinfra.org"
	phase2="auth=PAP"
}

Interfaces

As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:

 iface wlan0 inet dhcp
 	wpa-ssid MCH2022
 	wpa-identity mch
 	wpa-password mch
 	wpa-proto WPA2
 	wpa-key_mgmt WPA-EAP
 	wpa-group CCMP
 	wpa-pairwise CCMP
 	wpa-eap TTLS
 	wpa-phase2 "auth=PAP"
 	wpa-ca_cert "/etc/ssl/certs/ISRG_Root_X1.pem"
 	wpa-altsubject_match DNS:radius.eventinfra.org

Netctl

Description='MCH2022 secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=MCH2022
WPAConfigSection=(
    'ssid="MCH2022"'
    'proto=RSN WPA'
    'key_mgmt=WPA-EAP'
    'eap=TTLS'
    'identity="mch"'
    'password="mch"'
    'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"'
    'altsubject_match="DNS:radius.eventinfra.org"'
    'phase2="auth=PAP"'
)

IWD

[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@MCH2022
EAP-PEAP-CACert=/etc/ssl/certs/ISRG_Root_X1.pem
EAP-PEAP-ServerDomainMask=radius.eventinfra.org
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=mch
EAP-PEAP-Phase2-Password=mch

[Settings]
AutoConnect=true

NixOS

networking.wireless.networks."MCH2022".auth = ''
  key_mgmt=WPA-EAP
  eap=TTLS
  identity="mch"
  password="mch"
  ca_cert="${builtins.fetchurl {
    url = "https://letsencrypt.org/certs/isrgrootx1.pem";
    sha256 = "sha256:1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
  }}"
  altsubject_match="DNS:radius.eventinfra.org"
  phase2="auth=PAP"
'';

Apple MacOS/iOS

You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:

• MCH2022 (2.4GHz+5GHz, mch user)

Windows

Import one of these profiles for the correct WiFi-settings for Windows:

• MCH2022 (2.4GHz+5GHz)

To import and connect follow these steps:

1. Open a command prompt and execute: netsh wlan add profile filename=mch2022.xml
2. Connect to the MCH2022 network; use "mch/mch" as the username/password when prompted. Alternatively, use "outboundonly/outboundonly" as the username/password to enable inbound traffic firewalling.