Wpa supplicant: Difference between revisions
imported>Oddlama m Fix indenting |
imported>Joeriexelmans Add example of setting OpenSSL's SECLEVEL=0 |
||
Line 111: | Line 111: | ||
''; | ''; | ||
}; | }; | ||
</syntaxHighlight> | |||
== Fixing "legacy sigalg disallowed or unsupported" == | |||
When connecting to an institutional network fails, and something similar to following lines appear in the system log: | |||
<syntaxHighlight> | |||
mrt 31 17:17:19 t14 wpa_supplicant[727029]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error | |||
mrt 31 17:17:19 t14 wpa_supplicant[727029]: OpenSSL: openssl_handshake - SSL_connect error:0A00014D:SSL routines::legacy sigalg disallowed or unsupported | |||
</syntaxHighlight> | |||
The cause is probably an outdated RADIUS server that uses an old (insecure) signature algorithm. A workaround can be to reduce OpenSSL's security setting to allow insecure ciphers. Add the following to your NixOS configuration: | |||
<syntaxHighlight lang=nixos> | |||
networking.wireless.extraConfig = '' | |||
openssl_ciphers=DEFAULT@SECLEVEL=0 | |||
''; | |||
</syntaxHighlight> | </syntaxHighlight> | ||
Revision as of 15:46, 31 March 2023
General
wpa_supplicant can be enabled on NixOS with networking.wireless.enable = true
.
Extra configuration can be specified inside networking.wireless.extraConfig
.
wpa_supplicant_gui
To be able to use wpa_gui
or wpa_cli
as user put the following in your configuration.nix
file:
networking.wireless.userControlled.enable = true;
Also your user must be part of the wheel
group (replace USER with your username):
users.extraUsers.USER.extraGroups = [ "wheel" ];
Using wpa_supplicant from within the configuration file
You can configure your networks with the option networks
. You have to fill the name(s) of your wifi(s) after the option and the preshared-key(s) (usually called psk
). If you do not want to have your secret key in plaintext, you can use pskRaw, generated with wpa_passphrase SSID password
. An example of using networks :
networking.wireless.networks.Wifi_name.pskRaw = "pskRaw generated";
If you have multiple networks, and you want to set the priority, you can use networking.wireless.networks.Wifi_name.priority = <value>;
A full example to connect to a university or similar network that uses MSCHAPV2 (like UWF):
networking.wireless.networks."uwf-argo-air" = {
hidden = true;
auth = ''
key_mgmt=WPA-EAP
eap=PEAP
phase2="auth=MSCHAPV2"
identity="unx42"
password="p@$$w0rd"
'';
};
To avoid having your network password in accessible plaintext on your system or in your version control consider using networking.wireless.environmentFile.
Switching Network
From the shell terminal, use the wpa_cli
command line tool and specify the network interface device with -g
wpa_cli -g /run/wpa_supplicant/wlp3s0
list_network
select_network 2
As a means to debug if things are working, open another terminal and examine the logs by:
journalctl -u wpa_supplicant -f
MAC spoofing
Since there is no option to randomize your MAC address for wpa supplicant, you can instead create your own service using GNU's macchanger:
let
change-mac = pkgs.writeShellScript "change-mac" ''
card=$1
tmp=$(mktemp)
${pkgs.macchanger}/bin/macchanger "$card" -s | grep -oP "[a-zA-Z0-9]{2}:[a-zA-Z0-9]{2}:[^ ]*" > "$tmp"
mac1=$(cat "$tmp" | head -n 1)
mac2=$(cat "$tmp" | tail -n 1)
if [ "$mac1" = "$mac2" ]; then
if [ "$(cat /sys/class/net/"$card"/operstate)" = "up" ]; then
${pkgs.iproute2}/bin/ip link set "$card" down &&
${pkgs.macchanger}/bin/macchanger -r "$card"
${pkgs.iproute2}/bin/ip link set "$card" up
else
${pkgs.macchanger}/bin/macchanger -r "$card"
fi
fi
'';
in
systemd.services.macchanger = {
enable = true;
description = "macchanger on wlan0";
wants = [ "network-pre.target" ];
before = [ "network-pre.target" ];
bindsTo = [ "sys-subsystem-net-devices-wlan0.device" ];
after = [ "sys-subsystem-net-devices-wlan0.device" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${change-mac} wlan0";
};
};
Where you need to change the wlan0
with your own wifi network interface. You can list your interfaces by running ip link
, your wifi network interface should have "wl" prepended. Note that the above snippet fully randomizes your MAC address, for more information you can read macchanger's manpage. This obviously requires you to have the macchanger
package installed.
Eduroam
Nowadays, using EAP-PWD is preferred over MSCHAPv2 when connecting to eduroam or other institutional networks. It provides stronger security claims and is simpler to set up. It also never transmits your password, doesn't require certificates and needs less authentication roundtrips. The identity and password should be given to you by your institution.
networking.wireless.networks.eduroam = {
auth = ''
key_mgmt=WPA-EAP
eap=PWD
identity="youruser@yourinstitution.edu"
password="p@$$w0rd"
'';
};
Fixing "legacy sigalg disallowed or unsupported"
When connecting to an institutional network fails, and something similar to following lines appear in the system log:
mrt 31 17:17:19 t14 wpa_supplicant[727029]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
mrt 31 17:17:19 t14 wpa_supplicant[727029]: OpenSSL: openssl_handshake - SSL_connect error:0A00014D:SSL routines::legacy sigalg disallowed or unsupported
The cause is probably an outdated RADIUS server that uses an old (insecure) signature algorithm. A workaround can be to reduce OpenSSL's security setting to allow insecure ciphers. Add the following to your NixOS configuration:
networking.wireless.extraConfig = ''
openssl_ciphers=DEFAULT@SECLEVEL=0
'';
External links
(german) article eduroam meets NixOS (with configuration) (instance University of Applied Sciences Dresden: The eduroam installer for GNU/Linux works for example for Ubuntu but not NixOS)