Iwd: Difference between revisions
Kusanaginoturugi (talk | contribs) (→See also: add == Troubleshooting ==) |
Kusanaginoturugi (talk | contribs) (→WPA Enterprise: replace == Network configuration ==) |
109行目: | 109行目: | ||
[iwd]# known-networks ''SSID'' forget |
[iwd]# known-networks ''SSID'' forget |
||
− | == |
+ | == Network configuration == |
+ | By default, ''iwd'' stores the network configuration in the directory {{ic|/var/lib/iwd}}. The configuration file is named as {{ic|''network''.''type''}}, where ''network'' is the network SSID and ''.type'' is the network type, either ''.open'', ''.wep'', ''.psk'' or ''.8021x''. The file is used to store the encrypted {{ic|PreSharedKey}} and optionally the cleartext {{ic|Passphrase}} and can also be created by the user without invoking {{ic|iwctl}}. The file can be used for other configuration pertaining to that network SSID as well. For more settings, see {{man|5|iwd.network}}. |
||
− | === EAP-PWD === |
||
+ | === WPA-PSK === |
||
− | EAP-PWD で保護されたエンタープライズアクセスポイントに接続するには {{ic|/var/lib/iwd}} フォルダに以下の内容で {{ic|''essid''.8021x}} という名前のファイルを作成する必要があります: |
||
+ | |||
+ | A minimal example file to connect to a WPA-PSK or WPA2-PSK secured network with SSID "spaceship" and passphrase "test1234": |
||
+ | |||
+ | {{hc|/var/lib/iwd/spaceship.psk|2= |
||
+ | [Security] |
||
+ | PreSharedKey=aafb192ce2da24d8c7805c956136f45dd612103f086034c402ed266355297295}} |
||
+ | |||
+ | {{Note|The SSID of the network is used as a filename only when it contains only alphanumeric characters or one of {{ic|- _}}. If it contains any other characters, the name will instead be an {{ic|1==}}-character followed by the hex-encoded version of the SSID. |
||
+ | }} |
||
+ | |||
+ | To calculate the presharedkey from the passphrase, one of these two methods can be used: |
||
+ | * Enter the passphrase in cleartext in the configuration file: |
||
+ | {{hc|/var/lib/iwd/spaceship.psk|2= |
||
+ | [Security] |
||
+ | Passphrase=test1234}} |
||
+ | The presharedkey will be appended to the file at the first connect: |
||
+ | {{hc|/var/lib/iwd/spaceship.psk|2= |
||
+ | [Security] |
||
+ | Passphrase=test1234 |
||
+ | PreSharedKey=aafb192ce2da24d8c7805c956136f45dd612103f086034c402ed266355297295}} |
||
+ | |||
+ | * Or the presharedkey can be calculated from the SSID and the passphrase using ''wpa_passphrase'' (from {{Pkg|wpa_supplicant}}) or {{AUR|wpa-psk}}. See [[wpa_supplicant#Connecting with wpa_passphrase]] for more details. |
||
+ | |||
+ | === WPA Enterprise === |
||
+ | |||
+ | ==== EAP-PWD ==== |
||
+ | |||
+ | For connecting to a EAP-PWD protected enterprise access point you need to create a file called: {{ic|''essid''.8021x}} in the folder {{ic|/var/lib/iwd}} with the following content: |
||
{{hc|/var/lib/iwd/''essid''.8021x|2= |
{{hc|/var/lib/iwd/''essid''.8021x|2= |
||
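Review bot: "the encrypted {{ic|PreSharedKey}}" in the new Network configuration paragraph is inaccurate: the 64-hex-digit value in the WPA-PSK example is the key derived from the SSID and passphrase (as the wpa_passphrase bullet in the same hunk says), not an encrypted form of anything, and on its own it is enough to join the network. Suggest "the derived {{ic|PreSharedKey}}" plus one sentence that the file must stay readable by root only, so readers do not treat a file without {{ic|Passphrase}} as safe to share. Minor: "presharedkey" in the two prose lines should match the key name {{ic|PreSharedKey}}.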
119行目: | 147行目: | ||
EAP-Method=PWD |
EAP-Method=PWD |
||
EAP-Identity=''your_enterprise_email'' |
EAP-Identity=''your_enterprise_email'' |
||
− | EAP |
+ | EAP-Password=''your_password'' |
[Settings] |
[Settings] |
||
− | + | AutoConnect=True |
|
}} |
}} |
||
+ | If you do not want autoconnect to the AP you can set the option to False and connect manually to the access point via {{ic|iwctl}}. The same applies to the password, if you do not want to store it plaintext leave the option out of the file and just connect to the enterprise AP. |
||
− | アクセスポイントに自動接続したくない場合、Autoconnect オプションを False に設定して {{ic|iwctl}} で手動でアクセスポイントに接続してください。パスワードを平文で保存したくない場合は、ファイルからパスワードの設定を外してください。 |
||
+ | |||
+ | ==== EAP-PEAP ==== |
||
+ | |||
+ | Like EAP-PWD, you also need to create a {{ic|''essid''.8021x}} in the folder. Before you proceed to write the configuration file, this is also a good time to find out which CA certificate your organization uses. For MSCHAPv2 to work you also need to install {{Pkg|ppp}}. Please see [[Network_configuration/Wireless#MS-CHAPv2|MS-CHAPv2]] for more infos. This is an example configuration file that uses MSCHAPv2 password authentication: |
||
+ | |||
+ | {{hc|/var/lib/iwd/''essid''.8021x|2= |
||
+ | [Security] |
||
+ | EAP-Method=PEAP |
||
+ | EAP-Identity=anonymous@realm.edu |
||
+ | EAP-PEAP-CACert=/path/to/root.crt |
||
+ | EAP-PEAP-ServerDomainMask=radius.realm.edu |
||
+ | EAP-PEAP-Phase2-Method=MSCHAPV2 |
||
+ | EAP-PEAP-Phase2-Identity=johndoe@realm.edu |
||
+ | EAP-PEAP-Phase2-Password=hunter2 |
||
+ | |||
+ | [Settings] |
||
+ | AutoConnect=true |
||
+ | }} |
||
+ | |||
+ | {{Tip|If you are planning on using ''eduroam'', see also [[#Eduroam]].}} |
||
+ | |||
+ | ==== TTLS-PAP ==== |
||
+ | |||
+ | Like EAP-PWD, you also need to create a {{ic|''essid''.8021x}} in the folder. Before you proceed to write the configuration file, this is also a good time to find out which CA certificate your organization uses. This is an example configuration file that uses PAP password authentication: |
||
+ | |||
+ | {{hc|/var/lib/iwd/''essid''.8021x|2= |
||
+ | [Security] |
||
+ | EAP-Method=TTLS |
||
+ | EAP-Identity=anonymous@uni-test.de |
||
+ | EAP-TTLS-CACert=cert.pem |
||
+ | EAP-TTLS-ServerDomainMask=*.uni-test.de |
||
+ | EAP-TTLS-Phase2-Method=Tunneled-PAP |
||
+ | EAP-TTLS-Phase2-Identity=user |
||
+ | EAP-TTLS-Phase2-Password=password |
||
+ | |||
+ | [Settings] |
||
+ | AutoConnect=true |
||
+ | }} |
||
+ | |||
+ | ==== Eduroam ==== |
||
+ | |||
+ | Eduroam offers a [https://cat.eduroam.org/ configuration assistant tool (CAT)], which unfortunately does not support iwd. However, the installer, which you can download by clicking on the download button then selecting your university, is just a Python script. It is easy to extract the necessary configuration options, including the certificate and server domain mask. |
||
+ | |||
+ | The following table contains a mapping of iwd configuration options to eduroam CAT install script variables. |
||
+ | |||
+ | {| class="wikitable |
||
+ | ! Iwd Configuration Option !! CAT Script Variable |
||
+ | |- |
||
+ | | file name || one of {{ic|Config.ssids}} |
||
+ | |- |
||
+ | | {{ic|EAP-Method}} || {{ic|Config.eap_outer}} |
||
+ | |- |
||
+ | | {{ic|EAP-Identity}} || {{ic|Config.anonymous_identity}} |
||
+ | |- |
||
+ | | {{ic|EAP-PEAP-CACert}} || {{ic|Config.CA}} |
||
+ | |- |
||
+ | | {{ic|EAP-PEAP-ServerDomainMask}} || one of {{ic|Config.servers}} |
||
+ | |- |
||
+ | | {{ic|EAP-PEAP-Phase2-Method}} || {{ic|Config.eap_inner}} |
||
+ | |- |
||
+ | | {{ic|EAP-PEAP-Phase2-Identity}} || username@{{ic|Config.user_realm}} |
||
+ | |} |
||
+ | |||
+ | {{Note| |
||
+ | * {{ic|EAP-Identity}} may not be required by your Eduroam provider, in which case you can use {{ic|anonymous}} in this field. |
||
+ | * If your {{ic|EAP-PEAP-ServerDomainMask}} starts with {{ic|DNS:}}, use only the part after {{ic|DNS:}}. |
||
+ | }} |
||
+ | |||
+ | ==== Other cases ==== |
||
+ | |||
+ | More example tests can be [https://git.kernel.org/pub/scm/network/wireless/iwd.git/tree/autotests found in the test cases] of the upstream repository. |
||
== 任意設定 == |
== 任意設定 == |
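Review bot: the TTLS-PAP example sets {{ic|1=EAP-TTLS-CACert=cert.pem}}, a relative path, while the PEAP example uses {{ic|/path/to/root.crt}}; since the daemon rather than the user's shell opens that file, suggest an absolute path here as well, and for both examples a sentence that {{ic|CACert}} together with {{ic|ServerDomainMask}} is what stops a rogue access point from collecting the Phase2 password, which is why neither is optional with PAP or MSCHAPv2. Minor: the EAP-PWD example writes {{ic|1=AutoConnect=True}} while the others write {{ic|1=AutoConnect=true}}; pick one spelling. The EAP-PWD paragraph could also say that when {{ic|EAP-Password}} is left out, {{ic|iwctl}} prompts for it at connect time.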
Revision as of 22:33, 15 February 2021 (Mon)
IWD (iNet wireless daemon) is a wireless daemon for Linux written by Intel that aims to replace wpa_supplicant [1]. IWD can run standalone, but it can also be combined with ConnMan or NetworkManager.
IWD ships with its own cryptographic library, ELL, and includes a number of improvements such as talking directly to the Linux kernel's cryptographic subsystem. IWD takes a simple, secure and modern approach.
Installation
Usage
The iwd package contains the client program iwctl, the daemon iwd and the Wi-Fi monitoring tool iwmon.
Once the iwd daemon is running (start and enable iwd.service), it can be controlled with the iwctl command.
iwctl
To get an interactive prompt do:
$ iwctl
The interactive prompt is then displayed with the prefix [iwd]#.
To list all available commands:
[iwd]# help
Connect to a network
First, if you do not know your wireless device name, list all Wi-Fi devices:
[iwd]# device list
Then, to scan for networks:
[iwd]# station device scan
You can then list all available networks:
[iwd]# station device get-networks
Finally, to connect to a network:
[iwd]# station device connect SSID
If a passphrase is required, you will be prompted to enter it. Alternatively, you can supply it as a command line argument:
$ iwctl --passphrase passphrase station device connect SSID
Connect to a network using WPS/WSC
If your network is configured such that you can connect to it by pressing a button (Wikipedia:Wi-Fi Protected Setup), check first that your network device is also capable of using this setup procedure.
[iwd]# wsc list
Then, provided that your device appeared in the above list,
[iwd]# wsc device push-button
and push the button on your router. The procedure also works if the button was pushed beforehand, less than 2 minutes earlier.
If your network instead requires a PIN to connect this way, check the output of the help command to see how to pass the right options to the wsc command.
Disconnect from a network
To disconnect from a network:
[iwd]# station device disconnect
Show device and connection information
To display the details of a Wi-Fi device, such as its MAC address:
[iwd]# device device show
To display the connection state, including the connected network of a Wi-Fi device:
[iwd]# station device show
Manage known networks
To list networks you have connected to previously:
[iwd]# known-networks list
To forget a known network:
[iwd]# known-networks SSID forget
Network configuration
By default, iwd stores network configuration in the directory /var/lib/iwd. Each file is named network.type, where network is the SSID and type is the network type: open, wep, psk or 8021x. For PSK networks the file holds the derived PreSharedKey (the 256-bit key computed from the SSID and the passphrase; it is not an encrypted passphrase, and on its own it is enough to join the network, so keep the file readable by root only) and optionally the cleartext Passphrase. The file can be created by hand without invoking iwctl, and it can carry other settings for that SSID as well. For the full list of settings, see iwd.network(5).
WPA-PSK
A minimal file to connect to a WPA-PSK or WPA2-PSK secured network with SSID "spaceship" and passphrase "test1234":
/var/lib/iwd/spaceship.psk
    [Security]
    PreSharedKey=aafb192ce2da24d8c7805c956136f45dd612103f086034c402ed266355297295
Note: the SSID is used as the file name only if it consists solely of alphanumeric characters, "-" and "_". If it contains any other character, the name is instead an "=" character followed by the hex-encoded SSID.
To obtain the PreSharedKey from the passphrase, use one of these two methods:
- Put the passphrase in cleartext in the configuration file:
/var/lib/iwd/spaceship.psk
    [Security]
    Passphrase=test1234
  iwd appends the PreSharedKey to the file on the first successful connection:
/var/lib/iwd/spaceship.psk
    [Security]
    Passphrase=test1234
    PreSharedKey=aafb192ce2da24d8c7805c956136f45dd612103f086034c402ed266355297295
- Or compute the PreSharedKey from the SSID and the passphrase with wpa_passphrase (from wpa_supplicant) or wpa-pskAUR. See wpa_supplicant#Connecting with wpa_passphrase for details.
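The PreSharedKey above is what wpa_passphrase computes: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes of output, as specified by IEEE 802.11i. The following Python script is an added example and is not code from iwd or from the wiki. It derives the key, applies the file-naming rule from the note above (lower-case hex for the "=" form is an assumption of this example; the page only says hex-encoded) and renders the .psk file without the cleartext passphrase. The "IEEE"/"password" pair in the code is the published 802.11i test vector.

```python
"""Derive an iwd .psk network file from SSID and passphrase (added example, not iwd code)."""
import hashlib
import re

PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-Personal
PSK_BYTES = 32            # 256-bit PSK; this value becomes the PMK
NETWORK_TYPES = ("open", "wep", "psk", "8021x")


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Return the 64-hex-char PreSharedKey; the same computation wpa_passphrase does."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA passphrase must be 8 to 63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                              PBKDF2_ITERATIONS, PSK_BYTES)
    return key.hex()


def iwd_network_filename(ssid: str, network_type: str = "psk") -> str:
    """File name used under /var/lib/iwd for this SSID.

    Plain alphanumerics, '-' and '_' are used verbatim; anything else is
    written as '=' followed by the hex-encoded SSID bytes (lower-case hex
    is an assumption of this example).
    """
    if network_type not in NETWORK_TYPES:
        raise ValueError(f"unknown network type {network_type!r}")
    if re.fullmatch(r"[A-Za-z0-9_-]+", ssid):
        name = ssid
    else:
        name = "=" + ssid.encode("utf-8").hex()
    return f"{name}.{network_type}"


def render_psk_file(ssid: str, passphrase: str, keep_passphrase: bool = False) -> str:
    """Content of the .psk file. By default only the derived key is written,
    so the cleartext passphrase never touches disk."""
    lines = ["[Security]"]
    if keep_passphrase:
        lines.append(f"Passphrase={passphrase}")
    lines.append(f"PreSharedKey={wpa_psk(ssid, passphrase)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Published IEEE 802.11i test vector, handy for checking the derivation.
    print(wpa_psk("IEEE", "password"))
    # The page's example network.
    print(iwd_network_filename("spaceship"))
    print(render_psk_file("spaceship", "test1234"), end="")
    # An SSID containing a space falls back to the hex-encoded name.
    print(iwd_network_filename("my net", "8021x"))
```

Write the rendered content to /var/lib/iwd/<name> as root with mode 0600; the derived key is equivalent to the passphrase for the purpose of joining the network, so the file is a credential even when Passphrase is absent.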
WPA Enterprise
EAP-PWD
To connect to an EAP-PWD protected enterprise access point, create a file called essid.8021x in the folder /var/lib/iwd with the following content:
/var/lib/iwd/essid.8021x
    [Security]
    EAP-Method=PWD
    EAP-Identity=your_enterprise_email
    EAP-Password=your_password
    [Settings]
    AutoConnect=True
If you do not want to autoconnect to the AP, set the option to False and connect manually via iwctl. The same applies to the password: if you do not want to store it in plaintext, leave the option out of the file; iwctl will prompt for it when you connect to the enterprise AP.
EAP-PEAP
As with EAP-PWD, create an essid.8021x file in that folder. Before you write the configuration file, this is also a good time to find out which CA certificate your organization uses. For MSCHAPv2 to work you also need to install ppp; see MS-CHAPv2 for more information. This is an example configuration file that uses MSCHAPv2 password authentication:
/var/lib/iwd/essid.8021x
    [Security]
    EAP-Method=PEAP
    EAP-Identity=anonymous@realm.edu
    EAP-PEAP-CACert=/path/to/root.crt
    EAP-PEAP-ServerDomainMask=radius.realm.edu
    EAP-PEAP-Phase2-Method=MSCHAPV2
    EAP-PEAP-Phase2-Identity=johndoe@realm.edu
    EAP-PEAP-Phase2-Password=hunter2

    [Settings]
    AutoConnect=true
Tip: if you plan to use eduroam, see also Eduroam below.
TTLS-PAP
As with EAP-PWD, create an essid.8021x file in that folder. Before you write the configuration file, this is also a good time to find out which CA certificate your organization uses and where it is installed. This is an example configuration file that uses PAP password authentication:
/var/lib/iwd/essid.8021x
    [Security]
    EAP-Method=TTLS
    EAP-Identity=anonymous@uni-test.de
    EAP-TTLS-CACert=cert.pem
    EAP-TTLS-ServerDomainMask=*.uni-test.de
    EAP-TTLS-Phase2-Method=Tunneled-PAP
    EAP-TTLS-Phase2-Identity=user
    EAP-TTLS-Phase2-Password=password

    [Settings]
    AutoConnect=true
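The PEAP and TTLS examples above share the same trust decisions: the CA certificate and the server domain mask are what bind the TLS tunnel to your organization's RADIUS server, and the Phase2 password sent inside that tunnel is only as safe as that binding. The following Python script is an added example, not part of iwd or of the wiki. It parses files in the /var/lib/iwd format and reports a missing or relative CACert, a missing ServerDomainMask, cleartext passwords or passphrases, and a credential file that other users can read. The two embedded sample files are constructed from the page's examples; the certificate path in the hardened PEAP sample is invented.

```python
"""Lint iwd network files (.psk / .8021x) for weak settings (added example, not iwd code)."""
import configparser
import os
import stat
import tempfile
from typing import List

TUNNELLED_METHODS = ("PEAP", "TTLS")  # outer methods whose security rests on the server certificate


def parse_network_file(text: str) -> configparser.ConfigParser:
    """iwd network files are INI-style: [Security] / [Settings] groups with case-sensitive keys."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: iwd expects e.g. EAP-PEAP-CACert exactly
    cp.read_string(text)
    return cp


def lint_network(text: str) -> List[str]:
    """Return a list of findings for one file's content; an empty list means nothing to report."""
    cp = parse_network_file(text)
    sec = cp["Security"] if cp.has_section("Security") else {}
    findings: List[str] = []

    if "Passphrase" in sec:
        findings.append("Passphrase stored in cleartext; delete it once PreSharedKey is present")

    method = sec.get("EAP-Method")
    if method == "PWD" and "EAP-Password" in sec:
        findings.append("EAP-Password stored in cleartext; omit it and let iwctl prompt")

    if method in TUNNELLED_METHODS:
        prefix = f"EAP-{method}-"
        cacert = sec.get(prefix + "CACert")
        if cacert is None:
            findings.append(f"{prefix}CACert missing: the RADIUS server certificate is not verified, "
                            "so a rogue access point can harvest the Phase2 credentials")
        elif not os.path.isabs(cacert):
            findings.append(f"{prefix}CACert is a relative path ({cacert}); use an absolute path")
        if prefix + "ServerDomainMask" not in sec:
            findings.append(f"{prefix}ServerDomainMask missing: any certificate issued by the CA "
                            "is accepted, not just your organization's RADIUS server")
        if prefix + "Phase2-Password" in sec:
            findings.append(f"{prefix}Phase2-Password stored in cleartext; omit it and let iwctl prompt")
    return findings


def check_permissions(path: str) -> List[str]:
    """The file holds credentials: nothing but root should be able to read it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path} is mode {mode:04o}; group/other bits set on a credential file"]
    return []


def lint_path(path: str) -> List[str]:
    with open(path, encoding="utf-8") as fh:
        return check_permissions(path) + lint_network(fh.read())


# Constructed samples modelled on the page's examples (no real credentials).
TTLS_SAMPLE = """\
[Security]
EAP-Method=TTLS
EAP-Identity=anonymous@uni-test.de
EAP-TTLS-CACert=cert.pem
EAP-TTLS-ServerDomainMask=*.uni-test.de
EAP-TTLS-Phase2-Method=Tunneled-PAP
EAP-TTLS-Phase2-Identity=user
EAP-TTLS-Phase2-Password=password

[Settings]
AutoConnect=true
"""

PEAP_HARDENED = """\
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@realm.edu
EAP-PEAP-CACert=/etc/ssl/certs/realm-root.pem
EAP-PEAP-ServerDomainMask=radius.realm.edu
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=johndoe@realm.edu

[Settings]
AutoConnect=true
"""

if __name__ == "__main__":
    # Write the samples to a scratch directory and lint them as files, permissions included.
    with tempfile.TemporaryDirectory() as tmp:
        for name, body, mode in (("uni.8021x", TTLS_SAMPLE, 0o644),
                                 ("realm.8021x", PEAP_HARDENED, 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
            for finding in lint_path(path) or [f"{name}: OK"]:
                print(finding)
```

Run it as root against /var/lib/iwd/*.8021x after editing; the hardened PEAP sample passes because the CA path is absolute, the domain mask is set and the password is left to the iwctl prompt.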
Eduroam
Eduroam offers a configuration assistant tool (CAT), which unfortunately does not support iwd. However, the installer, which you download by clicking the download button and selecting your university, is just a Python script, and it is easy to extract the necessary configuration options from it, including the certificate and the server domain mask.
The following table maps iwd configuration options to variables in the eduroam CAT install script.

| iwd configuration option | CAT script variable |
|---|---|
| file name | one of Config.ssids |
| EAP-Method | Config.eap_outer |
| EAP-Identity | Config.anonymous_identity |
| EAP-PEAP-CACert | Config.CA |
| EAP-PEAP-ServerDomainMask | one of Config.servers |
| EAP-PEAP-Phase2-Method | Config.eap_inner |
| EAP-PEAP-Phase2-Identity | username@Config.user_realm |

Note:
- EAP-Identity may not be required by your eduroam provider, in which case you can use anonymous in this field.
- If your EAP-PEAP-ServerDomainMask starts with DNS:, use only the part after DNS:.
Other cases
More example tests can be found in the test cases of the upstream repository.
Optional configuration
The main configuration is done in the file /etc/iwd/main.conf.
Network (SSID) settings live in the directory /var/lib/iwd.
Disable autoconnect for a specific network
Create or edit the file /var/lib/iwd/network.type (replace network with the network's SSID and type with the network type: open, wep, psk or 8021x) and add the following section:
/var/lib/iwd/spaceship.psk
    [Settings]
    AutoConnect=false
Prevent console (local) users from changing settings
By default, the D-Bus interface of iwd allows local console users (even when they are not root) to connect to the iwd daemon and change its settings.
If you want to prevent console users from editing the configuration, create a D-Bus policy file like the following:
/etc/dbus-1/system.d/iwd-strict.conf
    <!-- prevent local users from changing iwd settings, but allow reading status information.
         overrides some part of /usr/share/dbus-1/system.d/iwd-dbus.conf. -->
    <!-- This configuration file specifies the required security policies for iNet Wireless Daemon to work. -->
    <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
     "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
    <busconfig>
      <policy at_console="true">
        <deny send_destination="net.connman.iwd"/>
        <allow send_destination="net.connman.iwd" send_interface="org.freedesktop.DBus.Properties" send_member="GetAll"/>
        <allow send_destination="net.connman.iwd" send_interface="org.freedesktop.DBus.Properties" send_member="Get"/>
        <allow send_destination="net.connman.iwd" send_interface="org.freedesktop.DBus.ObjectManager" send_member="GetManagedObjects"/>
        <allow send_destination="net.connman.iwd" send_interface="net.connman.iwd.Device" send_member="RegisterSignalLevelAgent"/>
        <allow send_destination="net.connman.iwd" send_interface="net.connman.iwd.Device" send_member="UnregisterSignalLevelAgent"/>
      </policy>
    </busconfig>
The policy denies every call to net.connman.iwd for console users and then re-allows only the read-only property and object-manager methods plus the signal-level agent calls, so status can still be displayed while connect, disconnect and configuration changes are refused.
Troubleshooting
Verbose TLS debugging
This can be useful if you have trouble setting up MSCHAPv2 or TTLS. Set the following environment variable via a drop-in snippet:
/etc/systemd/system/iwd.service.d/tls-debug.conf
    [Service]
    Environment=IWD_TLS_DEBUG=TRUE
Afterwards check the iwd logs with journalctl -u iwd.service.
Connect issues after reboot
A low entropy pool can cause connection problems in particular noticeable after reboot. See Random number generation for suggestions to increase the entropy pool.
Wireless device is not renamed by udev
Since version 1.0, iwd disables predictable renaming of wireless devices. It installs the following systemd network link configuration file, which prevents udev from renaming the interface to wlp#s#:
/usr/lib/systemd/network/80-iwd.link
    [Match]
    Type=wlan

    [Link]
    NamePolicy=keep kernel
As a result the wireless link name wlan# is kept after boot. This resolves a race condition between iwd and udev on interface renaming, as explained in iwd udev interface renaming.
If this causes issues, try masking the file with:
    # ln -s /dev/null /etc/systemd/network/80-iwd.link