Re: What is needed for NetworkManager and WPA2 Enterprise?



Dear Andrew,


On 25.09.19 12:54, Andrew Zaborowski wrote:
On Wed, 25 Sep 2019 at 12:33, Paul Menzel <pmenzel molgen mpg de> wrote:
On 25.09.19 12:27, Andrew Zaborowski wrote:
I replied to that issue but provisioning EAP networks other than
through the config files is not currently on IWD's todo list.  You
didn't really explain your use case.  The logic is that the user
shouldn't have to touch that configuration, it should be enough for
them or their admin to drop the network's configuration file into
/var/lib/iwd.  There is specific code in the NM iwd-backend to make
sure no extra NM-side configuration is required after this is done
correctly.

...

There are self-managed devices. In our case these are scientists using
the Eduroam net. It was possible to configure such a network before
using the GNOME WiFi dialog, and I think it should continue to be supported.

So I know Eduroam admins may not be very cooperative but they still
have to provide users with the certificate file, the private key and
hopefully some instructions on the site's Eduroam configuration (the
EAP methods and other details vary between campuses) so it'd actually
be easier for them to provide the config file directly, and it'd also
be easier for their users.  This can also be done by one of your users
provided everyone has their certificate and private key already.

I believe there's now also an auto-configuration tool for eduroam
called CAT.  Maybe you should also address proposals to that project.
When I was an eduroam user myself I didn't use CAT, I actually used
the GNOME nm-applet's wifi dialog to configure access but it took me
many attempts and was far from the ideal way to do this.  I remember
the admins did provide mac-compatible config files and today I'd much
prefer to simply convert that using our script (in
tools/ios_convert.py) than to have to guess individual eap settings.

I don't believe the script has been tested with eduroam yet.

I can agree, but it’s not user-friendly at all. So you want to teach the users again how to copy a text file to `/var/lib/iwd`? What about if the user does not want to share that connection system wide? The admin should not be able to read the password, as it’s often shared.

Configuration files would be useful, but the GUI program should load them, and use them to configure the system.

I can only urge you to take the viewpoint of an ignorant user. Please test your suggestions with your parents or even grandparents and see if it works. I doubt it. Please work together with the GUI folks on how to integrate this properly. Managed devices are not always a reality.

(I second that a missing common configuration file format for WiFi is a problem.)

Also, it looks like the password is stored in plain text in the iwd
configuration file (in some examples).

While this is not recommended the password can be stored in the config
file so that you don't have to type it through the secrets dialog
every time, it's your or the admin's choice.

Every time, or would it be stored in some keyring?


Kind regards,

Paul

