Configuring WPA supplicant

You can use the example files on the devices to configure the WPA supplicant: /setup/scep/wpa.conf.*

  1. Create an individual wpa.conf configuration file.

    By default, the file contains the following information:

    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=0
    ap_scan=0
    network={
        key_mgmt=IEEE8021X
        eapol_flags=0
        eap=TLS
        identity="<Common Name as specified in certificate>"
        priority=6
        ca_cert="/setup/cacerts/scep/serverca.pem"
        client_cert="/setup/cacerts/scep/client.pem"
        private_key="/setup/cacerts/scep/client.key"
    }

    Add further entries according to your CA implementation.

    You can specify the certificate file and path in one of the following ways, for example if you access an external root certification authority. Note that only one file may be referenced via ca_cert. However, this file may contain several certificate entries.

    ca_cert="/setup/cacerts/<root_extern>.pem"
    ca_cert="/setup/cacerts/<subordinate_int>.pem"
    ca_cert="/setup/cacerts/<radius>.ssl"     

    If the RADIUS certificate contains the NetBIOS name instead of the FQDN, you may use the following entry:

    ca_cert="/setup/cacerts/<root>.pem"

    The spelling and case-sensitivity of the certificate file names must be identical to the names of the transferred certificate files.

  2. If you want to use TPM 2.0 via WLAN, add the following engine parameters for the network:

    ...
    network={
        ssid="WLAN-ABC"
        scan_ssid=1
        key_mgmt=WPA-EAP
        proto=WPA2
        eap=TLS
        engine=1            # Value must always be 1
        engine_id="tpm2tss"    # Private Key is taken from TPM 2.0 module
        identity="__IDENTITY__"
        priority=6
        ca_cert="/setup/cacerts/scep/serverca.pem"
        client_cert="/setup/cacerts/scep/client.pem"
        private_key="/setup/cacerts/scep/client.key"    # Public part
    }

  3. To transfer the wpa.conf file to the devices, use the Scout feature Files configured for transfer. Use the following destination:

    LAN:  setup/scep/
    WLAN: setup/wlan/

    For further information, see Advanced device configuration > Files in the Scout guide.
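
A pre-transfer check for the steps above, as an added example that is not part of the original documentation or the vendor's tooling. It parses the network blocks of a wpa.conf and flags EAP-TLS blocks where identity, ca_cert, client_cert or private_key is missing or empty (a misspelled key name shows up this way), where ca_cert appears more than once, or where engine_id is set without engine=1. The function names and the sample block are constructed for illustration.

```python
REQUIRED = ("identity", "ca_cert", "client_cert", "private_key")

def strip_comment(line):
    # Drop a trailing "# ..." comment but keep a '#' inside a quoted value.
    pos = line.find("#", line.rfind('"') + 1)
    return (line if pos < 0 else line[:pos]).strip()

def parse_networks(text):
    """Return one {key: [values, ...]} dict per network={ ... } block."""
    networks, block = [], None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if line == "network={":
            block = {}
        elif line == "}" and block is not None:
            networks.append(block)
            block = None
        elif block is not None and "=" in line:
            key, value = line.split("=", 1)
            block.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return networks

def lint_network(net):
    problems = [f"{k} missing or empty" for k in REQUIRED if not any(net.get(k, []))]
    if len(net.get("ca_cert", [])) > 1:      # the page allows one ca_cert file
        problems.append("ca_cert set more than once")
    if "engine_id" in net and net.get("engine") != ["1"]:
        problems.append("engine_id set but engine is not 1")
    return problems

def lint_config(text):
    """Return one list of problems per EAP-TLS network block."""
    return [lint_network(n) for n in parse_networks(text) if "TLS" in n.get("eap", [])]

# Constructed sample block with three mistakes (not a file from a real device).
SAMPLE = """\
network={
    ssid="WLAN-ABC"
    eap=TLS
    engine_id="tpm2tss"    # engine=1 is missing
    dentity="__IDENTITY__"
    ca_cert="/setup/cacerts/scep/serverca.pem"
    ca_cert="/setup/cacerts/<root>.pem"
    client_cert="/setup/cacerts/scep/client.pem"
    private_key="/setup/cacerts/scep/client.key"
}
"""

if __name__ == "__main__":
    print(lint_config(SAMPLE))
```

Of the findings, a missing ca_cert matters most: wpa_supplicant does not verify the server certificate when no ca_cert (or ca_path) is configured.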

Use of multiple WiFi networks

Example:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=1
network={
    ssid=""
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TLS
    identity=""
    priority=5
    ca_cert=""
    ca_cert=""
    client_cert=""
    private_key=""
}
network={
    ssid=""
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TLS
    identity=""
    priority=6
    ca_cert=""
    ca_cert=""
    client_cert=""
    private_key=""
}

Use of variables

For identity and host name, you can alternatively set variables:

Spelling      Description                     Other
%IDENTITY%    Common name from certificate    For compatibility reasons, the legacy spelling used before eLux RP 6.9.100 (variable name in uppercase letters and 2 x 2 underscores) is still supported. Example: __IDENTITY__
%HOSTNAME%    Hostname from terminal.ini

Variables may also be used for a part of a value. Prefixes and suffixes of a variable are pure strings that are passed through.
Example: identity="host/%HOSTNAME%"

For further information on configuring 802.1X for WLANs, see WPA support in the Scout guide.