## Generic settings
```
SSID: Camp2023

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.c3noc.net
CA = ISRG Root X1

SHA256 Fingerprint = 6C:5E:71:4F:1E:AD:3A:D5:FE:1A:F6:F3:67:17:FD:63:13:2F:CA:9C:51:36:92:5E:1B:3A:D2:DF:5F:A8:D2:D7
```
Make sure you check the certificate in order to know you are connecting to the correct network (you should check on both the CN and the CA).

## Android 
You can use our Android app to automatically configure the most secure WiFi settings on your Android device:

* [Download on Google Play Store](https://play.google.com/store/apps/details?id=nl.eventinfra.wifisetup)
* [APK download](https://eventinfra.org/Camp2023/app-release.apk)
* [Source code](https://github.com/EventInfra/wifisetup)

This app installs the certificate and WiFi profile which will allow your device to automatically connect. You can do it manually, as shown below, but it's a bit more hassle.

### Manual configuration
If you don't want to use the app, download the [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem) certificate, and [install it](https://support.google.com/pixelphone/answer/2844832) into your device's **Wi-Fi certificate** store, giving it any name you like. Then connect to the **Camp2023** network using the following information:

* EAP method: TTLS *(not TLS)*
* CA certificate: *(whatever name you gave the ISRG Root X1)*
* Domain: radius.c3noc.net
* Identity: camp
* Password: camp

It's fine to leave **Online Certificate status** as "Do not validate", and leave the **Anonymous identity** blank.

## Linux, etc. 
### Network Manager 
You can use the following config file:

Please note that some versions of NM are buggy and will only work with 802.1X using MSCHAPv2, or not at all. If that affects you, it may be easiest to use wpa_supplicant.

/etc/NetworkManager/system-connections/Camp2023:

Hint: chmod 600 this file to make the connection work.

```
[connection]
id=Camp2023
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=Camp2023

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.c3noc.net
ca-cert=/etc/ssl/certs/ISRG_Root_X1.pem
eap=ttls;
identity=camp
password=camp
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto
```

### WiCD 
You need an additional crypto setting for WiCD. Put this file into /etc/wicd/encryption/templates/eap-ttls (debian systems, might be different with other *nix flavours):

```
 name = EAP-TTLS Camp2023
 author = Felicitus
 require identity *Identity password *password
 -----
 ctrl_interface=/var/run/wpa_supplicant
 network={
  ssid="Camp2023"
  scan_ssid=$_SCAN
  identity="camp"
  password="camp"
  proto=WPA2
  key_mgmt=WPA-EAP
  group=CCMP
  pairwise=CCMP
  eap=TTLS
  ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
  altsubject_match="DNS:radius.c3noc.net"
  anonymous_identity="$_ANONYMOUS_IDENTITY"
  phase2="auth=PAP"
  #priority=2
 }
```
Edit /etc/wicd/encryption/templates/active to include the eap-ttls config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS Camp2023) and enter a random username/password.

### Jolla/connman 
/var/lib/connman/Camp2023wifi.config :

```
 [service_Camp2023]
 Type=wifi
 Name=Camp2023-legacy
 EAP=ttls
 Phase2=PAP
 Identity=camp
 Passphrase=camp
```


### wpa_supplicant
This is the default option on Raspberry Pi OS.  Edit /etc/wpa_supplicant/wpa_supplicant.conf and add the network:

```
 network={
 	ssid="Camp2023"
 	key_mgmt=WPA-EAP
 	eap=TTLS
 	identity="camp"
 	password="camp"
 	# ca path on debian 7.x and raspberry pi OS, modify accordingly
 	ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
 	altsubject_match="DNS:radius.c3noc.net"
 	phase2="auth=PAP"
 }
```

### Interfaces
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:

```
 iface wlan0 inet dhcp
 	wpa-ssid Camp2023
 	wpa-identity camp
 	wpa-password camp
 	wpa-proto WPA2
 	wpa-key_mgmt WPA-EAP
 	wpa-group CCMP
 	wpa-pairwise CCMP
 	wpa-eap TTLS
 	wpa-phase2 "auth=PAP"
 	wpa-ca_cert "/etc/ssl/certs/ISRG_Root_X1.pem"
 	wpa-altsubject_match DNS:radius.c3noc.net
```

### Netctl

```
Description='Camp2023 secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=Camp2023
WPAConfigSection=(
    'ssid="Camp2023"'
    'proto=RSN WPA'
    'key_mgmt=WPA-EAP'
    'eap=TTLS'
    'identity="camp"'
    'password="camp"'
    'ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"'
    'altsubject_match="DNS:radius.c3noc.net"'
    'phase2="auth=PAP"'
)
```

### IWD
```
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@Camp2023
EAP-PEAP-CACert=/etc/ssl/certs/ISRG_Root_X1.pem
EAP-PEAP-ServerDomainMask=radius.c3noc.net
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=camp
EAP-PEAP-Phase2-Password=camp

[Settings]
AutoConnect=true
```
### NixOS

```
networking.wireless.networks."Camp2023".auth = ''
  key_mgmt=WPA-EAP
  eap=TTLS
  identity="camp"
  password="camp"
  ca_cert="${builtins.fetchurl {
    url = "https://letsencrypt.org/certs/isrgrootx1.pem";
    sha256 = "sha256:1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
  }}"
  altsubject_match="DNS:radius.c3noc.net"
  phase2="auth=PAP"
'';
```

## Apple macOS
To enable the most secure WiFi configuration on macOS:

1. Download [this mobileconfig file](https://eventinfra.org/Camp2023/Camp2023.mobileconfig) and double-click on it. You'll get an unhelpful notification.
2. Open Settings and search for the "Profiles" pane.
3. Click the "+" button and select the mobileconfig file.
4. After you've finished the install, your computer should automatically connect to the camp WiFi.

## Apple iOS
To enable the most secure WiFi configuration on iOS, open this [mobileconfig file](https://eventinfra.org/Camp2023/Camp2023.mobileconfig) in Safari. After the file is installed, your device should automatically connect to the camp WiFi.

## Windows
Windows users (and other clients using MSCHAPv2) should use a fixed username and password. You can use "camp/camp" or "guest/guest" as username/password.

Import one of these profiles for the most secure WiFi settings for Windows:

* [Camp2023](https://eventinfra.org/Camp2023/Camp2023.xml) (2.4GHz+5GHz)

To import and connect follow these steps:

* Open a command prompt and execute: netsh wlan add profile filename=Camp2023.xml
* Connect to the Camp2023 network; use "camp/camp" as the username/password when prompted. Alternatively, use "outboundonly/outboundonly" as the username/password to enable inbound traffic firewalling.