IETF Wireless 802.1X/WPA Instructions

The IETF network in Maastricht has had admission control added in preparation for our next meeting in Beijing. You can access the production wireless network via two mechanisms:

  • Using 802.1X/WPA Enterprise access
  • Using a web-based portal

Basic Information

Your username is one of three things:

  1. The 10-Digit Registration ID you received in your registration confirmation email or your payment receipt IF YOU REGISTERED BEFORE FRIDAY JULY 23, 5PM MEST
  2. The 6-Digit ID on the back of your badge IF YOU REGISTERED BEFORE FRIDAY JULY 23, 5PM MEST
  3. From a printed paper "anonymous" slip available at the Help Desk or the Registration Desk.

Your password is "ietf" (all lower case).

Supported EAP Types:

  • PEAPv0 with MSCHAPv2
  • PEAPv1 with GTC
  • TTLS with PAP or MSCHAPv2

The certificate we use is signed by the RGnet/PSGnet. The Root Cert is available locally and remotely. Alternatively, you could configure your device to simply accept the cert.

Windows XP and Windows 2000 Supplicant Setup

Use the following instructions to set up a Windows XP or Windows 2000 supplicant for 802.1x authentication:

  1. Open Network Connections (select Start menu > Settings > Network Connections).
  2. Right-click on the connection and click on Properties.
  3. In the General tab, make sure that “Show icon in notification area when connected” is checked.
  4. In the Authentication tab, select the “Enable network access control using IEEE 802.1X” check box. Then select the EAP method. Both PEAP and TTLS have been tested.
  5. Make sure all check boxes that imply machine authentication, Smart Card or Client Certificates are unchecked. Check each tab and its sub-menus.
  6. Save the changes.
  7. Disable and re-enable the wireless interface or, if necessary, reboot the machine.

The authentication process is as follows:

  1. Press Ctrl-Alt-Delete and log on to the local machine.
  2. Select the ietf.1x or ietf-a.1x wireless network
  3. You should see either a Username/Password pop-up or a bubble on the icon for your wireless adapter.
  4. After establishing the EAP authentication, notice that the bubble (balloon) appears in the notification area.
  5. Click on the bubble (balloon) to open the network logon window.
  6. Provide your username and password.


  • If a user logs in incorrectly twice, the Windows XP client will typically not let them retry the login again. The only way to let them retry is to reboot (or log off) the XP client or disable/enable the interface.
  • After launching the network logon window by clicking the bubble (balloon), the user might get another bubble (balloon) in the notification area before logging in. In this case, the user must close the logon window opened previously and click the bubble (balloon) which appeared in the notification area to re-launch the network logon window.

Windows 7

  1. Right click the Wireless icon in the system tray
  2. Select SSID ‘ietf.1x’ or ‘ietf-a.1x’
  3. Click Connect
  4. When prompted for a Username and Password enter your badge number for the user and ‘ietf’ for the password


For most users, selecting the ietf.1x or ietf-a.1x SSID will prompt for a Username and Password, and your new credentials should authenticate you to the network. If you have cached ietf/ietf as username and password, or have never used 802.1X, you may need to edit your 802.1X profiles as follows:

To configure Mac OS X 10.5 or 10.6 for IETF Wireless:

  1. Go to the Apple Menu, and select System Preferences
  2. Click the Network system preference icon
  3. Verify that the lock icon is unlocked. If the icon shows as being locked, click the lock icon in the lower left and enter your computer password to make changes
  4. Click AirPort on the left. Verify AirPort is turned on, and then click Advanced at the bottom right and perform the following:
    • Click the 802.1X tab
    • Click the + (plus) sign in the lower left-hand corner, select Add User Profile and type a name for the new configuration.
    • On the right, enter the following information:
    • User Name: Enter username from your slip
    • Password: Enter the password from your slip
    • Authentication: Your choice! PEAP and TTLS both have been tested
    • Wireless Network: ietf.1x or ietf-a.1x
    • Security Type: WPA2 and WPA are both supported
    • Click OK
  5. Click Apply
  6. Select "ietf.1x" or “ietf-a.1x” from the Network Name drop down menu.
  7. You may be prompted with a window that asks for a password. From this window, select the User Profile name you created in the previous steps, and then click OK
  8. You may be prompted with a Verify Certificate window.
  9. Click Apply within the Network Preference window.

Linux/BSD Secure Supplicant Setup

Given that different distributions have different solutions and to avoid political discussions, please come to the HelpDesk if you need assistance configuring the 802.1X supplicant for your system.
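
For wpa_supplicant users, a network block matching the supported EAP types and the certificate described under Basic Information could look like the following. This is an added example, not a configuration from the IETF NOC or from the contributors below; the certificate path and the identity value are placeholders.

```conf
# Added example (not from the original page).
# Assumptions: the RGnet/PSGnet root cert has been saved to the
# placeholder path below, and the identity is replaced with your own ID.

ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="ietf.1x"
    key_mgmt=WPA-EAP

    # PEAPv0 with MSCHAPv2, the first entry in the supported list.
    eap=PEAP
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"

    # Placeholder: 10-digit registration ID, 6-digit badge ID,
    # or the ID from an "anonymous" slip.
    identity="YOUR-ID-HERE"
    password="ietf"

    # Validate the RADIUS server certificate against the root cert.
    # If ca_cert (and ca_path) are left out, wpa_supplicant does not
    # verify the server certificate at all, which is the
    # "simply accept the cert" option: the supplicant will then run
    # the inner authentication with whatever server answers for
    # this SSID.
    ca_cert="/path/to/rgnet-psgnet-root.pem"
}

# Same settings for the second SSID, using TTLS with PAP instead.
network={
    ssid="ietf-a.1x"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="YOUR-ID-HERE"
    password="ietf"
    ca_cert="/path/to/rgnet-psgnet-root.pem"
}
```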

User Submitted Known-Working Configurations

as an aside... I fought some with ubuntu-lucid today and got on the wireless:
 (network manager promptiness)
 o wpa2/enterprise
 o empty anonymous-id
 o Username: 10-digit registration-id (from the registration email,
yes this is a circular dependency)
 o passwd: documented passwd

On the ietf-a.1x this config works for me, on Ubuntu-Lucid && Android (phone).

Thanks to Chris Morrow <morrowc@…>

this is what I have in wpa_supplicant.conf


Thanks to Mark Andrews <marka@…>

If you are using wpa_supplicant you can try the following;

edit the wpa_supplicant.conf 

then execute...
wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf

# Sample config verified on FreeBSD

Put the following in /etc/wpa_supplicant.conf

   identity="number on back of ietf badge"

Replace "number on back of ietf badge" with the number on the back of
your IETF badge.

Then add the following to /etc/rc.conf.  This is for wpi0.  If you use
a different interface, comment out the existing entry and add the
following substituting your interface for wpi0.

ifconfig_wlan0="DHCP WPA ssid ietf.1x mode 11g"

You may not need the "mode 11g" at the end.

Compiled from various efforts at the Help Desk

For me ietf-a.1x worked today on my MacBook after I removed an old entry
in the 802.1X Network tab of the System Preferences.  The old ietf.1x
and ietf-a.1x were from previous meeting (with user name ietf).

Thanks to Benno Overeinder <benno@…>

Configuration instructions (Blackberry Bold 2 9700).  OS v5.0, which I believe is their newest.

Menu->Options->Security Options->Advanced Security Options->TLS

The problem I had was that 'TLS Default' was set to 'Proxy'.  The only other choice is 'Handheld'; set it to that.

Then do

Menu->Setup->Set Up Wi-Fi->Wi-Fi Options.
Click on ietf.1x, then Edit,
Select a CA certificate.  Any certificate doesn't matter.  Scroll down and check 'Disable Server Certificate Validation'.

This is, IIRC, all you need to do.  Works for me, YMMV.

Thanks to Eric Osborne <eosborne@…>

Last modified on 29 Jul 2010, 14:48:31
