GEANT / CAT

CAT - the Configuration Assistant Tool for Enterprise Wi-Fi networks such as eduroam

Consider supporting iwd in addition to wpa_supplicant #201

Open rien333 opened 4 years ago

rien333 commented 4 years ago

Issue type

Feature description

Intel has been steadily developing their wpa_supplicant alternative iwd for a few years now, and the stable release has been out for a couple months (it's at 1.9 as of writing). I can really see many distros opting to use this as the new default, especially because it's (i) faster [1] [2] (ii) provides the same functionality as wpa_supplicant (as well as other benefits, see the various references in this request). Some distros are already making the switch (e.g. Arch Linux — which also powers the popular Manjaro distro — made the switch already on its installation media, and Ubuntu is currently considering switching). Of course, all notable distros already offer users the option to replace wpa_supplicant by iwd by way of their package manager, so there is certainly a user base and distro-level support for iwd already.

iwd currently works with eduroam, but requires some extra hassle [3] [4]. The former of these references provides some interesting pointers on how one can convert information specific to wpa_supplicant to iwd by looking at the CAT installer python script of your institution.

In spirit with this project's ambition to

> [push] secure Wi-Fi settings to all users without the need to expose them to or require them to understand all of the underlying technologies and configuration parameters

I think iwd deserves to be a supported option of the CAT project (maybe not very soon, but at least at some point in the future). The current wpa_supplicant support shouldn't be replaced, of course.

ikreb7 commented 4 years ago

Hello @rien333,

thanks for this detailed description. I totally agree that we should support it. If I find time I will implement it.

rien333 commented 4 years ago

Thanks! I can see this not being a top priority right now, but it's good to keep in mind that iwd support might be important in the near future (and even more for those already using iwd).

twoln commented 4 years ago

The CAT installer really interacts with NetworkManager. It will produce a wpa_supplicant config file as a last resort but I have always treated this as somewhat exotic as I do not believe that a casual user is likely to make any use out of this. I wonder what happens when iwd replaces wpa_supplicant? Will our interaction with Network Manager be in any way changed? If not then the main stream of our work should be untouched.

rien333 commented 4 years ago

> The CAT installer really interacts with NetworkManager

Odd. NetworkManager natively supports iwd as an alternative to wpa_supplicant (I use them in conjunction). Perhaps iwd is at fault for requiring some additional configuration for more complex networks (or specifically for eduroam-like networks).

twoln commented 4 years ago

I will test Manjaro distro and see if I can spot the problem

twoln commented 4 years ago

I have just installed newest Manjaro, added iwd, disabled wpa_supplicant. Unfortunately I am not able to get iwd to see my device. iwctl does not list any devices or adapters. Running iwd in debug allows me to see that wlan0 interface appears when I add it to my virtual machine. ifconfig also sees the device.

Tried the same on Ubuntu 20.04 and with the same result. Any ideas?

twoln commented 4 years ago

I probably found a reason on the net: https://www.reddit.com/r/archlinux/comments/c8fysv/iw_and_iwd_cant_find_my_usb_wifi_adapter/ Looks like I would need another adapter.

rien333 commented 3 years ago

Great to see some progress (#207) on this issue! To ensure full compatibility between this installer and iwd, it may be helpful to take a good look at the issues people encounter when using iwd and eduroam together, there are periodically new threads over at the archlinux reddit where people complain about configuration difficulties.

One outstanding issue I have no knowledge on concerns certificates. If memory serves (see also this thread), iwd didn't like the format of the certificate I got while using the CAT installer.

And to respond to an issue highlighted in https://github.com/GEANT/CAT/pull/207/files:

> But we have to discuss at first how we decide when we use wpa_supplicant or iwd?

In some cases, you could probably just query networkmanager for the wifi backend being used. (though in principle, both iwd and wpa_supplicant can be used outside networkmanager)

twoln commented 3 years ago

I agree that we essentially have two usage scenarios, the most natural one being the NetworkManager interaction and I would like to start testing with that. The second one is a copy of what we have now with wpa_supplicant as stand-alone. I always felt that people who are capable of using the config file to set things up could probably also do things without any real help, so providing the actual config while helpful is probably not vital.

On actual testing - can someone provide some USB wifi adapter examples that actually work with iwd? The ones that I have and that work with wpa_config do not and without something to test with it is hard to verify that something actually works.

balrog-kun commented 3 years ago

Wifi dongles with the RT2870 / RT3070 chips work for me, but I haven't seen adapters that still use wext on the market anymore. From https://www.aliexpress.com/wholesale?SearchText=wifi+adapter all should work.

> But we have to discuss at first how we decide when we use wpa_supplicant or iwd?
>
> In some cases, you could probably just query networkmanager for the wifi backend being used. (though in principle, both iwd and wpa_supplicant can be used outside networkmanager)

I suppose there's no reason to not create both NM and iwd config files, /var/lib/iwd can be created even when iwd isn't installed but a user might switch to iwd at a later point.

twoln commented 3 years ago

Correct me if I'm wrong, but isn't it that if iwd is used then it just replaces the function of wpa_supplicant leaving the whole NM interface intact? If so and since we just interact with NM this should just work and it would be great if someone could just check. The other thing is producing iwd/wpa_supplicant config files directly for cases where NM is not used. I did mention before that I believe this to be a total minority of cases, but I have nothing against having this implemented.

balrog-kun commented 3 years ago

> Correct me if I'm wrong, but isn't it that if iwd is used then it just replaces the function of wpa_supplicant leaving the whole NM interface intact?

This would make sense but no, currently IWD has no interface that is able to receive an 802.1X configuration from NM so even when controlled by NM, IWD must be pre-provisioned with a config file for each 802.1X network.

The opposite scenario is supported, where an IWD config file exists and no NM connection profile, in that case NM automatically creates a "mirror" profile.

twoln commented 3 years ago

Thanks, this explains the problem.

balrog-kun commented 3 years ago

One extra note: unlike wpa_supplicant IWD has a built-in DHCP client and an autoconnect logic so there's a group of users who don't command it through NM or Connman but with its own client. So for those users I guess it would make sense to create IWD config files regardless.
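
The pre-provisioning discussed in this thread (an IWD config file per 802.1X network under /var/lib/iwd), as an added example that is not part of the thread or of the CAT code base: it renders an iwd profile for a PEAP or TTLS network and refuses to produce one without a CA certificate and server name. The function names and all sample values are constructed; the setting names are those documented in iwd.network(5).

```python
import os
import re

# Constructed sample values; a real installer would take them from the CAT profile.
SAMPLE = {
    "ssid": "eduroam", "eap": "PEAP", "phase2": "MSCHAPV2",
    "anonymous_identity": "anonymous@example.org",
    "identity": "alice@example.org", "password": "constructed-password",
    "ca_cert": "/var/lib/iwd/eduroam-ca.pem",
    "server_domain_mask": "radius.example.org",
}

def iwd_filename(ssid):
    """<SSID>.8021x; SSIDs outside [A-Za-z0-9 _-] become '=' + hex(SSID)."""
    if re.fullmatch(r"[A-Za-z0-9 _-]+", ssid):
        return ssid + ".8021x"
    return "=" + ssid.encode("utf-8").hex() + ".8021x"

def iwd_profile(p):
    """Render the profile text; refuse to omit server validation."""
    if p["eap"] not in ("PEAP", "TTLS"):
        raise ValueError("only PEAP and TTLS are handled in this example")
    if not p.get("ca_cert") or not p.get("server_domain_mask"):
        raise ValueError("CA certificate and server name are required")
    if any("\n" in str(v) or "\r" in str(v) for v in p.values()):
        raise ValueError("line breaks in a value would inject extra settings")
    m = "EAP-" + p["eap"]
    return "\n".join([
        "[Security]",
        "EAP-Method=" + p["eap"],
        "EAP-Identity=" + p["anonymous_identity"],   # outer, anonymous identity
        m + "-CACert=" + p["ca_cert"],
        m + "-ServerDomainMask=" + p["server_domain_mask"],
        m + "-Phase2-Method=" + p["phase2"],
        m + "-Phase2-Identity=" + p["identity"],
        m + "-Phase2-Password=" + p["password"],
        "",
        "[Settings]",
        "AutoConnect=true",
    ]) + "\n"

def write_profile(p, directory="/var/lib/iwd"):
    """Write the profile with mode 0600 from creation: it holds the password."""
    text = iwd_profile(p)  # validate before touching the file
    path = os.path.join(directory, iwd_filename(p["ssid"]))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a pre-existing file
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path
```

The example writes values verbatim and does no escaping of characters that iwd's settings format treats specially.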