tpwrules / nixos-apple-silicon

Resources to install NixOS bare metal on Apple Silicon Macs
MIT License

Is iwd really better? #107

Closed vxld100 closed 9 months ago

vxld100 commented 1 year ago

I'm currently considering switching from the default arch-based asahi linux installation to NixOS. While reading the installation guide I came across the section advertising iwd as the better choice compared to wpa_supplicant. However, I am not sure this is the case.

The main justification for this choice is a reddit comment stating that the wifi chips on macbooks are not supported by wpa_supplicant. However, the original reddit post itself disproves this claim. (In fairness, note that the comment's author said that these chips were not supported "last time they checked".) Not only that, but OP was able to resolve a major issue with wifi by switching to wpa_supplicant as a NetworkManager backend, namely, that of being able to connect AT ALL to an eduroam (WPA2-Enterprise Wifi) network.

As a university student myself, I can confirm OP's findings with my current installation on an M1 pro macbook, mainly that as a NetworkManager backend one doesn't feel the difference between iwd and wpa_supplicant, except for the enormous difficulty in connecting to eduroam and similar networks with the former (I too failed with iwd after hours of trying).

Now, I cannot really judge the quality of the software except for as an end user, and so I have nothing to say with respect to the other arguments in favor of iwd. Therefore I refrain from suggesting a change of a default choice. However, it would be cool to at least have a little addition in the installation guide on how to use either one or the other, or how to set up a wifi connection with nmcli directly, while choosing the backend in case someone like me (e.g., another student) knows they are going to need a specific one.

tpwrules commented 1 year ago

It's worth noting that reddit comment is from marcan, the main Asahi author, and I generally aim to follow the configuration and recommendations of Asahi itself.

However, we only actually force iwd in the installer image, not in your config. Does iwd work properly using the iwctl tool in the installer environment to connect to an eduroam network? NetworkManager should not be in play there. I am pretty sure nixos-generate-config will generate a configuration which uses wpa_supplicant. It sounds like you might have manually enabled iwd in your configuration yourself.

I don't see a cite that wpa_supplicant properly supports WPA3. I can update the guide to better clarify the choices to prevent headache. But I don't see that we should change the installer yet.

vxld100 commented 1 year ago

Well, iwd really is the default on the arch-based asahi-linux installation. I did not set that up myself (and wasn't presented with a choice at installation either).

I haven't tested connecting just with iwctl to an eduroam, but I can't see it working, since the reason it doesn't work with NetworkManager is because in order to connect to an 802.1x connection iwd requires some additional configuration (provisioning files), which are NOT present by default, and the guide on the arch wiki isn't really helpful.

As for wpa_supplicant support of WPA3, the arch wiki claims that it does support it...

But if it's true that the nix installation comes with wpa_supplicant by default and iwd is only used in the installer, then the problem goes away, for iwd works fine for connecting to non-enterprise networks.

tpwrules commented 1 year ago

The support is specifically a problem with the Broadcom hardware in MacBooks for whatever reason.

Also then this might mean you couldn't install NixOS on Apple Silicon if eduroam is the only network you have access to, which would be unfortunate but unlikely.

vxld100 commented 1 year ago

I'm confused now. Are you referring to iwd or wpa_supplicant support?

As for installing any os only with access to an eduroam network, that would be cumbersome anyways, for that usually requires downloading ca certificates, and what's more the installation script that comes with them assumes the presence of NetworkManager or wpa_supplicant (see Help>FAQ). The only alternative is then extensive manual configuration.

tpwrules commented 1 year ago

The original motivation for using iwd was that wpa_supplicant WPA3 support is broken on Broadcom hardware which is in MacBooks. I haven't confirmed whether or not this is true.

I don't know what the installation process would be like using eduroam if it worked. But networking is needed in the installer and the installer contains iwd.

autrimpo commented 1 year ago

I use eduroam with iwd just fine, have been for years. You do need to provision the config file manually unfortunately:

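# NixOS module fragment: provisions an iwd 802.1X profile for the "eduroam" SSID.
{ pkgs, ... }:
let
  user = "you@uni.edu";
  password = "foobar";
  # pkgs.writeText puts this file, password included, in the world-readable /nix/store.
  eduroamConf = pkgs.writeText "eduroam.8021x" ''
    [Security]
    EAP-Method=PEAP
    EAP-Identity=${user}
    EAP-PEAP-Phase2-Method=MSCHAPV2
    EAP-PEAP-Phase2-Identity=${user}
    EAP-PEAP-Phase2-Password=${password}

    [Settings]
    AutoConnect=true
  '';
in {
  # Copy the profile to where iwd looks for it (<SSID>.8021x) on every activation.
  system.activationScripts.eduroam = ''
    cp ${eduroamConf} /var/lib/iwd/eduroam.8021x
  '';
}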

You might need to tweak the network parameters according to your university's guidelines.
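
The profile above interpolates the password into `pkgs.writeText`, which places it in the world-readable Nix store, and it sets no CA certificate or server name for the PEAP tunnel, so the client accepts any access point that announces the eduroam SSID. A variant that reads the secret at activation time and pins the RADIUS server, as an added example (not autrimpo's code and not part of this project); `passwordFile`, `caCert` and `serverDomainMask` are placeholder assumptions, and the `EAP-PEAP-CACert` and `EAP-PEAP-ServerDomainMask` keys are the ones documented in iwd.network(5).

```nix
# Added example (not from the thread). Assumed placeholders: passwordFile,
# caCert, serverDomainMask; take the real values from your university.
{ pkgs, ... }:
let
  user = "you@uni.edu";
  # Root-only file created by hand, outside the Nix store (assumed path).
  passwordFile = "/etc/secrets/eduroam-password";
  # CA that signs the RADIUS server certificate (assumed path).
  caCert = "/etc/iwd/eduroam-ca.pem";
  # Name the server certificate must carry (assumed value).
  serverDomainMask = "radius.uni.edu";

  # No secret in here, so this part may live in the world-readable store.
  securitySection = pkgs.writeText "eduroam.8021x.head" ''
    [Security]
    EAP-Method=PEAP
    EAP-Identity=${user}
    EAP-PEAP-CACert=${caCert}
    EAP-PEAP-ServerDomainMask=${serverDomainMask}
    EAP-PEAP-Phase2-Method=MSCHAPV2
    EAP-PEAP-Phase2-Identity=${user}
  '';
in {
  system.activationScripts.eduroam = ''
    if [ -r ${passwordFile} ]; then
      (
        umask 077                       # profile is created 0600, root only
        mkdir -p /var/lib/iwd
        rm -f /var/lib/iwd/eduroam.8021x.tmp
        {
          cat ${securitySection}
          # The password is read at activation time and never enters the store.
          printf 'EAP-PEAP-Phase2-Password=%s\n' "$(cat ${passwordFile})"
          printf '\n[Settings]\nAutoConnect=true\n'
        } > /var/lib/iwd/eduroam.8021x.tmp
        mv /var/lib/iwd/eduroam.8021x.tmp /var/lib/iwd/eduroam.8021x
      )
    else
      echo "eduroam: ${passwordFile} missing, profile not written" >&2
    fi
  '';
}
```

The CA file and the password file have to be in place before the first activation; a password that was ever built with `pkgs.writeText` stays readable in old store paths until they are garbage-collected.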

vxld100 commented 1 year ago

Well, that's quite awesome. Did you find this in some kind of documentation, in case one needs to add other parameters?

autrimpo commented 1 year ago

I think I took what I needed from what was in Arch wiki at the time, but man iwd.network should document all the possible options.

vxld100 commented 1 year ago

Thank you so much!

yu-re-ka commented 10 months ago

With asahi kernels 6.6.x, wpa_supplicant randomly disconnects. Debugged this a while with the person who authored most of the changes to the brcmfmac driver from 6.5 to 6.6, and the result was that wpa_supplicant does weird things and I should really switch to iwd.

uuuvn commented 9 months ago

> The main justification for this choice is a reddit comment stating that the wifi chips on macbooks are not supported by wpa_supplicant.

They are, but WPA3-SAE doesn't work properly and iwd is in general far more modern, cleaner and easy to use.

I wrote #73 for exactly that reason (I use WPA3-SAE-only on my home network, which IMO should be the default in 2023)