Difference between revisions of "Virginia Tech Wifi (OLD)"

From the Linux and Unix Users Group at Virginia Teck Wiki
Jump to: navigation, search
imported>Cov
(Connecting with wicd)
 
(49 intermediate revisions by 12 users not shown)
Line 1: Line 1:
=Introduction=
+
#REDIRECT [[Virginia Tech Wifi]]
Since the 2008-2009 school year, there have been two options for
 
connecting to the Virginia Tech network by wireless card. One network,
 
called '''VT-Wireless''', operates by means of WPA2 Enterprise and is secured with EAP/TLS. The other network, called '''VT_WLAN''', is an unsecured, captive portal wireless network.
 
While connections to VT-Wireless are secure by default, and
 
require no user authentication once set up, the setup to connect to
 
VT-Wireless has a number of steps. In contrast, set up for connecting
 
to the unsecured VT_WLAN network is negligible, but you will be
 
required to manually authenticate each time you connect. [''NOTE: see [#VT_WLAN_Auto_Login below] for scripts on how to enable automated authentication to VT_WLAN.'']
 
The table below summarizes the advantages and disadvantages of connecting to the two wireless LANs.
 
 
 
<table style="text-align: center;" align="center" border="1" cellpadding="10">
 
 
 
<tbody><tr>
 
<td>
 
</td><th>VT-Wireless
 
</th><th>VT_WLAN
 
</th></tr>
 
<tr>
 
<th>Secure (Encrypted)<br /> Connection
 
</th><td> yes </td><td> no
 
</td></tr>
 
<tr>
 
<th>Setup
 
</th><td> involved </td><td> trivial
 
</td></tr>
 
<tr>
 
<th>Authentication
 
</th><td> automatic </td><td> manual[#VT_WLAN_Auto_Login *]
 
</td></tr></tbody></table>
 
=VT-Wireless=
 
The VT-Wireless network is secured by WPA with EAP/TLS encryption.
 
This encryption mechanism is put in place through a certificate
 
authentication mechanism.
 
==Obtaining the VT-Wireless Certificate==
 
Regardless of what program you use to make your connection, you will need to [https://netcert.cns.vt.edu/netcert/ obtain your p12 certificate and password from CNS].
 
Complete the form and download the p12 certificate file. Write down the
 
certificate password and store it some place where you can find it
 
again. You will need it in setting up your connection to VT-Wireless.
 
 
 
===Connecting by NetworkManager===
 
The setup for NetworkManager depends on your version of the
 
software. Please follow the instructions appropriate to your version
 
below.
 
In GNOME, you can right-click the NetworkManager applet icon in
 
the panel and select "About" to find the version of NetworkManager.
 
Ubuntu users: version 0.6 ships with 8.04 Hardy Heron, and 0.7 ships
 
with 8.10 Intrepid Ibex.
 
 
 
====NetworkManager 0.7====
 
====Converting the certificate to PEM certificates and keys====
 
['''NOTE:''' The following steps are only necessary to use NetworkManager 0.7. NetworkManager 0.6 has a [#NetworkManager_0.6 more straightforward setup] and wpa_supplicant works pretty much [#Connecting_by_WPA_Supplicant out of the box] as well.]
 
You will need to convert the p12 certificate into PEM formats. We will assume your downloaded p12 file is called '''<tt>netcert-1.p12</tt>''' and that its password is '''''netcertpasswd'''''.
 
Open a terminal and <tt>cd</tt> to the directory that contains your p12 file. Then issue the following commands:
 
 
 
<pre>openssl pkcs12 -in netcert-1.p12 -out vt_client_cert.pem -clcerts -nokeys
 
openssl pkcs12 -in netcert-1.p12 -out vt_private_key.pem -nocerts
 
</pre>
 
In each step, you will be prompted for the password (''netcertpasswd'')
 
that you were issued along with your p12 certificate. Additionally, in
 
the final step where you generate your private key, you will be asked
 
to enter a password. Enter the same password that came with your p12
 
key.
 
'''Sources'''
 
 
 
<ul><li> [http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup]
 
</li></ul>
 
==== Make sure you have the CA Certificate ====
 
Next, you will need to make sure you have the Thawte CA certificate. In Ubuntu, you should find this certificate as <tt>/etc/ssl/certs/Thawte_Premium_Server_CA.pem</tt>.
 
If you can't find the certificate, you can copy the text below and paste it into a new file of the same name.
 
 
 
<pre>-----BEGIN CERTIFICATE-----
 
MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMC
 
WkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3du
 
MR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2Vy
 
dGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3Rl
 
IFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl
 
cnZlckB0aGF3dGUuY29tMB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1
 
OVowgc4xCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQ
 
BgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENvbnN1bHRpbmcg
 
Y2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24x
 
ITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBDQTEoMCYGCSqGSIb3
 
DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0B
 
AQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkEVdbQ7xwblRZH7xhI
 
NTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQug2SBhRz1JPL
 
lyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMRuHM/qgeN
 
9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
 
AQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
 
hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZ
 
a4JMpAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcU
 
Qg==
 
-----END CERTIFICATE-----
 
</pre>
 
<br />
 
Left-click the NetworkManager applet and select the VT-Wireless network.
 
<a href="http://www.vtluug.org/wiki/index.php?title=Image:Nm_choose_wireless.png" class="image" title="Image:nm_choose_wireless.png"><img alt="Image:nm_choose_wireless.png" src="VT-Wireless_files/Nm_choose_wireless.html" height="255" width="313" border="0"></a>
 
You will see a prompt to configure the connection. First, from the Authentication drop-down menu, select TLS.
 
<a href="http://www.vtluug.org/wiki/index.php?title=Image:Nm_choose_tls.png" class="image" title="Image:nm_choose_tls.png"><img alt="Image:nm_choose_tls.png" src="VT-Wireless_files/Nm_choose_tls.html" height="466" width="494" border="0"></a>
 
Next, fill in the rest of the options:
 
<a href="http://www.vtluug.org/wiki/index.php?title=Image:Nm_vt_wireless_options.png" class="image" title="Image:nm_vt_wireless_options.png"><img alt="Image:nm_vt_wireless_options.png" src="VT-Wireless_files/Nm_vt_wireless_options.html" height="466" width="494" border="0"></a>
 
 
 
<table align="center" border="1" cellpadding="5">
 
 
 
<tbody><tr>
 
<th>Field </th><th> Value
 
</th></tr>
 
<tr>
 
<th>SSID
 
</th><td>VT-Wireless
 
</td></tr>
 
<tr>
 
<th>Wireless Security
 
</th><td> WPA &amp; WPA2 Enterprise
 
</td></tr>
 
<tr>
 
<th>Authentication
 
</th><td> TLS
 
</td></tr>
 
<tr>
 
<th>Identity
 
</th><td>''Your VT PID''
 
</td></tr>
 
<tr>
 
<th>User Certificate
 
</th><td> /path/to/vt_client_cert.pem
 
</td></tr>
 
<tr>
 
<th>CA Certificate
 
</th><td> /etc/ssl/certs/Thawte_Premium_Server_CA.pem
 
</td></tr>
 
<tr>
 
<th>Private Key
 
</th><td> /path/to/vt_private_key.pem
 
</td></tr>
 
<tr>
 
<th>Private Key Password
 
</th><td> ''netcertpasswd''
 
</td></tr></tbody></table>
 
Click "Connect" and you should connect to the VT-Wireless network.
 
 
 
===NetworkManager 0.6===
 
Left-click the NetworkManager applet and select VT-Wireless. You
 
will be prompted to enter information about the connection. Here are
 
the entries you should use:
 
 
 
<table align="center" border="1" cellpadding="5">
 
 
 
<tbody><tr>
 
<th>Field </th><th> Value
 
</th></tr>
 
<tr>
 
<th>SSID
 
</th><td>VT-Wireless
 
</td></tr>
 
<tr>
 
<th>Wireless Security
 
</th><td> WPA2 Enterprise
 
</td></tr>
 
<tr>
 
<th>EAP Method
 
</th><td> TLS
 
</td></tr>
 
<tr>
 
<th>Key Type
 
</th><td>Automatic (Default)
 
</td></tr>
 
<tr>
 
<th>Phase2 Type
 
</th><td> None (Default)
 
</td></tr>
 
<tr>
 
<th>Identity
 
</th><td>''Your VT PID''
 
</td></tr>
 
<tr>
 
<th>Password
 
</th><td> ''empty''
 
</td></tr>
 
<tr>
 
<th>Client Certificate File
 
</th><td> (None)
 
</td></tr>
 
<tr>
 
<th>CA Certificate File
 
</th><td> (None)
 
</td></tr>
 
<tr>
 
<th>Private Key File
 
</th><td> netcert-1.p12 <br />(the certificate downloaded<br />from VT NetCert)
 
</td></tr>
 
<tr>
 
<th>Private Key Password
 
</th><td> ''netcertpasswd''
 
</td></tr></tbody></table>
 
==Connecting with wicd==
 
''The following instructions were written for wicd 1.6.2.2 on Ubuntu 9.10 Karmic Koala. If other versions or distributions have significantly different steps, please add those instructions or make a note of the need for them on [[VTLUUG Wiki:Wanted]].''
 
 
 
Wicd is an alternative to Network Manager. To install it on Debian-based systems, run <code>sudo apt-get install wicd</code>. Installing it will uninstall Network Manager, so make sure you already have your certificate downloaded. Unlike Network Manager, you do not need to convert the PKCS#12 certificate that CNS provides to a set of PEM certificates.
 
 
 
Open wicd, either from the tray icon or from Applications->Internet->Wicd Network Manager. Allow wicd to scan the wireless networks then check the "Automatically connect to this network" checkbox by the topmost VT-Wireless entry. (You do not need to check the boxes for every VT-Wireless entry. The screenshot below was made from a working configuration that automatically checked all of them.)
 
 
 
[[Image:wicd_1.6.2.2.png]]
 
 
 
Click the "Properties" button of the topmost VT-Wireless entry and enter the following information:
 
 
 
* Check the "Use these settings for all networks sharing this essid" box.
 
* Leave the "Use Encryption" box checked.
 
* Select EAP-TLS from the encryption type dropdown menu.
 
* Enter your PID into the "Identity" box.
 
* Enter the path to your private key into the "Private Key" box, i.e. <code>/home/user/netcert/netcert-1.p12</code>.
 
* Paste the certificate password into the "Private Key Password" box.
 
 
 
[[Image:wicd_1.6.2.2_properties.png]]
 
 
 
Click "OK" and your computer should be all setup to use VT-Wireless.
 
 
 
==Connecting by WPA Supplicant==
 
===Editing wpa_supplicant.conf===
 
Add the following to your <tt>/etc/wpa_supplicant.conf</tt> file (if no file exists, create it):
 
 
 
<pre>network={
 
    ssid="VT-Wireless"
 
    key_mgmt=WPA-EAP
 
    eap=TLS
 
    identity="PID"
 
    private_key="/PATH/TO/NETCERT.p12"
 
    private_key_passwd="PASSWORD"
 
}
 
</pre>
 
Replace PID with your actual PID (without any trailing @vt.edu),
 
/PATH/TO/NETCERT.p12 with the actual path to your certificate (you can
 
store it in /etc) and PASSWORD with the certificate password given to
 
you when you downloaded the certificate. Note the certificate used here
 
should be the original one you downloaded. Reformatting the certificate
 
is only necessary for NetworkManager 0.7.
 
 
 
===Running WPA Supplicant===
 
====Ubuntu====
 
In Ubuntu, make sure to shut down NetworkManager with:
 
 
 
<pre>sudo /etc/init.d/NetworkManager stop
 
</pre>
 
Next, issue the following command:
 
 
 
<pre>sudo wpa_supplicant -B -i wlan0 -D wext -c /etc/wpa_supplicant.conf
 
</pre>
 
Confirm that you are associated with VT-Wireless
 
 
 
<pre>sudo iwconfig INTERFACE
 
</pre>
 
where <tt>INTERFACE</tt> is your wireless card's device interface. Usually this is <tt>wlan0</tt> but depending on udev and perhaps other system features, it might appear as ath0, eth1 or something else. Run <tt>sudo ifconfig -a</tt> to see all your interfaces listed.
 
You should see the words <tt>Access Point:</tt> followed by a MAC address (e.g., <tt>00:0F:23:EA:4A:01</tt>). If instead you see <tt>Access Point: not associated</tt>. Try the command again. If that still fails, bring down the interface and bring it back up
 
 
 
<pre>sudo ifconfig INTERFACE down
 
sudo ifconfig INTERFACE up
 
</pre>
 
and re-issue the <tt>wpa_supplicant</tt> command.
 
Next, obtain an IP address. In Ubuntu, this is done with
 
 
 
<pre>sudo dhclient INTERFACE
 
</pre>
 
If all goes well, you'll obtain an IP address. Otherwise, you'll receive a timeout for your DHCP request.
 
 
 
====Gentoo====
 
If you're already using wpa_supplicant, just restart your interface:
 
 
 
<pre># /etc/init.d/wlan0 restart
 
</pre>
 
This should connect you.
 
If you're not using wpa_supplicant, you'll need to migrate from
 
Wireless Tools to it in order to speak WPA and 802.1X to the
 
VT-Wireless network. Refer to the [http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&amp;chap=4#doc_chap2 Gentoo documentation] for a step-by-step guide to setting up WPA Supplicant.
 
 
 
=VT_WLAN=
 
VT_WLAN service is available in approximately 90% of academic and
 
administrative spaces across the Blacksburg campus. This wireless
 
network is composed of unencrypted IEEE 802.11g access nodes. To limit
 
access to faculty and staff, VT Communications Network Services uses a Cisco captive portal. They switched from Bluesocket during the summer of 2009. You have to register for [http://www.cns.vt.edu/html/wireless/wlan/registration.html Customer OnLine Access (COLA)] or in person at the Student Telecommunications Office to enable your account.
 
 
 
==Authentication==
 
The captive portal system will hijack the URL you first try to visit. Due to the nature of [[w:SSL|SSL]], https connections cannot be directed to the login page and will time out.
 
Type in your PID and password to be granted access.
 
 
 
==Logging in from the Command Line==
 
You can use CURL to log in from the command line or automate this (or any) web-based process. VTLUUG members previously provided scripts for the Bluesocket authentication, but due to the improvements that VT-Wireless brings, noone has bothered to write a new script for the Cisco captive portal.
 
 
 
==Some Technical Details==
 
The access points force SSL and are all signed by the Thawte Premium Server CA. The routers are named:
 
* bur-agw-2.cns.vt.edu
 
* bur-agw-3.cns.vt.edu
 
* cas-agw-?.cns.vt.edu
 
* hil-agw-?.cns.vt.edu
 
* isb-agw-?.cns.vt.edu
 
* owe-agw-1.cns.vt.edu
 
* sha-agw-1.cns.vt.edu
 
 
 
Some other details:
 
* Generally, in order to minimize congestion, connectivity is spread across multiple channels.
 
* No MAC-based authentication is performed.
 
* DHCP is independent of the captive portal authentication and occurs first.
 
* You can ping without logging in.
 
* All wireless networks (including the .1x networks) on campus now use [[rfc:1918|RFC-1918]] addresses from the 172.31.0.0/16 network. These are
 
translated with NAT into 198.82.x.x addresses for access outside the wireless network.
 
* All of the .1x wireless networks support IPv6.  Some of the VT_WLAN networks support IPv6. [Is IPv6 now deployed everywhere?]
 
* You can access certain [all?] VT sites like [http://www.cns.vt.edu/ CNS] without having to authenticate.
 
 
 
=Network Information Sources=
 
<ul><li> [http://www.cns.vt.edu/html/wireless/wlan/index.html Communications Network Services: Wireless LAN]
 
</li><li> [http://computing.vt.edu/internet_and_web/internet_access/ipaddresses.html Virginia Tech IP Addresses]
 
</li></ul>
 
 
 
[[Category:Howtos]]
 
[[Category:Campus computing resources]]
 

Latest revision as of 06:47, 4 January 2019

Redirect to: