=Introduction=

''(The current revision of this page is a redirect to [[Virginia Tech Wifi]]; the text below is the last full revision.)''
Since the 2008-2009 school year, there have been two options for connecting to the Virginia Tech network by wireless card. One network, called '''VT-Wireless''', is a WPA2 Enterprise network that authenticates clients with EAP-TLS (a personal client certificate). The other network, called '''VT_WLAN''', is an unencrypted wireless network behind a captive portal.

Connections to VT-Wireless are encrypted and, once set up, require no user interaction to authenticate, but the setup involves a number of steps. In contrast, connecting to the unsecured VT_WLAN network takes almost no setup, but you must authenticate manually each time you connect, and anything you send over it can be read by anyone in radio range unless the application itself encrypts it. [''NOTE: see [[#VT_WLAN_Auto_Login|below]] for scripts that automate authentication to VT_WLAN.'']

The table below summarizes the advantages and disadvantages of connecting to the two wireless LANs.

<table style="text-align: center;" align="center" border="1" cellpadding="10">
<tbody>
<tr><td></td><th>VT-Wireless</th><th>VT_WLAN</th></tr>
<tr><th>Secure (Encrypted)<br /> Connection</th><td> yes </td><td> no </td></tr>
<tr><th>Setup</th><td> involved </td><td> trivial </td></tr>
<tr><th>Authentication</th><td> automatic </td><td> manual ([[#VT_WLAN_Auto_Login|*]]) </td></tr>
</tbody></table>

=VT-Wireless=

The VT-Wireless network is a WPA2 Enterprise (802.1X) network. Authentication uses EAP-TLS: instead of a password, each client presents a personal certificate issued by CNS, and the wireless link is encrypted with session keys derived from that TLS handshake.

==Obtaining the VT-Wireless Certificate==

Regardless of what program you use to make your connection, you will need to [https://netcert.cns.vt.edu/netcert/ obtain your p12 certificate and password from CNS]. Complete the form and download the p12 certificate file. Write down the certificate password and store it some place where you can find it again; you will need it when setting up your connection to VT-Wireless. The p12 file contains your private key, so keep it readable only by your own account (for example <tt>chmod 600 netcert-1.p12</tt>).

===Connecting by NetworkManager===

The setup for NetworkManager depends on your version of the software. Please follow the instructions appropriate to your version below.

In GNOME, you can right-click the NetworkManager applet icon in the panel and select "About" to find the version of NetworkManager. Ubuntu users: version 0.6 ships with 8.04 Hardy Heron, and 0.7 ships with 8.10 Intrepid Ibex.

====NetworkManager 0.7====

=====Converting the certificate to PEM certificates and keys=====

['''NOTE:''' The following steps are only necessary to use NetworkManager 0.7. NetworkManager 0.6 has a [[#NetworkManager_0.6|more straightforward setup]] and wpa_supplicant works pretty much [[#Connecting_by_WPA_Supplicant|out of the box]] as well.]

You will need to convert the p12 certificate into PEM format. We will assume your downloaded p12 file is called '''<tt>netcert-1.p12</tt>''' and that its password is '''''netcertpasswd'''''.

Open a terminal and <tt>cd</tt> to the directory that contains your p12 file. Then issue the following commands:

<pre>openssl pkcs12 -in netcert-1.p12 -out vt_client_cert.pem -clcerts -nokeys
openssl pkcs12 -in netcert-1.p12 -out vt_private_key.pem -nocerts
</pre>

In each step, you will be prompted for the import password (''netcertpasswd'') that you were issued along with your p12 certificate. Additionally, in the second step, where you extract your private key, you will be asked to choose a PEM pass phrase for the new key file. Enter the same password that came with your p12 file, since that is what you will later give NetworkManager as the private key password. The extracted key file is as sensitive as the p12 itself; make it readable only by you (<tt>chmod 600 vt_private_key.pem</tt>).

'''Sources'''

<ul><li> [http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup]
</li></ul>

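The conversion above as a script, added here as an example (it is not part of the original page): it runs the same two <tt>openssl pkcs12</tt> commands, but hands the password to openssl through an environment variable instead of typing it on a command line, creates the key file with a restrictive umask, and then checks that the extracted certificate actually belongs to the extracted key and is not about to expire. It assumes a working <tt>openssl</tt> binary; the file names follow the page, and the script name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the VTLUUG page): NetworkManager 0.7 p12 -> PEM conversion
# with checks. Assumes `openssl` is installed. File names follow the page
# (netcert-1.p12 -> vt_client_cert.pem, vt_private_key.pem). The password is passed
# with -passin env:... so it never appears in `ps` output or shell history.

# p12_to_pem P12FILE PASSWORD OUTDIR
# Extracts the client certificate and the (still password-protected) private key.
# Runs under umask 077 so the key file is created readable by the owner only.
p12_to_pem() {
    (
        umask 077
        NETCERT_PASS="$2"; export NETCERT_PASS
        openssl pkcs12 -in "$1" -passin env:NETCERT_PASS -clcerts -nokeys \
            -out "$3/vt_client_cert.pem" &&
        openssl pkcs12 -in "$1" -passin env:NETCERT_PASS -nocerts \
            -passout env:NETCERT_PASS -out "$3/vt_private_key.pem"
    ) >/dev/null 2>&1
}

# cert_matches_key CERTFILE KEYFILE [PASSWORD]
# Succeeds only if the certificate's public key is the public half of KEYFILE.
# Catches pointing the NetworkManager dialog at a stale key or the wrong p12.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    if [ -n "$3" ]; then
        k=$(KEY_PASS="$3" openssl pkey -in "$2" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    else
        k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    fi
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for_days CERTFILE DAYS
# Fails if the certificate expires within DAYS days; an expired NetCert
# certificate simply stops authenticating with no helpful error in the applet.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Usage (script name and destination directory are assumptions):
#   NETCERT_PASS=netcertpasswd ./netcert2pem.sh netcert-1.p12 "$HOME/.vtwireless"
if [ "${1:-}" ] && [ "${2:-}" ]; then
    p12_to_pem "$1" "${NETCERT_PASS:?set NETCERT_PASS to the p12 password}" "$2" \
        || { echo "conversion failed (wrong password or unreadable p12?)" >&2; exit 1; }
    cert_matches_key "$2/vt_client_cert.pem" "$2/vt_private_key.pem" "$NETCERT_PASS" \
        || { echo "certificate and key do not match" >&2; exit 1; }
    cert_valid_for_days "$2/vt_client_cert.pem" 30 \
        || echo "warning: certificate expires within 30 days; request a new one" >&2
    echo "wrote $2/vt_client_cert.pem and $2/vt_private_key.pem"
fi
```

Point the NetworkManager "User Certificate" and "Private Key" fields at the two files it writes; the "Private Key Password" is the same ''netcertpasswd''.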
===== Make sure you have the CA Certificate =====

Next, you will need to make sure you have the Thawte Premium Server CA certificate, which NetworkManager will use to verify the VT-Wireless authentication server. In Ubuntu, you should find this certificate as <tt>/etc/ssl/certs/Thawte_Premium_Server_CA.pem</tt>. If you can't find the certificate, you can copy the text below and paste it into a new file of the same name. Do not leave the CA certificate out: without one, the client accepts whatever certificate the server offers, and a rogue access point could pose as VT-Wireless.

<pre>-----BEGIN CERTIFICATE-----
MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMC
WkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3du
MR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2Vy
dGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3Rl
IFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl
cnZlckB0aGF3dGUuY29tMB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1
OVowgc4xCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQ
BgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENvbnN1bHRpbmcg
Y2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24x
ITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBDQTEoMCYGCSqGSIb3
DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkEVdbQ7xwblRZH7xhI
NTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQug2SBhRz1JPL
lyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMRuHM/qgeN
9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
AQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZ
a4JMpAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcU
Qg==
-----END CERTIFICATE-----
</pre>

Left-click the NetworkManager applet and select the VT-Wireless network.

[[Image:Nm_choose_wireless.png]]

You will see a prompt to configure the connection. First, from the Authentication drop-down menu, select TLS.

[[Image:Nm_choose_tls.png]]

Next, fill in the rest of the options:

[[Image:Nm_vt_wireless_options.png]]

<table align="center" border="1" cellpadding="5">
<tbody>
<tr><th>Field </th><th> Value</th></tr>
<tr><th>SSID</th><td>VT-Wireless</td></tr>
<tr><th>Wireless Security</th><td> WPA &amp; WPA2 Enterprise</td></tr>
<tr><th>Authentication</th><td> TLS</td></tr>
<tr><th>Identity</th><td>''Your VT PID''</td></tr>
<tr><th>User Certificate</th><td> /path/to/vt_client_cert.pem</td></tr>
<tr><th>CA Certificate</th><td> /etc/ssl/certs/Thawte_Premium_Server_CA.pem</td></tr>
<tr><th>Private Key</th><td> /path/to/vt_private_key.pem</td></tr>
<tr><th>Private Key Password</th><td> ''netcertpasswd''</td></tr>
</tbody></table>

Click "Connect" and you should connect to the VT-Wireless network.

====NetworkManager 0.6====

Left-click the NetworkManager applet and select VT-Wireless. You will be prompted to enter information about the connection. Here are the entries you should use:

<table align="center" border="1" cellpadding="5">
<tbody>
<tr><th>Field </th><th> Value</th></tr>
<tr><th>SSID</th><td>VT-Wireless</td></tr>
<tr><th>Wireless Security</th><td> WPA2 Enterprise</td></tr>
<tr><th>EAP Method</th><td> TLS</td></tr>
<tr><th>Key Type</th><td>Automatic (Default)</td></tr>
<tr><th>Phase2 Type</th><td> None (Default)</td></tr>
<tr><th>Identity</th><td>''Your VT PID''</td></tr>
<tr><th>Password</th><td> ''empty''</td></tr>
<tr><th>Client Certificate File</th><td> (None)</td></tr>
<tr><th>CA Certificate File</th><td> (None)</td></tr>
<tr><th>Private Key File</th><td> netcert-1.p12 <br />(the certificate downloaded<br />from VT NetCert)</td></tr>
<tr><th>Private Key Password</th><td> ''netcertpasswd''</td></tr>
</tbody></table>

The p12 file carries both your private key and your client certificate, which is why "Client Certificate File" can be left empty. Leaving "CA Certificate File" empty, however, means the server's certificate is not checked at all (NetworkManager 0.6 hands these settings to wpa_supplicant, which skips server verification when no CA certificate is configured). If your version offers the field, point it at <tt>/etc/ssl/certs/Thawte_Premium_Server_CA.pem</tt> as in the 0.7 setup.

==Connecting by wicd==

Wicd is an alternative to NetworkManager and is used on many lightweight systems, since it has few dependencies and drives your system's own ifconfig/iwconfig commands. It is still under active development but is more than stable enough for everyday use. Also, NetworkManager has a tendency to disconnect every 10 minutes for about 20 seconds and then automatically reconnect. Not a show stopper, but it could be annoying during a web-based assignment.

Instead of EAP-TLS, we will be using PEAP. This is a different EAP authentication method, not a different encryption scheme: the client checks the server's certificate, opens a TLS tunnel to it, and sends your PID and password (MSCHAPv2) inside that tunnel. It is much simpler to set up than TLS because no client certificate is needed. I will also try setting up NetworkManager with this method later...

OK, do you have a VPN password? If not, follow these instructions for setting up your remote VPN login account [http://answers.vt.edu/kb/entry/2846/ [1]].

Next you need to locate the copy of Thawte_Premium_Server_CA.pem on your system. For me it was in:

<pre>/etc/ssl/certs/
</pre>

After diligently locating this file, open up wicd. Click "Scan" to make sure your list of networks is up to date. Next click the "Properties" button next to the VT-Wireless entry at the top of the list (any one is fine, really). Make sure there is a check in both "Use these settings for all networks sharing this essid" and "Use encryption". Next, in the drop-down box right below, choose "PEAP with TKIP/MSCHAPV2". This will present you with "Identity", "Password", and "Path to CA Cert" text boxes.

<pre>Identity: <Your PID>
Password: <The one you set up earlier for VPN access>
Path to CA Cert: <something like /etc/ssl/certs/Thawte_Premium_Server_CA.pem>
</pre>

Then just click OK. The CA Cert path is not optional from a security standpoint: with PEAP/MSCHAPv2, the only thing that stops a rogue access point from collecting your PID and an offline-crackable MSCHAPv2 response for your password is the client's check that the server certificate chains to that CA.

<ul><li>Note: wicd will "star" out your identity and the path to the CA Cert fields, so don't be alarmed when your ID and the path to the CA Cert get transformed automatically to * when you click away from the text box.
</li><li>Note: This method works for connecting iPhone(s)/iPod Touch(s).
</li></ul>
<ul><li>These instructions are based on my own personal setup:
</li></ul>
<pre>Eee PC 901
Ralink rt2860 (staging driver in kernel)
ArchLinux
Xfce 4.6
wicd 1.6.2
kernel 2.6.30
</pre>

==Connecting by WPA Supplicant==

===Editing wpa_supplicant.conf===

Add the following to your <tt>/etc/wpa_supplicant.conf</tt> file (if no file exists, create it):

<pre>network={
    ssid="VT-Wireless"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="PID"
    ca_cert="/etc/ssl/certs/Thawte_Premium_Server_CA.pem"
    private_key="/PATH/TO/NETCERT.p12"
    private_key_passwd="PASSWORD"
}
</pre>

Replace PID with your actual PID (without any trailing @vt.edu), /PATH/TO/NETCERT.p12 with the actual path to your certificate (you can store it in /etc) and PASSWORD with the certificate password given to you when you downloaded the certificate. Note the certificate used here should be the original one you downloaded: a p12 file carries both the private key and the client certificate, so wpa_supplicant needs no separate <tt>client_cert</tt> line, and reformatting the certificate is only necessary for NetworkManager 0.7. The <tt>ca_cert</tt> line makes wpa_supplicant verify the authentication server's certificate; without it, wpa_supplicant accepts any server certificate. Since this file holds your key password in plain text, make it readable only by root (<tt>chmod 600 /etc/wpa_supplicant.conf</tt>).

===Running WPA Supplicant===

====Ubuntu====

In Ubuntu, make sure to shut down NetworkManager with:

<pre>sudo /etc/init.d/NetworkManager stop
</pre>

Next, issue the following command:

<pre>sudo wpa_supplicant -B -i wlan0 -D wext -c /etc/wpa_supplicant.conf
</pre>

Confirm that you are associated with VT-Wireless:

<pre>sudo iwconfig INTERFACE
</pre>

where <tt>INTERFACE</tt> is your wireless card's device interface. Usually this is <tt>wlan0</tt> (if it is not, substitute your interface for <tt>wlan0</tt> in the <tt>wpa_supplicant</tt> command as well), but depending on udev and perhaps other system features, it might appear as ath0, eth1 or something else. Run <tt>sudo ifconfig -a</tt> to see all your interfaces listed.

You should see the words <tt>Access Point:</tt> followed by a MAC address (e.g., <tt>00:0F:23:EA:4A:01</tt>). If instead you see <tt>Access Point: Not-Associated</tt>, try the command again. If that still fails, bring down the interface and bring it back up

<pre>sudo ifconfig INTERFACE down
sudo ifconfig INTERFACE up
</pre>

and re-issue the <tt>wpa_supplicant</tt> command. If it keeps failing, run <tt>wpa_supplicant</tt> in the foreground without <tt>-B</tt> and with <tt>-d</tt>; the log shows the EAP-TLS exchange and names the failing step (for example a rejected server certificate or a wrong private key password).

Next, obtain an IP address. In Ubuntu, this is done with

<pre>sudo dhclient INTERFACE
</pre>

If all goes well, you'll obtain an IP address. Otherwise, you'll receive a timeout for your DHCP request.

====Gentoo====

If you're already using wpa_supplicant, just restart your interface:

<pre># /etc/init.d/net.wlan0 restart
</pre>

This should connect you.

If you're not using wpa_supplicant, you'll need to migrate from Wireless Tools to it in order to speak WPA and 802.1X to the VT-Wireless network. Refer to the [http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&chap=4#doc_chap2 Gentoo documentation] for a step-by-step guide to setting up WPA Supplicant.

=VT_WLAN=

VT_WLAN service is available in approximately 90% of academic and administrative spaces across the Blacksburg campus. This wireless network is composed of unencrypted IEEE 802.11g access points. To limit access to authorized users, VT Communications Network Services uses a captive-portal authentication gateway from Bluesocket. You have to register for [http://www.cns.vt.edu/html/wireless/wlan/registration.html Customer OnLine Access (COLA)] or in person at the Student Telecommunications Office to enable your account.

==Authentication==

The Bluesocket gateway will automatically redirect you to the login page (or, in some cases, intercept the URL you are trying to visit, possibly cache related; because the gateway's certificate is not the one for the site you asked for, this produces SSL certificate warnings). Simply type in your PID and password to be granted access. Only the login page itself is protected by SSL: once you are through the portal, your traffic on VT_WLAN is unencrypted over the air.

==Logging in from the Command Line==

You can use curl to log in from the command line or automate the process. The login form posts your PID, your password and your client IP address (<tt>source</tt>) to <tt>login.pl</tt> on whichever Bluesocket gateway is your default route:

<pre>curl -d which_form=reg -d _FORM_SUBMIT=1 -d bs_name=YOUR_PID -d bs_password=YOUR_PASSWORD \
    -d source=`/sbin/ifconfig eth1 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'` \
    https://`/sbin/route | grep -Eo '(bur|cas|hil|isb|owe|sha)-agw-[123]'`.cns.vt.edu/login.pl</pre>

Replace <tt>eth1</tt> with the name of your wireless interface. Here is a modified version of the above script so you do not have to store your user name and password in the script itself. Save it to a file, <tt>chmod +x the_file</tt>, then run it like so: <tt>./the_file USER PASS</tt>. Note: by doing this, the command you use (with your username and password) will be stored in ~/.bash_history, and while curl runs the password is visible to every user on the machine in the output of <tt>ps</tt>. You might wish to delete that file (or edit it).

<pre>#!/bin/bash
curl -d which_form=reg -d _FORM_SUBMIT=1 -d bs_name="$1" -d bs_password="$2" \
    -d source=`/sbin/ifconfig eth1 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'` \
    https://`/sbin/route | grep -Eo '(bur|cas|hil|isb|owe|sha)-agw-[123]'`.cns.vt.edu/login.pl</pre>

Depending on the characters in your password, you may need to quote it to prevent shell expansion, i.e. <tt>bs_password='MY!$?*PASSWORD'</tt> (in the script, <tt>"$2"</tt> is already quoted). <tt>-d</tt> sends the value as-is, so a password containing <tt>&amp;</tt>, <tt>+</tt> or <tt>%</tt> will be misread by the form; use <tt>--data-urlencode bs_password=...</tt> instead for those. ifconfig and route are located in /sbin and therefore generally not in the $PATH of a normal user; you should still be able to run them by full path, as the commands above do.

==VT_WLAN Auto Login==

Although now antiquated, the following entry put in /etc/conf.d/wireless on a Gentoo machine using Wireless Tools would insecurely but automatically sign in to VT_WLAN.

<pre>postup() {
    if [[ ${IFACE} = "wlan0" ]]; then
        ROUTER="$(/sbin/route | grep -Eo '(bur|cas|hil|isb|owe|sha)-agw-[123]')"

        if [[ ! "x${ROUTER}" = "x" ]] ; then
            IP="$(/sbin/ifconfig ${IFACE} | grep 'inet addr:' | cut -d: -f2 \
                | awk '{ print $1}')"

            curl -k -f -s -d which_form=reg -d _FORM_SUBMIT=1 \
                -d bs_name=PID \
                -d bs_password=PASSWORD \
                -d source=${IP} \
                https://${ROUTER}.cns.vt.edu/login.pl
            return $?
        fi
    fi
    return 0
}</pre>

PID and PASSWORD should of course be your PID and password. This setup is only really suitable for a single-user machine like a laptop. To very slightly improve security you should <tt>chmod a-r /etc/conf.d/wireless</tt> (the file is read by root, which ignores the mode bits, so this only keeps other users out). This script does not authenticate the access point: <tt>-k</tt> tells curl to accept any certificate, so a rogue access point whose gateway name matches the pattern would receive your password. Dropping <tt>-k</tt> and passing <tt>--cacert /etc/ssl/certs/Thawte_Premium_Server_CA.pem</tt> makes curl verify the gateway, but the password would still be stored in plain text on disk and posted every time the interface comes up. Using [[#VT-Wireless|VT-Wireless]] rather than this script to automate login is highly recommended. If you insist on ugly hacks then you could perhaps look into using the [http://www.vtluug.org/wiki/index.php?title=VT_VPN VPN] on top of VT_WLAN.

==Some Technical Details==

The login gateways force SSL, and their certificates are all signed by the Thawte Premium Server CA. The gateways are named:

<ul><li> bur-agw-2.cns.vt.edu
</li><li> bur-agw-3.cns.vt.edu
</li><li> cas-agw-?.cns.vt.edu
</li><li> hil-agw-?.cns.vt.edu
</li><li> isb-agw-?.cns.vt.edu
</li><li> owe-agw-1.cns.vt.edu
</li><li> sha-agw-1.cns.vt.edu
</li></ul>

Generally, in order to minimize congestion, connectivity is spread across multiple channels. Channel 11 seems to be the busiest.

No MAC-based authentication is performed.

DHCP is independent of the Bluesocket authentication and occurs first.

All wireless networks (including the 802.1X networks) on campus now use RFC 1918 addresses from the 172.31.0.0/16 network. These are translated with NAT into 198.82.x.x addresses for access outside the wireless network.

All of the 802.1X wireless networks support IPv6. Some of the VT_WLAN networks support IPv6.

You can access certain VT sites like [http://www.cns.vt.edu/ CNS] without having to authenticate.

=Network Information Sources=

<ul><li> [http://www.cns.vt.edu/html/wireless/wlan/index.html Communications Network Services: Wireless LAN]
</li><li> [http://computing.vt.edu/internet_and_web/internet_access/ipaddresses.html Virginia Tech IP Addresses]
</li></ul>