|
|
(33 intermediate revisions by 10 users not shown) |
Line 1: |
Line 1: |
− | Since the fall of 2008, there have been two wireless networks on campus. One network, called '''VT-Wireless''', encrypts all traffic and is secured with EAP-TLS or PEAP-MSCHAPv2. The other network, [[VT_WLAN]], is an unencrypted, captive portal wireless network. While connections to VT-Wireless are secure by default, and require no user authentication once set up, the EAP-TLS setup has a number of steps. In contrast, setup for VT_WLAN network is negligible, but you will be required to manually authenticate each time you connect (although this can be scripted), and your traffic will be readable to everyone.
| + | #REDIRECT [[Virginia Tech Wifi]] |
− | | |
− | {| border="1"
| |
− | |-
| |
− | ! Network
| |
− | ! Security
| |
− | ! Setup
| |
− | ! Support
| |
− | |-
| |
− | | VT-Wireless
| |
− | | Strongest ([[w:Extensible Authentication Protocol#EAP-TLS|EAP-TLS]])
| |
− | | Involved
| |
− | | Most laptops, not all mobile devices
| |
− | |-
| |
− | | VT-Wireless
| |
− | | Unknown ([[w:Extensible Authentication Protocol#PEAPv0/EAP-MSCHAPv2|PEAPv0/EAP-MSCHAPv2]])
| |
− | | Simple
| |
− | | Most devices, including mobile devices
| |
− | |-
| |
− | | [[VT_WLAN]]
| |
− | | Weak ([[w:Captive portal|Captive portal]])
| |
− | | Negligible
| |
− | | All devices
| |
− | |}
| |
− | | |
− | =PEAP-MSCHAPv2=
| |
− | * Set your remote passphrase by going to [https://my.vt.edu my.vt.edu]->Settings->Remote Passphrase.
| |
− | * In your wireless configuration program, select VT-Wireless.
| |
− | * Choose PEAP as the EAP type.
| |
− | * Choose MSCHAPv2 as the authentication method.
| |
− | * Use your PID and remote passphrase as your login credentials.
| |
− | | |
− | Add the following lines to /etc/wpa_supplicant.conf
| |
− | | |
− | network={
| |
− | ssid="VT-Wireless"
| |
− | proto=WPA2
| |
− | key_mgmt=WPA-EAP
| |
− | eap=PEAP
| |
− | phase2="auth=MSCHAPV2"
| |
− | identity="your PID"
| |
− | password="your passphrase"
| |
− | priority=10
| |
− | }
| |
− | | |
− | =EAP-TLS=
| |
− | The setup for EAP-TLS involves downloading a passworded personal certificate and making sure a copy of the certificate authority's signing certificate is on your computer. Some network managers, such as NetworkManager, require an extra step of converting the personal certificate to a different format.
| |
− | | |
− | ==Obtaining the VT-Wireless Certificate==
| |
− | Regardless of what program you use to make your connection, you will need to [https://netcert.cns.vt.edu/netcert/ obtain your p12 certificate and password from CNS]. Complete the form and download the p12 certificate file. Save the certificate password permanently and copy it for immediate use. You will need it in setting up your connection to VT-Wireless.
| |
− | | |
− | ===Checking for the CA Certificate===
| |
− | Next, you will need to make sure you have the Thawte Premium Server Certificate Authority (CA) certificate. In Ubuntu, you should be able to find this certificate at <code>/etc/ssl/certs/Thawte_Premium_Server_CA.pem</code>. If you can't find the certificate on your system, you can copy the text below and paste it into a new file of the same name.
| |
− | | |
− | <pre>
| |
− | -----BEGIN CERTIFICATE-----
| |
− | MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMC
| |
− | WkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3du
| |
− | MR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2Vy
| |
− | dGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3Rl
| |
− | IFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl
| |
− | cnZlckB0aGF3dGUuY29tMB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1
| |
− | OVowgc4xCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQ
| |
− | BgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENvbnN1bHRpbmcg
| |
− | Y2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24x
| |
− | ITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBDQTEoMCYGCSqGSIb3
| |
− | DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0B
| |
− | AQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkEVdbQ7xwblRZH7xhI
| |
− | NTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQug2SBhRz1JPL
| |
− | lyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMRuHM/qgeN
| |
− | 9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
| |
− | AQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
| |
− | hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZ
| |
− | a4JMpAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcU
| |
− | Qg==
| |
− | -----END CERTIFICATE-----
| |
− | </pre>
| |
− | | |
− | ==Choosing a Network Manager==
| |
− | [[w:NetworkManager|NetworkManager]] is installed by default on Ubuntu and Fedora. As of fall 2009, NetworkManager does not support the PKCS#12 format certificates that CNS provide out of the box. For Android devices running 2.2 and newer, please refer to the [[Android#Android 2.2 (EAP-TLS)|Android EAP-TLS]] instructions. Android's network manager does not need the certificate to be converted. Converting the certificate requires some work, but the steps are outlined below. If you don't rely on NetworkManager for other kinds of connections like mobile broadband or [[Proxies and VPN|VPN]], or are having problems with NetworkManager, use Wicd as a graphical connection manager instead. If you don't want or need a graphical interface, a WPA Supplicant configuration is also described below.
| |
− | | |
− | ===Connecting by NetworkManager===
| |
− | The setup for NetworkManager depends on your version of the software. Please follow the instructions appropriate to your version below. In GNOME, you can right-click the NetworkManager applet icon in the panel and select "About" to find the version of NetworkManager.
| |
− | | |
− | Ubuntu users: Version 0.6 ships with 8.04 Hardy Heron, 0.7 ships with 8.10 Intrepid Ibex and 9.04 Jaunty Jackalope, and 0.8 ships with 9.10 Karmic Koala.
| |
− | | |
− | ====NetworkManager 0.7 and 0.8====
| |
− | ====Converting the certificate to PEM certificates and keys====
| |
− | '''NOTE:''' The following steps are only necessary to use NetworkManager 0.7 and 0.8. NetworkManager 0.6 has a [[#NetworkManager_0.6 | more straightforward setup]]
| |
− | | |
− | You will need to convert the PKCS#12 (.p12) certificate into PEM formats. We will assume your downloaded p12 file is called <code>netcert-1.p12</code> and that its password is <code>netcertpasswd</code>.
| |
− | Open a terminal and <code>cd</code> to the directory that contains your .p12 file. Then issue the following commands:
| |
− | | |
− | <pre>
| |
− | openssl pkcs12 -in netcert-1.p12 -out vt_client_cert.pem -clcerts -nokeys
| |
− | openssl pkcs12 -in netcert-1.p12 -out vt_private_key.pem -nocerts
| |
− | </pre>
| |
− | | |
− | In each step, you will be prompted for the password (<code>netcertpasswd</code>) that you were issued along with your .p12 certificate. Right click and paste it in or press <code>ctrl+shift+v</code> if you're using the GNOME Terminal. Additionally, in the final step where you generate your private key, you will be asked to enter a password. Paste in same password.
| |
− | | |
− | '''Sources'''
| |
− | | |
− | * [http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup WPA2 EAP/TLS Linux client setup]
| |
− | | |
− | Left-click the NetworkManager applet and select the VT-Wireless network.
| |
− | | |
− | <!--<a href="http://www.vtluug.org/wiki/index.php?title=Image:Nm_choose_wireless.png" class="image" title="Image:nm_choose_wireless.png"><img alt="Image:nm_choose_wireless.png" src="VT-Wireless_files/Nm_choose_wireless.html" height="255" width="313" border="0"></a>-->
| |
− | | |
− | You will see a prompt to configure the connection. First, from the Authentication drop-down menu, select TLS.
| |
− | | |
− | <!--<a href="http://www.vtluug.org/wiki/index.php?title=Image:Nm_choose_tls.png" class="image" title="Image:nm_choose_tls.png"><img alt="Image:nm_choose_tls.png" src="VT-Wireless_files/Nm_choose_tls.html" height="466" width="494" border="0"></a>-->
| |
− | | |
− | Next, fill in the rest of the options:
| |
− | | |
− | <!--<a href="http://www.vtluug.org/wiki/index.php?title=Image:Nm_vt_wireless_options.png" class="image" title="Image:nm_vt_wireless_options.png"><img alt="Image:nm_vt_wireless_options.png" src="VT-Wireless_files/Nm_vt_wireless_options.html" height="466" width="494" border="0"></a>-->
| |
− | | |
− | <table align="center" border="1" cellpadding="5">
| |
− | | |
− | <tr>
| |
− | <th>Field </th><th> Value
| |
− | </th></tr>
| |
− | <tr>
| |
− | <th>SSID
| |
− | </th><td>VT-Wireless
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Wireless Security
| |
− | </th><td> WPA & WPA2 Enterprise
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Authentication
| |
− | </th><td> TLS
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Identity
| |
− | </th><td>''Your VT PID''
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>User Certificate
| |
− | </th><td> /path/to/vt_client_cert.pem
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>CA Certificate
| |
− | </th><td> /etc/ssl/certs/Thawte_Premium_Server_CA.pem
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Private Key
| |
− | </th><td> /path/to/vt_private_key.pem
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Private Key Password
| |
− | </th><td> ''netcertpasswd''
| |
− | </td></tr></table>
| |
− | Click "Connect" and you should connect to the VT-Wireless network.
| |
− | | |
− | ===NetworkManager 0.6===
| |
− | Left-click the NetworkManager applet and select VT-Wireless. You
| |
− | will be prompted to enter information about the connection. Here are
| |
− | the entries you should use:
| |
− | | |
− | <table align="center" border="1" cellpadding="5">
| |
− | | |
− | <tr>
| |
− | <th>Field </th><th> Value
| |
− | </th></tr>
| |
− | <tr>
| |
− | <th>SSID
| |
− | </th><td>VT-Wireless
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Wireless Security
| |
− | </th><td> WPA2 Enterprise
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>EAP Method
| |
− | </th><td> TLS
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Key Type
| |
− | </th><td>Automatic (Default)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Phase2 Type
| |
− | </th><td> None (Default)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Identity
| |
− | </th><td>''Your VT PID''
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Password
| |
− | </th><td> ''empty''
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Client Certificate File
| |
− | </th><td> (None)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>CA Certificate File
| |
− | </th><td> (None)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Private Key File
| |
− | </th><td> netcert-1.p12 <br />(the certificate downloaded<br />from VT NetCert)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Private Key Password
| |
− | </th><td> ''netcertpasswd''
| |
− | </td></tr></table>
| |
− | | |
− | ==Connecting with Wicd==
| |
− | {{Version|Wicd 1.7.x on Archlinux}}
| |
− | | |
− | Wicd is an alternative to NetworkManager. It has proven to be more reliable than NetworkManager for a number of users. Unlike NetworkManager, to use Wicd, you do not need to convert the PKCS#12 certificate that CNS provides to a set of PEM certificates. Also unlike NetworkManager, wicd does not have VPN or mobile-broadband support built in (yet, Q1 2011).
| |
− | | |
− | To install Wicd on Debian-based systems, run <code>sudo apt-get install wicd</code>. Installing it will uninstall NetworkManager.
| |
− | | |
− | To install wicd on Archlinux, run <code># pacman -S wicd</code>.
| |
− | | |
− | Also be sure to comment out any other network-management software you might have in /etc/rc.conf deamons array and add wicd (after dbus).
| |
− | | |
− | Before wicd can be used with VT-Wireless, you have to add a new template. These templates are stored in <code>/etc/wicd/encryption/templates/</code>
| |
− | | |
− | Here you will want to make a new file, called eap-tls-vt
| |
− | | |
− | and paste these contents into the file:
| |
− | | |
− | <code>
| |
− | name = eap-tls-vt
| |
− | author = stanner
| |
− | version = 1
| |
− | require identity *Identity private_key *Private_Key private_key_passwd *Private_Key_Password
| |
− | optional ca_cert *Path_to_CA_Cert
| |
− | | |
− | -----
| |
− | ctrl_interface=/var/run/wpa_supplicant
| |
− | network={
| |
− | ssid="$_ESSID"
| |
− | key_mgmt=WPA-EAP
| |
− | eap=TLS
| |
− | identity="$_IDENTITY"
| |
− | ca_cert="$_CA_CERT"
| |
− | private_key="$_PRIVATE_KEY"
| |
− | private_key_passwd="$_PRIVATE_KEY_PASSWD"
| |
− | }
| |
− | </code>
| |
− | | |
− | After saving this file, you will want to make sure you add your new template to the "active" list by adding "eap-tls-vt" to the bottom of <code>/etc/wicd/encryption/templates/active </code>
| |
− | | |
− | Now restart wicd by either restarting the service or by restarting your system.
| |
− | | |
− | Open Wicd, either by left clicking the tray icon or by selecting Applications->Internet->Wicd Network Manager. Allow Wicd to scan the wireless networks then check the "Automatically connect to this network" checkbox by the topmost VT-Wireless entry. (You do not need to check the boxes for every VT-Wireless entry. The screenshot below was made from a working configuration that automatically checked all of them.)
| |
− | | |
− | [[Image:wicd_1.6.2.2.png]]
| |
− | | |
− | Click the "Properties" button of the topmost VT-Wireless entry and enter the following information:
| |
− | | |
− | * Check the "Use these settings for all networks sharing this essid" box.
| |
− | * Leave the "Use Encryption" box checked.
| |
− | * Select eap-tls-vt from the encryption type dropdown menu.
| |
− | * Enter your PID into the "Identity" box.
| |
− | * Enter the path to your private key into the "Private Key" box, i.e. <code>/home/user/netcert/netcert-1.p12</code>.
| |
− | * Paste the certificate password into the "Private Key Password" box.
| |
− | * Enter the path to the CA Cert (if you have ca_certificates installed on your system,) <code>/etc/ssl/certs/Thawte_Premium_Server_CA.pem</code>
| |
− | | |
− | [[Image:wicd_1.6.2.2_properties.png]]
| |
− | | |
− | Click "OK" and your computer should be all setup to use VT-Wireless.
| |
− | | |
− | ==Connecting by WPA Supplicant==
| |
− | WPA Supplicant is the preferred method of connection to WPA-secured wireless networks without a graphical interface. It supports PKCS#12 certificates.
| |
− | | |
− | ===Editing wpa_supplicant.conf===
| |
− | Add the following to your <code>/etc/wpa_supplicant.conf</code> file (if no file exists, create it):
| |
− | | |
− | <pre>
| |
− | ctrl_interface=/var/run/wpa_supplicant
| |
− | eapol_version=1
| |
− | ap_scan=1
| |
− | fast_reauth=1
| |
− | network={
| |
− | ssid="VT-Wireless"
| |
− | key_mgmt=WPA-EAP
| |
− | eap=TLS
| |
− | identity="PID"
| |
− | private_key="/PATH/TO/NETCERT.p12"
| |
− | private_key_passwd="PASSWORD"
| |
− | }
| |
− | </pre>
| |
− | | |
− | Replace <code>PID</code> with your actual PID (without any trailing @vt.edu), <code>/PATH/TO/NETCERT.p12</code> with the actual path to your certificate (you can store it in /etc/netcert) and <code>PASSWORD</code> with the certificate password given to you when you downloaded the certificate. Note the certificate used here should be the original PKCS#12 file you downloaded. Reformatting the certificate is only necessary for NetworkManager.
| |
− | | |
− | ===Running WPA Supplicant===
| |
− | ====Ubuntu====
| |
− | In Ubuntu, make sure to shut down NetworkManager with:
| |
− | | |
− | <pre>
| |
− | $ sudo /etc/init.d/NetworkManager stop
| |
− | </pre>
| |
− | Next, issue the following command:
| |
− | | |
− | <pre>
| |
− | $ sudo wpa_supplicant -B -i wlan0 -D wext -c /etc/wpa_supplicant.conf
| |
− | </pre>
| |
− | Confirm that you are associated with VT-Wireless
| |
− | | |
− | <pre>
| |
− | $ sudo iwconfig INTERFACE
| |
− | </pre>
| |
− | | |
− | where <code>INTERFACE</code> is your wireless card's device interface. Usually this is <code>wlan0</code> but depending on udev and perhaps other system features, it might appear as ath0, eth1 or something else. Run <code>sudo ifconfig -a</code> to see all your interfaces listed.
| |
− | If you have properly connected, you should see <code>Access Point:</code> followed by a MAC address (e.g., <code>00:0F:23:EA:4A:01</code>). If instead you see <code>Access Point: not associated</code>, try the command again. If it still fails after a couple of seconds, bring down the interface and bring it back up:
| |
− | | |
− | <pre>
| |
− | $ sudo ifconfig INTERFACE down
| |
− | $ sudo ifconfig INTERFACE up
| |
− | </pre>
| |
− | | |
− | and re-issue the <code>wpa_supplicant</code> command.
| |
− | Next, obtain an IP address. In Ubuntu, this is done with
| |
− | | |
− | <pre>
| |
− | $ sudo dhclient INTERFACE
| |
− | </pre>
| |
− | | |
− | If all goes well, you'll obtain an IP address. Otherwise, you'll receive a timeout for your DHCP request.
| |
− | | |
− | ====Gentoo====
| |
− | If you're already using wpa_supplicant, just restart your interface after editing <code>wpa_supplicant.conf</code>:
| |
− | | |
− | <pre>
| |
− | # /etc/init.d/wlan0 restart
| |
− | </pre>
| |
− | | |
− | This should connect you. If you're not using wpa_supplicant, you'll need to migrate from Wireless Tools to it in order to use WPA. Refer to the [http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&chap=4#doc_chap2 Gentoo documentation] for a step-by-step guide to setting up WPA Supplicant.
| |
− | | |
− | | |
− | =Network Information Sources=
| |
− | * [http://www.cns.vt.edu/html/wireless/wlan/index.html Communications Network Services: Wireless LAN]
| |
− | * [http://computing.vt.edu/internet_and_web/internet_access/ipaddresses.html Virginia Tech IP Addresses]
| |
− | | |
− | [[Category:Howtos]]
| |
− | [[Category:Campus computing resources]]
| |
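Review bot: the right-hand side is a bare `#REDIRECT [[Virginia Tech Wifi]]`, so everything on the left (the PEAP-MSCHAPv2 steps and wpa_supplicant block, the EAP-TLS certificate conversion, the two NetworkManager tables, the Wicd `eap-tls-vt` template and the WPA Supplicant/Gentoo sections) vanishes from this title; before this lands, confirm that Virginia Tech Wifi already carries that material, otherwise this is a content loss rather than a merge and the redirect should point at the section that does. Three things in the removed text are worth fixing in whichever page keeps it rather than copying as-is. First, the PEAP network block (`eap=PEAP` / `phase2="auth=MSCHAPV2"`) has no `ca_cert=` line, unlike the EAP-TLS block, so the supplicant never checks which RADIUS server it is handing the PID and remote passphrase to; the target page should add the CA path there too. Second, the pasted Thawte Premium Server CA is a 1024-bit, MD5-signed root whose encoded `notAfter` is 2020-12-31, so a page that tells readers to create `/etc/ssl/certs/Thawte_Premium_Server_CA.pem` by hand needs a note that this anchor is expired and weak and that the distribution's CA bundle (or whatever CNS currently publishes) is the right source. Third, every config shown stores the certificate password in cleartext (`password="your passphrase"`, `private_key_passwd="PASSWORD"`, `$_PRIVATE_KEY_PASSWD`), so the moved instructions should say that `/etc/wpa_supplicant.conf` and the Wicd template output must be readable by root only.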