imported>Cov |
|
(58 intermediate revisions by 13 users not shown) |
Line 1: |
Line 1: |
− | =Introduction=
| + | #REDIRECT [[Virginia Tech Wifi]] |
− | Since the 2008-2009 school year, there have been two options for
| |
− | connecting to the Virginia Tech network by wireless card. One network,
| |
− | called '''VT-Wireless''', operates by means of WPA2 Enterprise and is secured with EAP/TLS. The other network, called '''VT_WLAN''', is an unsecured, captive portal wireless network.
| |
− | While connections to VT-Wireless are secure by default, and
| |
− | require no user authentication once set up, the setup to connect to
| |
− | VT-Wireless has a number of steps. In contrast, set up for connecting
| |
− | to the unsecured VT_WLAN network is negligible, but you will be
| |
− | required to manually authenticate each time you connect.
| |
− | | |
− | The table below summarizes the advantages and disadvantages of connecting to the two wireless LANs.
| |
− | | |
− | {|
| |
− | | |
− | <tbody><tr>
| |
− | <td>
| |
− | </td><th>VT-Wireless
| |
− | </th><th>VT_WLAN
| |
− | </th></tr>
| |
− | <tr>
| |
− | <th>Secure (Encrypted)<br> Connection
| |
− | </th><td> yes </td><td> no
| |
− | | |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Setup
| |
− | </th><td> involved </td><td> trivial
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Authentication
| |
− | </th><td> automatic </td><td> manual<a href="#VT_WLAN_Auto_Login" title="">*</a>
| |
− | </td></tr>
| |
− | |}
| |
− | | |
− | =VT-Wireless=
| |
− | The VT-Wireless network is secured by WPA with EAP/TLS encryption.
| |
− | This encryption mechanism is put in place through a certificate
| |
− | authentication mechanism.
| |
− | ==Obtaining the VT-Wireless Certificate==
| |
− | Regardless of what program you use to make your connection, you will need to <a href="https://netcert.cns.vt.edu/netcert/" class="external text" title="https://netcert.cns.vt.edu/netcert/" rel="nofollow">obtain your p12 certificate and password from CNS</a>.
| |
− | Complete the form and download the p12 certificate file. Write down the
| |
− | certificate password and store it some place where you can find it
| |
− | again. You will need it in setting up your connection to VT-Wireless.
| |
− | | |
− | | |
− | ===Connecting by NetworkManager===
| |
− | The setup for NetworkManager depends on your version of the
| |
− | software. Please follow the instructions appropriate to your version
| |
− | below.
| |
− | In GNOME, you can right-click the NetworkManager applet icon in
| |
− | the panel and select "About" to find the version of NetworkManager.
| |
− | Ubuntu users: version 0.6 ships with 8.04 Hardy Heron, and 0.7 ships
| |
− | with 8.10 Intrepid Ibex.
| |
− | | |
− | ====NetworkManager 0.7====
| |
− | ====Converting the certificate to PEM certificates and keys====
| |
− | | |
− | ['''NOTE:''' The following steps are only necessary to use NetworkManager 0.7. NetworkManager 0.6 has a <a href="#NetworkManager_0.6" title="">more straightforward setup</a> and wpa_supplicant works pretty much <a href="#Connecting_by_WPA_Supplicant" title="">out of the box</a> as well.]
| |
− | You will need to convert the p12 certificate into PEM formats. We will assume your downloaded p12 file is called '''<tt>netcert-1.p12</tt>''' and that its password is <i>'''netcertpasswd'''</i>.
| |
− | Open a terminal and <tt>cd</tt> to the directory that contains your p12 file. Then issue the following commands:
| |
− | | |
− | | |
− | <pre>openssl pkcs12 -in netcert-1.p12 -out vt_client_cert.pem -clcerts -nokeys
| |
− | openssl pkcs12 -in netcert-1.p12 -out vt_private_key.pem -nocerts
| |
− | </pre>
| |
− | In each step, you will be prompted for the password (<i>netcertpasswd</i>)
| |
− | that you were issued along with your p12 certificate. Additionally, in
| |
− | the final step where you generate your private key, you will be asked
| |
− | to enter a password. Enter the same password that came with your p12
| |
− | key.
| |
− | '''Sources'''
| |
− | | |
− | <ul><li> <a href="http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup" class="external free" title="http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup" rel="nofollow">http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup</a>
| |
− | </li></ul>
| |
− | ====Make sure you have the CA Certificate====
| |
− | | |
− | Next, you will need to make sure you have the Thawte CA certificate. In Ubuntu, you should find this certificate as <tt>/etc/ssl/certs/Thawte_Premium_Server_CA.pem</tt>.
| |
− | If you can't find the certificate, you can copy the text below and paste it into a new file of the same name.
| |
− | | |
− | <pre>-----BEGIN CERTIFICATE-----
| |
− | MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMC
| |
− | WkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3du
| |
− | MR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2Vy
| |
− | dGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3Rl
| |
− | IFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl
| |
− | cnZlckB0aGF3dGUuY29tMB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1
| |
− | OVowgc4xCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQ
| |
− | BgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENvbnN1bHRpbmcg
| |
− | Y2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24x
| |
− | ITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBDQTEoMCYGCSqGSIb3
| |
− | DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0B
| |
− | AQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkEVdbQ7xwblRZH7xhI
| |
− | NTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQug2SBhRz1JPL
| |
− | lyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMRuHM/qgeN
| |
− | 9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
| |
− | AQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
| |
− | hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZ
| |
− | a4JMpAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcU
| |
− | Qg==
| |
− | -----END CERTIFICATE-----
| |
− | </pre>
| |
− | <br>
| |
− | Left-click the NetworkManager applet and select the VT-Wireless network.
| |
− | [[Image:Nm_choose_wireless.png]]
| |
− | You will see a prompt to configure the connection. First, from the Authentication drop-down menu, select TLS.
| |
− | [[Image:Nm_choose_tls.png]]
| |
− | Next, fill in the rest of the options:
| |
− | [[Image:Nm_vt_wireless_options.png]]
| |
− | | |
− | {|
| |
− | <tbody><tr>
| |
− | <th>Field </th><th> Value
| |
− | </th></tr>
| |
− | <tr>
| |
− | <th>SSID
| |
− | </th><td>VT-Wireless
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Wireless Security
| |
− | </th><td> WPA & WPA2 Enterprise
| |
− | </td></tr>
| |
− | <tr>
| |
− | | |
− | <th>Authentication
| |
− | </th><td> TLS
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Identity
| |
− | </th><td><i>Your VT PID</i>
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>User Certificate
| |
− | </th><td> /path/to/vt_client_cert.pem
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>CA Certificate
| |
− | </th><td> /etc/ssl/certs/Thawte_Premium_Server_CA.pem
| |
− | | |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Private Key
| |
− | </th><td> /path/to/vt_private_key.pem
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Private Key Password
| |
− | </th><td> <i>netcertpasswd</i>
| |
− | </td></tr>
| |
− | |}
| |
− | Click "Connect" and you should connect to the VT-Wireless network.
| |
− | | |
− | ===NetworkManager 0.6===
| |
− | | |
− | Left-click the NetworkManager applet and select VT-Wireless. You
| |
− | will be prompted to enter information about the connection. Here are
| |
− | the entries you should use:
| |
− | | |
− | <table align="center" border="1" cellpadding="5">
| |
− | | |
− | <tbody><tr>
| |
− | <th>Field </th><th> Value
| |
− | </th></tr>
| |
− | <tr>
| |
− | <th>SSID
| |
− | </th><td>VT-Wireless
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Wireless Security
| |
− | </th><td> WPA2 Enterprise
| |
− | | |
− | </td></tr>
| |
− | <tr>
| |
− | <th>EAP Method
| |
− | </th><td> TLS
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Key Type
| |
− | </th><td>Automatic (Default)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Phase2 Type
| |
− | </th><td> None (Default)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Identity
| |
− | | |
− | </th><td><i>Your VT PID</i>
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Password
| |
− | </th><td> <i>empty</i>
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Client Certificate File
| |
− | </th><td> (None)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>CA Certificate File
| |
− | </th><td> (None)
| |
− | | |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Private Key File
| |
− | </th><td> netcert-1.p12 <br>(the certificate downloaded<br>from VT NetCert)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Private Key Password
| |
− | </th><td> <i>netcertpasswd</i>
| |
− | </td></tr></tbody></table>
| |
− | | |
− | | |
− | ==Connecting by wicd (wicked)==
| |
− | | |
− | Follow the PEM certificate creation instructions for NetworkManager. Select EAP/TLS and then input the PEM certificates and the Thawte certificate. The certificate on Debian, Arch and potentially other systems is in
| |
− | <pre>/etc/ssl/certs/
| |
− | </pre>
| |
− | | |
− | ==Connecting by WPA Supplicant==
| |
− | ===Editing wpa_supplicant.conf===
| |
− | Add the following to your <tt>/etc/wpa_supplicant.conf</tt> file (if no file exists, create it):
| |
− | | |
− | <pre>network={
| |
− | ssid="VT-Wireless"
| |
− | key_mgmt=WPA-EAP
| |
− | eap=TLS
| |
− | identity="PID"
| |
− | private_key="/PATH/TO/NETCERT.p12"
| |
− | private_key_passwd="PASSWORD"
| |
− | }
| |
− | </pre>
| |
− | Replace PID with your actual PID (without any trailing @vt.edu),
| |
− | /PATH/TO/NETCERT.p12 with the actual path to your certificate (you can
| |
− | store it in /etc) and PASSWORD with the certificate password given to
| |
− | you when you downloaded the certificate. Note the certificate used here
| |
− | should be the original one you downloaded. Reformatting the certificate
| |
− | is only necessary for NetworkManager 0.7.
| |
− | | |
− | ===Running WPA Supplicant===
| |
− | ====Ubuntu====
| |
− | In Ubuntu, make sure to shut down NetworkManager with:
| |
− | | |
− | <pre>sudo /etc/init.d/NetworkManager stop
| |
− | </pre>
| |
− | Next, issue the following command:
| |
− | | |
− | <pre>sudo wpa_supplicant -B -i wlan0 -D wext -c /etc/wpa_supplicant.conf
| |
− | </pre>
| |
− | Confirm that you are associated with VT-Wireless
| |
− | | |
− | <pre>sudo iwconfig INTERFACE
| |
− | </pre>
| |
− | where <tt>INTERFACE</tt> is your wireless card's device interface. Usually this is <tt>wlan0</tt> but depending on udev and perhaps other system features, it might appear as ath0, eth1 or something else. Run <tt>sudo ifconfig -a</tt> to see all your interfaces listed.
| |
− | | |
− | You should see the words <tt>Access Point:</tt> followed by a MAC address (e.g., <tt>00:0F:23:EA:4A:01</tt>). If instead you see <tt>Access Point: not associated</tt>. Try the command again. If that still fails, bring down the interface and bring it back up
| |
− | | |
− | <pre>sudo ifconfig INTERFACE down
| |
− | sudo ifconfig INTERFACE up
| |
− | </pre>
| |
− | and re-issue the <tt>wpa_supplicant</tt> command.
| |
− | Next, obtain an IP address. In Ubuntu, this is done with
| |
− | | |
− | | |
− | <pre>sudo dhclient INTERFACE
| |
− | </pre>
| |
− | If all goes well, you'll obtain an IP address. Otherwise, you'll receive a timeout for your DHCP request.
| |
− | | |
− | ====Gentoo====
| |
− | If you're already using wpa_supplicant, just restart your interface:
| |
− | | |
− | <pre># /etc/init.d/wlan0 restart
| |
− | </pre>
| |
− | This should connect you.
| |
− | If you're not using wpa_supplicant, you'll need to migrate from
| |
− | Wireless Tools to it in order to speak WPA and 802.1X to the
| |
− | VT-Wireless network. Refer to the <a href="http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&chap=4#doc_chap2" class="external text" title="http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&chap=4#doc_chap2" rel="nofollow">Gentoo documentation</a> for a step-by-step guide to setting up WPA Supplicant.
| |
− | | |
− | | |
− | =VT_WLAN=
| |
− | VT_WLAN service is available in approximately 90% of academic and
| |
− | administrative spaces across the Blacksburg campus. This wireless
| |
− | network is composed of unencrypted IEEE 802.11g access nodes. To limit
| |
− | access to faculty and staff, VT Communications Network Services uses an
| |
− | authentication technology from Bluesocket. You have to register for <a href="http://www.cns.vt.edu/html/wireless/wlan/registration.html" class="external text" title="http://www.cns.vt.edu/html/wireless/wlan/registration.html" rel="nofollow">Customer OnLine Access (COLA)</a> or in person at the Student Telecommunications Office to enable your account.
| |
− | | |
− | ==Authentication==
| |
− | | |
− | The Bluesocket authentication technology will automatically redirect
| |
− | you to the login page (or hijack the URL you are trying to visit in
| |
− | some cases [cache related?], leading to SSL certificate problems).
| |
− | Simply type in your PID and password to be granted access.
| |
− | | |
− | ==Logging in from the Command Line==
| |
− | You can use CURL to log in from the command line or automate the process.
| |
− | | |
− | <pre>curl -d which_form=reg -d _FORM_SUBMIT=1 -d bs_name=YOUR_PID -d bs_password=YOUR_PASSWORD \
| |
− | -d source=`/sbin/ifconfig eth1 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'` \
| |
− | https://`/sbin/route | grep -Eo '(bur|cas|hil|isb|owe|sha)-agw-[123]'`.cns.vt.edu/login.pl</pre>
| |
− | Here is a modified version of the above script so you do not have to
| |
− | store your user name and password. Save it to a file.. 'chmod +x
| |
− | the_file' then run it like so './the_file USER PASS' Note: By doing
| |
− | this the command you use (with your username and pass) will be stored
| |
− | in ~/.bash_history. You might wish to delete that file (or edit it).
| |
− | | |
− | <pre>#!/bin/bash
| |
− | curl -d which_form=reg -d _FORM_SUBMIT=1 -d bs_name=$1 -d bs_password=$2 \
| |
− | -d source=`/sbin/ifconfig eth1 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'` \
| |
− | https://`/sbin/route | grep -Eo '(bur|cas|hil|isb|owe|sha)-agw-[123]'`.cns.vt.edu/login.pl</pre>
| |
− | | |
− | <br>Depending on the characters in your password, you may need to
| |
− | quote it to prevent expansion, i.e. bs_password='MY!$?*PASSWORD'.
| |
− | ifconfig and route are located in /sbin and therefore generally not in
| |
− | the $PATH of a normal user. You should be able to run them as such,
| |
− | however.
| |
− | | |
− | ==VT_WLAN Auto Login==
| |
− | Although now antiquated, the following entry put in
| |
− | /etc/conf.d/wireless on a Gentoo machine using Wireless Tools would
| |
− | insecurely but automatically sign in to VT_WLAN.
| |
− | | |
− | <pre>postup() {
| |
− | if [[ ${IFACE} = "wlan0" ]]; then
| |
− | ROUTER="$(/sbin/route | grep -Eo '(bur|cas|hil|isb|owe|sha)-agw-[123]')"
| |
− | | |
− | if [[ ! "x${ROUTER}" = "x" ]] ; then
| |
− | IP="$(/sbin/ifconfig eth1 | grep 'inet addr:' | cut -d: -f2 \
| |
− | | awk '{ print $1}')"
| |
− | | |
− | curl -k -f -s -d which_form=reg -d _FORM_SUBMIT=1 \
| |
− | -d bs_name=PID \
| |
− | -d bs_password=PASSWORD \
| |
− | -d source=${IP} \
| |
− | https://${ROUTER}.cns.vt.edu/login.pl
| |
− | return $?
| |
− | fi
| |
− | fi
| |
− | return 0
| |
− | }</pre>
| |
− | | |
− | PID and PASSWORD should of course be your PID and password. This
| |
− | setup is only really suitable for a single user machine like a laptop.
| |
− | To very slightly improve security you should <tt>chmod a-r /etc/conf.d/wireless</tt>. This script does not authenticate the access point and would send your password to rogue access points. Using [#VT-Wireless] rather than this script to automate login is highly recommended. If you
| |
− | insist on ugly hacks then you could perhaps look into using the [[VT VPN]] on top of VT_WLAN.
| |
− | | |
− | =Some Technical Details=
| |
− | The access points force SSL and are all signed by the Thawte Premium Server CA. The routers are named:
| |
− | | |
− | * bur-agw-2.cns.vt.edu
| |
− | * bur-agw-3.cns.vt.edu
| |
− | * cas-agw-?.cns.vt.edu
| |
− | * hil-agw-?.cns.vt.edu
| |
− | * isb-agw-?.cns.vt.edu
| |
− | * owe-agw-1.cns.vt.edu
| |
− | * sha-agw-1.cns.vt.edu
| |
− | | |
− | Generally, in order to minimize congestion, connectivity is spread across multiple channels. Channel 11 seems to be the busiest.
| |
− | No MAC-based authentication is performed.
| |
− | DHCP is independent of of the Bluesocket authentication and occurs first.
| |
− | All wireless networks (including the .1x networks) on campus now
| |
− | use RFC-1918 addresses from the 172.31.0.0/16 network. These are
| |
− | translated with NAT into 198.82.x.x addresses for access outside the
| |
− | wireless network.
| |
− | All of the .1x wireless networks support IPv6. Some of the VT_WLAN networks support IPv6.
| |
− | You can access certain VT sites like [http://www.cns.vt.edu/ CNS] without having to authenticate.
| |
− | | |
− | =Network Information Sources=
| |
− | * [http://www.cns.vt.edu/html/wireless/wlan/index.html Communications Network Services: Wireless LAN]
| |
− | * [http://computing.vt.edu/internet_and_web/internet_access/ipaddresses.html Virginia Tech IP Addresses]
| |
− | | |
− | [[Category:Howto]]
| |