imported>Cov
(51 intermediate revisions by 12 users not shown)
Line 1: |
Line 1: |
− | =Introduction=
| + | #REDIRECT [[Virginia Tech Wifi]] |
− | Since the 2008-2009 school year, there have been two options for
| |
− | connecting to the Virginia Tech network by wireless card. One network,
| |
− | called '''VT-Wireless''', operates by means of WPA2 Enterprise and is secured with EAP/TLS. The other network, called '''VT_WLAN''', is an unsecured, captive portal wireless network.
| |
− | While connections to VT-Wireless are secure by default, and
| |
− | require no user authentication once set up, the setup to connect to
| |
− | VT-Wireless has a number of steps. In contrast, set up for connecting
| |
− | to the unsecured VT_WLAN network is negligible, but you will be
| |
− | required to manually authenticate each time you connect. [''NOTE: see [#VT_WLAN_Auto_Login below] for scripts on how to enable automated authentication to VT_WLAN.'']
| |
− | The table below summarizes the advantages and disadvantages of connecting to the two wireless LANs.
| |
− | | |
− | <table style="text-align: center;" align="center" border="1" cellpadding="10">
| |
− | | |
− | <tbody><tr>
| |
− | <td>
| |
− | </td><th>VT-Wireless
| |
− | </th><th>VT_WLAN
| |
− | </th></tr>
| |
− | <tr>
| |
− | <th>Secure (Encrypted)<br /> Connection
| |
− | </th><td> yes </td><td> no
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Setup
| |
− | </th><td> involved </td><td> trivial
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Authentication
| |
− | </th><td> automatic </td><td> manual[#VT_WLAN_Auto_Login *]
| |
− | </td></tr></tbody></table>
| |
− | =VT-Wireless=
| |
− | The VT-Wireless network is secured by WPA with EAP/TLS encryption.
| |
− | This encryption mechanism is put in place through a certificate
| |
− | authentication mechanism.
| |
− | ==Obtaining the VT-Wireless Certificate==
| |
− | Regardless of what program you use to make your connection, you will need to [https://netcert.cns.vt.edu/netcert/ obtain your p12 certificate and password from CNS].
| |
− | Complete the form and download the p12 certificate file. Write down the
| |
− | certificate password and store it some place where you can find it
| |
− | again. You will need it in setting up your connection to VT-Wireless.
| |
− | | |
− | ===Connecting by NetworkManager===
| |
− | The setup for NetworkManager depends on your version of the
| |
− | software. Please follow the instructions appropriate to your version
| |
− | below.
| |
− | In GNOME, you can right-click the NetworkManager applet icon in
| |
− | the panel and select "About" to find the version of NetworkManager.
| |
− | Ubuntu users: version 0.6 ships with 8.04 Hardy Heron, and 0.7 ships
| |
− | with 8.10 Intrepid Ibex.
| |
− | | |
− | ====NetworkManager 0.7====
| |
− | ====Converting the certificate to PEM certificates and keys====
| |
− | ['''NOTE:''' The following steps are only necessary to use NetworkManager 0.7. NetworkManager 0.6 has a [#NetworkManager_0.6 more straightforward setup] and wpa_supplicant works pretty much [#Connecting_by_WPA_Supplicant out of the box] as well.]
| |
− | You will need to convert the p12 certificate into PEM formats. We will assume your downloaded p12 file is called '''<tt>netcert-1.p12</tt>''' and that its password is '''''netcertpasswd'''''.
| |
− | Open a terminal and <tt>cd</tt> to the directory that contains your p12 file. Then issue the following commands:
| |
− | | |
− | <pre>openssl pkcs12 -in netcert-1.p12 -out vt_client_cert.pem -clcerts -nokeys
| |
− | openssl pkcs12 -in netcert-1.p12 -out vt_private_key.pem -nocerts
| |
− | </pre>
| |
− | In each step, you will be prompted for the password (''netcertpasswd'')
| |
− | that you were issued along with your p12 certificate. Additionally, in
| |
− | the final step where you generate your private key, you will be asked
| |
− | to enter a password. Enter the same password that came with your p12
| |
− | key.
| |
− | '''Sources'''
| |
− | | |
− | <ul><li> [http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup]
| |
− | </li></ul>
| |
− | ==== Make sure you have the CA Certificate ====
| |
− | Next, you will need to make sure you have the Thawte CA certificate. In Ubuntu, you should find this certificate as <tt>/etc/ssl/certs/Thawte_Premium_Server_CA.pem</tt>.
| |
− | If you can't find the certificate, you can copy the text below and paste it into a new file of the same name.
| |
− | | |
− | <pre>-----BEGIN CERTIFICATE-----
| |
− | MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMC
| |
− | WkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3du
| |
− | MR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2Vy
| |
− | dGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3Rl
| |
− | IFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl
| |
− | cnZlckB0aGF3dGUuY29tMB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1
| |
− | OVowgc4xCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQ
| |
− | BgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENvbnN1bHRpbmcg
| |
− | Y2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24x
| |
− | ITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBDQTEoMCYGCSqGSIb3
| |
− | DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTCBnzANBgkqhkiG9w0B
| |
− | AQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkEVdbQ7xwblRZH7xhI
| |
− | NTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQug2SBhRz1JPL
| |
− | lyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMRuHM/qgeN
| |
− | 9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
| |
− | AQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
| |
− | hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZ
| |
− | a4JMpAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcU
| |
− | Qg==
| |
− | -----END CERTIFICATE-----
| |
− | </pre>
| |
− | <br />
| |
− | Left-click the NetworkManager applet and select the VT-Wireless network.
| |
− | <a href="http://www.vtluug.org/wiki/index.php?title=Image:Nm_choose_wireless.png" class="image" title="Image:nm_choose_wireless.png"><img alt="Image:nm_choose_wireless.png" src="VT-Wireless_files/Nm_choose_wireless.html" height="255" width="313" border="0"></a>
| |
− | You will see a prompt to configure the connection. First, from the Authentication drop-down menu, select TLS.
| |
− | <a href="http://www.vtluug.org/wiki/index.php?title=Image:Nm_choose_tls.png" class="image" title="Image:nm_choose_tls.png"><img alt="Image:nm_choose_tls.png" src="VT-Wireless_files/Nm_choose_tls.html" height="466" width="494" border="0"></a>
| |
− | Next, fill in the rest of the options:
| |
− | <a href="http://www.vtluug.org/wiki/index.php?title=Image:Nm_vt_wireless_options.png" class="image" title="Image:nm_vt_wireless_options.png"><img alt="Image:nm_vt_wireless_options.png" src="VT-Wireless_files/Nm_vt_wireless_options.html" height="466" width="494" border="0"></a>
| |
− | | |
− | <table align="center" border="1" cellpadding="5">
| |
− | | |
− | <tbody><tr>
| |
− | <th>Field </th><th> Value
| |
− | </th></tr>
| |
− | <tr>
| |
− | <th>SSID
| |
− | </th><td>VT-Wireless
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Wireless Security
| |
− | </th><td> WPA & WPA2 Enterprise
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Authentication
| |
− | </th><td> TLS
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Identity
| |
− | </th><td>''Your VT PID''
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>User Certificate
| |
− | </th><td> /path/to/vt_client_cert.pem
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>CA Certificate
| |
− | </th><td> /etc/ssl/certs/Thawte_Premium_Server_CA.pem
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Private Key
| |
− | </th><td> /path/to/vt_private_key.pem
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Private Key Password
| |
− | </th><td> ''netcertpasswd''
| |
− | </td></tr></tbody></table>
| |
− | Click "Connect" and you should connect to the VT-Wireless network.
| |
− | | |
− | ===NetworkManager 0.6===
| |
− | Left-click the NetworkManager applet and select VT-Wireless. You
| |
− | will be prompted to enter information about the connection. Here are
| |
− | the entries you should use:
| |
− | | |
− | <table align="center" border="1" cellpadding="5">
| |
− | | |
− | <tbody><tr>
| |
− | <th>Field </th><th> Value
| |
− | </th></tr>
| |
− | <tr>
| |
− | <th>SSID
| |
− | </th><td>VT-Wireless
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Wireless Security
| |
− | </th><td> WPA2 Enterprise
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>EAP Method
| |
− | </th><td> TLS
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Key Type
| |
− | </th><td>Automatic (Default)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Phase2 Type
| |
− | </th><td> None (Default)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Identity
| |
− | </th><td>''Your VT PID''
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Password
| |
− | </th><td> ''empty''
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Client Certificate File
| |
− | </th><td> (None)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>CA Certificate File
| |
− | </th><td> (None)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Private Key File
| |
− | </th><td> netcert-1.p12 <br />(the certificate downloaded<br />from VT NetCert)
| |
− | </td></tr>
| |
− | <tr>
| |
− | <th>Private Key Password
| |
− | </th><td> ''netcertpasswd''
| |
− | </td></tr></tbody></table>
| |
− | ==Connecting with wicd==
| |
− | ''The following instructions were written for wicd 1.6.2.2 on Ubuntu 9.10 Karmic Koala. If other versions or distributions have significantly different steps, please add those instructions or make a note of the need for them on [[VTLUUG Wiki:Wanted]].''
| |
− | | |
− | Wicd is an alternative to Network Manager. To install it on Debian-based systems, run <code>sudo apt-get install wicd</code>. Installing it will uninstall Network Manager, so make sure you already have your certificate downloaded. Unlike Network Manager, you do not need to convert the PKCS#12 certificate that CNS provides to a set of PEM certificates.
| |
− | | |
− | Open wicd, either from the tray icon or from Applications->Internet->Wicd Network Manager. Allow wicd to scan the wireless networks then check the "Automatically connect to this network" checkbox by the topmost VT-Wireless entry. (You do not need to check the boxes for every VT-Wireless entry. The screenshot below was made from a working configuration that automatically checked all of them.)
| |
− | | |
− | [[Image:wicd_1.6.2.2.png]]
| |
− | | |
− | Click the "Properties" button of the topmost VT-Wireless entry and enter the following information:
| |
− | | |
− | [[Image:wicd_1.6.2.2_properties.png]]
| |
− | | |
− | * Check the "Use these settings for all networks sharing this essid" box.
| |
− | * Leave the "Use Encryption" box checked.
| |
− | * Select EAP-TLS from the encryption type dropdown menu.
| |
− | * Enter your PID into the "Identity" box.
| |
− | * Enter the path to your private key into the "Private Key" box, i.e. /home/user/netcert/netcert-1.p12.
| |
− | * Paste the certificate password into the "Private Key Password" box.
| |
− | | |
− | Click "OK" and your computer should be all setup to use VT-Wireless.
| |
− | | |
− | ==Connecting by WPA Supplicant==
| |
− | ===Editing wpa_supplicant.conf===
| |
− | Add the following to your <tt>/etc/wpa_supplicant.conf</tt> file (if no file exists, create it):
| |
− | | |
− | <pre>network={
| |
− | ssid="VT-Wireless"
| |
− | key_mgmt=WPA-EAP
| |
− | eap=TLS
| |
− | identity="PID"
| |
− | private_key="/PATH/TO/NETCERT.p12"
| |
− | private_key_passwd="PASSWORD"
| |
− | }
| |
− | </pre>
| |
− | Replace PID with your actual PID (without any trailing @vt.edu),
| |
− | /PATH/TO/NETCERT.p12 with the actual path to your certificate (you can
| |
− | store it in /etc) and PASSWORD with the certificate password given to
| |
− | you when you downloaded the certificate. Note the certificate used here
| |
− | should be the original one you downloaded. Reformatting the certificate
| |
− | is only necessary for NetworkManager 0.7.
| |
− | | |
− | ===Running WPA Supplicant===
| |
− | ====Ubuntu====
| |
− | In Ubuntu, make sure to shut down NetworkManager with:
| |
− | | |
− | <pre>sudo /etc/init.d/NetworkManager stop
| |
− | </pre>
| |
− | Next, issue the following command:
| |
− | | |
− | <pre>sudo wpa_supplicant -B -i wlan0 -D wext -c /etc/wpa_supplicant.conf
| |
− | </pre>
| |
− | Confirm that you are associated with VT-Wireless
| |
− | | |
− | <pre>sudo iwconfig INTERFACE
| |
− | </pre>
| |
− | where <tt>INTERFACE</tt> is your wireless card's device interface. Usually this is <tt>wlan0</tt> but depending on udev and perhaps other system features, it might appear as ath0, eth1 or something else. Run <tt>sudo ifconfig -a</tt> to see all your interfaces listed.
| |
− | You should see the words <tt>Access Point:</tt> followed by a MAC address (e.g., <tt>00:0F:23:EA:4A:01</tt>). If instead you see <tt>Access Point: not associated</tt>. Try the command again. If that still fails, bring down the interface and bring it back up
| |
− | | |
− | <pre>sudo ifconfig INTERFACE down
| |
− | sudo ifconfig INTERFACE up
| |
− | </pre>
| |
− | and re-issue the <tt>wpa_supplicant</tt> command.
| |
− | Next, obtain an IP address. In Ubuntu, this is done with
| |
− | | |
− | <pre>sudo dhclient INTERFACE
| |
− | </pre>
| |
− | If all goes well, you'll obtain an IP address. Otherwise, you'll receive a timeout for your DHCP request.
| |
− | | |
− | ====Gentoo====
| |
− | If you're already using wpa_supplicant, just restart your interface:
| |
− | | |
− | <pre># /etc/init.d/wlan0 restart
| |
− | </pre>
| |
− | This should connect you.
| |
− | If you're not using wpa_supplicant, you'll need to migrate from
| |
− | Wireless Tools to it in order to speak WPA and 802.1X to the
| |
− | VT-Wireless network. Refer to the [http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&chap=4#doc_chap2 Gentoo documentation] for a step-by-step guide to setting up WPA Supplicant.
| |
− | | |
− | =VT_WLAN=
| |
− | VT_WLAN service is available in approximately 90% of academic and
| |
− | administrative spaces across the Blacksburg campus. This wireless
| |
− | network is composed of unencrypted IEEE 802.11g access nodes. To limit
| |
− | access to faculty and staff, VT Communications Network Services uses a Cisco captive portal. They switched from Bluesocket during the summer of 2009. You have to register for [http://www.cns.vt.edu/html/wireless/wlan/registration.html Customer OnLine Access (COLA)] or in person at the Student Telecommunications Office to enable your account.
| |
− | | |
− | ==Authentication==
| |
− | The captive portal system will hijack the URL you first try to visit. Due to the nature of [[w:SSL|SSL]], https connections cannot be directed to the login page and will time out.
| |
− | Type in your PID and password to be granted access.
| |
− | | |
− | ==Logging in from the Command Line==
| |
− | You can use CURL to log in from the command line or automate this (or any) web-based process. VTLUUG members previously provided scripts for the Bluesocket authentication, but due to the improvements that VT-Wireless brings, noone has bothered to write a new script for the Cisco captive portal.
| |
− | | |
− | ==Some Technical Details==
| |
− | The access points force SSL and are all signed by the Thawte Premium Server CA. The routers are named:
| |
− | * bur-agw-2.cns.vt.edu
| |
− | * bur-agw-3.cns.vt.edu
| |
− | * cas-agw-?.cns.vt.edu
| |
− | * hil-agw-?.cns.vt.edu
| |
− | * isb-agw-?.cns.vt.edu
| |
− | * owe-agw-1.cns.vt.edu
| |
− | * sha-agw-1.cns.vt.edu
| |
− | | |
− | Some other details:
| |
− | * Generally, in order to minimize congestion, connectivity is spread across multiple channels.
| |
− | * No MAC-based authentication is performed.
| |
− | * DHCP is independent of the captive portal authentication and occurs first.
| |
− | * You can ping without logging in.
| |
− | * All wireless networks (including the .1x networks) on campus now use [[rfc:1918|RFC-1918]] addresses from the 172.31.0.0/16 network. These are
| |
− | translated with NAT into 198.82.x.x addresses for access outside the wireless network.
| |
− | * All of the .1x wireless networks support IPv6. Some of the VT_WLAN networks support IPv6. [Is IPv6 now deployed everywhere?]
| |
− | * You can access certain [all?] VT sites like [http://www.cns.vt.edu/ CNS] without having to authenticate.
| |
− | | |
− | =Network Information Sources=
| |
− | <ul><li> [http://www.cns.vt.edu/html/wireless/wlan/index.html Communications Network Services: Wireless LAN]
| |
− | </li><li> [http://computing.vt.edu/internet_and_web/internet_access/ipaddresses.html Virginia Tech IP Addresses]
| |
− | </li></ul>
| |
− | | |
− | [[Category:Howtos]]
| |
− | [[Category:Campus computing resources]]
| |
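Review bot: replacing the whole article with `#REDIRECT [[Virginia Tech Wifi]]` drops two client configurations that should not be carried to the target page as written, so please confirm the redirect target either corrects them or omits them. The wpa_supplicant block sets `private_key="/PATH/TO/NETCERT.p12"` and `private_key_passwd="PASSWORD"` but has no `ca_cert` entry, and the NetworkManager 0.6 table sets `CA Certificate File` to `(None)`; in both cases the supplicant is not told which CA must have signed the RADIUS server's certificate, whereas the NetworkManager 0.7 table correctly points `CA Certificate` at `/etc/ssl/certs/Thawte_Premium_Server_CA.pem`. The removed text also tells readers to put the certificate password in cleartext in `/etc/wpa_supplicant.conf` and suggests keeping the .p12 in /etc; if the target page keeps that advice it should add that both files must be readable only by root. Finally, the redirect discards the "Logging in from the Command Line" and "Some Technical Details" sections (router hostnames, the 172.31.0.0/16 RFC-1918 addressing, the note that DHCP and ping work before portal authentication); if that information is not present at [[Virginia Tech Wifi]], it is lost rather than merged, and the edit summary should say whether that is intended.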