Fix header for InCommon cert
On campus, there are 2 wireless networks. '''eduroam''' is the preferred method, which uses PEAP-MSCHAPv2 to authenticate to the RADIUS server, while the second SSID, '''VirginiaTech''', provides a captive portal and allows for guest account creation.
As of January 2015 the [https://www.computing.vt.edu/content/eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ eduroam] network. eduroam is a secure wireless access service that was developed for the use of research and educational institutions. One of the advantages of the eduroam network is that you will be able to connect to the Internet at any participating institution using your Virginia Tech credentials. The eduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS servers.
==General Connection Information==
===eduroam===
The following settings are recommended for connecting to the eduroam network:
* '''SSID:''' eduroam
* '''EAP:''' PEAP
* '''Phase 2:''' MSCHAPv2
* '''Root CA:''' USERTrust RSA Certification Authority, or pin the certificate (see below)
* '''Server Name:''' eduroam.nis.vt.edu
* '''Identity:''' pid@vt.edu (So if your PID was "hokiebird", hokiebird@vt.edu)
The certificate presented by the RADIUS server is chained as such:
* USERTrust RSA Certification Authority
** InCommon RSA Server CA
*** eduroam.nis.vt.edu
Below is where to obtain each of these, along with some metadata. The filenames are arbitrary, but will be used for the rest of this article. For every certificate (''especially'' the root; the signature chain helps with the rest), consider where you are obtaining it from and how confident you are that you are getting what you think you are. You will probably want the PEM-formatted certificate, if you have the option.
====USERTrust RSA Certification Authority====
''Filename:'' USERTrust_RSA_Certification_Authority.pem
''Subject:'' C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem</code>. Note that if you follow the Authority Information Access of the intermediate certificate, it may direct you to a URL which points to a different version of this certificate, which is cross-signed by AddTrust and expires in May 2020. The one in your cert store is self-signed and expires in 2038. You want the one from your cert store.
====InCommon RSA Server CA====
''Filename:'' InCommonRSAServerCA_2.pem
''Subject:'' C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
This is an intermediate certificate, issued by InCommon. You can get it directly from InCommon [http://crt.usertrust.com/InCommonRSAServerCA_2.crt here].
====eduroam.nis.vt.edu====
''Filename:'' eduroam.nis.vt.edu.pem
''Subject:'' C = US, postalCode = 24061, ST = Virginia, L = Blacksburg, street = 800 Washington St. SW, O = Virginia Polytechnic Institute and State University, OU = Secure Identity Services, CN = eduroam.nis.vt.edu
This can be obtained from the [https://certs.it.vt.edu/ca-manager/search VT Certificate Manager]. This requires PID login. Search for "eduroam.nis.vt.edu". '''Note''': As of 2017 June 19, there will be 2 results, due to some internal testing. Grab the most recently issued certificate.
===Validating the certificate===
<ol>
<li> Obtain ''all'' certificates in the chain ''in PEM format'' </li>
<li> Concatenate the non-leaf certificates into a single file:
<pre>$ cat USERTrust_RSA_Certification_Authority.pem InCommonRSAServerCA_2.pem >> ca.pem</pre></li>
<li> Verify the certificates are signed correctly:
<pre>$ openssl verify -verbose -purpose sslserver -CAfile ca.pem eduroam.nis.vt.edu.pem
eduroam.nis.vt.edu.pem: OK</pre></li>
<li> For at least the root and leaf certificates, verify the subject (compare to above):
<pre>$ openssl x509 -in file_of_cert_you_want_to_check -noout -subject</pre></li>
</ol>
Although you can verify the connection to the Virginia Tech RADIUS servers, you must keep in mind that you are connecting to a network that you do not control. It is possible that there are network monitors in place which can record and potentially modify traffic.
We encourage you to take precautions against network eavesdropping and mischief (on the eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle].
For general tips on improving your security while using the network, consider reading the EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips, reading [https://www.hokieprivacy.org/ Hokie Privacy], and/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office].
* Authentication: Protected EAP (PEAP)
* Anonymous identity: anonymous@vt.edu
* Domain: nis.vt.edu
* CA certificate: Select <code>/path/to/USERTrust_RSA_Certification_Authority.pem</code> via the file picker
* PEAP version: Automatic
* Inner authentication: MSCHAPv2
* Password: YOUR_NETWORK_PASSWORD
==wpa_supplicant Instructions==
The relevant lines of the <code>network</code> block in <code>/etc/wpa_supplicant/eduroam.conf</code> (use one of the two <code>ca_cert</code> forms):
<pre>
# pin the server certificate by the SHA-256 hash of its DER encoding
ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"
# if you prefer to dynamically validate the certificate by its cryptographic attributes
ca_cert="/path/to/USERTrust_RSA_Certification_Authority.pem"
domain_match="eduroam.nis.vt.edu"
identity="YourPidHere@vt.edu"
</pre>
Then start the supplicant and request an address:
<pre>
$ sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/eduroam.conf
$ sudo dhcpcd wlan0
</pre>
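As an added example (not code from the original page), the following Python computes the <code>hash://server/sha256/</code> pin that wpa_supplicant expects from a PEM certificate, checks a pin copied into a config against it, and renders the pin into a network block. The sample PEM is a constructed stand-in, and the remaining keys of the network block (<code>ssid</code>, <code>key_mgmt</code>, <code>eap</code>, <code>phase2</code>, <code>anonymous_identity</code>, <code>password</code>) are assumed standard PEAP settings rather than text from this page.

```python
import base64
import hashlib
import re

# A PEM file may hold several certificates (e.g. the ca.pem bundle built above).
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)
PIN_FORMAT = re.compile(r"^hash://server/sha256/[0-9a-f]{64}$")

# Constructed stand-in for an exported certificate: base64 of the bytes b"abc", NOT a real
# certificate. Replace with the contents of eduroam.nis.vt.edu.pem after validating the chain.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> list:
    """DER bytes of every certificate in a PEM string, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem)]


def server_pin(der: bytes) -> str:
    """wpa_supplicant's hash://server/sha256/ form is the SHA-256 of the DER-encoded certificate."""
    return "hash://server/sha256/" + hashlib.sha256(der).hexdigest()


def pins_for_pem(pem: str) -> list:
    """One pin per certificate; on a bundle this shows which certificate a given pin names."""
    return [server_pin(der) for der in pem_to_der(pem)]


def pin_matches(pem: str, configured: str) -> bool:
    """True only if a pin copied from a config is well-formed and names a certificate in pem."""
    pin = configured.strip().lower()
    if not PIN_FORMAT.match(pin):
        return False  # wrong scheme, truncated hex or stray characters: reject rather than guess
    return pin in pins_for_pem(pem)


def network_block(pin: str, pid: str) -> str:
    """Render a full network block around the pin (standard PEAP keys assumed, not from the page)."""
    lines = [
        "network={", '    ssid="eduroam"', "    key_mgmt=WPA-EAP", "    eap=PEAP",
        '    phase2="auth=MSCHAPV2"', f'    identity="{pid}@vt.edu"',
        '    anonymous_identity="anonymous@vt.edu"', '    password="YOUR_NETWORK_PASSWORD"',
        f'    ca_cert="{pin}"', '    domain_match="eduroam.nis.vt.edu"', "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for pin in pins_for_pem(SAMPLE_PEM):
        print(pin)
        print(network_block(pin, "hokiebird"))
```

Run it against the real <code>eduroam.nis.vt.edu.pem</code> and compare the printed pin with the one already in your config before the certificate is renewed, so a changed pin is noticed rather than silently failing to connect.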
On [[OpenBSD]], the process is a little more complicated:
<pre>
# ifconfig wlan0 nwid eduroam wpa wpaakms 802.1x up
# /usr/local/sbin/wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf
# dhclient wlan0
# ifconfig iwm0 inet6 autoconf
</pre>
Alternate config options, besides <code>domain_match</code>, are as follows (obviously not correct):
<pre>
Name = eduroam
EAP = peap
CACertFile = /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem
DomainMatch = eduroam.nis.vt.edu
AnonymousIdentity = anonymous@vt.edu
</pre>
# Do not validate: you will get online, but consider your connection to be as secure as a public hotspot
# (Android 7.1+ only) Use system certificates: This will check to make sure the certificate chains back to some CA in the system cert store. This is significantly better than no validation, but still not very good. You may also need to specify a domain. If so, use "vt.edu"
# Download and import the USERTrust Root CA: detailed instructions to come. Since you are still not checking the CN, it is only marginally better than using system certificates.
# Use the [https://play.google.com/store/apps/details?id=uk.ac.swansea.eduroamcat eduroam CAT] tool: this will set up the whole wireless profile, use the correct CA and verify the CN. As such, it is the preferred method. Warning, it is ugly. If you have an existing "eduroam" profile, you will need to remove it. When it prompts for the username and password, use <YOUR-PID>@vt.edu and your network password. It relies on geolocation to prompt for the profile for the right school. You may need to go outside to get a good GPS signal. If it is able to do geo-IP (e.g., you are connected to the "VirginiaTech" SSID), it gets you close enough.