Linux and Unix Users Group at Virginia Tech Wiki β

Changes

Virginia Tech Wifi

507 bytes added, 21:00, 2 February 2015
Move certificate pinning up to the connection information and fix some typos
Unfortunately, the PKI Certificate Search is only available from campus IPs.
 
====Certificate pinning====
 
Many network managers for Linux/UNIX use wpa_supplicant as their underlying IEEE 802.1X/WPA supplicant and generate a configuration file for it on the fly. As a result, many network managers have similar configuration formats. In this section we walk through generating a certificate pin for the certificate used to authenticate the VT RADIUS servers in eduroam.
 
wpa_supplicant offers multiple mechanisms for certificate validation. The ca_cert parameter can point to a file containing one or more CA certificates, which are used to validate the chain presented by the RADIUS server. With that option you can additionally restrict which certificate is accepted with subject_match, a substring match against the certificate's subject (for example its common name).
 
In our configuration we opted for a stricter form of validation, wherein we specify the hash of the exact certificate that we expect to see. When using this method, you set the ca_cert parameter to hash://server/sha256/<sha256 hash of the DER-encoded certificate>. wpa_supplicant then accepts the connection only if the SHA-256 of the server certificate it receives, in DER form, equals that value; the certificate itself is what is pinned, not the CA that issued it.
 
In order to generate the sha256 hash of the DER encoded certificate, download the certificate by clicking the "Download" link on the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certificate Search for VT-Wireless]
 
Validate that the certificate downloaded is in fact signed by the Virginia Tech Certificate Authority:
 
(TODO)
 
Then generate the sha256 hash (in the directory where the certificate downloaded to):
 
openssl x509 -in VT-Wireless.cns.vt.edu.crt -outform der | sha256sum
216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a -
 
It is recommended that you perform these steps yourself rather than trusting the certificate hash presented in the configurations below: a hash copied from a wiki page is only as trustworthy as the page, and the whole point of the pin is that you verified the certificate.
 
'''Note:''' As we are pinning the certificate instead of relying on a PKI, when CNS rotates the certificates being used, the configuration will need to be updated to match the new certificate.
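The procedure above (verify the certificate's issuer, hash its DER encoding, put the hash into ca_cert) as a runnable script. This is an added example and not part of the original page or of the VT configuration: it builds a throwaway CA and server certificate with openssl so that it runs offline, so the CA and certificate are constructed sample data, not Virginia Tech's CA or the VT-Wireless certificate. It assumes only openssl and sha256sum are installed. The issuer check is the generic openssl verify step that the page leaves as (TODO), done here against the sample CA file.

```shell
#!/bin/sh
# Added example (not from the original wiki page): build a throwaway CA and
# server certificate, check that the server certificate chains to that CA,
# and derive the wpa_supplicant hash://server/sha256/ pin from the DER form.
# Requires openssl and sha256sum. All file names and subjects are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_test_pki: a stand-in for "VT CA -> VT-Wireless RADIUS certificate".
# It is NOT Virginia Tech's real PKI, only sample data for the procedure.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=radius.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/server.crt" 2>/dev/null
}

# verify_issuer CA_FILE CERT: succeed only if CERT chains to CA_FILE.
# This is the issuer check the page marks (TODO); here it runs against the
# sample CA instead of the Virginia Tech CA.
verify_issuer() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# der_sha256 CERT: SHA-256 over the DER encoding, which is what wpa_supplicant
# compares. Hashing the PEM file instead yields a value that never matches.
der_sha256() { openssl x509 -in "$1" -outform der | sha256sum | cut -d' ' -f1; }

# check_pin CERT EXPECTED: compare a published hash against your own result,
# rather than pasting someone else's hash into your configuration.
check_pin() { [ "$(der_sha256 "$1")" = "$2" ]; }

# pin_line CERT: the ca_cert value for the wpa_supplicant network block.
pin_line() { printf 'ca_cert="hash://server/sha256/%s"\n' "$(der_sha256 "$1")"; }

make_test_pki
verify_issuer "$WORK/ca.pem" "$WORK/server.crt" && echo "chain verified against $WORK/ca.pem"
pin_line "$WORK/server.crt"
```

To use this against the real certificate, skip make_test_pki and call verify_issuer with the VT CA certificate file and the downloaded VT-Wireless certificate, then check_pin with the hash from the configuration below. A failing verify_issuer means you have not established that the certificate is the one CNS issued, and pinning it would only lock you to an unverified certificate.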
==A word of caution on MSCHAPv2==
ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"
}
 
==Certificate pinning==
===For eduroam===
In the above wpa_supplicant configuration, we pin the server certificate that we expect the RADIUS server to present. wpa_supplicant offers multiple mechanisms for certificate validation. The ca_cert parameter can point to a file containing one or more CA certificates, which are used to validate the chain presented by the RADIUS server. With that option you can additionally restrict which certificate is accepted with subject_match, a substring match against the certificate's subject (for example its common name).
 
In our configuration we opted for a stricter form of validation, wherein we specify the hash of the exact certificate that we expect to see. When using this method, you set the ca_cert parameter to hash://server/sha256/<sha256 hash of the DER-encoded certificate>.
 
In order to generate the sha256 hash of the DER-encoded certificate (so that you can validate that the above hash is correct), download the certificate by clicking the "Download" link on the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certificate Search for VT-Wireless]
 
Validate that the certificate downloaded is in fact signed by the Virginia Tech Certificate Authority:
 
(TODO)
 
Then generate the sha256 hash (in the directory where the certificate downloaded to):
 
openssl x509 -in VT-Wireless.cns.vt.edu.crt -outform der | sha256sum
216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a -
==netctl==
Anonymous user