Linux and Unix Users Group at Virginia Teck Wiki β

Changes

Virginia Tech Wifi

869 bytes added, 18:12, 6 February 2015
Added FAQ section, removed redundant content
There are three wireless networks on campus. One network, called VT-Wireless, encrypts all traffic and is secured with [[EAP-TLS]] or PEAP-MSCHAPv2. A second network, CONNECTtoVT-Wireless, is an unencrypted captive portal wireless network designed to help users set up their connection to VT-Wireless without offering Internet access. Due to user issues faced during deployment, CONNECTtoVT-Wireless began offering captive portal access to VT users.
As of January 2015 the [https://www.computing.vt.edu/content/eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ Eduroam] network. Eduroam is a secure wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless network is that you will be able to connect to the Internet at any participating institution using your Virginia Tech credentials. The Eduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS servers.
==General Connection Information==
===eduroam===
The following settings are recommended for connecting to the Eduroam network:
* '''SSID: ''' eduroam
* '''EAP: ''' PEAP
* '''Phase 2: ''' MSCHAPv2
* '''Identity: ''' pid@vt.edu (So if your PID was "hokiebird", hokiebird@vt.edu)
* '''Anonymous Identity: ''' anonymous@vt.edu
* '''Password: ''' [https://www.computing.vt.edu/kb/entry/3765 Your Network Password]
''Regardless of what software you use to establish your connection, you must first set your remote (network) passphrase by going to [https://my.vt.edu my.vt.edu]→Settings→Change Network Password.''
===Legacy connections===
* [[Virginia Tech Wifi: VT-Wireless]] - VT-Wireless with PEAP-MSCHAPv2 (network password)
* [[EAP-TLS]] - VT-Wireless with EAP-TLS (netcerts)
* CONNECTtoVT-Wireless as a captive portal
===Certificate Pinning===
Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ Cracking MS-CHAPv2]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication. Unfortunately, VT is in the process of deprecating a much stronger authentication method, [[EAP-TLS]], and as such, network certificates will no longer be an option.
Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate.
For general tips on improving your security while using the network, consider reading the EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips, reading [https://www.hokieprivacy.org/ Hokie Privacy], and/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office].
==Set Your Remote Access (Network) Passphrase==
Regardless of what software you use to establish your connection, you must first set your remote passphrase by going to [https://my.vt.edu my.vt.edu]→Settings→Change Network Password.
==NetworkManager Instructions==
* In your wireless configuration program, select eduroam.
* '''TODO:''' Certificate verification (Warning, until certificate verification is added, it is ''not'' recommended that you use this method of accessing the network.)
==wpa_supplicant Instructions==
[http://w1.fi/wpa_supplicant/ wpa_supplicant] is a cross-platform supplicant which implements IEEE 802.1x/WPA and is used in many Linux/UNIX distributions.
 $ sudo dhcpcd wlan0
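The following is an added example, not part of the original wiki page or of wpa_supplicant itself. It computes the pin described under Certificate Pinning (the SHA256 hash of the certificate's DER encoding) and renders a wpa_supplicant network block with the eduroam settings listed above, using wpa_supplicant's documented <code>ca_cert="hash://server/sha256/..."</code> form. The function names are hypothetical, the password is a placeholder, and <code>SAMPLE_DER</code> is constructed stand-in data rather than the real RADIUS server certificate, which this page does not provide.

```python
import hashlib
import ssl

# Constructed stand-in bytes, NOT a real certificate: the page does not give
# the RADIUS server certificate, so obtain the real one from a trusted source.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def der_sha256_pin(cert: bytes) -> str:
    """Return the SHA-256 of the certificate's DER encoding as lowercase hex."""
    # PEM is base64-wrapped DER; unwrap it so both encodings give one pin.
    if cert.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        cert = ssl.PEM_cert_to_DER_cert(cert.decode("ascii").strip())
    return hashlib.sha256(cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AA:BB:...' or plain hex; return 64 lowercase hex digits."""
    cleaned = pin.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("pin must be a 256-bit hex digest")
    return cleaned


def wpa_network_block(pin: str, identity: str) -> str:
    """Render a wpa_supplicant network block using the page's eduroam settings."""
    if '"' in identity or "\n" in identity:
        raise ValueError("identity must not contain quotes or newlines")
    return "\n".join([
        "network={",
        '    ssid="eduroam"',
        "    key_mgmt=WPA-EAP",
        "    eap=PEAP",
        '    phase2="auth=MSCHAPV2"',
        f'    identity="{identity}"',
        '    anonymous_identity="anonymous@vt.edu"',
        '    password="REPLACE_WITH_NETWORK_PASSWORD"',  # placeholder
        # Server-certificate pin: only this exact certificate is accepted.
        f'    ca_cert="hash://server/sha256/{normalize_pin(pin)}"',
        "}",
    ])


if __name__ == "__main__":
    pin = der_sha256_pin(SAMPLE_PEM.encode("ascii"))
    print(wpa_network_block(pin, "hokiebird@vt.edu"))
```

Because the pin matches one exact certificate, the configuration has to be regenerated whenever the RADIUS server certificate is replaced.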
==netctl Instructions==
[https://wiki.archlinux.org/index.php/netctl netctl] is a network manager which is native to the ArchLinux distribution. netctl makes use of wpa_supplicant under the hood, and so the configuration is similar.
 $ sudo netctl start eduroam
==Android Instructions==
[[File:AndroidEduroamNoCert.png|170px|thumb|Sample Android configuration of eduroam, but crucially lacking certificate validation.]]
* Press "Connect".
'''TODO:''' Android certificate validation
 
==Frequently Asked Questions==
===Is eduroam free?===
Eduroam at Virginia Tech is free for:
* VT affiliates with VT-Wireless access and network passwords
* Users at other participating institutions
===Why is eduroam the preferred SSID?===
Using eduroam has several advantages:
* Your wifi probes identify you as an eduroam user, rather than a VT affiliate
* You have access to seamless roaming if you ever travel to another participating college campus
* The anonymous identity feature separates RADIUS authentication logs from the network access provider's logs
The main disadvantage is that Virginia Tech's eduroam implementation does not appear to support the deprecated [[EAP-TLS]] system, while VT-Wireless does (as of February 2015).
==References==
Anonymous user