Open main menu

Linux and Unix Users Group at Virginia Teck Wiki β

Changes

Virginia Tech Wifi (OLD)

2,342 bytes added, 07:09, 13 November 2009
no edit summary
VT-Wireless has a number of steps. In contrast, set up for connecting
to the unsecured VT_WLAN network is negligible, but you will be
required to manually authenticate each time you connect.[''NOTE: see [#VT_WLAN_Auto_Login below] for scripts on how to enable automated authentication to VT_WLAN.'']
The table below summarizes the advantages and disadvantages of connecting to the two wireless LANs.
{|<table style="text-align: center;" align="center" border="1" cellpadding="10">
<tbody><tr>
</th></tr>
<tr>
<th>Secure (Encrypted)<br/> Connection
</th><td> yes </td><td> no
 
</td></tr>
<tr>
<tr>
<th>Authentication
</th><td> automatic </td><td> manual<a href="[#VT_WLAN_Auto_Login" title="">*]</atd></tr></tdtbody></trtable>|} 
=VT-Wireless=
The VT-Wireless network is secured by WPA with EAP/TLS encryption.
authentication mechanism.
==Obtaining the VT-Wireless Certificate==
Regardless of what program you use to make your connection, you will need to <a href="[https://netcert.cns.vt.edu/netcert/" class="external text" title="https://netcert.cns.vt.edu/netcert/" rel="nofollow">obtain your p12 certificate and password from CNS</a>].
Complete the form and download the p12 certificate file. Write down the
certificate password and store it some place where you can find it
again. You will need it in setting up your connection to VT-Wireless.
 
===Connecting by NetworkManager===
====NetworkManager 0.7====
====Converting the certificate to PEM certificates and keys====
 ['''NOTE:''' The following steps are only necessary to use NetworkManager 0.7. NetworkManager 0.6 has a <a href="[#NetworkManager_0.6" title="">more straightforward setup</a> ] and wpa_supplicant works pretty much <a href="[#Connecting_by_WPA_Supplicant" title="">out of the box</a> ] as well.]You will need to convert the p12 certificate into PEM formats. We will assume your downloaded p12 file is called '''<tt>netcert-1.p12</tt>''' and that its password is <i>'''''netcertpasswd'''</i>''.
Open a terminal and <tt>cd</tt> to the directory that contains your p12 file. Then issue the following commands:
 
<pre>openssl pkcs12 -in netcert-1.p12 -out vt_client_cert.pem -clcerts -nokeys
openssl pkcs12 -in netcert-1.p12 -out vt_private_key.pem -nocerts
</pre>
In each step, you will be prompted for the password (<i>''netcertpasswd</i>'')
that you were issued along with your p12 certificate. Additionally, in
the final step where you generate your private key, you will be asked
'''Sources'''
<ul><li> <a href="[http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup" class="external free" title="http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup" rel="nofollow">http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup</a>]
</li></ul>
====Make sure you have the CA Certificate==== 
Next, you will need to make sure you have the Thawte CA certificate. In Ubuntu, you should find this certificate as <tt>/etc/ssl/certs/Thawte_Premium_Server_CA.pem</tt>.
If you can't find the certificate, you can copy the text below and paste it into a new file of the same name.
-----END CERTIFICATE-----
</pre>
<br/>
Left-click the NetworkManager applet and select the VT-Wireless network.
[[<a href="http://www.vtluug.org/wiki/index.php?title=Image:Nm_choose_wireless.png]]" class="image" title="Image:nm_choose_wireless.png"><img alt="Image:nm_choose_wireless.png" src="VT-Wireless_files/Nm_choose_wireless.html" height="255" width="313" border="0"></a>
You will see a prompt to configure the connection. First, from the Authentication drop-down menu, select TLS.
[[<a href="http://www.vtluug.org/wiki/index.php?title=Image:Nm_choose_tls.png]]" class="image" title="Image:nm_choose_tls.png"><img alt="Image:nm_choose_tls.png" src="VT-Wireless_files/Nm_choose_tls.html" height="466" width="494" border="0"></a>
Next, fill in the rest of the options:
[[<a href="http://www.vtluug.org/wiki/index.php?title=Image:Nm_vt_wireless_options.png]]" class="image" title="Image:nm_vt_wireless_options.png"><img alt="Image:nm_vt_wireless_options.png" src="VT-Wireless_files/Nm_vt_wireless_options.html" height="466" width="494" border="0"></a> <table align="center" border="1" cellpadding="5">
{|
<tbody><tr>
<th>Field </th><th> Value
</td></tr>
<tr>
 
<th>Authentication
</th><td> TLS
<tr>
<th>Identity
</th><td><i>''Your VT PID</i>''
</td></tr>
<tr>
<th>CA Certificate
</th><td> /etc/ssl/certs/Thawte_Premium_Server_CA.pem
 
</td></tr>
<tr>
<tr>
<th>Private Key Password
</th><td> ''netcertpasswd''<i/td>netcertpasswd</itr></tdtbody></trtable>|}
Click "Connect" and you should connect to the VT-Wireless network.
===NetworkManager 0.6===
 
Left-click the NetworkManager applet and select VT-Wireless. You
will be prompted to enter information about the connection. Here are
<th>Wireless Security
</th><td> WPA2 Enterprise
 
</td></tr>
<tr>
<tr>
<th>Identity
 </th><td><i>''Your VT PID</i>''
</td></tr>
<tr>
<th>Password
</th><td> <i>''empty</i>''
</td></tr>
<tr>
<th>CA Certificate File
</th><td> (None)
 
</td></tr>
<tr>
<th>Private Key File
</th><td> netcert-1.p12 <br/>(the certificate downloaded<br/>from VT NetCert)
</td></tr>
<tr>
<th>Private Key Password
</th><td> <i>''netcertpasswd</i>''
</td></tr></tbody></table>
==Connecting by wicd(wicked)==
Wicd is an alternative to network manager and is used on many light
weight systems since it has few requirements and uses your systems own
ifconfig/iwconfig commands.
It still under active devlopment but is more than stable enough
for everyday use. Also NetworkManager has a tendancy to disconnect
every 10 minutes for about 20 seconds then it automatically reconnects.
Not a show stopper but could be annoying during a web-based
assignments.
Instead of using TLS, we will be using PEAP. This is a
different encryption scheme and is much more simple to setup compared
to TLS. I will also try setting up networkmanager with this method
later...
OK, do you have a VPN password? If not, follow these instructions for setting up your remote VPN login account[http://answers.vt.edu/kb/entry/2846/ [1]].
<br />
Next you need to locate the copy of the Thawte_Premium_Server_CA.pem on your system.
For me it was in:
<pre>/etc/ssl/certs/
</pre>
After dillegently locating this file, open up network manager.
Click san to make sure your list of devices is up to date.
Next click the "Properties" button next to the VT-Wireless at the top of the list (any one is fine really).
Make sure there is a check in both "Use these settings for all networks sharing this essid" and "Use encyption".
Next in the drop down box right below choose "PEAP with TKIP/MSCHAPV2"
This will present you with "Identity", "Password", and "Path to CA Cert" text boxes.
==Connecting by wicd (wicked)==<pre>Identity: &lt;Your PID&gt;Password: &lt;The one you set up earlier for VPN access&gt;Path to CA Cert: &lt;something like /etc/ssl/certs/Thawte_Premium_Server_CA.pem&gt;</pre>Then just click OK.
Follow <ul><li>Note: wicd will "star" out your identity and the PEM certificate creation instructions for NetworkManager. Select EAP/TLS path to the CACert feilds so don't be alarmed when your ID and then input the PEM certificates and path to the CACert get transformed automatically to * when you click away from the Thawte certificatetext box. The certificate on Debian, Arch and potentially other systems is in<pre/li><li>Note: This method works for connecting iPhone(s)/iPod Touch(s)</etcli></sslul><ul><li>These Instructions are based on my own personal setup</certsli></ul><pre>Eee PC 901Ralink rt2860 (staging driver in kernel)ArchLinuxXfce 4.6wicd 1.6.2kernel 2.6.30
</pre>
 
==Connecting by WPA Supplicant==
===Editing wpa_supplicant.conf===
</pre>
where <tt>INTERFACE</tt> is your wireless card's device interface. Usually this is <tt>wlan0</tt> but depending on udev and perhaps other system features, it might appear as ath0, eth1 or something else. Run <tt>sudo ifconfig -a</tt> to see all your interfaces listed.
 
You should see the words <tt>Access Point:</tt> followed by a MAC address (e.g., <tt>00:0F:23:EA:4A:01</tt>). If instead you see <tt>Access Point: not associated</tt>. Try the command again. If that still fails, bring down the interface and bring it back up
and re-issue the <tt>wpa_supplicant</tt> command.
Next, obtain an IP address. In Ubuntu, this is done with
 
<pre>sudo dhclient INTERFACE
If you're not using wpa_supplicant, you'll need to migrate from
Wireless Tools to it in order to speak WPA and 802.1X to the
VT-Wireless network. Refer to the <a href="http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&amp;chap=4#doc_chap2" class="external text" title="[http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&amp;chap=4#doc_chap2" rel="nofollow">Gentoo documentation</a> ] for a step-by-step guide to setting up WPA Supplicant. 
=VT_WLAN=
network is composed of unencrypted IEEE 802.11g access nodes. To limit
access to faculty and staff, VT Communications Network Services uses an
authentication technology from Bluesocket. You have to register for <a href="[http://www.cns.vt.edu/html/wireless/wlan/registration.html" class="external text" title="http://www.cns.vt.edu/html/wireless/wlan/registration.html" rel="nofollow">Customer OnLine Access (COLA)</a> ] or in person at the Student Telecommunications Office to enable your account.
==Authentication==
 
The Bluesocket authentication technology will automatically redirect
you to the login page (or hijack the URL you are trying to visit in
-d source=`/sbin/ifconfig eth1 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'` \
https://`/sbin/route | grep -Eo '(bur|cas|hil|isb|owe|sha)-agw-[123]'`.cns.vt.edu/login.pl</pre>
 <br/>Depending on the characters in your password, you may need to
quote it to prevent expansion, i.e. bs_password='MY!$?*PASSWORD'.
ifconfig and route are located in /sbin and therefore generally not in
return 0
}</pre>
 
PID and PASSWORD should of course be your PID and password. This
setup is only really suitable for a single user machine like a laptop.
To very slightly improve security you should <tt>chmod a-r /etc/conf.d/wireless</tt>. This script does not authenticate the access point and would send your password to rogue access points. Using [#VT-Wireless VT-Wireless] rather than this script to automate login is highly recommended. If youinsist on ugly hacks then you could perhaps look into using the [[VT http://www.vtluug.org/wiki/index.php?title=VT_VPN VPN]] on top of VT_WLAN.
==Some Technical Details==
The access points force SSL and are all signed by the Thawte Premium Server CA. The routers are named:
* <ul><li> bur-agw-2.cns.vt.edu* </li><li> bur-agw-3.cns.vt.edu* </li><li> cas-agw-?.cns.vt.edu* </li><li> hil-agw-?.cns.vt.edu* </li><li> isb-agw-?.cns.vt.edu* </li><li> owe-agw-1.cns.vt.edu* </li><li> sha-agw-1.cns.vt.edu</li></ul>
Generally, in order to minimize congestion, connectivity is spread across multiple channels. Channel 11 seems to be the busiest.
No MAC-based authentication is performed.
=Network Information Sources=
* <ul><li> [http://www.cns.vt.edu/html/wireless/wlan/index.html Communications Network Services: Wireless LAN]* </li><li> [http://computing.vt.edu/internet_and_web/internet_access/ipaddresses.html Virginia Tech IP Addresses] [[Category:Howto]][[Category:Import cleanup]]</li></ul>
Anonymous user