Difference between revisions of "Virginia Tech Wifi"

From the Linux and Unix Users Group at Virginia Tech Wiki

imported>Ram
(RADIUS certificates: Delete Section)
imported>Ram
(Move the old header for the page over)
(6 intermediate revisions by the same user not shown)

* Password: [https://www.computing.vt.edu/kb/entry/3765 Your Network Password]

====RADIUS certificates====

The certificate verification methods vary greatly between different network managers, but the certificate currently in use for the Virginia Tech RADIUS servers is available from the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless PKI Certificate Search site] and the certificate chain is the (Obsolete) [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Global Server CA] chain.

Many network managers for Linux/UNIX use wpa_supplicant as their underlying IEEE 802.1x/WPA supplicant and generate a configuration file on the fly. As a result, many network managers have similar configuration formats. In this section we will walk through generating a certificate pin for the certificate used to authenticate the VT RADIUS servers in eduroam.

Unfortunately, the PKI Certificate Search is only available from campus IPs.

wpa_supplicant offers multiple mechanisms for certificate management. The ca_cert parameter can point to a file which contains one or more CA certificates which will be used to validate the certificate. With that option you also have the ability to specify a substring match of the certificate's common name. Where possible, in our configurations we opted for a much stronger level of validation by specifying the hash of the certificate that we expect to see.

In order to generate the certificate hash, download the certificate by clicking the "Download" link on the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certificate Search for VT-Wireless] (unfortunately this site is only available to Virginia Tech IPs).

Validate that the certificate downloaded is in fact signed by the (Obsolete) [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Global Server CA] chain.

(TODO)

Then generate the sha256 hash (in the directory where the certificate downloaded to):

 openssl x509 -in VT-Wireless.cns.vt.edu.crt -outform der | sha256sum
 216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a  -

It is recommended that you perform these steps yourself rather than trusting the certificate hash presented in the configurations below.

'''Note:''' As we are pinning the certificate instead of relying on a PKI, when CNS rotates the certificates being used, the configuration will need to be updated to match the new certificate.

====A word of caution====

Although you can verify connection to the Virginia Tech RADIUS servers, you must keep in mind that you are connecting to a network that you do not control. It is possible that there are network monitors in place which can record and potentially modify traffic.

We encourage you to take precautions against network eavesdropping and mischief (on the Eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle].

For general tips on improving your security while using the network, consider reading the EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips and/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office].

==A word of caution on MSCHAPv2==
Revision as of 20:50, 2 February 2015

Since the fall of 2008, there have been two wireless networks on campus. One network, called VT-Wireless, encrypts all traffic and is secured with EAP-TLS or PEAP-MSCHAPv2. The other network, called VT_WLAN, was an unencrypted captive-portal network using PID authentication. In July 2013, VT_WLAN was superseded by CONNECTtoVT-Wireless, an unencrypted captive-portal wireless network designed to set up connecting to VT-Wireless without offering Internet access. Due to user issues faced during deployment, CONNECTtoVT-Wireless began offering captive portal access to VT users. In January 2015, eduroam access was enabled, allowing members of any eduroam-affiliated institution to use wifi at any other institution. Connections to VT-Wireless and eduroam are secure by default, and either of two different methods can be used to connect.

As of January 2015 the preferred method of wireless access at Virginia Tech is through the Eduroam network. Eduroam is a wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless network is that you will be able to connect to the Internet at any participating institution using your Virginia Tech credentials. The Eduroam-US site provides a technical overview of how the network authenticates you to the Virginia Tech RADIUS servers.


Connection information

eduroam

The following settings are recommended for connecting to the Eduroam network:

  • SSID: eduroam
  • EAP: PEAP
  • Phase 2: MSCHAPv2
  • Identity: pid@vt.edu (So if your PID was "hokiebird", hokiebird@vt.edu)
  • Anonymous Identity: anonymous@vt.edu
  • Password: Your Network Password

RADIUS certificates

The certificate verification methods vary greatly between different network managers, but the certificate currently in use for the Virginia Tech RADIUS servers is available from the PKI Certificate Search site and the certificate chain is the (Obsolete) Virginia Tech Global Server CA chain.

Unfortunately, the PKI Certificate Search is only available from campus IPs.

A word of caution on MSCHAPv2

Warning: Use of PEAP-MSCHAPv2 to connect to the Virginia Tech network is strongly discouraged by the Linux and Unix Users Group due to attacks that can allow all traffic to be decrypted with a 100% success rate. Unfortunately, VT has deprecated the alternative, so users will soon lose the option of authenticating with certificates.

At DefCon 20 in July 2012, an attack was announced for MSCHAPv2 that allows the protocol to be cracked quickly with a 100% success rate.[1] Use of MSCHAPv2 is strongly discouraged.


Set your remote access (network) passphrase

Regardless of what software you use to establish your connection, you must first set your remote passphrase by going to my.vt.edu→Settings→Change Network Password.

Android

eduroam (preferred)

TODO

VT-Wireless (legacy)

The following instructions were written for Android 2.2 (Froyo) and may not work on other platforms or versions. If you would like to see additional coverage, please add it yourself or make a request on the wiki's wanted page.

  • From the home screen, press the menu button and choose "Settings"→"Wireless & networks"→"Wi-Fi settings".
  • Remove any existing entries for the network you'd like to add or any conflicting network.
  • From the "WiFi networks" listing, click on the network you'd like to add.
  • Choose PEAP as the EAP method and MSCHAPv2 as the phase two authentication mechanism.
  • Enter your credentials for the identity and press "Connect".

NetworkManager

eduroam (preferred)

  • In your wireless configuration program, select eduroam.
  • Choose PEAP as the EAP type.
  • Choose MSCHAPv2 as the authentication method.
  • Use PID@vt.edu and network passphrase as your login credentials.
  • Use anonymous@vt.edu as your Anonymous Identity.
  • TODO: Certificate verification

VT-Wireless (legacy)

  • In your wireless configuration program, select VT-Wireless.
  • Choose PEAP as the EAP type.
  • Choose MSCHAPv2 as the authentication method.
  • Use your PID and network passphrase as your login credentials.

wpa_supplicant

For eduroam (preferred)

wpa_supplicant is a cross-platform supplicant which implements IEEE 802.1x/WPA and is used in many Linux/UNIX distributions.

In order to connect to the eduroam network, add the following to /etc/wpa_supplicant/eduroam.conf modifying the identity and password to reflect your PID and Network Password:

ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
update_config=1
fast_reauth=1
ap_scan=1

network={
    ssid="eduroam"
    proto=RSN
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@vt.edu"
    ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"

    identity="YourPidHere@vt.edu"
    password="YourNetworkPasswordHere"
}

You can then connect to the network by running (where wlan0 is your wireless interface):

$ sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/eduroam.conf
$ sudo dhcpcd wlan0

For VT-Wireless (legacy)

Add the following lines to /etc/wpa_supplicant.conf:

ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
update_config=1
fast_reauth=1
ap_scan=1

network={
	ssid="VT-Wireless"
	proto=WPA2
	key_mgmt=WPA-EAP
	eap=PEAP
	phase2="auth=MSCHAPV2"
	identity="your PID"
	password="your passphrase"
	ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"
}

Certificate pinning

For eduroam

In the above wpa_supplicant configuration, we pin the server certificate that we expect the RADIUS server to present. wpa_supplicant offers multiple mechanisms for certificate management. The ca_cert parameter can point to a file which contains one or more CA certificates which will be used to validate the certificate. With that option you also have the ability to specify a substring match of the certificate's common name.

In our configuration we opted for a much stronger level of validation, wherein we specify the hash of the certificate that we expect to see. When using this method of certificate validation, you specify the ca_cert parameter as hash://server/sha256/<sha256 hash of DER encoded certificate>.

In order to generate the sha256 hash of the DER encoded certificate (so that you can validate that the above hash is correct), download the certificate by clicking the "Download" link on the Certificate Search for VT-Wireless.

Validate that the certificate downloaded is in fact signed by the Virginia Tech Certificate Authority:

(TODO)

Then generate the sha256 hash (in the directory where the certificate downloaded to):

openssl x509 -in VT-Wireless.cns.vt.edu.crt -outform der | sha256sum
216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a  -
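As an added example (not the wiki's own script), the POSIX shell script below carries out the pinning workflow described in this section and in the RADIUS certificates section earlier on the page: convert the downloaded PEM certificate to DER, hash it, form the hash://server/sha256/... value for ca_cert, verify the certificate against a CA bundle before trusting it, and compare the pin already present in a wpa_supplicant config against a certificate so that a rotation by CNS, or an unexpected certificate, is noticed instead of silently failing at connection time. The CA and server certificate are constructed in a temporary directory with throwaway keys; the names radius.example.test, Example Test CA and the function names are assumptions, not anything from the VT PKI.

```shell
#!/bin/sh
# Added example, not from the LUUG wiki: compute and check a wpa_supplicant
# certificate pin with openssl and sha256sum, as the page describes.
# The CA and server certificate are constructed below with throwaway keys;
# they stand in for the VT Global Server CA chain and the VT-Wireless RADIUS
# certificate, which cannot be fetched offline.
set -eu

# cert_pin PEMFILE: print the ca_cert value wpa_supplicant expects,
# hash://server/sha256/<sha256 of the DER encoding>. The hash covers the
# DER bytes, not the PEM text, so the PEM -> DER conversion comes first.
cert_pin() {
    hex=$(openssl x509 -in "$1" -outform der | sha256sum | cut -d' ' -f1)
    printf 'hash://server/sha256/%s\n' "$hex"
}

# verify_chain PEMFILE CAFILE: succeed only if the certificate chains to the
# trusted CA bundle (the "validate that it is in fact signed by" step).
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# configured_pin CONF: extract the hash:// pin from a wpa_supplicant config.
configured_pin() {
    sed -n 's|^[[:space:]]*ca_cert="\(hash://server/sha256/[0-9a-f]\{64\}\)".*|\1|p' "$1" | head -n 1
}

# pin_matches_config CONF PEMFILE: succeed if the pin in CONF matches the
# certificate. A mismatch after a CNS rotation means the config needs the new
# pin (after re-verifying the chain); a mismatch on an unchanged certificate is
# exactly what the pin exists to catch.
pin_matches_config() {
    want=$(cert_pin "$2")
    have=$(configured_pin "$1")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# --- constructed fixtures (assumed names, throwaway keys) -------------------
WORK=$(mktemp -d)
CA_CRT="$WORK/ca.crt"; SRV_CRT="$WORK/server.crt"; CONF="$WORK/eduroam.conf"

# Throwaway CA, standing in for the Virginia Tech Global Server CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$CA_CRT" -subj "/CN=Example Test CA" 2>/dev/null
# Throwaway server certificate signed by that CA, standing in for VT-Wireless.cns.vt.edu.
openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "/CN=radius.example.test" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$CA_CRT" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$SRV_CRT" 2>/dev/null

# Minimal wpa_supplicant network block whose pin was generated from the fixture.
cat > "$CONF" <<EOF
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="$(cert_pin "$SRV_CRT")"
}
EOF

# --- demonstration ----------------------------------------------------------
verify_chain "$SRV_CRT" "$CA_CRT" && echo "chain OK: server certificate is signed by the CA"
echo "pin: $(cert_pin "$SRV_CRT")"
pin_matches_config "$CONF" "$SRV_CRT" && echo "config pin matches the server certificate"
# A different certificate (here the CA itself) does not match the pinned value.
pin_matches_config "$CONF" "$CA_CRT" || echo "config pin does NOT match a different certificate (expected)"
```

To apply this to the real certificate, point cert_pin and verify_chain at the downloaded VT-Wireless.cns.vt.edu.crt and a PEM file holding the Global Server CA chain instead of the fixtures, and pass /etc/wpa_supplicant/eduroam.conf to pin_matches_config; running the check again after a CNS rotation tells you that the ca_cert line needs updating.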

netctl

netctl is a network manager which is native to the ArchLinux distribution. netctl makes use of wpa_supplicant under the hood, and so the configuration is similar.

eduroam (preferred)

Put the following configuration in /etc/netctl/eduroam with your proper PID and Network Password. Further, this assumes that your wireless network device is wlan0, which you might have to change to match your system. The ca_cert line pins the server certificate and can be generated/validated using the mechanism described above.

Description='Federated Educational Wifi Network'
Interface=wlan0
Connection=wireless
Security=wpa-configsection

IP=dhcp
IP6=stateless

WPAConfigSection=(
    'ssid="eduroam"'
    'proto=RSN'
    'key_mgmt=WPA-EAP'
    'eap=PEAP'
    'phase2="auth=MSCHAPV2"'
    'anonymous_identity="anonymous@vt.edu"'
    'ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"'

    'identity="YourPidHere@vt.edu"'
    'password="YourNetworkPasswordHere"'
)

Ensure that this file is owned by root and only readable by root:

$ sudo chown root:root /etc/netctl/eduroam
$ sudo chmod 600 /etc/netctl/eduroam

You can then start the connection using standard netctl methods:

$ sudo netctl start eduroam

For VT-Wireless (legacy)

Tested on Arch Linux with netctl 0.8 (updated on 2013-04-12).

  • Create a file, /etc/netctl/VT-Wireless and place this in it:
Description="VT-Wireless PEAP-MSCHAPv2"
Interface=wlan0
Connection=wireless
Security=wpa-configsection

IP=dhcp
IP6=stateless

WPAConfigSection=(
    'ssid="VT-Wireless"'
    'proto=RSN'
    'key_mgmt=WPA-EAP'
    'eap=PEAP'
    'phase2="auth=MSCHAPV2"'
    'identity="YOUR IDENTITY"'
    'password="NETWORK PASSWORD"'
    'ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"'
)

Make sure to change IDENTITY to your PID, and NETWORK PASSWORD to your network password.

  • After creating this file, make sure to change the owner to root (sudo chown root:root /etc/netctl/VT-Wireless) and change the permissions so that it can be read only by the owner (sudo chmod 0600 /etc/netctl/VT-Wireless). This will ensure that the network password stored in the file cannot easily be read by others.
  • To connect, simply type the following in a terminal:
sudo netctl start VT-Wireless

References