
Linux and Unix Users Group at Virginia Tech Wiki

Changes

Virginia Tech Wifi

591 bytes added, 17:48, 6 February 2015
Added verification instructions
As of January 2015 the [https://www.computing.vt.edu/content/eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ Eduroam] network. Eduroam is a secure wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless network is that you will be able to connect to the Internet at any participating institution using your Virginia Tech credentials. The Eduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS servers.
 
For information on connecting to the legacy VT-Wireless network, see [[Virginia Tech Wifi: VT-Wireless]].
==Connection Information==
* Password: [https://www.computing.vt.edu/kb/entry/3765 Your Network Password]
===Legacy connections===
It may still be possible to use older networks, but their use is deprecated in favor of eduroam and thus unsupported.
* [[Virginia Tech Wifi: VT-Wireless]] - VT-Wireless with PEAP-MSCHAPv2 (network password)
* [[EAP-TLS]] - VT-Wireless with EAP-TLS (netcerts)

===Certificate Pinning===
Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication. Unfortunately, VT is in the process of deprecating a much stronger authentication method, [[EAP-TLS]], and as such, network certificates will no longer be an option.
To generate the certificate hash, download the certificate by clicking the "Download" link on the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certificate Search for VT-Wireless] page. (Unfortunately, this site is only available to Virginia Tech IPs.)
Validate that the downloaded certificate is in fact signed by the (now obsolete) [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Global Server CA] chain. You will first need to download ''all'' certificates in the "CA: Virginia_Tech_Global_Server_CA" chain and concatenate them.
(TODO)
 $ cat GlobalSignRootCA.pem GlobalSignRootSignPartnersCA.pem VirginiaTechGlobalRootCA.pem VirginiaTechGlobalServerCA.pem >> ca.pem
 $ openssl verify -verbose -purpose sslserver -CAfile ca.pem VT-Wireless.cns.vt.edu.crt
 VT-Wireless.cns.vt.edu.crt: OK
Then generate the SHA-256 hash (in the directory the certificate was downloaded to):
'''Note:''' As we are pinning the certificate instead of relying on a PKI, when CNS rotates the certificates being used, the configuration will need to be updated to match the new certificate.
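As an added example (not part of the original wiki page), this Python code computes a pin as the SHA-256 of the certificate's DER encoding and checks a downloaded certificate against a stored pin, which is how a mismatch after CNS rotates the certificate would show up. The function names are assumptions for illustration, and the sample bytes are constructed, not the VT-Wireless certificate.

```python
import base64
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for a certificate's DER bytes (NOT a real certificate).
# The digest treats DER as an opaque blob, so any bytes show the mechanics.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def cert_sha256(pem_text: str) -> str:
    """SHA-256 (lowercase hex) of the DER encoding of the first certificate.

    Hashing DER rather than the file gives the same value as
    `openssl x509 -noout -fingerprint -sha256` (minus the colons) and is
    unaffected by line endings or text around the PEM block.
    """
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:...' or plain hex and return 64 lowercase hex digits."""
    digits = re.sub(r"[\s:]", "", pin).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digits):
        raise ValueError("pin is not a SHA-256 value in hex")
    return digits


def pin_matches(pem_text: str, pin: str) -> bool:
    """True if the certificate's fingerprint equals the configured pin."""
    return hmac.compare_digest(cert_sha256(pem_text), normalize_pin(pin))


if __name__ == "__main__":
    print("fingerprint:", cert_sha256(SAMPLE_PEM))
    print("pin still valid:", pin_matches(SAMPLE_PEM, SAMPLE_PIN))
```

A `False` result from `pin_matches` on a freshly downloaded certificate means the stored pin no longer describes what the server presents, so the new certificate has to be validated against the CA chain before the pin is updated.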
====A Word of Caution====
Although you can verify the connection to the Virginia Tech RADIUS servers, you must keep in mind that you are connecting to a network that you do not control. It is possible that there are network monitors in place which can record and potentially modify traffic.
We encourage you to take precautions against network eavesdropping and mischief (on the Eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle].
For general tips on improving your security while using the network, consider reading the EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips, reading [https://www.hokieprivacy.org/ Hokie Privacy], and/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office].
==Set Your Remote Access (Network) Passphrase==
Anonymous user