Changes
→wpa_supplicant Instructions: openbsd-specific instructions
As of January 2015 the [https://www.computing.vt.edu/content/eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ Eduroam] network. Eduroam is a secure wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless network is that you will be able to connect to the Internet at any participating institution using your Virginia Tech credentials. The Eduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS servers.
==General Connection Information==
''Subject:'' OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem</code>. If you are unable to locate it in your OS, you can get it directly from [https://2029.globalsign.com/ GlobalSign].(This page seems to not be loading correctly at the moment. [https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates Here] is the parent page.)
====Trusted Root CA SHA256 G2====
Validate the certificate (see above) then generate the sha256 hash:
$ openssl x509 -in VT-Wirelesseduroam.cnsnis.vt.edu.crt -outform der | sha256sum
9b5163a3360f07b2dce2fd1e958c541687cf4c5360bb8adc87fa821c1c969910 -
==NetworkManager Instructions==
==wpa_supplicant Instructions==
$ sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/eduroam.conf
$ sudo dhcpcd wlan0
On [[OpenBSD]], the process is a little more complicated:
# ifconfig wlan0 nwid edoroam wpa wpaakms 802.1x up
# /usr/local/sbin/wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf
# dhclient wlan0
# ifconfig iwm0 inet6 autoconf
Alternate config options, besides domain_match are as follows (obviously not correct):
'anonymous_identity="anonymous@vt.edu"'
'ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"'
'domain_match="VT-Wirelesseduroam.cnsnis.vt.edu"'
'identity="YourPidHere@vt.edu"'
'password="YourNetworkPasswordHere"'
EAP = peap
CACertFile = /etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem
DomainMatch = eduroam.nis.vt.edu
AnonymousIdentity = anonymous@vt.edu
Phase2 = MSCHAPV2
'''TODO:''' Android certificate validation
Quick and dirty options for validating the eduroam certificate, in order from least secure to most secure:
# Do not validate: you will get online, but consider your connection to be as secure as a public hotspot
# (Android 7.1+ only) Use system certificates: This will check to make sure the certificate chains back to some CA in the system cert store. This is significantly better than no validation, but still not very good. You may also need to specify a domain. If so, use "vt.edu"
# Download and import the GlobalSign Root CA: detailed instructions to come. Since you are still not checking the CN, it is only marginally better than using system certificates.
# Use the [https://play.google.com/store/apps/details?id=uk.ac.swansea.eduroamcat eduroam CAT] tool: this will setup the whole wireless profile and use the correct CA and verify the CN. As such, it is the preferred method. Warning, it is ugly. If you have an existing "eduroam" profile, you will need to remove it. When it prompts for the username and password, use <YOUR-PID>@vt.edu and your network password. It relies on geolocation to prompt for the profile for the right school. You may need to go outside to get a good GPS signal. If it is able to do geo-ip (e.g., you are connected to the "VirginiaTech" SSID), it gets you close enough.
==Frequently Asked Questions==
===Is eduroam free?===
* Users at other participating institutions
===Why is eduroam the preferred SSID?===
Using eduroam has several advantages:
* Your wifi probes identify The unencrypted portion of your authentication optionally identifies you as an eduroam user, "anonymous@vt.edu" rather than a VT affiliaterevealing your PID
* You have access to seamless roaming if you ever travel to another participating college campus
* The anonymous identity feature separates RADIUS authentication logs from the network access provider's logs
==References==
[[Category:Howtos]]
[[Category:Campus computing resources]]
[[Category:Needs restoration]]