
Virginia Tech Wifi

4,447 bytes added, 19:10, 28 June 2018
Edit summary: wpa_supplicant Instructions: openbsd-specific instructions
On campus, there are 2 wireless networks. One network, called '''Eduroam''', is the preferred method; it uses PEAP-MSCHAPv2 to authenticate to the RADIUS server, while the second SSID, '''VirginiaTech''', provides a captive portal and allows for guest account creation.
As of January 2015 the [https://www.computing.vt.edu/content/eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ Eduroam] network. Eduroam is a secure wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless network is that you will be able to connect to the Internet at any participating institution using your Virginia Tech credentials. The Eduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS servers.
<!-- '''PEAP-MSCHAPv2''' is a wireless authentication scheme used by Virginia Tech as an alternative to [[EAP-TLS]] for connections to [[VT-Wireless]]. -->
==General Connection Information==
===eduroam===
The following settings are recommended for connecting to the Eduroam network:
* '''SSID:''' eduroam
* '''EAP:''' PEAP
* '''Phase 2:''' MSCHAPv2
* '''Root CA:''' [https://2029.globalsign.com GlobalSign Root CA - R3] or pin the certificate (see below)
* '''Server Name:''' eduroam.nis.vt.edu
* '''Identity:''' pid@vt.edu (So if your PID was "hokiebird", hokiebird@vt.edu)
* '''Anonymous Identity:''' anonymous@vt.edu
* '''Password:''' [https://www.computing.vt.edu/kb/entry/3765 Your Network Password]

''Regardless of what software you use to establish your connection, you must first set your remote (network) passphrase by going to [https://my.vt.edu my.vt.edu]→Settings→Change Network Password.''

===Obtaining the Certificate Chain===
The certificate presented by the RADIUS server is chained as such:
* GlobalSign Root CA - R3
** Trusted Root CA SHA256 G2
*** Virginia Tech Global Qualified Server CA
**** eduroam.nis.vt.edu

Below is where to obtain each of these, along with some metadata. The filenames are arbitrary, but will be used for the rest of this article. For every certificate (''especially'' the root; the signature chain helps with the rest), consider where you are obtaining it from and how much you trust that you are getting what you think you are. You will probably want the PEM formatted certificate, if you have the option.

====GlobalSign Root CA - R3====
''Filename:'' GlobalSign_Root_CA_-_R3.pem

''Subject:'' OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign

This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem</code>. If you are unable to locate it in your OS, you can get it directly from [https://2029.globalsign.com/ GlobalSign]. (This page seems to not be loading correctly at the moment. [https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates Here] is the parent page.)

====Trusted Root CA SHA256 G2====
''Filename:'' TrustedRootCASHA256G2.pem

''Subject:'' C = BE, OU = Trusted Root, O = GlobalSign nv-sa, CN = Trusted Root CA SHA256 G2

This is an intermediate certificate, again issued by GlobalSign. You can get it directly from GlobalSign [https://support.globalsign.com/customer/portal/articles/1211591-trusted-root-intermediate-certificates here].

====Virginia Tech Global Qualified Server CA====
''Filename:'' VirginiaTechGlobalQualifiedServerCA.pem

''Subject:'' C = US, ST = Virginia, L = Blacksburg, OU = Global Qualified Server CA, O = Virginia Polytechnic Institute and State University, CN = Virginia Tech Global Qualified Server CA

This can be obtained from the Virginia Tech PKI [http://www.pki.vt.edu/developer/rootca.html#globalqualifiedserver website]. This website is only available from VT IP addresses (including VPN). Although certificates higher in the chain are also provided here, the page does ''not'' support https. '''''DO NOT''''' get your root CA here.

====eduroam.nis.vt.edu====
''Filename:'' eduroam.nis.vt.edu.crt

''Subject:'' C = US, ST = Virginia, L = Blacksburg, O = Virginia Polytechnic Institute and State University, CN = eduroam.nis.vt.edu

This can be obtained from the [https://apps.pki.vt.edu/ca-manager/search VTCA Certificate Manager]. This requires PID login. Search for "eduroam.nis.vt.edu". '''Note''': As of 2017 June 19, there will be 2 results, due to some internal testing. Download the certificate with the serial 3699307517ED7E8B. The certificate with serial 7A083CC134D0303D is ''incorrect''.

===Validating the certificate===
<ol>
<li>Obtain ''all'' certificates in the certificate chain ''in PEM format''.</li>
<li>Concatenate the non-leaf certificates into a single file:
<pre>$ cat GlobalSign_Root_CA_-_R3.pem TrustedRootCASHA256G2.pem VirginiaTechGlobalQualifiedServerCA.pem >> ca.pem</pre></li>
<li>Verify the certificates are signed correctly:
<pre>$ openssl verify -verbose -purpose sslserver -CAfile ca.pem eduroam.nis.vt.edu.crt
eduroam.nis.vt.edu.crt: OK</pre></li>
<li>For at least the root and leaf certificates, verify the subject (compare to above):
<pre>$ openssl x509 -in file_of_cert_you_want_to_check -noout -subject</pre></li>
</ol>

===Certificate Pinning===
Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication. Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate.

Validate the certificate (see above), then generate the sha256 hash:
<pre>$ openssl x509 -in eduroam.nis.vt.edu.crt -outform der | sha256sum
9b5163a3360f07b2dce2fd1e958c541687cf4c5360bb8adc87fa821c1c969910  -</pre>

It is recommended that you perform these steps yourself rather than trusting the certificate hash presented in the configurations below.

'''Note:''' As we are pinning the certificate instead of relying on a PKI, when NI&S rotates the certificates being used (at least every 2 years), the configuration will need to be updated to match the new certificate.
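The pin generation above (the SHA256 of the certificate's DER encoding, written in the <code>hash://server/sha256/</code> form that wpa_supplicant, and netctl on top of it, expect) can be automated, which also makes it easy to notice a stale pin after NI&S rotates the certificate. The script below is an added example; it is not part of this wiki page and not Virginia Tech or NI&S tooling. It uses only the Python standard library, and the certificate bytes and the <code>wpa_supplicant.conf</code> fragment it runs on are constructed placeholders (the placeholder config carries the old <code>216c5f…</code> pin that this article flags as out of date). It computes a pin for whatever certificate you feed it and verifies no signatures, so run it against a real <code>eduroam.nis.vt.edu.crt</code> only after validating the chain with the openssl steps above.

```python
"""Generate and check wpa_supplicant-style certificate pins (hash://server/sha256/...).

Added example; not part of the wiki page or of any Virginia Tech / NI&S tooling.
Standard library only. The certificate bytes and config text at the bottom are
constructed placeholders, not the real eduroam.nis.vt.edu certificate.
"""
import base64
import hashlib
import re

PIN_PREFIX = "hash://server/sha256/"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
PIN_RE = re.compile(r'ca_cert\s*=\s*"' + PIN_PREFIX + r'([0-9a-fA-F]{64})"')


def pem_to_der(pem_text):
    """Return the DER bytes of every certificate in a PEM file, in file order.
    This is the same conversion 'openssl x509 -outform der' performs."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def wpa_pin(der):
    """The pin wpa_supplicant compares against: the lowercase hex SHA256 of the
    DER encoding, i.e. what 'openssl x509 -outform der | sha256sum' prints."""
    return PIN_PREFIX + hashlib.sha256(der).hexdigest()


def pins_in_config(conf_text):
    """Active (uncommented) hash pins in a wpa_supplicant.conf, normalised to lowercase."""
    pins = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out ca_cert line is not enforced
        match = PIN_RE.search(line)
        if match:
            pins.append(PIN_PREFIX + match.group(1).lower())
    return pins


def check_pin(pem_text, conf_text):
    """Compare the pin of the leaf certificate (first cert in the PEM) with the
    configured pin(s). Returns (status, expected_pin) with status one of:
    'ok'       the config pins the certificate you downloaded,
    'stale'    the config pins a different certificate (rotate the pin),
    'unpinned' no hash pin is active (config relies on a CA file / domain_match)."""
    ders = pem_to_der(pem_text)
    if not ders:
        raise ValueError("no certificate found in PEM input")
    expected = wpa_pin(ders[0])
    configured = pins_in_config(conf_text)
    if not configured:
        return "unpinned", expected
    return ("ok" if expected in configured else "stale"), expected


def rotate_pin(conf_text, new_pin):
    """Rewrite every active hash pin to new_pin; commented-out lines are left alone."""
    new_hex = new_pin[len(PIN_PREFIX):]
    out = []
    for line in conf_text.splitlines(keepends=True):
        if not line.lstrip().startswith("#"):
            line = PIN_RE.sub('ca_cert="%s%s"' % (PIN_PREFIX, new_hex), line)
        out.append(line)
    return "".join(out)


# --- constructed sample input (NOT a real certificate) -----------------------
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_PIN = wpa_pin(SAMPLE_DER)
# Fragment of a wpa_supplicant.conf still carrying the old pin the article flags as out of date.
STALE_CONF = """network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"
    domain_match="eduroam.nis.vt.edu"
}
"""

if __name__ == "__main__":
    status, expected = check_pin(SAMPLE_PEM, STALE_CONF)
    print("configured pin is", status, "- expected", expected)  # stale
    fixed = rotate_pin(STALE_CONF, expected)
    print("after rotation:", check_pin(SAMPLE_PEM, fixed)[0])    # ok
```

Only the first certificate in the PEM is pinned: the leaf is what wpa_supplicant's <code>hash://server/</code> form matches, so feed it the downloaded <code>eduroam.nis.vt.edu.crt</code>, not the concatenated <code>ca.pem</code>.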
===A Word of Caution===
Although you can verify the connection to the Virginia Tech RADIUS servers, you must keep in mind that you are connecting to a network that you do not control. It is possible that there are network monitors in place which can record and potentially modify traffic.
We encourage you to take precautions against network eavesdropping and mischief (on the Eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle].
For general tips on improving your security while using the network, consider reading the EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips, reading [https://www.hokieprivacy.org/ Hokie Privacy], and/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office].
==NetworkManager Instructions==
===eduroam (preferred)===
* In the list of wireless networks, select "eduroam".
* Set the following options:
** Wi-Fi security: WPA & WPA2 Enterprise
** Authentication: Protected EAP (PEAP)
** Anonymous identity: anonymous@vt.edu
** Domain: nis.vt.edu
** CA certificate: Select <code>/path/to/GlobalSign_Root_CA_-_R3.pem</code> via the file picker
** PEAP version: Automatic
** Inner authentication: MSCHAPv2
** Username: PID@vt.edu
** '''Password:''' YOUR_NETWORK_PASSWORD
[[File:Nm settings.png]]
==wpa_supplicant Instructions==
===For eduroam (preferred)===
[http://w1.fi/wpa_supplicant/ wpa_supplicant] is a cross-platform supplicant which implements IEEE 802.1x/WPA and is used in many Linux/UNIX distributions.
Add the following lines to <code>/etc/wpa_supplicant.conf</code>, substituting your PID and network password:
<pre>ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
update_config=1
fast_reauth=1
ap_scan=1

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@vt.edu"
    # Use only ONE of the two ca_cert lines below; wpa_supplicant keeps the last one it reads.
    # Option 1: pin the server certificate by its SHA256 hash.
    # THIS HASH IS OUT OF DATE, PLEASE FOLLOW INSTRUCTIONS ABOVE to generate the current one.
    #ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"
    # Option 2: dynamically validate the certificate by its cryptographic attributes
    # (it must chain to the GlobalSign root AND its subject must match eduroam.nis.vt.edu).
    ca_cert="/path/to/GlobalSign_Root_CA_-_R3.pem"
    domain_match="eduroam.nis.vt.edu"
    identity="YourPidHere@vt.edu"
    password="YourNetworkPasswordHere"
}</pre>
Then start wpa_supplicant with that file and obtain an address:
<pre>$ sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf
$ sudo dhcpcd wlan0</pre>
On [[OpenBSD]], the process is a little more complicated (replace <code>iwm0</code> with the name of your wireless interface):
<pre># ifconfig iwm0 nwid eduroam wpa wpaakms 802.1x up
# /usr/local/sbin/wpa_supplicant -B -i iwm0 -c /etc/wpa_supplicant.conf
# dhclient iwm0
# ifconfig iwm0 inet6 autoconf</pre>

Alternate config options, besides domain_match, are as follows (the subject_match value is the sample from the wpa_supplicant documentation and is obviously not correct for eduroam):
<pre>subject_match="/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com"
domain_suffix_match="nis.vt.edu"</pre>
More thorough documentation is available at [https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf wpa_supplicant.conf].
==netctl Instructions==
[https://wiki.archlinux.org/index.php/netctl netctl] is a network manager which is native to the ArchLinux distribution. netctl makes use of wpa_supplicant under the hood, and so the configuration is similar.
===eduroam (preferred)===
Put the following configuration in <code>/etc/netctl/eduroam</code> with your proper PID and Network Password. Further, this assumes that your wireless network device is wlan0, which you might have to change to match your system. The ca_cert line pins the server certificate; the hash shown is the old one from this article, so generate and validate the current one using the mechanism described above before using this profile.
<pre>Description="eduroam PEAP-MSCHAPv2"
Interface=wlan0
Connection=wireless
Security=wpa-configsection
IP=dhcp
WPAConfigSection=(
    'ssid="eduroam"'
    'key_mgmt=WPA-EAP'
    'eap=PEAP'
    'phase2="auth=MSCHAPV2"'
    'anonymous_identity="anonymous@vt.edu"'
    'ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"'
    'domain_match="eduroam.nis.vt.edu"'
    'identity="YourPidHere@vt.edu"'
    'password="YourNetworkPasswordHere"'
)</pre>
 
The ConfigSection (as per the netctl.profile manpage) is just what you would put in a wpa_supplicant config. Again, note that the domain_match is ''less secure'' than ca_cert, but better than not checking at all.
Ensure that this file is owned by root and only readable by root, since it contains your network password:
<pre>$ sudo chown root:root /etc/netctl/eduroam
$ sudo chmod 0600 /etc/netctl/eduroam</pre>
To connect:
<pre>$ sudo netctl start eduroam</pre>
==connman Instructions==
This config should be usable with connman. Replace Passphrase and Identity with your Network password and PID@vt.edu, respectively.
<pre>[global]
Name = eduroam
Description = Optionally put something descriptive here.

[service_wifi_3c15c2e29584_656475726f616d_managed_ieee8021x]
Type = wifi
Name = eduroam
EAP = peap
CACertFile = /etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem
DomainMatch = eduroam.nis.vt.edu
AnonymousIdentity = anonymous@vt.edu
Phase2 = MSCHAPV2
Identity = PID@vt.edu
Passphrase = NETWORKPASSWORD</pre>

==Android Instructions==
[[File:AndroidEduroamNoCert.png|170px|thumb|Sample Android configuration of eduroam, but crucially lacking certificate validation.]]
A sample configuration is available to the right, but as this configuration is currently lacking CA certificate validation, we do not at this time recommend connecting to the network with it. The Identity needs to be modified to match your PID@vt.edu, and your Network Password needs to be entered in the Password field.

Steps:
* From the home screen, press the menu button and choose "Settings"→"Wireless & networks"→"Wi-Fi settings".
* Remove any existing entries for eduroam.
* From the "WiFi networks" listing, click on eduroam.
* Choose PEAP as the EAP method and MSCHAPv2 as the phase two authentication mechanism.
* Enter your pid@vt.edu for the identity.
* Enter "anonymous@vt.edu" for the anonymous identity.
* Enter your Network Password for the password.
* Press "Connect".

'''TODO:''' Android certificate validation

Quick and dirty options for validating the eduroam certificate, in order from least secure to most secure:
# Do not validate: you will get online, but consider your connection to be as secure as a public hotspot.
# (Android 7.1+ only) Use system certificates: this will check to make sure the certificate chains back to some CA in the system cert store. This is significantly better than no validation, but still not very good. You may also need to specify a domain; if so, use "vt.edu".
# Download and import the GlobalSign Root CA: detailed instructions to come. Since you are still not checking the CN, it is only marginally better than using system certificates.
# Use the [https://play.google.com/store/apps/details?id=uk.ac.swansea.eduroamcat eduroam CAT] tool: this will set up the whole wireless profile, use the correct CA and verify the CN. As such, it is the preferred method. Warning: it is ugly. If you have an existing "eduroam" profile, you will need to remove it. When it prompts for the username and password, use &lt;YOUR-PID&gt;@vt.edu and your network password. It relies on geolocation to prompt for the profile for the right school. You may need to go outside to get a good GPS signal. If it is able to do geo-IP (e.g., you are connected to the "VirginiaTech" SSID), it gets you close enough.

==Frequently Asked Questions==
===Is eduroam free?===
eduroam at Virginia Tech is free for:
* VT affiliates with wireless access entitlements and passwords (includes students)
* Users at other participating institutions

===Why is eduroam the preferred SSID?===
Using eduroam has several advantages:
* The unencrypted portion of your authentication optionally identifies you as "anonymous@vt.edu" rather than revealing your PID
* You have access to seamless roaming if you ever travel to another participating college campus
* The anonymous identity feature separates RADIUS authentication logs from the network access provider's logs

===Does eduroam support EAP-TLS?===
Currently, Virginia Tech eduroam RADIUS servers are not configured for EAP-TLS.
==References==
<references/>
 
===Network Information Sources===
* [http://www.cns.vt.edu/html/wireless/wlan/index.html Communications Network Services: Wireless LAN]
* [http://computing.vt.edu/internet_and_web/internet_access/ipaddresses.html Virginia Tech IP Addresses]
[[Category:Howtos]]
[[Category:Campus computing resources]]
[[Category:Needs restoration]]