→wpa_supplicant Instructions: openbsd-specific instructions
As of January 2015 the [https://www.computing.vt.edu/content/eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ Eduroam] network. Eduroam is a secure wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless network is that you will be able to connect to the Internet at any participating institution using your Virginia Tech credentials. The Eduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS servers.
===eduroam===
The following settings are recommended for connecting to the Eduroam network:
* '''SSID:''' eduroam
* '''EAP:''' PEAP
* '''Phase 2:''' MSCHAPv2
* '''Root CA:''' [https://2029.globalsign.com GlobalSign Root CA - R3] or pin the certificate (see below)
* '''Server Name:''' eduroam.nis.vt.edu
* '''Identity:''' pid@vt.edu (so if your PID is "hokiebird", hokiebird@vt.edu)
* '''Anonymous Identity:''' anonymous@vt.edu
* '''Password:''' [https://www.computing.vt.edu/kb/entry/3765 Your Network Password]

''Regardless of what software you use to establish your connection, you must first set your remote (network) passphrase by going to [https://my.vt.edu my.vt.edu]→Settings→Change Network Password.''

===Obtaining the Certificate Chain===
The certificate presented by the RADIUS server is chained as such:
* GlobalSign Root CA - R3
** Trusted Root CA SHA256 G2
*** Virginia Tech Global Qualified Server CA
**** eduroam.nis.vt.edu

Below is where to obtain each of these, along with some metadata. The filenames are arbitrary, but will be used for the rest of this article. For every certificate (''especially'' the root; the signature chain helps with the rest), consider where you are obtaining it from and how much you trust that you are getting what you think you are. You will probably want the PEM formatted certificate, if you have the option.

====GlobalSign Root CA - R3====
''Filename:'' GlobalSign_Root_CA_-_R3.pem

''Subject:'' OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign

This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem</code>. If you are unable to locate it in your OS, you can get it directly from [https://2029.globalsign.com/ GlobalSign]. (This page seems to not be loading correctly at the moment. [https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates Here] is the parent page.)
====Trusted Root CA SHA256 G2====
''Filename:'' TrustedRootCASHA256G2.pem

''Subject:'' C = BE, OU = Trusted Root, O = GlobalSign nv-sa, CN = Trusted Root CA SHA256 G2

This is an intermediate certificate, again issued by GlobalSign. You can get it directly from GlobalSign [https://support.globalsign.com/customer/portal/articles/1211591-trusted-root-intermediate-certificates here].

====Virginia Tech Global Qualified Server CA====
''Filename:'' VirginiaTechGlobalQualifiedServerCA.pem

''Subject:'' C = US, ST = Virginia, L = Blacksburg, OU = Global Qualified Server CA, O = Virginia Polytechnic Institute and State University, CN = Virginia Tech Global Qualified Server CA

This can be obtained from the Virginia Tech PKI [http://www.pki.vt.edu/developer/rootca.html#globalqualifiedserver website]. This website is only available from VT IP addresses (including VPN). Although certificates higher in the chain are also provided here, the page does ''not'' support https. '''''DO NOT''''' get your root CA here.

====eduroam.nis.vt.edu====
''Filename:'' eduroam.nis.vt.edu.crt

''Subject:'' C = US, ST = Virginia, L = Blacksburg, O = Virginia Polytechnic Institute and State University, CN = eduroam.nis.vt.edu

===Certificate Pinning===
Due to vulnerabilities in the MSCHAPv2 protocol that allow it to be cracked quickly with a 100% success rate<ref>[https://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication. Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. (TODO) The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate:
<pre>
$ openssl x509 -in eduroam.nis.vt.edu.crt -outform der | sha256sum
9b5163a3360f07b2dce2fd1e958c541687cf4c5360bb8adc87fa821c1c969910  -
</pre>
It is recommended that you perform these steps yourself rather than trusting the certificate hash presented in the configurations below.
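The same pin derivation without openssl, plus the check a supplicant performs against it at connect time, as an added example that is not part of the original page. The PEM input is a constructed stand-in (its body decodes to the bytes <code>abc</code>, not a real X.509 certificate) so the script runs offline; point <code>pem_to_der</code> at eduroam.nis.vt.edu.crt to get the real value.

```python
# Added example (not from the original wiki page): derive the wpa_supplicant
# "hash://server/sha256/<hex>" pin from a PEM certificate without openssl, and
# check a certificate presented at connect time against a configured pin.
import base64
import hashlib
import hmac
import re

PIN_PREFIX = "hash://server/sha256/"

def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def sha256_pin(der: bytes) -> str:
    """Same digest as `openssl x509 -outform der | sha256sum`, in ca_cert pin form."""
    return PIN_PREFIX + hashlib.sha256(der).hexdigest()

def pin_matches(configured: str, presented_der: bytes) -> bool:
    """True only if the SHA256 of the presented DER equals the configured pin."""
    if not configured.startswith(PIN_PREFIX):
        raise ValueError("not a hash://server/sha256/ pin")
    expected = configured[len(PIN_PREFIX):].lower()
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        raise ValueError("pin is not 64 hex characters")
    actual = hashlib.sha256(presented_der).hexdigest()
    return hmac.compare_digest(expected, actual)

# Constructed PEM wrapper whose body decodes to b"abc" (not a real certificate);
# it stands in for eduroam.nis.vt.edu.crt so this runs offline.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    pin = sha256_pin(der)
    print('ca_cert="%s"' % pin)
    # After a certificate rotation the DER bytes change, so the old pin must fail.
    print("old pin still valid after rotation:", pin_matches(pin, der + b"\x00"))
```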
'''Note:''' As we are pinning the certificate instead of relying on a PKI, when NI&S rotates the certificates being used (at least every 2 years), the configuration will need to be updated to match the new certificate.

Although you can verify that you are connecting to the Virginia Tech RADIUS servers, you must keep in mind that you are connecting to a network that you do not control. It is possible that there are network monitors in place which can record and potentially modify traffic.
We encourage you to take precautions against network eavesdropping and mischief (on the Eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle].
For general tips on improving your security while using the network, consider reading the EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips, reading [https://www.hokieprivacy.org/ Hokie Privacy], and/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office].

==NetworkManager Instructions==
In your wireless configuration program, select eduroam and use the following settings:
* Wi-Fi security: WPA & WPA2 Enterprise
* Authentication: Protected EAP (PEAP)
* Anonymous identity: anonymous@vt.edu
* CA certificate: Select <code>/path/to/GlobalSign_Root_CA_-_R3.pem</code> via the file picker
* PEAP version: Automatic
* Inner authentication: MSCHAPv2
* Username: PID@vt.edu
* Password: YOUR_NETWORK_PASSWORD
[[File:Nm settings.png]]

==wpa_supplicant Instructions==
[http://w1.fi/wpa_supplicant/ wpa_supplicant] is a cross-platform supplicant which implements IEEE 802.1x/WPA and is used in many Linux/UNIX distributions.
<pre>
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
update_config=1
fast_reauth=1
ap_scan=1
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@vt.edu"
    # if you prefer to pin the certificate (THIS HASH IS OUT OF DATE, PLEASE FOLLOW INSTRUCTIONS ABOVE)
    ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"
    # if you prefer to dynamically validate the certificate by its cryptographic attributes, use these two lines instead of the pin above
    #ca_cert="/path/to/GlobalSign_Root_CA_-_R3.pem"
    #domain_match="eduroam.nis.vt.edu"
    identity="YourPidHere@vt.edu"
    password="YourNetworkPasswordHere"
}
</pre>

<pre>
$ sudo dhcpcd wlan0
</pre>

On [[OpenBSD]], the process is a little more complicated:
<pre>
# ifconfig wlan0 nwid eduroam wpa wpaakms 802.1x up
# /usr/local/sbin/wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf
# dhclient wlan0
# ifconfig iwm0 inet6 autoconf
</pre>

Alternate config options, besides domain_match, are as follows (the example values are obviously not correct):
<pre>
subject_match="/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com"
domain_suffix_match="nis.vt.edu"
</pre>

More thorough documentation is available at [https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf].

==netctl Instructions==
[https://wiki.archlinux.org/index.php/netctl netctl] is a network manager which is native to the ArchLinux distribution. netctl makes use of wpa_supplicant under the hood, and so the configuration is similar.
<pre>
WPAConfigSection=(
    'ssid="eduroam"'
    'key_mgmt=WPA-EAP'
    'eap=PEAP'
    'phase2="auth=MSCHAPV2"'
    'anonymous_identity="anonymous@vt.edu"'
    'ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"'
    'identity="YourPidHere@vt.edu"'
    'password="YourNetworkPasswordHere"'
)
</pre>

The ConfigSection (as per the netctl.profile manpage) is just what you would put in a wpa_supplicant config. Again, note that validating via the root CA plus domain_match is ''less secure'' than pinning with ca_cert, but better than not checking at all.

Ensure that this file is owned by root and only readable by root:

<pre>
$ sudo netctl start eduroam
</pre>
== connman Instructions ==
This config should be usable with connman. Replace Passphrase and Identity with your Network password and PID@vt.edu, respectively.
<pre>
[global]
Name = eduroam
Description = Optionally put something descriptive here.

[service_wifi_3c15c2e29584_656475726f616d_managed_ieee8021x]
Type = wifi
Name = eduroam
EAP = peap
CACertFile = /etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem
DomainMatch = eduroam.nis.vt.edu
AnonymousIdentity = anonymous@vt.edu
Phase2 = MSCHAPV2
Identity = PID@vt.edu
Passphrase = NETWORKPASSWORD
</pre>

==Android Instructions==
[[File:AndroidEduroamNoCert.png|170px|thumb|Sample Android configuration of eduroam, but crucially lacking certificate validation.]]
* Press "Connect".
'''TODO:''' Android certificate validation
==References==
<references />
[[Category:Howtos]]
[[Category:Campus computing resources]]
[[Category:Needs restoration]]