Changes


Virginia Tech Wifi

5,127 bytes added, 19:10, 28 June 2018
wpa_supplicant Instructions: openbsd-specific instructions
On campus, there are two wireless networks. '''Eduroam''' is the preferred method; it uses PEAP-MSCHAPv2 to authenticate to the RADIUS server. The second SSID, '''VirginiaTech''', provides a captive portal and allows for guest account creation.
As of January 2015 the [https://www.computing.vt.edu/content/eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ Eduroam] network. Eduroam is a secure wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless network is that you will be able to connect to the Internet at any participating institution using your Virginia Tech credentials. The Eduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS servers.
==General Connection Information==
* '''EAP:''' PEAP
* '''Phase 2:''' MSCHAPv2
* '''Root CA:''' [https://2029.globalsign.com GlobalSign Root CA - R3] or pin the certificate (see below)
* '''Server Name:''' eduroam.nis.vt.edu
* '''Identity:''' pid@vt.edu (So if your PID was "hokiebird", hokiebird@vt.edu)
* '''Anonymous Identity:''' anonymous@vt.edu
''Regardless of what software you use to establish your connection, you must first set your remote (network) passphrase by going to [https://my.vt.edu my.vt.edu]→Settings→Change Network Password.''
===Legacy connections===
It may still be possible to use older networks, but their use is deprecated in favor of eduroam and thus unsupported.
* [[Virginia Tech Wifi: VT-Wireless]] - VT-Wireless with PEAP-MSCHAPv2 (network password)
* [[EAP-TLS]] - VT-Wireless with EAP-TLS (netcerts)
* CONNECTtoVT-Wireless as a captive portal
===Obtaining the Certificate Chain===
The certificate presented by the RADIUS server is chained as such:
* GlobalSign Root CA - R3
** Trusted Root CA SHA256 G2
*** Virginia Tech Global Qualified Server CA
**** eduroam.nis.vt.edu
Below is where to obtain each of these, along with some metadata. The filenames are arbitrary, but will be used for the rest of this article. For every certificate (''especially'' the root; the signature chain helps with the rest), consider where you are obtaining it from and how much you trust that you are getting what you think you are. You will probably want the PEM formatted certificate, if you have the option.
====GlobalSign Root CA - R3====
''Filename:'' GlobalSign_Root_CA_-_R3.pem

''Subject:'' OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign

This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem</code>. If you are unable to locate it in your OS, you can get it directly from [https://2029.globalsign.com/ GlobalSign]. (This page seems to not be loading correctly at the moment. [https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates Here] is the parent page.)
====Trusted Root CA SHA256 G2====
''Filename:'' TrustedRootCASHA256G2.pem

''Subject:'' C = BE, OU = Trusted Root, O = GlobalSign nv-sa, CN = Trusted Root CA SHA256 G2

This is an intermediate certificate, again issued by GlobalSign. You can get it directly from GlobalSign [https://support.globalsign.com/customer/portal/articles/1211591-trusted-root-intermediate-certificates here].
====Virginia Tech Global Qualified Server CA====
''Filename:'' VirginiaTechGlobalQualifiedServerCA.pem

''Subject:'' C = US, ST = Virginia, L = Blacksburg, OU = Global Qualified Server CA, O = Virginia Polytechnic Institute and State University, CN = Virginia Tech Global Qualified Server CA

This can be obtained from the Virginia Tech PKI [http://www.pki.vt.edu/developer/rootca.html#globalqualifiedserver website]. This website is only available from VT IP addresses (including VPN). Although certificates higher in the chain are also provided here, the page does ''not'' support https. '''''DO NOT''''' get your root CA here.
====eduroam.nis.vt.edu====
''Filename:'' eduroam.nis.vt.edu.crt

''Subject:'' C = US, ST = Virginia, L = Blacksburg, O = Virginia Polytechnic Institute and State University, CN = eduroam.nis.vt.edu

This can be obtained from the [https://apps.pki.vt.edu/ca-manager/search VTCA Certificate Manager]. This requires PID login. Search for "eduroam.nis.vt.edu". '''Note:''' As of 2017 June 19, there will be 2 results, due to some internal testing. Download the certificate with the serial 3699307517ED7E8B. The certificate with serial 7A083CC134D0303D is ''incorrect''.
===Validating the certificate===
<ol>
<li> Obtain ''all'' certificates in the certificate chain ''in PEM format'' </li>
<li> Concatenate the non-leaf certificates into a single file:
<pre>$ cat GlobalSign_Root_CA_-_R3.pem TrustedRootCASHA256G2.pem VirginiaTechGlobalQualifiedServerCA.pem >> ca.pem</pre></li>
<li> Verify the certificates are signed correctly:
<pre>$ openssl verify -verbose -purpose sslserver -CAfile ca.pem eduroam.nis.vt.edu.crt
eduroam.nis.vt.edu.crt: OK</pre></li>
<li> For at least the root and leaf certificates, verify the subject (compare to above):
<pre>$ openssl x509 -in file_of_cert_you_want_to_check -noout -subject</pre></li>
</ol>
===Certificate Pinning===
Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ Cracking MS-CHAPv2]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication. Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate.
Validate the certificate (see above), then generate the sha256 hash (in the directory where the certificate was downloaded to):
<pre>$ openssl x509 -in eduroam.nis.vt.edu.crt -outform der | sha256sum
9b5163a3360f07b2dce2fd1e958c541687cf4c5360bb8adc87fa821c1c969910  -</pre>
It is recommended that you perform these steps yourself rather than trusting the certificate hash presented in the configurations below.
'''Note:''' As we are pinning the certificate instead of relying on a PKI, when NI&S rotates the certificates being used (at least every 2 years), the configuration will need to be updated to match the new certificate.
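As an added example (not part of this wiki page), the following Python script reproduces <code>openssl x509 -outform der | sha256sum</code> with only the standard library, builds the <code>hash://server/sha256/...</code> pin string wpa_supplicant expects, and checks whether the pin currently active in a wpa_supplicant config still matches a freshly downloaded certificate, which is the check to rerun after NI&S rotates the certificate. The certificate and config embedded below are constructed placeholders, not the real eduroam.nis.vt.edu certificate.

```python
import base64
import hashlib
import re

PIN_PREFIX = "hash://server/sha256/"
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Only an active (uncommented) ca_cert line carrying a hash pin matches here.
_PIN_RE = re.compile(r'^\s*ca_cert\s*=\s*"hash://server/sha256/([0-9a-fA-F]{64})"')


def pem_to_der(pem_text):
    """DER bytes of the first certificate in a PEM file. Text outside the
    BEGIN/END markers (e.g. `openssl x509 -text` output) is ignored."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def pin_from_der(der):
    """SHA256 of the DER encoding, in wpa_supplicant's ca_cert pin syntax
    (the same digest `openssl x509 -outform der | sha256sum` prints)."""
    return PIN_PREFIX + hashlib.sha256(der).hexdigest()

def pins_in_config(config_text):
    """Hash pins from active ca_cert lines, normalised to lowercase hex."""
    return [PIN_PREFIX + m.group(1).lower()
            for m in map(_PIN_RE.match, config_text.splitlines()) if m]

def pin_is_current(config_text, pem_text):
    """True if an active pin in the config matches the certificate; False
    means the server's certificate changed and the pin must be updated."""
    return pin_from_der(pem_to_der(pem_text)) in pins_in_config(config_text)


# Constructed placeholder: a "certificate" whose DER bytes are b"abc", so the
# expected digest is the well-known SHA256("abc") test vector.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_PIN = PIN_PREFIX + "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# Constructed config: the wiki's stale pin is commented out (and so ignored);
# the live ca_cert line pins the placeholder certificate above.
SAMPLE_CONFIG = """network={
    ssid="eduroam"
    #ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"
    ca_cert="%s"
    domain_match="eduroam.nis.vt.edu"
}
""" % SAMPLE_PIN
```

Point <code>pem_to_der</code> at the downloaded <code>eduroam.nis.vt.edu.crt</code> and <code>pins_in_config</code> at your real config to get the same answer for the live network.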
==NetworkManager Instructions==
* In the list of wireless networks, select "eduroam". Set the following options:
* Wi-Fi security: WPA & WPA2 Enterprise
* Authentication: Protected EAP (PEAP)
* Anonymous identity: anonymous@vt.edu
* Domain: nis.vt.edu
* CA certificate: Select <code>/path/to/GlobalSign_Root_CA_-_R3.pem</code> via the file picker
* PEAP version: Automatic
* Inner authentication: MSCHAPv2
* Username: PID@vt.edu
* Password: YOUR_NETWORK_PASSWORD
[[File:Nm settings.png]]
==wpa_supplicant Instructions==
<pre>
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
update_config=1
fast_reauth=1
ap_scan=1

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@vt.edu"
    # Use ONE of the two ca_cert lines below.
    # THIS HASH IS OUT OF DATE, PLEASE FOLLOW INSTRUCTIONS ABOVE
    # if you prefer to pin the certificate
    #ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"
    # if you prefer to dynamically validate the certificate by its cryptographic attributes
    ca_cert="/path/to/GlobalSign_Root_CA_-_R3.pem"
    domain_match="eduroam.nis.vt.edu"
    identity="YourPidHere@vt.edu"
    password="YourNetworkPasswordHere"
}
</pre>
Save this as <code>/etc/wpa_supplicant/eduroam.conf</code> (owned by root and only readable by root, since it contains your network password), then:
<pre>
$ sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/eduroam.conf
$ sudo dhcpcd wlan0
</pre>
 
On [[OpenBSD]], the process is a little more complicated. Replace <code>iwm0</code> with your wireless interface (OpenBSD names interfaces after their driver, so there is no <code>wlan0</code>):

<pre>
# ifconfig iwm0 nwid eduroam wpa wpaakms 802.1x up
# /usr/local/sbin/wpa_supplicant -B -i iwm0 -c /etc/wpa_supplicant.conf
# dhclient iwm0
# ifconfig iwm0 inet6 autoconf
</pre>
 
Alternate config options, besides <code>domain_match</code>, are as follows (the <code>subject_match</code> value is the example from the wpa_supplicant documentation and obviously not the correct value for eduroam; <code>domain_suffix_match</code> accepts any host under the suffix, so it is looser than <code>domain_match</code>):

<pre>
subject_match="/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com"
domain_suffix_match="nis.vt.edu"
</pre>
 
More thorough documentation is available at [https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf]
==netctl Instructions==
<pre>
Description='eduroam'
Interface=wlan0
Connection=wireless
Security=wpa-configsection
ESSID=eduroam
IP=dhcp
WPAConfigSection=(
    'ssid="eduroam"'
    'key_mgmt=WPA-EAP'
    'eap=PEAP'
    'phase2="auth=MSCHAPV2"'
    'anonymous_identity="anonymous@vt.edu"'
    'ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"'
    'domain_match="eduroam.nis.vt.edu"'
    'identity="YourPidHere@vt.edu"'
    'password="YourNetworkPasswordHere"'
)
</pre>
 
The ConfigSection (as per the netctl.profile manpage) is just what you would put in a wpa_supplicant config. Again, note that validating against a CA file with <code>domain_match</code> is ''less secure'' than pinning the certificate hash in <code>ca_cert</code>, but better than not checking at all.
Ensure that this file is owned by root and only readable by root, then start the profile:
<pre>$ sudo netctl start eduroam</pre>
 
== connman Instructions ==
This config should be usable with connman. Replace Passphrase and Identity with your network password and PID@vt.edu, respectively.
 
<pre>
[global]
Name = eduroam
Description = Optionally put something descriptive here.
 
[service_wifi_3c15c2e29584_656475726f616d_managed_ieee8021x]
Type = wifi
Name = eduroam
EAP = peap
CACertFile = /etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem
DomainMatch = eduroam.nis.vt.edu
AnonymousIdentity = anonymous@vt.edu
Phase2 = MSCHAPV2
Identity = PID@vt.edu
Passphrase = NETWORKPASSWORD
</pre>
==Android Instructions==
'''TODO:''' Android certificate validation
 
Quick and dirty options for validating the eduroam certificate, in order from least secure to most secure:
 
# Do not validate: you will get online, but consider your connection to be as secure as a public hotspot
# (Android 7.1+ only) Use system certificates: This will check to make sure the certificate chains back to some CA in the system cert store. This is significantly better than no validation, but still not very good. You may also need to specify a domain. If so, use "vt.edu"
# Download and import the GlobalSign Root CA: detailed instructions to come. Since you are still not checking the CN, it is only marginally better than using system certificates.
# Use the [https://play.google.com/store/apps/details?id=uk.ac.swansea.eduroamcat eduroam CAT] tool: this will set up the whole wireless profile, use the correct CA, and verify the CN. As such, it is the preferred method. Warning, it is ugly. If you have an existing "eduroam" profile, you will need to remove it. When it prompts for the username and password, use <YOUR-PID>@vt.edu and your network password. It relies on geolocation to prompt for the profile for the right school. You may need to go outside to get a good GPS signal. If it is able to do geo-ip (e.g., you are connected to the "VirginiaTech" SSID), it gets you close enough.
==Frequently Asked Questions==
===Is eduroam free?===
eduroam at Virginia Tech is free for:
* VT affiliates with wireless entitlements (includes students)
* Users at other participating institutions
===Why is eduroam the preferred SSID?===
Using eduroam has several advantages:
* The unencrypted portion of your authentication optionally identifies you as "anonymous@vt.edu" rather than revealing your PID
* You have access to seamless roaming if you ever travel to another participating college campus
* The anonymous identity feature separates RADIUS authentication logs from the network access provider's logs
===Does eduroam support EAP-TLS?===
Currently, the Virginia Tech RADIUS servers are not configured for the deprecated [[EAP-TLS]].
==References==
<references />
[[Category:Howtos]]
[[Category:Campus computing resources]]
[[Category:Needs restoration]]