Changes
→wpa_supplicant Instructions: openbsd-specific instructions
As of January 2015 the [https://www.computing.vt.edu/content/eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ Eduroam] network. Eduroam is a secure wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless network is that you will be able to connect to the Internet at any participating institution using your Virginia Tech credentials. The Eduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS servers.
==General Connection informationInformation==
===eduroam===
The following settings are recommended for connecting to the Eduroam network:
* '''SSID: ''' eduroam* '''EAP: ''' PEAP* '''Phase 2: ''' MSCHAPv2* '''Root CA:''' [https://2029.globalsign.com GlobalSign Root CA - R3] or pin the certificate (see below)* '''Server Name:''' eduroam.nis.vt.edu* '''Identity: ''' pid@vt.edu (So if your PID was "hokiebird", hokiebird@vt.edu)* '''Anonymous Identity: ''' anonymous@vt.edu* '''Password: ''' [https://www.computing.vt.edu/kb/entry/3765 Your Network Password]
''Subject:'' OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign This is a common root CA and should have shipped with your OS. It is recommended that likely located in <code>/etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem</code>. If you perform these steps yourself rather than trusting are unable to locate it in your OS, you can get it directly from [https://2029.globalsign.com/ GlobalSign]. (This page seems to not be loading correctly at the moment. [https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates Here] is the parent page.) ====Trusted Root CA SHA256 G2==== ''Filename:'' TrustedRootCASHA256G2.pem ''Subject:'' C = BE, OU = Trusted Root, O = GlobalSign nv-sa, CN = Trusted Root CA SHA256 G2 This is an intermediate certificate hash presented , again issued by GlobalSign. You can get it directly from GlobalSign [https://support.globalsign.com/customer/portal/articles/1211591-trusted-root-intermediate-certificates here]. ====Virginia Tech Global Qualified Server CA==== ''Filename:'' VirginiaTechGlobalQualifiedServerCA.pem ''Subject:'' C = US, ST = Virginia, L = Blacksburg, OU = Global Qualified Server CA, O = Virginia Polytechnic Institute and State University, CN = Virginia Tech Global Qualified Server CA This can be obtained from the Virginia Tech PKI [http://www.pki.vt.edu/developer/rootca.html#globalqualifiedserver website]. This website is only available from VT IP addresses (including VPN). Although certificates higher in the configurations belowchain are also provided here, the page does ''not'' support https.'''''DO NOT''''' get your root CA here. ====eduroam.nis.vt.edu==== ''Filename:'' eduroam.nis.vt.edu.crt ''Subject:'' C = US, ST = Virginia, L = Blacksburg, O = Virginia Polytechnic Institute and State University, CN = eduroam.nis.vt.edu This can be obtained from the [https://apps.pki.vt.edu/ca-manager/search VTCA Certificate Manager]. This requires PID login. Search for "eduroam.nis.vt.edu". '''Note''': As of 2017 June 19, there will be 2 results, due to some internal testing. Download the certificate with the serial 3699307517ED7E8B. The certificate with serial 7A083CC134D0303D is ''incorrect''. ===Validating the certificate=== <ol><li> Obtain ''all'' certificates in the chain ''in PEM format'' </li><li> Concatenate the non-leaf certificates in to a single file: </li><pre>$ cat GlobalSign_Root_CA_-_R3.pem TrustedRootCASHA256G2.pem VirginiaTechGlobalQualifiedServerCA.pem >> ca.pem</pre><li> Verify the certificates are signed correctly </li><pre>$ openssl verify -verbose -purpose sslserver -CAfile ca.pem eduroam.nis.vt.edu.crteduroam.nis.vt.edu.crt: OK</pre><li> For at least the root and leaf certificates, verify the subject (compare to above) </li><pre>$ openssl x509 -in file_of_cert_you_want_to_check -noout -subject</pre></ol> ===Certificate Pinning===
Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref>, it is ''absolutely critical'Note:''' As that the RADIUS server certificate be validated properly before attempting authentication. Where possible, we are opt for the highest level of verification of the certificate: manually pinning the hash of the certificate instead we expect to be presented. The canonical form of relying on a PKI, when CNS rotates the certificates being hash used, by many network managers is the SHA256 hash of the configuration will need to be updated to match DER encoding of the new certificate.
We encourage you to take precautions against network eavesdropping and mischief (on the Eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle].
==AndroidNetworkManager Instructions=====eduroam (preferred)===TODO=== VT-Wireless (legacy)==={{Version|2.2 (Froyo) of Android}}
==wpa_supplicantInstructions==
[http://w1.fi/wpa_supplicant/ wpa_supplicant] is a cross-platform supplicant which implements IEEE 802.1x/WPA and is used in many Linux/UNIX distributions.
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
update_config=1
fast_reauth=1
ap_scan=1
phase2="auth=MSCHAPV2"
anonymous_identity="anonymous@vt.edu"
#THIS HASH IS OUT OF DATE, PLEASE FOLLOW INSTRUCTIONS ABOVE # if you prefer to pin the certificate ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a" # if you prefer to dynamically validate the certificate by its cryptographic attributes ca_cert="/path/to/GlobalSign_Root_CA_-_R3.pem" domain_match="eduroam.nis.vt.edu"
identity="YourPidHere@vt.edu"
password="YourNetworkPasswordHere"
$ sudo dhcpcd wlan0
==netctlInstructions==
[https://wiki.archlinux.org/index.php/netctl netctl] is a network manager which is native to the ArchLinux distribution. netctl makes use of wpa_supplicant under the hood, and so the configuration is similar.
Put the following configuration in <code>/etc/netctl/eduroam</code> with your proper PID and Network Password. Further, this assumes that your wireless network device is wlan0, which you might have to change to match your system. The ca_cert line pins the server certificate and can be generated/validated using the mechanism described above.
'anonymous_identity="anonymous@vt.edu"'
'ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"'
'identity="YourPidHere@vt.edu"'
'password="YourNetworkPasswordHere"'
)
The ConfigSection (as per the netctl.profile manpage) is just what you would put in a wpa_supplicant config. Again, note that the domain_match is ''less secure'' than ca_cert, but better than not checking at all.
Ensure that this file is owned by root and only readable by root:
$ sudo netctl start eduroam
==connman Instructions =VT=This config should be useable with connman. Replace Passphrase and Identity with your Network password and PID@vt.edu, respectively. <pre>[global]Name = eduroamDescription = Optionally put something descriptive here. [service_wifi_3c15c2e29584_656475726f616d_managed_ieee8021x]Type = wifiName = eduroamEAP = peapCACertFile = /etc/ssl/certs/GlobalSign_Root_CA_-Wireless (legacy)_R3.pemDomainMatch = eduroam.nis.vt.eduAnonymousIdentity = anonymous@vt.eduPhase2 = MSCHAPV2Identity = PID@vt.eduPassphrase = NETWORKPASSWORD</pre> ==Android Instructions==Tested on [[Arch LinuxFile:AndroidEduroamNoCert.png|170px|thumb|Sample Android configuration of eduroam, but crucially lacking certificate validation.]] with netctl 0 A sample configuration is available to the right, but as this configuration is currently lacking CA certificate validation, we do not at this time recommend connecting to the network. The Identity needs to be modified to match your PID@vt.edu, and your Network Password needs to be entered in the Password field. Steps:* From the home screen, press the menu button and choose "Settings"→"Wireless & networks"→"Wi-Fi settings".* Remove any existing entries for eduroam.8 (updated * From the "WiFi networks" listing, click on 2013-04-12)eduroam.* Choose PEAP as the EAP method and MSCHAPv2 as the phase two authentication mechanism.* Enter your pid@vt.edu for the identity* Enter "anonymous@vt.edu" for the anonymous identity* Enter your Network Password for the password* Press "Connect". '''TODO:''' Android certificate validation Quick and dirty options for validating the eduroam certificate, in order from least secure to most secure:
===Why is eduroam the preferred SSID?===Using eduroam has several advantages:* After creating this file, make sure The unencrypted portion of your authentication optionally identifies you as "anonymous@vt.edu" rather than revealing your PID* You have access to change the owner seamless roaming if you ever travel to root (<code>sudo chown root:root /etc/netctl/VT-Wireless</code>) and change the permissions so that it can be read only by another participating college campus* The anonymous identity feature separates RADIUS authentication logs from the owner (<code>sudo chmod 0600 /etc/netctl/VT-Wireless</code>). This will ensure that your private key password cannot be read by others easily.network access provider's logs
==References==
<references/>
===Network Information Sources===
* [http://www.cns.vt.edu/html/wireless/wlan/index.html Communications Network Services: Wireless LAN]
* [http://computing.vt.edu/internet_and_web/internet_access/ipaddresses.html Virginia Tech IP Addresses]
[[Category:Howtos]]
[[Category:Campus computing resources]]
[[Category:Needs restoration]]