Changes


Virginia Tech Wifi

362 bytes added, 21:11, 2 February 2015
RADIUS certificates: Delete Section
* Anonymous Identity: anonymous@vt.edu
* Password: [https://www.computing.vt.edu/kb/entry/3765 Your Network Password]
 
====RADIUS certificates====
The certificate verification methods vary greatly between different network managers, but the certificate currently in use for the Virginia Tech RADIUS servers is available from the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless PKI Certificate Search site] and the certificate chain is the (Obsolete) [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Global Server CA] chain.
 
Unfortunately, the PKI Certificate Search is only available from campus IPs.
====Certificate pinning====
Many network managers for Linux/UNIX use wpa_supplicant as their underlying IEEE 802.1x/WPA Supplicant and generate a configuration file on the fly. As a result, many network managers have similar configuration formats. In this section we will walk through generating a certificate pin for the certificate used to authenticate the VT RADIUS servers in eduroam.
wpa_supplicant offers multiple mechanisms for certificate management. The ca_cert parameter can point to a file which contains one or more CA certificates which will be used to validate the certificate. With that option you also have the ability to specify a substring match of the certificate's common name. Where possible, in our configurations we opted for a much stronger level of validation by specifying the hash of the certificate that we expect to see. When using this method of certificate validation, you specify the ca_cert parameter as hash://server/sha256/<sha256 hash of DER encoded certificate>.
In order to generate the sha256 hash of the DER encoded certificate, download the certificate by clicking the "Download" link on the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certificate Search for VT-Wireless]. (Unfortunately, this site is only available to Virginia Tech IPs.)
Validate that the certificate downloaded is in fact signed by the (Obsolete) [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Certificate Authority:Global Server CA] chain.
(TODO)
'''Note:''' As we are pinning the certificate instead of relying on a PKI, when CNS rotates the certificates being used, the configuration will need to be updated to match the new certificate.
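
An added example, not part of the original wiki page: one way to turn the downloaded certificate file into the ca_cert value described above, using only Python's standard library. The function names and the constructed sample bytes are assumptions made for illustration; the sample is a stand-in byte string, not the VT-Wireless certificate.

```python
import base64
import hashlib
import hmac
import sys

PIN_PREFIX = "hash://server/sha256/"
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"

# Constructed stand-in bytes (starts with an ASN.1 SEQUENCE tag); NOT a real certificate.
CONSTRUCTED_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def to_der(data: bytes) -> bytes:
    """Return DER bytes whether the downloaded file is PEM or already DER."""
    start = data.find(PEM_HEADER)
    if start == -1:
        return data
    end = data.find(PEM_FOOTER, start)
    if end == -1:
        raise ValueError("PEM header without matching footer")
    return base64.b64decode(data[start + len(PEM_HEADER):end])


def ca_cert_pin(data: bytes) -> str:
    """Build the ca_cert value: SHA-256 over the DER encoding, in hex."""
    der = to_der(data)
    if not der.startswith(b"\x30"):
        raise ValueError("input is not a PEM or DER certificate")
    return PIN_PREFIX + hashlib.sha256(der).hexdigest()


def matches_pin(configured: str, presented: bytes) -> bool:
    """True only if the presented certificate hashes to the configured pin."""
    return hmac.compare_digest(configured, ca_cert_pin(presented))


if __name__ == "__main__":
    # Pass the downloaded certificate path as the first argument;
    # without one, the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            cert = fh.read()
    else:
        cert = CONSTRUCTED_DER
    print('ca_cert="%s"' % ca_cert_pin(cert))
```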
 
====A word of caution====
Although you can verify the connection to the Virginia Tech RADIUS servers, you must keep in mind that you are connecting to a network that you do not control. It is possible that there are network monitors in place which can record and potentially modify traffic.
 
We encourage you to take precautions against network eavesdropping and mischief (on the Eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle].
 
For general tips on improving your security while using the network, consider reading the EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips and/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office].
==A word of caution on MSCHAPv2==