Difference between revisions of "Virginia Tech Wifi"

From the Linux and Unix Users Group at Virginia Tech Wiki
imported>Mutantmonkey
imported>Mutantmonkey
(Remove netcfg instructions, add ca_cert line to wpa_supplicant instructions)
Line 1: Line 1:
<font color="red">Warning: Use of PEAP-MSCHAPv2 to connect to the Virginia Tech network is strongly discouraged by the Linux and Unix Users Group due to attacks that allow all traffic to be decrypted with a 100% success rate.</font>
+
<font color="red">Warning: Use of PEAP-MSCHAPv2 to connect to the Virginia Tech network is strongly discouraged by the Linux and Unix Users Group due to attacks that can allow all traffic to be decrypted with a 100% success rate.</font>
  
 
'''PEAP-MSCHAPv2''' is a wireless authentication scheme used by Virginia Tech as an alternative to [[EAP-TLS]] for connections to [[VT-Wireless]].
 
'''PEAP-MSCHAPv2''' is a wireless authentication scheme used by Virginia Tech as an alternative to [[EAP-TLS]] for connections to [[VT-Wireless]].
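Review bot: In the reworded warning, "can allow" now hedges a sentence that still ends "with a 100% success rate", so the claim reads as both conditional and absolute. Either keep the original unconditional wording or state the condition under which the traffic can be decrypted, and link the sentence to the source of the claim so readers can check it.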
Line 33: Line 33:
 
  identity="your {{{identity|PID}}}"
 
  identity="your {{{identity|PID}}}"
 
  password="your passphrase"
 
  password="your passphrase"
 +
ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem
 
  }
 
  }
 
==netcfg==
 
Tested on [[Arch Linux]] with netcfg 3.0 (updated on 2013-04-12).
 
 
* Create a file, '''/etc/network.d/VT-Wireless''' and place this in it:
 
CONNECTION='wireless'
 
INTERFACE='wlan0'
 
SECURITY='wpa-configsection'
 
ESSID='VT-Wireless'
 
IP='dhcp'
 
IP6='stateless'
 
CONFIGSECTION='
 
ssid="VT-Wireless"
 
proto=WPA2
 
key_mgmt=WPA-EAP
 
eap=PEAP
 
phase2="auth=MSCHAPV2"
 
identity="IDENTITY"
 
password="NETWORK PASSWORD"
 
'
 
 
Make sure to change '''IDENTITY''' to your {{{identity|PID}}}, and '''NETWORK PASSWORD''' to your network password.
 
 
* After creating this file, make sure to change the owner to root (<code>sudo chown root:root /etc/network.d/VT-Wireless</code>) and change the permissions so that it can be read only by the owner (<code>sudo chmod 0600 /etc/network.d/VT-Wireless</code>). This will ensure that your private key password cannot be read by others easily.
 
 
* To connect, simply type the following in a terminal:
 
sudo netcfg VT-Wireless
 
  
 
==netctl==
 
==netctl==
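Review bot: The added line ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem has no closing double quote, so the value is an unterminated quoted string and the example is broken for anyone who copies it; add the closing quote and indent the line like the identity and password lines around it. Because the trust anchor is a public root CA, ca_cert on its own accepts any certificate that chains to that root, so it is worth documenting a server-name check next to it. The commit message should also say why the netcfg section is dropped, since the removal takes the chown/chmod 0600 advice for that file with it.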

Revision as of 01:07, 17 August 2014

Warning: Use of PEAP-MSCHAPv2 to connect to the Virginia Tech network is strongly discouraged by the Linux and Unix Users Group due to attacks that can allow all traffic to be decrypted with a 100% success rate.

PEAP-MSCHAPv2 is a wireless authentication scheme used by Virginia Tech as an alternative to EAP-TLS for connections to VT-Wireless.

At DefCon 20 in July 2012, an attack was announced for MSCHAPv2 that allows the protocol to be cracked quickly with a 100% success rate.[1] Use of MSCHAPv2 is strongly discouraged.

Set your remote access passphrase

Regardless of what software you use to establish your connection, you must first set your remote passphrase by going to my.vt.edu→Settings→Change Network Password.

Android

The following instructions were written for Android 2.2 (Froyo) and may not work on other platforms or versions. If you would like to see additional coverage, please add it yourself or make a request on the wiki's wanted page.

  • From the home screen, press the menu button and choose "Settings"→"Wireless & networks"→"Wi-Fi settings".
  • Remove any existing entries for the network you'd like to add or any conflicting network.
  • From the "WiFi networks" listing, click on the network you'd like to add.
  • Choose PEAP as the EAP method and MSCHAPv2 as the phase two authentication mechanism.
  • Enter your credentials for the identity and press "Connect".

NetworkManager

  • In your wireless configuration program, select VT-Wireless.
  • Choose PEAP as the EAP type.
  • Choose MSCHAPv2 as the authentication method.
  • Use your PID and remote passphrase as your login credentials.

wpa_supplicant

Add the following lines to /etc/wpa_supplicant.conf:

network={
	ssid="VT-Wireless"
	proto=WPA2
	key_mgmt=WPA-EAP
	eap=PEAP
	phase2="auth=MSCHAPV2"
	identity="your PID"
	password="your passphrase"
	ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"
}
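
An added example, not from the wiki: a Python check that parses the network blocks of a wpa_supplicant.conf and reports unterminated quoted values, a missing ca_cert, and a missing server-name constraint. The function names, the sample config and the server name radius.example.edu are assumptions made for illustration.

```python
import re

# Real wpa_supplicant options that restrict which server certificate name is accepted.
NAME_CHECKS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one {option: raw_value} dict per network={ ... } block."""
    networks = []
    for body in re.findall(r"^\s*network=\{[ \t]*\n(.*?)^\s*\}", text, re.S | re.M):
        opts = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                opts[key.strip()] = value.strip()
        networks.append(opts)
    return networks

def audit_network(net):
    """Return a list of finding strings for one parsed network block."""
    findings = []
    for key, value in net.items():
        # A quoted value must both start and end with a double quote.
        if value.startswith('"') and (len(value) < 2 or not value.endswith('"')):
            findings.append(f"{key}: unterminated quoted string")
    if "WPA-EAP" in net.get("key_mgmt", ""):
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append("ca_cert: missing, server certificate is not verified")
        elif not any(opt in net for opt in NAME_CHECKS):
            findings.append("server name: any certificate under the trusted CA is accepted")
    return findings

# Constructed sample: block 1 has an unterminated ca_cert value and no name check;
# block 2 adds a name check using a placeholder (radius.example.edu is hypothetical).
SAMPLE = """
network={
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem
}
network={
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"
    domain_suffix_match="radius.example.edu"
}
"""
for index, network in enumerate(parse_networks(SAMPLE), start=1):
    print(index, audit_network(network) or "no findings")
```
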

netctl

Tested on Arch Linux with netctl 0.8 (updated on 2013-04-12).

  • Create a file, /etc/netctl/VT-Wireless, and place this in it:
Description="VT-Wireless PEAP-MSCHAPv2"
Interface=wlan0
Connection=wireless
Security=wpa-configsection

IP=dhcp
IP6=stateless

WPAConfigSection=(
    'ssid="VT-Wireless"'
    'proto=RSN'
    'key_mgmt=WPA-EAP'
    'eap=PEAP'
    'phase2="auth=MSCHAPV2"'
    'identity="YOUR IDENTITY"'
    'password="NETWORK PASSWORD"'
    'ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"'
)

Make sure to change YOUR IDENTITY to your PID, and NETWORK PASSWORD to your network password.

  • After creating this file, make sure to change the owner to root (sudo chown root:root /etc/netctl/VT-Wireless) and change the permissions so that it can be read only by the owner (sudo chmod 0600 /etc/netctl/VT-Wireless). This will ensure that your network password cannot be read by others easily.
  • To connect, simply type the following in a terminal:
sudo netctl start VT-Wireless

References