* Password: [https://www.computing.vt.edu/kb/entry/3765 Your Network Password]
====RADIUS certificates====
The certificate verification methods vary greatly between different network managers, but the certificate currently in use for the Virginia Tech RADIUS servers is available from the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless PKI Certificate Search site] and the certificate chain is the (Obsolete) [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Global Server CA] chain.
==A word of caution on MSCHAPv2==
[http://w1.fi/wpa_supplicant/ wpa_supplicant] is a cross-platform supplicant that implements IEEE 802.1X/WPA and is used in many Linux/UNIX distributions.
In order to connect to the eduroam network, add the following to <code>/etc/wpa_supplicant/eduroam.conf</code>, modifying the identity and password to reflect your PID and Network Password:
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
===For VT-Wireless (legacy)===
Add the following lines to <code>/etc/wpa_supplicant.conf</code>:
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"
}
==Certificate pinning==
===For eduroam===
In the above wpa_supplicant configuration, we pin the server certificate that we expect the RADIUS server to present. wpa_supplicant offers multiple mechanisms for certificate management. The ca_cert parameter can point to a file containing one or more CA certificates that will be used to validate the server certificate; with that option you can additionally require a substring match on the certificate's common name.
In our configuration we opted for a much stronger level of validation, wherein we specify the hash of the exact certificate that we expect to see. When using this method of certificate validation, you specify the ca_cert parameter as hash://server/sha256/<sha256 hash of DER encoded certificate>. Because the pin matches only that one certificate, it has to be regenerated whenever the RADIUS server's certificate is renewed.
In order to generate the sha256 hash of the DER encoded certificate (so that you can validate that the above hash is correct), download the certificate by clicking the "Download" link on the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certificate Search for VT-Wireless].
Validate that the certificate downloaded is in fact signed by the Virginia Tech Certificate Authority:
(TODO)
Then generate the sha256 hash (in the directory where the certificate downloaded to):
openssl x509 -in VT-Wireless.cns.vt.edu.crt -outform der | sha256sum
216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a -
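As an added example (not part of the original page), the following standard-library Python script does the same job as the openssl pipeline above and can also check an existing pin: it unwraps PEM to DER, hashes the DER bytes, and emits the ca_cert value in the hash://server/sha256/ form. The embedded sample is a constructed PEM wrapper around placeholder bytes so the result can be checked by hand; for the real value, run it against the downloaded VT-Wireless.cns.vt.edu.crt.

```python
"""Build and check a wpa_supplicant hash://server/sha256/ pin (added example)."""
import base64
import hashlib
import hmac
import re
import sys

PIN_PREFIX = "hash://server/sha256/"
_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_from_cert_bytes(data: bytes) -> bytes:
    """DER encoding of the first certificate in `data` (PEM or raw DER).

    The pin is always computed over DER, which is why the page pipes
    `openssl x509 -outform der` into sha256sum rather than hashing the
    downloaded file as-is.
    """
    m = _PEM_RE.search(data)
    if m is None:
        return data  # no PEM armour: assume the file is already DER
    return base64.b64decode(b"".join(m.group(1).split()))

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pin_from_cert_bytes(data: bytes) -> str:
    """The ca_cert= value for the wpa_supplicant network block."""
    return PIN_PREFIX + sha256_hex(der_from_cert_bytes(data))

def pin_matches(pin: str, data: bytes) -> bool:
    """True if `data` (PEM or DER) is the certificate `pin` was made from."""
    if not pin.startswith(PIN_PREFIX):
        raise ValueError("unsupported pin format: " + pin)
    digest = pin[len(PIN_PREFIX):].lower()
    if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
        raise ValueError("pin is not a 64-digit hex sha256")
    return hmac.compare_digest(digest, sha256_hex(der_from_cert_bytes(data)))

# Constructed sample: PEM armour around the bytes b"abc", so the result is
# checkable by hand (sha256("abc") is well known); it is not a real certificate.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":  # usage: python3 pin.py VT-Wireless.cns.vt.edu.crt
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print('ca_cert="%s"' % pin_from_cert_bytes(data))
```

Hashing the downloaded file directly gives a different value whenever it is PEM, which is the usual reason a hand-computed pin fails to match.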
==netctl==
===eduroam (preferred)===
Put the following configuration in <code>/etc/netctl/eduroam</code> with your proper PID and Network Password. Further, this assumes that your wireless network device is wlan0, which you might have to change to match your system. The ca_cert line pins the server certificate and can be generated/validated using the mechanism described above.
Description='Federated Educational Wifi Network'