Changes

Virginia Tech Wifi

908 bytes removed, 20:50, 2 February 2015
Move the old header for the page over
* Password: [https://www.computing.vt.edu/kb/entry/3765 Your Network Password]
====RADIUS certificates====
The certificate verification methods vary greatly between different network managers, but the certificate currently in use for the Virginia Tech RADIUS servers is available from the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless PKI Certificate Search site] and the certificate chain is the (Obsolete) [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Global Server CA] chain.
Many network managers for Linux/UNIX use wpa_supplicant as their underlying IEEE 802.1x/WPA supplicant and generate a configuration file on the fly. As a result many network managers have similar configuration formats. In this section we will walk through generating a certificate pin for the certificate used to authenticate the VT RADIUS servers in eduroam. wpa_supplicant offers multiple mechanisms for certificate management. The ca_cert parameter can point to a file which contains one or more CA certificates which will be used to validate the server certificate. With that option you also have the ability to specify a substring match of the certificate's common name. Where possible, in our configurations we opted for a much stronger level of validation by specifying the hash of the certificate that we expect to see.

In order to generate the certificate hash, download the certificate by clicking the "Download" link on the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless PKI Certificate Search for VT-Wireless] (unfortunately this site is only available from Virginia Tech campus IPs). Validate that the certificate downloaded is in fact signed by the (Obsolete) [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Global Server CA] chain. (TODO)

Then generate the sha256 hash (in the directory where the certificate was downloaded to):

openssl x509 -in VT-Wireless.cns.vt.edu.crt -outform der | sha256sum
216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a -

It is recommended that you perform these steps yourself rather than trusting the certificate hash presented in the configurations below. '''Note:''' As we are pinning the certificate instead of relying on a PKI, when CNS rotates the certificates being used, the configuration will need to be updated to match the new certificate.
====A word of caution====
Although you can verify the connection to the Virginia Tech RADIUS servers, you must keep in mind that you are connecting to a network that you do not control. It is possible that there are network monitors in place which can record and potentially modify traffic. We encourage you to take precautions against network eavesdropping and mischief (on the eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle]. For general tips on improving your security while using the network, consider reading the EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips and/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office].
==A word of caution on MSCHAPv2==
[http://w1.fi/wpa_supplicant/ wpa_supplicant] is a cross-platform supplicant which implements IEEE 802.1x/WPA and is used in many Linux/UNIX distributions.
In order to connect to the eduroam network, add the following to <code>/etc/wpa_supplicant/eduroam.conf</code> modifying the identity and password to reflect your PID and Network Password:
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
===For VT-Wireless (legacy)===
Add the following lines to <code>/etc/wpa_supplicant.conf</code>:
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"
}
 
==Certificate pinning==
===For eduroam===
In the above wpa_supplicant configuration, we pin the server certificate that we expect the RADIUS server to present. wpa_supplicant offers multiple mechanisms for certificate management. The ca_cert parameter can point to a file which contains one or more CA certificates which will be used to validate the certificate. With that option you also have the ability to specify a substring match of the certificate's common name.
 
In our configuration we opted for a much stronger level of validation wherein we specify the hash of the certificate that we expect to see. When using this method of certificate validation, you specify the ca_cert parameter as hash://server/sha256/&lt;sha256 hash of the DER-encoded certificate&gt;.
 
In order to generate the sha256 hash of the DER-encoded certificate (so that you can validate that the above hash is correct), download the certificate by clicking the "Download" link on the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certificate Search for VT-Wireless].
 
Validate that the certificate downloaded is in fact signed by the Virginia Tech Certificate Authority:
 
(TODO)
Then generate the sha256 hash (in the directory where the certificate downloaded to):
 
openssl x509 -in VT-Wireless.cns.vt.edu.crt -outform der | sha256sum
216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a -
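As an added example (not part of this wiki page), the pin computation above in Python: it derives the hash://server/sha256/ value that wpa_supplicant expects from a PEM certificate, and checks an existing ca_cert line against the certificate a RADIUS server presents, which is the check that fails once CNS rotates the certificate. The PEM body and config text are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import re
from typing import Optional

PIN_PREFIX = "hash://server/sha256/"


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes.
    Same bytes as: openssl x509 -in cert.crt -outform der"""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_pin(der: bytes) -> str:
    """Hex SHA-256 of the DER encoding, exactly what sha256sum prints."""
    return hashlib.sha256(der).hexdigest()


def ca_cert_line(pem_text: str) -> str:
    """wpa_supplicant/netctl ca_cert value that pins exactly this certificate."""
    return f'ca_cert="{PIN_PREFIX}{sha256_pin(pem_to_der(pem_text))}"'


def pin_from_config(config_text: str) -> Optional[str]:
    """Extract the pinned hash from an existing ca_cert line, or None."""
    m = re.search(r'ca_cert\s*=\s*"?hash://server/sha256/([0-9a-fA-F]{64})"?',
                  config_text)
    return m.group(1).lower() if m else None


def pin_matches(config_text: str, presented_pem: str) -> bool:
    """True only if the config pins the certificate the server presented.
    After a certificate rotation this is False until the config is updated."""
    expected = pin_from_config(config_text)
    return expected is not None and expected == sha256_pin(pem_to_der(presented_pem))


# Constructed placeholder "certificate": base64 of b"hello", not real DER.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\naGVsbG8=\n-----END CERTIFICATE-----\n")
# Constructed placeholder for a rotated certificate: base64 of b"world".
ROTATED_PEM = ("-----BEGIN CERTIFICATE-----\nd29ybGQ=\n-----END CERTIFICATE-----\n")
# Constructed config fragment pinning SAMPLE_PEM.
SAMPLE_CONFIG = "eap=PEAP\n" + ca_cert_line(SAMPLE_PEM) + "\n"

if __name__ == "__main__":
    print(ca_cert_line(SAMPLE_PEM))
    print("current cert ok:", pin_matches(SAMPLE_CONFIG, SAMPLE_PEM))
    print("rotated cert ok:", pin_matches(SAMPLE_CONFIG, ROTATED_PEM))
```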
==netctl==
===eduroam (preferred)===
Put the following configuration in <code>/etc/netctl/eduroam</code> with your proper PID and Network Password. Further, this assumes that your wireless network device is wlan0, which you might have to change to match your system. The ca_cert line pins the server certificate and can be generated/validated using the mechanism described above.
Description='Federated Educational Wifi Network'