Changes

There On campus, there are three 2 wireless networks on campus. One network'''eduroam''' is the preferred method, called VT-Wireless, encrypts all traffic and is secured with [[EAP-TLS]] or which uses PEAP-MSCHAPv2. A to authenticate to the RADIUS server, while the second network, CONNECTtoVT-WirelessSSID, an unencrypted'''VirginiaTech''', provides a captive portal wireless network designed to set up connecting to VT-Wireless without offering Internet access. Due to user issues faced during deployment, CONNECTtoVT-Wireless began offering captive portal access to VT usersand allows for guest account creation.

As of January 2015 the [https://www.computing.vt.edu/content/eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ Eduroameduroam] network. Eduroam eduroam is a secure wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless eduroam network is that you will be able to connect to the Internet at any participating institution using your Virginia Tech credentials. The Eduroameduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS servers.

==General Connection Information==

The following settings are recommended for connecting to the Eduroam eduroam network:

* '''SSID: ''' eduroam* '''EAP: ''' PEAP* '''Phase 2: ''' MSCHAPv2* '''Root CA:''' "USERTrust RSA Certification Authority" or pin the certificate (see below)* '''Server Name:''' eduroam.nis.vt.edu* '''Identity: ''' pid@vt.edu (So if your PID was "hokiebird", hokiebird@vt.edu)* '''Anonymous Identity: ''' anonymous@vt.edu* '''Password: ''' [https://www.computing.vt.edu/kb/entry/3765 Your Network Password]

Due to vulnerabilities in ===Obtaining the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication. Unfortunately, VT is in the process of deprecating a much stronger authentication method, [[EAP-TLS]], and as such, network certificates will no longer be an option.Certificate Chain===

Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the The certificate we expect to be presented. The canonical form of by the hash used by many network managers RADIUS server is the SHA256 hash of the DER encoding of the certificate.chained as such:

In order to generate the certificate hash, download the certificate by clicking the "Download" link on the [https://ash* USERTrust RSA Certification Authority** InCommon RSA Server CA *** eduroam.eprov.setinis.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certificate Search for VT-Wireless] (Unfortunately this site is only available to Virginia Tech IPs)

Validate that Below is where to obtain each of these, along with some metadata. The filenames are arbitrary, but will be used for the downloaded rest of this article. For every certificate is in fact signed by (''especially'' the root, the signature chain helps with the (Now Obsoleterest) [https://secure, consider where you are obtaining it from and how much trust that you are getting what you think you are.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Global Server CA] chainYou will probably want the PEM formatted certificate, if you have the option.

Then generate the sha256 hash (in the directory where the certificate downloaded to)''Filename:'' USERTrust_RSA_Certification_Authority.pem

''Subject:'' C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem</code>. Note that if you follow the Authority Information Access of the intermediate certificate, it may direct you to a URL which points to a different version of this certficate, which is cross signed by AddTrust and expires in May 2020. The one in your cert store is self-signed and expires in 2038. You want the one from your cert store. ====InCommon RSA Server CA==== ''Filename:'' InCommonRSAServerCA_2.pem ''Subject:'' C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA This is an intermediate certificate issued by InCommon. You can get it directly from InCommon [http://crt.usertrust.com/InCommonRSAServerCA_2.crt here]. ====eduroam.nis.vt.edu==== ''Filename:'' eduroam.nis.vt.edu.pem ''Subject:'' C = US, postalCode = 24061, ST = Virginia, L = Blacksburg, street = 800 Washington St. SW, O = Virginia Polytechnic Institute and State University, OU = Secure Identity Services, CN = eduroam.nis.vt.edu This can be obtained from the [https://certs.it.vt.edu/search VT Certificate Manager]. This requires PID login. Search for "eduroam.nis.vt.edu". Grab the certificate most recently issued. ===Validating the certificate=== <ol><li> Obtain ''all'' certificates in the chain ''in PEM format'' </li><li> Concatenate the non-leaf certificates in to a single file: </li><pre>$ cat USERTrust_RSA_Certification_Authority.pem InCommonRSAServerCA_2.pem > ca.pem</pre><li> Verify the certificates are signed correctly </li><pre>$ openssl verify -verbose -purpose sslserver -CAfile ca.pem eduroam.nis.vt.edu.pemeduroam.nis.vt.edu.pem: OK</pre><li> For at least the root and leaf certificates, verify the subject (compare to above) </li><pre>$ openssl x509 -in file_of_cert_you_want_to_check -noout -subject</pre></ol> ===Certificate Pinning=== Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication. Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate. Validate the certificate (see above) then generate the sha256 hash:  $ openssl x509 -in VT-Wirelesseduroam.cnsnis.vt.edu.crt -outform der | sha256sum 216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a 9b5163a3360f07b2dce2fd1e958c541687cf4c5360bb8adc87fa821c1c969910 -

'''Note:''' As we are pinning the certificate instead of relying on a PKI, when CNS NI&S rotates the certificates being used(at least every 2 years), the configuration will need to be updated to match the new certificate.

====A Word of Caution====

We encourage you to take precautions against network eavesdropping and mischief (on the Eduroam eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle]. For general tips on improving your security while using the network, consider reading the EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips, reading [https://www.hokieprivacy.org/ Hokie Privacy], and/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office].

==Set Your Remote Access (Network) Passphrase==Regardless In the list of what software you use to establish your connectionwireless networks, you must first set your remote passphrase by going to [httpsselect "eduroam". Set the following options://my.vt.edu my.vt.edu]→Settings→Change Network Password.

==NetworkManager==* Wi-Fi security: WPA & WPA2 Enterprise===eduroam * Authentication: Protected EAP (preferredPEAP)===* In your wireless configuration program, select eduroamAnonymous identity: anonymous@vt.edu* Choose PEAP as the EAP typeDomain: nis.vt.edu* Choose MSCHAPv2 as CA certificate: Select <code>/path/to/USERTrust_RSA_Certification_Authority.pem</code> via the file picker* PEAP version: Automatic* Inner authentication method.: MSCHAPv2* Use Username: PID@vt.edu and network passphrase as your login credentials.* Use anonymous@vt.edu as your Anonymous Identity* '''TODOPassword:''' Certificate verificationYOUR_NETWORK_PASSWORD

===VT-Wireless (legacy)===* In your wireless configuration program, select VT-Wireless.* Choose PEAP as the EAP type.* Choose MSCHAPv2 as the authentication method.* Use your {{{identity|PID}}} and network passphrase as your login credentials[[File:Nm settings.png]]

==wpa_supplicantInstructions==

update_config=1

#THIS HASH IS OUT OF DATE, PLEASE FOLLOW INSTRUCTIONS ABOVE # if you prefer to pin the certificate ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a" # if you prefer to dynamically validate the certificate by its cryptographic attributes ca_cert="/path/to/USERTrust_RSA_Certification_Authority.pem" domain_match="eduroam.nis.vt.edu"

===VT-Wireless (legacy)===Add On [[OpenBSD]], the following lines to <code>/etc/wpa_supplicant.conf</code>process is a little more complicated:

ctrl_interface=DIR=# ifconfig wlan0 nwid edoroam wpa wpaakms 802.1x up # /usr/local/sbin/wpa_supplicant -B -i wlan0 -c /runetc/wpa_supplicant GROUP=wheel.conf update_config=1# dhclient wlan0 fast_reauth=1# ifconfig iwm0 inet6 autoconf  ap_scan=1Alternate config options, besides domain_match are as follows (obviously not correct): network={ ssidsubject_match="VT-Wireless" proto/C=WPA2 key_mgmtUS/ST=WPA-EAP eapCA/L=PEAP phase2San Francisco/CN="authTest AS/emailAddress=MSCHAPV2as@example.com" identity domain_suffix_match="your {{{identity|PID}}}nis.vt.edu" password="your passphrase" ca_cert="More thorough documentation is available at [https://w1.fi/cgit/etchostap/sslplain/certswpa_supplicant/GlobalSign_Root_CAwpa_supplicant.pem }conf]

==netctlInstructions==

===VT-Wireless (legacy)=connman Instructions ==Tested on [[Arch Linux]] This config should be useable with netctl 0.8 (updated on 2013-04-12)connman. * Create a file, '''/etc/netctl/VT-Wireless''' Replace Passphrase and place this in it: Description="VT-Wireless PEAP-MSCHAPv2" Interface=wlan0 Connection=wireless Security=wpa-configsection IP=dhcp IP6=stateless WPAConfigSection=( 'ssid="VT-Wireless"' 'proto=RSN' 'key_mgmt=WPA-EAP' 'eap=PEAP' 'phase2="auth=MSCHAPV2"' 'identity="YOUR IDENTITY"' 'Identity with your Network password="NETWORK PASSWORD" 'ca_cert="/etc/ssl/certs/GlobalSign_Root_CAand PID@vt.pem"' ) Make sure to change '''IDENTITY''' to your {{{identity|PID}}}edu, and '''NETWORK PASSWORD''' to your network passwordrespectively.

* After creating this file, make sure to change the owner to root (<codepre>sudo chown root:root /etc/netctl/VT-Wireless</code>) and change the permissions so that it can be read only by the owner (<code>sudo chmod 0600 /etc/netctl/VT-Wireless</code>). This will ensure that your private key password cannot be read by others easily[global]Name = eduroamDescription = Optionally put something descriptive here.

==AndroidInstructions==

Quick and dirty options for validating the eduroam certificate, in order from least secure to most secure: # Do not validate: you will get online, but consider your connection to be as secure as a public hotspot# (Android 7.1+ only) Use system certificates: This will check to make sure the certificate chains back to some CA in the system cert store. This is significantly better than no validation, but still not very good. You may also need to specify a domain. If so, use "vt.edu"# Download and import the USERTrust Root CA: detailed instructions to come. Since you are still not checking the CN, it is only marginally better than using system certificates.# Use the [https://play.google.com/store/apps/details?id=uk.ac.swansea.eduroamcat eduroam CAT] tool: this will setup the whole wireless profile and use the correct CA and verify the CN. As such, it is the preferred method. Warning, it is ugly. If you have an existing "eduroam" profile, you will need to remove it. When it prompts for the username and password, use <YOUR-PID>@vt.edu and your network password. It relies on geolocation to prompt for the profile for the right school. You may need to go outside to get a good GPS signal. If it is able to do geo-ip (e.g., you are connected to the "VirginiaTech" SSID), it gets you close enough. ==Frequently Asked Questions=====Is eduroam free?=== eduroam at Virginia Tech is free for:* VT-Wireless affiliates with wireless entitlements (legacyincludes students)access and network passwords* Users at other participating institutions ===Why is eduroam the preferred SSID?==={{Version|2Using eduroam has several advantages:* The unencrypted portion of your authentication optionally identifies you as "anonymous@vt.2 (Froyo) of Android}}edu" rather than revealing your PID* You have access to seamless roaming if you ever travel to another participating college campus* The anonymous identity feature separates RADIUS authentication logs from the network access provider's logs

* From the home screen, press the menu button and choose "Settings"→"Wireless & networks"→"Wi===Does eduroam support EAP-Fi settings".* Remove any existing entries for {{{networks|the network you'd like to add or any conflicting network}}}.TLS?===* From the "WiFi networks" listingCurrently, click on {{{network|the network you'd like to add}}}.* Choose PEAP as the Virginia Tech eduroam RADIUS servers are not configured for EAP method and MSCHAPv2 as the phase two authentication mechanism.* Enter your credentials for the identity and press "Connect"-TLS.