Changes

<!--There are three wireless networks on campus. One network, called VT-Wireless, encrypts all traffic and is secured with [[EAP-TLS]] or PEAP-MSCHAPv2. A second network, CONNECTtoVT-Wireless, is an unencrypted, captive portal wireless network designed to set up connecting to VT-Wireless without offering Internet access. Due to user issues faced during deployment, CONNECTtoVT-Wireless began offering captive portal access to VT users.-->On campus, there are 2 wireless networks. '''Eduroameduroam''' is the preferred method, which uses PEAP-MSCHAPv2 to authenticate to the RADIUS server, while the second SSID, '''VirginiaTech''', provides a captive-portaland allows for guest account creation.

As of January 2015 the [https://www.computing.vt.edu/content/eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ Eduroameduroam] network. Eduroam eduroam is a secure wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless eduroam network is that you will be able to connect to the Internet at any participating institution using your Virginia Tech credentials. The Eduroameduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS servers.

The following settings are recommended for connecting to the Eduroam eduroam network:

===Obtaining the Certificate PinningChain=== The certificate presented by the RADIUS server is chained as such: * USERTrust RSA Certification Authority** InCommon RSA Server CA *** eduroam.nis.vt.edu Below is where to obtain each of these, along with some metadata. The filenames are arbitrary, but will be used for the rest of this article. For every certificate (''especially'' the root, the signature chain helps with the rest), consider where you are obtaining it from and how much trust that you are getting what you think you are. You will probably want the PEM formatted certificate, if you have the option. ====USERTrust RSA Certification Authority==== ''Filename:'' USERTrust_RSA_Certification_Authority.pem ''Subject:'' C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem</code>. Note that if you follow the Authority Information Access of the intermediate certificate, it may direct you to a URL which points to a different version of this certficate, which is cross signed by AddTrust and expires in May 2020. The one in your cert store is self-signed and expires in 2038. You want the one from your cert store. ====InCommon RSA Server CA==== ''Filename:'' InCommonRSAServerCA_2.pem ''Subject:'' C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA This is an intermediate certificate issued by InCommon. You can get it directly from InCommon [http://crt.usertrust.com/InCommonRSAServerCA_2.crt here].

Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://www====eduroam.cloudcrackernis.com/blog/2012/07/29/cracking-ms-chap-v2/ Cracking MS-CHAPv2]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication. Unfortunately, VT has deprecated a much stronger authentication method, [[EAP-TLS]], and as such, network certificates are no longer an optionvt.edu====

Where possible, we opt for the highest level of verification of the certificate''Filename: manually pinning the hash of the certificate we expect to be presented'' eduroam. The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificatenis.vt.edu.pem

In order to generate the certificate hash''Subject:'' C = US, postalCode = 24061, download the certificate by clicking the "Download" link on the [https://ashST = Virginia, L = Blacksburg, street = 800 Washington St.eprovSW, O = Virginia Polytechnic Institute and State University, OU = Secure Identity Services, CN = eduroam.setinis.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certificate Search for VT-Wireless] (Unfortunately this site is only available to Virginia Tech IPs)

Validate that This can be obtained from the downloaded certificate is in fact signed by the (Now Obsolete) [https://securecerts.hostingit.vt.edu/wwwsearch VT Certificate Manager]. This requires PID login. Search for "eduroam.pkinis.vt.edu/developer/rootca.html#globalserver Virginia Tech Global Server CA] chain". You will first need to download ''all'' certificates in Grab the "CA: Virginia_Tech_Global_Server_CA" chain and concatenate themcertificate most recently issued.

It is worth noting that ===Validating the new Virginia Tech CA is signed by the Global Sign R3 CA, and the Radius Server presents the name of "wireless.cns.vt.edu".certificate===

<ol><li> Obtain ''all'' certificates in the chain ''in PEM format'' </li><li> Concatenate the non-leaf certificates in to a single file: </li><pre>$ cat GlobalSignRootCAUSERTrust_RSA_Certification_Authority.pem GlobalSignRootSignPartnersCAInCommonRSAServerCA_2.pem VirginiaTechGlobalRootCA.pem VirginiaTechGlobalServerCA> ca.pem </pre><li>Verify the certificates are signed correctly </li> ca.pem <pre>$ openssl verify -verbose -purpose sslserver -CAfile ca.pem VT-Wirelesseduroam.cnsnis.vt.edu.crtpem VT-Wirelesseduroam.cnsnis.vt.edu.crtpem: OK</pre><li> For at least the root and leaf certificates, verify the subject (compare to above) </li><pre>$ openssl x509 -in file_of_cert_you_want_to_check -noout -subject</pre></ol>

Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication. Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate. Validate the certificate (see above) then generate the sha256 hash:  $ openssl x509 -in VT-Wirelesseduroam.cnsnis.vt.edu.crt -outform der | sha256sum 216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a 9b5163a3360f07b2dce2fd1e958c541687cf4c5360bb8adc87fa821c1c969910 -

'''Note:''' As we are pinning the certificate instead of relying on a PKI, when CNS NI&S rotates the certificates being used(at least every 2 years), the configuration will need to be updated to match the new certificate.

We encourage you to take precautions against network eavesdropping and mischief (on the Eduroam eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle].

* In your the list of wireless configuration programnetworks, select "eduroam".Set the following options: * Choose Wi-Fi security: WPA & WPA2 Enterprise* Authentication: Protected EAP (PEAP as the EAP type.)* Choose MSCHAPv2 as the authentication methodAnonymous identity: anonymous@vt.edu* Use PID@Domain: nis.vt.edu and network passphrase as your login credentials* CA certificate: Select <code>/path/to/USERTrust_RSA_Certification_Authority.pem</code> via the file picker* PEAP version: Automatic* Inner authentication: MSCHAPv2* Use anonymousUsername: PID@vt.edu as your Anonymous Identity* '''TODOPassword: YOUR_NETWORK_PASSWORD [[File:''' Certificate verification (Warning, until certificate verification is added, it is ''not'' recommended that you use this method of accessing the networkNm settings.)png]]

#alternately, if you can use this line below, but it is less secure than pinning prefer to dynamically validate the cert!certificate by its cryptographic attributes ca_cert="/path/to/USERTrust_RSA_Certification_Authority.pem" domain_match="VT-Wirelesseduroam.cnsnis.vt.edu"

On [[OpenBSD]], the process is a little more complicated:  # ifconfig wlan0 nwid eduroam wpa wpaakms 802.1x up # /usr/local/sbin/wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf # dhclient wlan0 # ifconfig wlan0 inet6 autoconf Alternate config options, besides domain_match and ca_cert are as follows (obviously not correct):

domain_suffix_match="cnsnis.vt.edu"

More thourough thorough documentation is available at [https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf]

'domain_match="VT-Wirelesseduroam.cnsnis.vt.edu"'

CACertFile = /etc/ssl/certs/GlobalSign_Root_CA_-_R3USERTrust_RSA_Certification_Authority.pemDomainMatch = eduroam.nis.vt.edu

Eduroam eduroam at Virginia Tech is free for:* VT affiliates with VT-Wireless wireless entitlements (includes students) access and network passwords

* Your wifi probes identify The unencrypted portion of your authentication optionally identifies you as an eduroam user, "anonymous@vt.edu" rather than a VT affiliaterevealing your PID

The main disadvantage is that ===Does eduroam support EAP-TLS?===Currently, the Virginia Tech's eduroam implementation does RADIUS servers are not appear to support the deprecated [[configured for EAP-TLS]] system, while VT-Wireless does (as of February 2015).