14
edits
Changes
openbsd typos →wpa_supplicant Instructions
As of January 2015 the [https://www.computing.vt.edu/content/eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ Eduroameduroam] network. Eduroam eduroam is a secure wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless eduroam network is that you will be able to connect to the Internet at any participating institution using your Virginia Tech credentials. The Eduroameduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS servers.
==General Connection Information==
===eduroam===
The following settings are recommended for connecting to the Eduroam eduroam network:
* '''SSID:''' eduroam
* '''EAP:''' PEAP
* '''Phase 2:''' MSCHAPv2
* '''Root CA:''' "USERTrust RSA Certification Authority" or pin the certificate (see below)
* '''Server Name:''' eduroam.nis.vt.edu
* '''Identity:''' pid@vt.edu (So if your PID was "hokiebird", hokiebird@vt.edu)
* '''Anonymous Identity:''' anonymous@vt.edu
''Regardless of what software you use to establish your connection, you must first set your remote (network) passphrase by going to [https://my.vt.edu my.vt.edu]→Settings→Change Network Password.''
===Obtaining the Certificate PinningChain=== The certificate presented by the RADIUS server is chained as such: * USERTrust RSA Certification Authority** InCommon RSA Server CA *** eduroam.nis.vt.edu Below is where to obtain each of these, along with some metadata. The filenames are arbitrary, but will be used for the rest of this article. For every certificate (''especially'' the root, the signature chain helps with the rest), consider where you are obtaining it from and how much trust that you are getting what you think you are. You will probably want the PEM formatted certificate, if you have the option. ====USERTrust RSA Certification Authority==== ''Filename:'' USERTrust_RSA_Certification_Authority.pem ''Subject:'' C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem</code>. Note that if you follow the Authority Information Access of the intermediate certificate, it may direct you to a URL which points to a different version of this certficate, which is cross signed by AddTrust and expires in May 2020. The one in your cert store is self-signed and expires in 2038. You want the one from your cert store. ====InCommon RSA Server CA==== ''Filename:'' InCommonRSAServerCA_2.pem ''Subject:'' C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA This is an intermediate certificate issued by InCommon. You can get it directly from InCommon [http://crt.usertrust.com/InCommonRSAServerCA_2.crt here]. ====eduroam.nis.vt.edu==== ''Filename:'' eduroam.nis.vt.edu.pem
$ openssl x509 -in VT-Wirelesseduroam.cnsnis.vt.edu.crt -outform der | sha256sum 216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a 9b5163a3360f07b2dce2fd1e958c541687cf4c5360bb8adc87fa821c1c969910 -
It is recommended that you perform these steps yourself rather than trusting the certificate hash presented in the configurations below.
'''Note:''' As we are pinning the certificate instead of relying on a PKI, when CNS NI&S rotates the certificates being used(at least every 2 years), the configuration will need to be updated to match the new certificate.
===A Word of Caution===
Although you can verify connection to the Virginia Tech RADIUS servers you must keep in mind that you are connecting to a network that you do not control. It is possible that there are network monitors in place which can record and potentially modify traffic.
We encourage you to take precautions against network eavesdropping and mischief (on the Eduroam eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle].
For general tips on improving your security while using the network, consider reading the EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips, reading [https://www.hokieprivacy.org/ Hokie Privacy], and/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office].
==NetworkManager Instructions==
==wpa_supplicant Instructions==
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
update_config=1
fast_reauth=1
ap_scan=1
anonymous_identity="anonymous@vt.edu"
#THIS HASH IS OUT OF DATE, PLEASE FOLLOW INSTRUCTIONS ABOVE
# if you prefer to pin the certificate
ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"
#alternately, if you can use this line below, but it is less secure than pinning prefer to dynamically validate the cert!certificate by its cryptographic attributes ca_cert="/path/to/USERTrust_RSA_Certification_Authority.pem" domain_match="VT-Wirelesseduroam.cnsnis.vt.edu"
identity="YourPidHere@vt.edu"
password="YourNetworkPasswordHere"
$ sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/eduroam.conf
$ sudo dhcpcd wlan0
On [[OpenBSD]], the process is a little more complicated:
# ifconfig wlan0 nwid eduroam wpa wpaakms 802.1x up
# /usr/local/sbin/wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf
# dhclient wlan0
# ifconfig wlan0 inet6 autoconf
Alternate config options, besides domain_match are as follows (obviously not correct):
subject_match="/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com"
domain_suffix_match="nis.vt.edu"
More thorough documentation is available at [https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf]
==netctl Instructions==
'anonymous_identity="anonymous@vt.edu"'
'ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"'
'identity="YourPidHere@vt.edu"'
'password="YourNetworkPasswordHere"'
)
The ConfigSection (as per the netctl.profile manpage) is just what you would put in a wpa_supplicant config. Again, note that the domain_match is ''less secure'' than ca_cert, but better than not checking at all.
Ensure that this file is owned by root and only readable by root:
Name = eduroam
EAP = peap
CACertFile = /etc/ssl/certs/GlobalSign_Root_CA_-_R3USERTrust_RSA_Certification_Authority.pemDomainMatch = eduroam.nis.vt.edu
AnonymousIdentity = anonymous@vt.edu
Phase2 = MSCHAPV2
'''TODO:''' Android certificate validation
Quick and dirty options for validating the eduroam certificate, in order from least secure to most secure:
# Do not validate: you will get online, but consider your connection to be as secure as a public hotspot
# (Android 7.1+ only) Use system certificates: This will check to make sure the certificate chains back to some CA in the system cert store. This is significantly better than no validation, but still not very good. You may also need to specify a domain. If so, use "vt.edu"
# Download and import the USERTrust Root CA: detailed instructions to come. Since you are still not checking the CN, it is only marginally better than using system certificates.
# Use the [https://play.google.com/store/apps/details?id=uk.ac.swansea.eduroamcat eduroam CAT] tool: this will setup the whole wireless profile and use the correct CA and verify the CN. As such, it is the preferred method. Warning, it is ugly. If you have an existing "eduroam" profile, you will need to remove it. When it prompts for the username and password, use <YOUR-PID>@vt.edu and your network password. It relies on geolocation to prompt for the profile for the right school. You may need to go outside to get a good GPS signal. If it is able to do geo-ip (e.g., you are connected to the "VirginiaTech" SSID), it gets you close enough.
==Frequently Asked Questions==
===Is eduroam free?===
* Users at other participating institutions
===Why is eduroam the preferred SSID?===
Using eduroam has several advantages:
* Your wifi probes identify The unencrypted portion of your authentication optionally identifies you as an eduroam user, "anonymous@vt.edu" rather than a VT affiliaterevealing your PID
* You have access to seamless roaming if you ever travel to another participating college campus
* The anonymous identity feature separates RADIUS authentication logs from the network access provider's logs
==References==
[[Category:Howtos]]
[[Category:Campus computing resources]]
[[Category:Needs restoration]]