Changes

<!--There are three wireless networks on campus. One network, called VT-Wireless, encrypts all traffic and is secured with [[EAP-TLS]] or PEAP-MSCHAPv2. A second network, CONNECTtoVT-Wireless, is an unencrypted, captive portal wireless network designed to set up connecting to VT-Wireless without offering Internet access. Due to user issues faced during deployment, CONNECTtoVT-Wireless began offering captive portal access to VT users.-->On campus, there are 2 wireless networks. :* '''Eduroameduroam''' : uses federated credentials and is the preferred method, which uses PEAP-MSCHAPv2 to authenticate to .* '''VirginiaTech''': for guests and devices that cannot use the RADIUS server, while the second SSID, authentication method of '''VirginiaTecheduroam''', provides a captive-portal.and allows for guest account creationAny remotely modern/complete Linux or Unix system will be able to connect to eduroam without any issues.

As of January 2015 the [https://www.computing.vt.edu/content/Because '''eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ Eduroam] network. Eduroam is ''''s credentials are federated, it means that a secure wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless network user is that you will be able to automatically connect to the Internet at any participating institution using your Virginia Tech credentialsinstitutions. The Eduroameduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS serversauthentication system.

The following settings are recommended for connecting to the Eduroam eduroam network:

* '''Root CA:''' [https://2029.globalsign.com GlobalSign Root CA - R3]"USERTrust RSA Certification Authority" or pin the certificate (see below)

===Obtaining the Certificate PinningChain=== The certificate presented by the RADIUS server is chained as such: * USERTrust RSA Certification Authority** InCommon RSA Server CA *** eduroam.nis.vt.edu Below is where to obtain each of these, along with some metadata. The filenames are arbitrary, but will be used for the rest of this article. For every certificate (''especially'' the root, the signature chain helps with the rest), consider where you are obtaining it from and how much trust that you are getting what you think you are. You will probably want the PEM formatted certificate, if you have the option. ====USERTrust RSA Certification Authority==== ''Filename:'' USERTrust_RSA_Certification_Authority.pem ''Subject:'' C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem</code>. Note that if you follow the Authority Information Access of the intermediate certificate, it may direct you to a URL which points to a different version of this certficate, which is cross signed by AddTrust and expired in May 2020. The one in your cert store is self-signed and expires in 2038. You want the one from your cert store. ====InCommon RSA Server CA==== ''Filename:'' InCommonRSAServerCA_2.pem ''Subject:'' C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA This is an intermediate certificate issued to InCommon. You can get it directly from InCommon [http://crt.usertrust.com/InCommonRSAServerCA_2.crt here]. ====eduroam.nis.vt.edu==== ''Filename:'' eduroam.nis.vt.edu.pem

Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ Cracking MS-CHAPv2]</ref>, it is ''absolutely criticalSubject:'' that the RADIUS server certificate be validated properly before attempting authentication. UnfortunatelyC = US, postalCode = 24061, ST = Virginia, VT has deprecated a much stronger authentication methodL = Blacksburg, [[EAP-TLS]]street = 800 Washington St. SW, O = Virginia Polytechnic Institute and as suchState University, OU = Secure Identity Services, network certificates are no longer an optionCN = eduroam.nis.vt.edu

Where possible, we opt for This can be obtained from the highest level of verification of the certificate[https: manually pinning the hash of the certificate we expect to be presented//certs.it.vt.edu/search VT Certificate Manager]. This requires PID login. Search for "eduroam.nis.vt.edu". The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of Grab the certificatemost recently issued.

In order to generate ===Validating the certificate hash, [https://apps.pki.vt.edu/ca-manager/search search] for eduroam.nis.vt.edu, and download the certificate by clicking the "download" link. '''Note:''' This site is only available to Virginia Tech IPs (incluing VPN), and required PID login.===

Validate that <ol><li> Obtain ''all'' certificates in the downloaded certificate is chain ''in fact signed by PEM format'' </li><li> Concatenate the [httpnon-leaf certificates in to a single file:</li><pre>$ cat USERTrust_RSA_Certification_Authority.pem InCommonRSAServerCA_2.pem > ca.pem</wwwpre><li> Verify the certificates are signed correctly </li><pre>$ openssl verify -verbose -purpose sslserver -CAfile ca.pem eduroam.pkinis.vt.edu/developer/rootca.html#globalqualifiedserver Virginia Tech Global Server Qualified Server CA] chainpemeduroam.nis.vt.edu. You will first need pem: OK</pre><li> For at least the root and leaf certificates, verify the subject (compare to download ''all'' certificates above) </li><pre>$ openssl x509 -in the "CA: Virginia_Tech_Global_Server_CA" chain and concatenate them.file_of_cert_you_want_to_check -noout -subject</pre></ol>

$ cat Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://web.archive.org/web/etc20160316174007/sslhttps:/certs/GlobalSign_Root_CA_-_R3www.pem TrustedRootCASHA256G2cloudcracker.pem VirginiaTechGlobalQualifiedServerCA.pem >> ca.pem $ openssl verify com/blog/2012/07/29/cracking-verbose ms-purpose sslserver chap-CAfile cav2/]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication.pem eduroamWhere possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented.nis.vt.edu.crt eduroamThe canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate.nis.vt.edu.crt: OK

Then Validate the certificate (see above) then generate the sha256 hash:

$ openssl x509 -in VT-Wirelesseduroam.cnsnis.vt.edu.crt -outform der | sha256sum

'''Note:''' As we are pinning the certificate instead of relying on a PKI, when NI&S rotates the certificates being used (at least every 2 yearsyear), the configuration will need to be updated to match the new certificate. ===Getting your network password hash===MSCHAPv2 verifies the NT4 hash of your password, not the password itself. This means knowing the hash of the password is sufficient to connect to authenticate. Depending on the client, you may be able to store the hash in your config instead of the password. To reiterate, '''this hash is just as sensitive as your password'''. The hash is less human memorable, though, and does act as a deterrent to shoulder-surfing. To derive the password hash, you can:<pre>printf 'YOUR-NETW-ORKP-SSWD' \ | iconv -f ASCII -t UTF-16LE \ | openssl dgst -md4 \ | cut -d ' ' -f 2</pre> If you are using OpenSSL 3, you will need to specify the legacy provider:<pre> | openssl dgst -md4 -provider legacy \</pre>

We encourage you to take precautions against network eavesdropping and mischief (on the Eduroam eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle].

* In your the list of wireless configuration programnetworks, select "eduroam".Set the following options: * Choose Wi-Fi security: WPA & WPA2 Enterprise* Authentication: Protected EAP (PEAP as the EAP type.)* Choose MSCHAPv2 as the authentication methodAnonymous identity: anonymous@vt.edu* Use PID@Domain: nis.vt.edu and network passphrase as your login credentials* CA certificate: Select <code>/path/to/USERTrust_RSA_Certification_Authority.pem</code> via the file picker* PEAP version: Automatic* Inner authentication: MSCHAPv2* Use anonymousUsername: PID@vt.edu as your Anonymous Identity* '''TODOPassword: YOUR_NETWORK_PASSWORD [[File:''' Certificate verification (Warning, until certificate verification is added, it is ''not'' recommended that you use this method of accessing the networkNm settings.)png]]

#THIS HASH IS OUT OF DATEif you prefer to pin the certificate, PLEASE FOLLOW INSTRUCTIONS ABOVEfollow the instructions above to generate a hash ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff" #alternately, if you can use this line below, but it is less secure than pinning prefer to dynamically validate the cert!certificate by its cryptographic attributes ca_cert="/path/to/USERTrust_RSA_Certification_Authority.pem" domain_match="VT-Wirelesseduroam.cnsnis.vt.edu" identity="YourPidHerePID@vt.edu" password="YourNetworkPasswordHereYOUR_NETWORK_PASSWORD"

Alternate config options, besides domain_match and ca_cert are as follows (obviously not correct):

domain_suffix_match="cnsnis.vt.edu" More thorough documentation is available at [https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf] ===OpenBSD Instructions===Since the [[OpenBSD]] network stack doesn't support 802.1x authentication, wpa_supplicant is needed to connect. wpa_supplicant on OpenBSD is different from its Linux counterpart in that it is only capable of 802.1x authentication and nothing more. First, install wpa_supplicant from ports if it is not already installed. After that, add just the <code>network={ .. }</code> portion of the above configuration to <code>/etc/wpa_supplicant.conf</code>. The wpa_supplicant service can be enabled with (where iwm0 is your wireless interface):  $ rcctl enable wpa_supplicant $ rcctl set wpa_supplicant flags -c /etc/wpa_supplicant.conf -s -D openbsd -i iwm0 $ rcctl start wpa_supplicant Finally, connect to the network with (again, replacing iwm0 with your wireless interface):

More thourough documentation is available at [https://w1 $ ifconfig iwm0 join eduroam wpa wpaakms 802.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf]1x up $ dhclient iwm0 $ ifconfig iwm0 inet6 autoconf

'domain_match="VT-Wirelesseduroam.cnsnis.vt.edu"'

CACertFile = /etc/ssl/certs/GlobalSign_Root_CA_-_R3USERTrust_RSA_Certification_Authority.pemDomainMatch = eduroam.nis.vt.edu

* From Navigate to the home screen, press the menu button and choose "Settings"→"Wireless & networks"→"list of Wi-Fi settings"networks.* Remove "Forget" any existing entries for eduroam.

'''TODONOTE:''' Older versions of Android do not allow not verifying the server certificate validation. Setting both the root CA and the domain are essential for protecting your credentials. Although older versions will get you connected, use at your own risk.

Eduroam eduroam at Virginia Tech is free for:* VT affiliates with VT-Wireless wireless entitlements (includes students) access and network passwords

* Your wifi probes identify The unencrypted portion of your authentication optionally identifies you as an eduroam user, "anonymous@vt.edu" rather than a VT affiliaterevealing your PID

The main disadvantage is that ===Does eduroam support EAP-TLS?===Currently, the Virginia Tech's eduroam implementation does RADIUS servers are not appear to support the deprecated [[configured for EAP-TLS]] system, while VT-Wireless does (as of February 2015).