Changes

On campus, there are 2 wireless networks:* '''PEAP-MSCHAPv2eduroam''' : uses federated credentials and is a wireless the preferred method.* '''VirginiaTech''': for guests and devices that cannot use the authentication scheme used by Virginia Tech as an alternative method of '''eduroam'''.Any remotely modern/complete Linux or Unix system will be able to [[EAP-TLS]] for connections connect to [[VT-Wireless]]eduroam without any issues.

Because '''eduroam''''s credentials are federated, it means that a VT user is able to automatically connect to the Internet at participating institutions. The eduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of the authentication system. ==General Connection informationInformation==

The following settings are recommended for connecting to the Eduroam eduroam network: * '''SSID:''' eduroam* '''EAP:''' PEAP* '''Phase 2:''' MSCHAPv2* '''Root CA:''' "USERTrust RSA Certification Authority" or pin the certificate (see below)* '''Server Name:''' eduroam.nis.vt.edu* '''Identity:''' pid@vt.edu (So if your PID was "hokiebird", hokiebird@vt.edu)* '''Anonymous Identity:''' anonymous@vt.edu* '''Password:''' [https://www.computing.vt.edu/kb/entry/3765 Your Network Password] ''Regardless of what software you use to establish your connection, you must first set your remote (network) passphrase by going to [https://my.vt.edu my.vt.edu]→Settings→Change Network Password.'' ===Obtaining the Certificate Chain=== The certificate presented by the RADIUS server is chained as such: * USERTrust RSA Certification Authority** InCommon RSA Server CA *** eduroam.nis.vt.edu Below is where to obtain each of these, along with some metadata. The filenames are arbitrary, but will be used for the rest of this article. For every certificate (''especially'' the root, the signature chain helps with the rest), consider where you are obtaining it from and how much trust that you are getting what you think you are. You will probably want the PEM formatted certificate, if you have the option. ====USERTrust RSA Certification Authority==== ''Filename:'' USERTrust_RSA_Certification_Authority.pem ''Subject:'' C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem</code>. Note that if you follow the Authority Information Access of the intermediate certificate, it may direct you to a URL which points to a different version of this certficate, which is cross signed by AddTrust and expired in May 2020. The one in your cert store is self-signed and expires in 2038. You want the one from your cert store. ====InCommon RSA Server CA==== ''Filename:'' InCommonRSAServerCA_2.pem ''Subject:'' C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA This is an intermediate certificate issued to InCommon. You can get it directly from InCommon [http://crt.usertrust.com/InCommonRSAServerCA_2.crt here].

* SSID: ====eduroam* EAP: PEAP* Phase 2: MSCHAPv2* Identity: pid@vt.edu (So if your PID was "hokiebird", hokiebird@vt.edu)* Anonymous Identity: anonymous@vt.edu* Password: [https://www.computingnis.vt.edu/kb/entry/3765 Your Network Password]====

====RADIUS certificates====The certificate verification methods vary greatly between different network managers, but the certificate currently in use for the Virginia Tech RADIUS servers is available from the [https''Filename://ash'' eduroam.eprov.setinis.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless PKI Certificate Search site] and the certificate chain is the (Obsolete) [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Global Server CA] chain.pem

''Subject:'' C =US, postalCode =A word of caution on MSCHAPv224061, ST =Virginia, L = Blacksburg, street = 800 Washington St. SW, O =Warning: Use of PEAP-MSCHAPv2 to connect to the Virginia Tech network is strongly discouraged by the Linux Polytechnic Institute and Unix Users Group due to attacks that can allow all traffic to be decrypted with a 100% success rateState University, OU = Secure Identity Services, CN = eduroam.nis. Unfortunately, VT has deprecated its use so users will soon lose the choice to use certificatesvt.edu

At DefCon 20 in July 2012, an attack was announced for MSCHAPv2 that allows This can be obtained from the protocol to be cracked quickly with a 100% success rate.<ref>[https://wwwcerts.it.cloudcrackervt.com/blog/2012/07/29/cracking-ms-chap-v2edu/search VT Certificate Manager]</ref> '''Use of MSCHAPv2 is strongly discouraged.'''This requires PID login. Search for "eduroam.nis.vt.edu". Grab the certificate most recently issued.

==Set your remote access (network) passphrase==<ol><li> Obtain ''all'' certificates in the chain ''in PEM format'' </li>Regardless of what software you use to establish your connection, you must first set your remote passphrase by going <li> Concatenate the non-leaf certificates in to [httpsa single file:</li><pre>$ cat USERTrust_RSA_Certification_Authority.pem InCommonRSAServerCA_2.pem > ca.pem</pre><li> Verify the certificates are signed correctly </myli><pre>$ openssl verify -verbose -purpose sslserver -CAfile ca.pem eduroam.nis.vt.edu my.pemeduroam.nis.vt.edu]→Settings→Change Network Password.pem: OK</pre><li> For at least the root and leaf certificates, verify the subject (compare to above) </li><pre>$ openssl x509 -in file_of_cert_you_want_to_check -noout -subject</pre></ol>

==Android=Certificate Pinning====eduroam (preferred)===TODO=== VT-Wireless (legacy)==={{Version|2.2 (Froyo) of Android}}

* From Due to vulnerabilities in the MSCHAPv2 protocol that allow the home screenprotocol to be cracked quickly with a 100% success rate<ref>[https://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref>, press it is ''absolutely critical'' that the menu button and choose "Settings"→"Wireless & networks"→"Wi-Fi settings"RADIUS server certificate be validated properly before attempting authentication.* Remove any existing entries Where possible, we opt for {{{networks|the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate. Validate the certificate (see above) then generate the sha256 hash:  $ openssl x509 -in eduroam.nis.vt.edu.crt -outform der | sha256sum 9b5163a3360f07b2dce2fd1e958c541687cf4c5360bb8adc87fa821c1c969910 - It is recommended that youperform these steps yourself rather than trusting the certificate hash presented in the configurations below. '''d like Note:''' As we are pinning the certificate instead of relying on a PKI, when NI&S rotates the certificates being used (at least every year), the configuration will need to be updated to add or any conflicting match the new certificate. ===Getting your network}}}.password hash===* From MSCHAPv2 verifies the "WiFi networks" listingNT4 hash of your password, click not the password itself. This means knowing the hash of the password is sufficient to connect to authenticate. Depending on {{{network|the network client, you may be able to store the hash in your config instead of the password. To reiterate, '''this hash is just as sensitive as your password'''. The hash is less human memorable, though, and does act as a deterrent to shoulder-surfing. To derive the password hash, youcan:<pre>printf 'YOUR-NETW-ORKP-SSWD' \ | iconv -f ASCII -t UTF-16LE \ | openssl dgst -md4 \ | cut -d like ' ' -f 2</pre> If you are using OpenSSL 3, you will need to specify the legacy provider:<pre> | openssl dgst -md4 -provider legacy \</pre> ===A Word of Caution===Although you can verify connection to the Virginia Tech RADIUS servers you must keep in mind that you are connecting to add}}}a network that you do not control. It is possible that there are network monitors in place which can record and potentially modify traffic.* Choose PEAP as We encourage you to take precautions against network eavesdropping and mischief (on the EAP method eduroam network, and MSCHAPv2 as in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the phase two authentication mechanism[https://www.torproject.org/ Tor Browser Bundle].* Enter For general tips on improving your credentials for security while using the network, consider reading the identity EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips, reading [https://www.hokieprivacy.org/ Hokie Privacy], and press "Connect"/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office]. ==NetworkManager Instructions==

==NetworkManager=====eduroam (preferred)===* In your the list of wireless configuration programnetworks, select "eduroam".* Choose PEAP as the EAP type.* Choose MSCHAPv2 as Set the authentication method.* Use PID@vt.edu and network passphrase as your login credentials.following options:

===VT-Wireless (legacy)===* In your wireless configuration program, select VT-Wireless.* Choose PEAP as the EAP type.* Choose MSCHAPv2 as the authentication method.* Use your {{{identity|PID}}} and network passphrase as your login credentials[[File:Nm settings.png]]

==wpa_supplicantInstructions==

In order to connect to the eduroam network, add the following to <code>/etc/wpa_supplicant/eduroam.conf </code> modifying the identity and password to reflect your PID and Network Password:

update_config=1

# if you prefer to pin the certificate, follow the instructions above to generate a hash ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff" # if you prefer to dynamically validate the certificate by its cryptographic attributes ca_cert="/path/to/USERTrust_RSA_Certification_Authority.pem" domain_match="eduroam.nis.vt.edu" identity="YourPidHerePID@vt.edu" password="YourNetworkPasswordHereYOUR_NETWORK_PASSWORD"

===For VT-Wireless Alternate config options, besides domain_match are as follows (legacyobviously not correct)===Add the following lines to /etc/wpa_supplicant.conf:  ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel update_config=1 fast_reauth=1 ap_scan=1 network={ ssid="VT-Wireless" proto=WPA2 key_mgmt=WPA-EAP eap=PEAP phase2="auth=MSCHAPV2" identity="your {{{identity|PID}}}" password="your passphrase" ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem }

subject_match="/C=Certificate pinningUS/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com" domain_suffix_match=For eduroam===In the above wpa_supplicant configuration, we pin the server certificate that we expect the RADIUS server to present. wpa_supplicant offers multiple mechanisms for certificate management. The ca\_cert parameter can point to a file which contains one or more CA certificates which will be used to validate the certificate"nis. With that option you also have the ability to specify a substring match of the certificate's common namevt.edu"

In our configuration we opted for a much stronger level of validation where in we specify the hash of the certificate that we expect to seeMore thorough documentation is available at [https://w1. When using this method of certificate validation, you specify the ca_cert parameter as hash:fi/cgit/hostap/serverplain/sha256wpa_supplicant/<sha256 hash of DER encoded certificate>wpa_supplicant.conf]

In order ===OpenBSD Instructions===Since the [[OpenBSD]] network stack doesn't support 802.1x authentication, wpa_supplicant is needed to generate the sha256 hash connect. wpa_supplicant on OpenBSD is different from its Linux counterpart in that it is only capable of the DER encoded certificate (so 802.1x authentication and nothing more. First, install wpa_supplicant from ports if it is not already installed. After that you can validate that the above hash is correct), download add just the certificate by clicking <code>network={ .. }</code> portion of the "Download" link on the [https:above configuration to <code>/etc/ashwpa_supplicant.eprovconf</code>.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certifcate Search for VT-Wireless]The wpa_supplicant service can be enabled with (where iwm0 is your wireless interface):

(TODO)Then generate Finally, connect to the sha256 hash network with (in the directory where the certificate downloaded toagain, replacing iwm0 with your wireless interface):

openssl x509 -in VT-Wireless$ ifconfig iwm0 join eduroam wpa wpaakms 802.cns.vt.edu.crt -outform der | sha256sum1x up 216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a $ dhclient iwm0 -$ ifconfig iwm0 inet6 autoconf

==netctlInstructions==

===eduroam (preferred)===Put the following configuration in <code>/etc/netctl/eduroam </code> with your proper PID and Network Password. Further, this assumes that your wireless network device is wlan0, which you might have to change to match your system. The ca_cert line pins the server certificate and can be generated/validated using the mechanism described above.

==connman Instructions ==This config should be useable with connman. Replace Passphrase and Identity with your Network password and PID@vt.edu, respectively. <pre>[global]Name = eduroamDescription = Optionally put something descriptive here. [service_wifi_3c15c2e29584_656475726f616d_managed_ieee8021x]Type = wifiName = eduroamEAP = peapCACertFile = /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pemDomainMatch = eduroam.nis.vt.eduAnonymousIdentity = anonymous@vt.eduPhase2 = MSCHAPV2Identity = PID@vt.eduPassphrase = NETWORKPASSWORD</pre> ==iwd Instructions==This is a sample configuration, usually located at something like <code>/var/lib/iwd/eduroam.8021x</code>. For VT-Wireless details, read <code>iwd.network(legacy5)</code>. <pre>[Security]EAP-Method =PEAPEAP-Identity =anonymous@vt.eduEAP-PEAP-CACert =embed:USERTrust_RSA_Certification_AuthorityEAP-PEAP-ServerDomainMask = eduroam.nis.vt.eduEAP-PEAP-Phase2-Method = MSCHAPV2EAP-PEAP-Phase2-Identity = PID@vt.eduEAP-PEAP-Phase2-Password-Hash = 8846f7eaee8fb117ad06bdd830b7586c [@pem@USERTrust_RSA_Certification_Authority]-----BEGIN CERTIFICATE-----MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkYtJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmTYo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97lc6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4eeUB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeEHg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPFUp/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KOVWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcRiQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYzeSf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZXHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRBVXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aBL6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfGjjxDah2nGN59PRbxYvnKkKj9-----END CERTIFICATE-----</pre> ==Android Instructions== Tested on [[Arch LinuxFile:AndroidEduroamNoCert.png|170px|thumb|Sample Android configuration of eduroam, but crucially lacking certificate validation.]] with netctl 0 A sample configuration is available to the right, but as this configuration is currently lacking CA certificate validation, we do not at this time recommend connecting to the network. The Identity needs to be modified to match your PID@vt.8 (updated on 2013-04-12)edu, and your Network Password needs to be entered in the Password field.

Steps:* Create a file, '''/etc/netctl/VTNavigate to the list of Wi-Wireless''' and place this in it:Fi networks. Description=* "VT-Wireless PEAP-MSCHAPv2Forget"any existing entries for eduroam. Interface=wlan0 Connection=wireless Security=wpa-configsection IP=dhcp IP6=stateless WPAConfigSection=( 'ssid=* From the "VT-WirelessWiFi networks"'listing, click on eduroam. 'proto=RSN' 'key_mgmt=WPA-* Choose PEAP as the EAP'method and MSCHAPv2 as the phase two authentication mechanism. 'eap=PEAP' 'phase2=* For the CA certificate, select "auth=MSCHAPV2Use system certificates"'. Optionally, import the root CA from above, and select that instead for better security. '* For the domain, enter ```eduroam.nis.vt.edu```* Enter your pid@vt.edu for the identity=* Enter "YOUR IDENTITYanonymous@vt.edu"'for the anonymous identity '* Enter your Network Password for the password=* Press "NETWORK PASSWORDConnect".  'ca_cert="/etc/ssl/certs/GlobalSign_Root_CANOTE: Older versions of Android do not allow not verifying the server certificate. Setting both the root CA and the domain are essential for protecting your credentials. Although older versions will get you connected, use at your own risk.pem"' )

Make sure to change '''IDENTITY''' to your {{{identity|PID}}}, ==Frequently Asked Questions=====Is eduroam free?===eduroam at Virginia Tech is free for:* VT affiliates with wireless entitlements (includes students) access and '''NETWORK PASSWORD''' to your network password.passwords* Users at other participating institutions

===Why is eduroam the preferred SSID?===Using eduroam has several advantages:* After creating this file, make sure The unencrypted portion of your authentication optionally identifies you as "anonymous@vt.edu" rather than revealing your PID* You have access to change the owner seamless roaming if you ever travel to root (<code>sudo chown root:root /etc/netctl/VT-Wireless</code>) and change the permissions so that it can be read only by another participating college campus* The anonymous identity feature separates RADIUS authentication logs from the owner (<code>sudo chmod 0600 /etc/netctl/VT-Wireless</code>). This will ensure that your private key password cannot be read by others easily.network access provider's logs

* To connect===Does eduroam support EAP-TLS?===Currently, simply type the following in a terminal: sudo netctl start VTVirginia Tech eduroam RADIUS servers are not configured for EAP-WirelessTLS.