Changes


Virginia Tech Wifi

6,521 bytes added, 14:00, 28 June 2023
m
Undo revision 7818 by Waldrep (talk)
Since the fall of 2008On campus, there have been two are 2 wireless networks on campus. One network, called :* '''VT-Wirelesseduroam''', encrypts all traffic : uses federated credentials and is secured with EAP-TLS or PEAP-MSCHAPv2the preferred method. The other network, called [[VT_WLAN]] was an unencrypted network captive portal using PID * '''VirginiaTech''': for guests and devices that cannot use the authentication. In July, 2013 VT_WLAN was superseded by CONNECTtoVT-Wireless, an unencrypted, captive portal wireless network designed to set up connecting to VT-Wireless without offering Internet access. Due to user issues faced during deployment, CONNECTtoVT-Wireless began offering captive portal access to VT users. In January 2015, method of '''eduroam''' access was enabled, allowing members of any eduroam-affiliated institution .Any remotely modern/complete Linux or Unix system will be able to use wifi at any other institution. Connections connect to VT-Wireless and eduroam are secure by default, and has one of two different methods to connectwithout any issues.
As of January 2015 the [https://www.computing.vt.edu/content/Because '''eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ Eduroam] network. Eduroam is ''''s credentials are federated, it means that a wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless network user is that you will be able to automatically connect to the Internet at any participating institution using your Virginia Tech credentialsinstitutions. The Eduroameduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS serversauthentication system.
<!-- ==General Connection Information=====eduroam===The following settings are recommended for connecting to the eduroam network: * '''SSID:''' eduroam* '''EAP:'''PEAP-* '''Phase 2:''' MSCHAPv2* '''Root CA:''' "USERTrust RSA Certification Authority" or pin the certificate (see below)* '''Server Name:''' eduroam.nis.vt.edu* '''Identity:'''pid@vt.edu (So if your PID was "hokiebird", hokiebird@vt.edu)* '' is a wireless authentication scheme used 'Anonymous Identity:''' anonymous@vt.edu* '''Password:''' [https://www.computing.vt.edu/kb/entry/3765 Your Network Password] ''Regardless of what software you use to establish your connection, you must first set your remote (network) passphrase by Virginia Tech as an alternative going to [[EAP-TLS]https://my.vt.edu my.vt.edu] →Settings→Change Network Password.'' ===Obtaining the Certificate Chain=== The certificate presented by the RADIUS server is chained as such: * USERTrust RSA Certification Authority** InCommon RSA Server CA *** eduroam.nis.vt.edu Below is where to obtain each of these, along with some metadata. The filenames are arbitrary, but will be used for connections the rest of this article. For every certificate (''especially'' the root, the signature chain helps with the rest), consider where you are obtaining it from and how much trust that you are getting what you think you are. You will probably want the PEM formatted certificate, if you have the option. ====USERTrust RSA Certification Authority==== ''Filename:'' USERTrust_RSA_Certification_Authority.pem ''Subject:'' C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem</code>. 
Note that if you follow the Authority Information Access of the intermediate certificate, it may direct you to a URL which points to a different version of this certficate, which is cross signed by AddTrust and expired in May 2020. The one in your cert store is self-signed and expires in 2038. You want the one from your cert store. ====InCommon RSA Server CA==== ''Filename:'' InCommonRSAServerCA_2.pem ''Subject:'' C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA This is an intermediate certificate issued to InCommon. You can get it directly from InCommon [[VT-Wireless]http://crt.usertrust.com/InCommonRSAServerCA_2.crt here]. -->
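Review bot: The comment markers that open before "General Connection Information" and close after the InCommon link hide the recommended settings and the sources for USERTrust_RSA_Certification_Authority.pem and InCommonRSAServerCA_2.pem from the rendered page, yet the validation steps later concatenate exactly those two files and say "compare to above". Either drop the comment markers or move the two certificate subsections outside them, so the chain a reader is told to verify is actually documented. In the cross-signing note, "certficate" should be "certificate".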
==Connection information====eduroam.nis.vt.edu=eduroam===The following settings are recommended for connecting to the Eduroam network:
* SSID''Filename: '' eduroam* EAP: PEAP* Phase 2: MSCHAPv2* Identity: pid@vt.edu (So if your PID was "hokiebird", hokiebird@vtnis.edu)* Anonymous Identity: anonymous@vt.edu* Password: [https://www.computing.vt.edu/kb/entry/3765 Your Network Password]pem
''Subject:'' C =US, postalCode =24061, ST =Virginia, L =Certificate pinningBlacksburg, street =800 Washington St. SW, O =Virginia Polytechnic Institute and State University, OU =Secure Identity Services, CN =eduroam.nis.vt.edu
Many network managers for LinuxThis can be obtained from the [https://UNIX use wpa_supplicant as their underlying IEEE 802certs.it.vt.1xedu/WPA Supplicant and generate a configuration file on the flysearch VT Certificate Manager]. As a result many network managers have similar configuration formatsThis requires PID login. In this section we will walk through generating a certificate pin Search for "eduroam.nis.vt.edu". Grab the Certificate used to authenticate the VT RADIUS servers in eduroamcertificate most recently issued.
wpa_supplicant offers multiple mechanisms for certificate management. The ca_cert parameter can point to a file which contains one or more CA certificates which will be used to validate the certificate. With that option you also have the ability to specify a substring match of the certificate's common name. Where possible, in our configurations we opted for a much stronger level of validation by specifing the hash of ===Validating the certificate that we expect to see.===
In order to generate <ol><li> Obtain ''all'' certificates in the certificate hash, download chain ''in PEM format'' </li><li> Concatenate the certificate by clicking the "Download" link on the [httpsnon-leaf certificates in to a single file:</li><pre>$ cat USERTrust_RSA_Certification_Authority.pem InCommonRSAServerCA_2.pem > ca.pem</pre><li> Verify the certificates are signed correctly </ashli><pre>$ openssl verify -verbose -purpose sslserver -CAfile ca.eprovpem eduroam.setinis.vt.edu.pemeduroam.nis.vt.edu.pem: OK</EJBCAWebRequestpre><li> For at least the root and leaf certificates, verify the subject (compare to above) </certSearch?cmd=search&keyword=VTli><pre>$ openssl x509 -in file_of_cert_you_want_to_check -Wireless Certificate Search for VTnoout -Wireless] (Unfortunately this site is only available to Virginia Tech IPs)subject</pre></ol>
Validate that the certificate downloaded is in fact signed by the (Obsolete) [https://secure.hosting.vt.edu/www.pki.vt.edu/developer/rootca.html#globalserver Virginia Tech Global Server CA] chain.===Certificate Pinning===
Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication. Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. (TODO)The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate.
Then Validate the certificate (see above) then generate the sha256 hash (in the directory where the certificate downloaded to):
$ openssl x509 -in VT-Wirelesseduroam.cnsnis.vt.edu.crt -outform der | sha256sum 216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a 9b5163a3360f07b2dce2fd1e958c541687cf4c5360bb8adc87fa821c1c969910 -
It is recommended that you perform these steps yourself rather than trusting the certificate hash presented in the configurations below.
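Review bot: The pin command reads eduroam.nis.vt.edu.crt, but the leaf certificate is introduced earlier under the filename eduroam.nis.vt.edu.pem, with the statement that those filenames are used for the rest of the article; use one name throughout so the hash is computed over the same file that was just verified. The digest shown in this command changes as well, while the unchanged netctl profile further down still carries the ca_cert hash beginning 216c5f25, so that profile should be updated in the same edit or switched to a placeholder, as the wpa_supplicant block is.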
'''Note:''' As we are pinning the certificate instead of relying on a PKI, when CNS NI&S rotates the certificates being used(at least every year), the configuration will need to be updated to match the new certificate. ====A word of caution====Although you can verify connection to the Virginia Tech RADIUS servers you must keep in mind that you are connecting to a network that you do not control. It is possible that there are network monitors in place which can record and potentially modify traffic.
We encourage you to take precautions against ===Getting your network eavesdropping and mischief (on password hash===MSCHAPv2 verifies the Eduroam networkNT4 hash of your password, and in general)not the password itself. Potential countermeasures that one might want This means knowing the hash of the password is sufficient to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting connect to sites], using a [https://wwwauthenticate.computing.vt.edu/content/virtual-private-network VPN]Depending on the client, or using you may be able to store the hash in your config instead of the [https://wwwpassword.torprojectTo reiterate, '''this hash is just as sensitive as your password'''.org/ Tor Browser Bundle]The hash is less human memorable, though, and does act as a deterrent to shoulder-surfing.
For general tips on improving your security while using To derive the networkpassword hash, consider reading reading the EFFyou can:<pre>printf 'YOUR-NETW-ORKP-SSWD' \ | iconv -f ASCII -t UTF-16LE \ | openssl dgst -md4 \ | cut -d ' 's [https://ssd.eff.org/ Surveillance Self-Defense] tips and/or contacting the [https://security.vt.eduf 2</ Virginia Tech Information Security Office].pre>
==A word of caution on MSCHAPv2==Warning: Use of PEAP-MSCHAPv2 to connect to the Virginia Tech network is strongly discouraged by the Linux and Unix Users Group due to attacks that can allow all traffic to be decrypted with a 100% success rate. UnfortunatelyIf you are using OpenSSL 3, VT has deprecated its use so users you will soon lose need to specify the choice to use certificates.legacy provider:<pre> | openssl dgst -md4 -provider legacy \</pre>
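Review bot: The derivation pipeline puts the network password in a printf argument, so it ends up in shell history; reading it from a silent prompt (for example "read -rs" in bash) and piping the variable avoids that. "iconv -f ASCII" also fails on any password containing non-ASCII characters, which is worth stating. "NT4 hash" would be clearer as "NT hash", since what the pipeline computes is the MD4 of the UTF-16LE password. The OpenSSL 3 variant is shown only as a fragment with a leading pipe; repeating the full pipeline would prevent paste errors.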
At DefCon 20 ===A Word of Caution===Although you can verify connection to the Virginia Tech RADIUS servers you must keep in July 2012, an attack was announced for MSCHAPv2 mind that allows the protocol you are connecting to be cracked quickly with a 100% success rate.<ref>[https://wwwnetwork that you do not control.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref> '''Use of MSCHAPv2 It is strongly discouragedpossible that there are network monitors in place which can record and potentially modify traffic.'''
We encourage you to take precautions against network eavesdropping and mischief (on the eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle].
==Set For general tips on improving your remote access (security while using the network) passphrase==Regardless of what software you use to establish your connection, you must first set your remote passphrase by going to consider reading the EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips, reading [https://mywww.vthokieprivacy.edu myorg/ Hokie Privacy], and/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office]→Settings→Change Network Password.
==AndroidNetworkManager Instructions=====eduroam (preferred)===TODO=== VT-Wireless (legacy)==={{Version|2.2 (Froyo) of Android}}
* From In the home screenlist of wireless networks, press the menu button and choose "Settings"→"Wireless & networks"→select "Wi-Fi settingseduroam".* Remove any existing entries for {{{networks|the network you'd like to add or any conflicting network}}}.* From Set the "WiFi networks" listing, click on {{{network|the network you'd like to add}}}.* Choose PEAP as the EAP method and MSCHAPv2 as the phase two authentication mechanism.* Enter your credentials for the identity and press "Connect".following options:
==NetworkManager==* Wi-Fi security: WPA & WPA2 Enterprise===eduroam * Authentication: Protected EAP (preferredPEAP)===* In your wireless configuration program, select eduroamAnonymous identity: anonymous@vt.edu* Choose PEAP as the EAP typeDomain: nis.vt.edu* Choose MSCHAPv2 as CA certificate: Select <code>/path/to/USERTrust_RSA_Certification_Authority.pem</code> via the file picker* PEAP version: Automatic* Inner authentication method.: MSCHAPv2* Use Username: PID@vt.edu and network passphrase as your login credentials.* Use anonymous@vt.edu as your Anonymous Identity* '''TODOPassword:''' Certificate verificationYOUR_NETWORK_PASSWORD
===VT-Wireless (legacy)===* In your wireless configuration program, select VT-Wireless.* Choose PEAP as the EAP type.* Choose MSCHAPv2 as the authentication method.* Use your {{{identity|PID}}} and network passphrase as your login credentials[[File:Nm settings.png]]
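Review bot: "Domain: nis.vt.edu" is looser than the server name eduroam.nis.vt.edu that the wpa_supplicant, connman and iwd examples match on; unless the broader value is deliberate, use eduroam.nis.vt.edu here too, or say why this client differs. The CA certificate is given as /path/to/USERTrust_RSA_Certification_Authority.pem, while the certificate section says the root is likely at /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem, which would be the more useful default to show.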
==wpa_supplicantInstructions==
===For eduroam (preferred)===
[http://w1.fi/wpa_supplicant/ wpa_supplicant] is a cross-platform supplicant which implements IEEE 802.1x/WPA and is used in many Linux/UNIX distributions.
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
update_config=1
fast_reauth=1
ap_scan=1
phase2="auth=MSCHAPV2"
anonymous_identity="anonymous@vt.edu"
# if you prefer to pin the certificate, follow the instructions above to generate a hash ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff" # if you prefer to dynamically validate the certificate by its cryptographic attributes ca_cert="/path/to/USERTrust_RSA_Certification_Authority.pem" domain_match="eduroam.nis.vt.edu" identity="YourPidHerePID@vt.edu" password="YourNetworkPasswordHereYOUR_NETWORK_PASSWORD"
}
$ sudo dhcpcd wlan0
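Review bot: As written, the network block assigns ca_cert twice, once as a hash://server/sha256/ pin and once as a CA file path, with only a comment above each, so a reader who pastes the block cannot tell which setting applies. Present the two as alternatives with one of them commented out, and say which of the remaining lines (domain_match in particular) go with each alternative.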
Alternate config options, besides domain_match are as follows (obviously not correct):  subject_match="/C=US/ST=For VT-Wireless (legacy)CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com"Add the following lines to <code>/etc/wpa_supplicant domain_suffix_match="nis.vt.conf</code>:edu"
ctrl_interface=DIR=More thorough documentation is available at [https://w1.fi/cgit/hostap/plain/runwpa_supplicant/wpa_supplicant GROUP.conf] ===wheel update_configOpenBSD Instructions=1 fast_reauth=1 ap_scan=1 Since the [[OpenBSD]] network stack doesn't support 802.1x authentication, wpa_supplicant is needed to connect. wpa_supplicant on OpenBSD is different from its Linux counterpart in that it is only capable of 802.1x authentication and nothing more. First, install wpa_supplicant from ports if it is not already installed. After that, add just the <code>network={.. }</code> portion of the above configuration to <code>/etc/wpa_supplicant.conf</code>. The wpa_supplicant service can be enabled with (where iwm0 is your wireless interface): ssid="VT-Wireless" proto=WPA2 $ rcctl enable wpa_supplicant key_mgmt=WPA $ rcctl set wpa_supplicant flags -c /etc/wpa_supplicant.conf -s -D openbsd -EAPi iwm0 eap=PEAP $ rcctl start wpa_supplicant phase2="auth=MSCHAPV2" identity="Finally, connect to the network with (again, replacing iwm0 with your {{{identity|PID}}}"wireless interface): password="your passphrase" ca_cert="/etc/ssl/certs/GlobalSign_Root_CA $ ifconfig iwm0 join eduroam wpa wpaakms 802.pem1x up }$ dhclient iwm0 $ ifconfig iwm0 inet6 autoconf
==netctlInstructions==
[https://wiki.archlinux.org/index.php/netctl netctl] is a network manager which is native to the ArchLinux distribution. netctl makes use of wpa_supplicant under the hood, and so the configuration is similar.
===eduroam (preferred)===
Put the following configuration in <code>/etc/netctl/eduroam</code> with your proper PID and Network Password. Further, this assumes that your wireless network device is wlan0, which you might have to change to match your system. The ca_cert line pins the server certificate and can be generated/validated using the mechanism described above.
'anonymous_identity="anonymous@vt.edu"'
'ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"'
'domain_match="eduroam.nis.vt.edu"'
'identity="YourPidHere@vt.edu"'
'password="YourNetworkPasswordHere"'
)
 
The ConfigSection (as per the netctl.profile manpage) is just what you would put in a wpa_supplicant config. Again, note that the domain_match is ''less secure'' than ca_cert, but better than not checking at all.
Ensure that this file is owned by root and only readable by root:
$ sudo netctl start eduroam
==connman Instructions =For VT-Wireless (legacy)=This config should be useable with connman. Replace Passphrase and Identity with your Network password and PID@vt.edu, respectively. <pre>[global]Name =eduroamDescription =Optionally put something descriptive here. Tested on [[Arch Linuxservice_wifi_3c15c2e29584_656475726f616d_managed_ieee8021x]] with netctl 0Type = wifiName = eduroamEAP = peapCACertFile = /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pemDomainMatch = eduroam.nis.vt.eduAnonymousIdentity = anonymous@vt.eduPhase2 = MSCHAPV2Identity = PID@vt.eduPassphrase = NETWORKPASSWORD</pre> ==iwd Instructions==This is a sample configuration, usually located at something like <code>/var/lib/iwd/eduroam.8021x</code>. For details, read <code>iwd.8 network(updated on 2013-04-125)</code>.
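Review bot: The service section name [service_wifi_3c15c2e29584_656475726f616d_managed_ieee8021x] appears to embed one specific interface hardware address (656475726f616d is hex for "eduroam"); replace the address with a placeholder and tell readers where their own value comes from. The file stores Passphrase in clear text, so it needs the same root-only ownership and permission guidance that the netctl section gives, and the text should name the path where the file belongs.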
* Create a file, '''/etc/netctl/VT<pre>[Security]EAP-Method = PEAPEAP-Identity = anonymous@vt.eduEAP-PEAP-Wireless''' and place this in itCACert = embed:USERTrust_RSA_Certification_Authority DescriptionEAP-PEAP-ServerDomainMask ="VTeduroam.nis.vt.eduEAP-Wireless PEAP-MSCHAPv2"Phase2-Method = MSCHAPV2 InterfaceEAP-PEAP-Phase2-Identity =wlan0PID@vt.edu ConnectionEAP-PEAP-Phase2-Password-Hash =wireless8846f7eaee8fb117ad06bdd830b7586c [@pem@USERTrust_RSA_Certification_Authority] Security=wpa-configsection----BEGIN CERTIFICATE-----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 Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ IP=dhcpXHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/ IP6=statelessqS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB WPAConfigSection=(L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfGjjxDah2nGN59PRbxYvnKkKj9 'ssid="VT-Wireless"'----END CERTIFICATE-----</pre>  'proto=RSN'=Android Instructions== [[File:AndroidEduroamNoCert.png|170px|thumb|Sample Android configuration of eduroam, but crucially lacking certificate validation.]]  'key_mgmt=WPAA sample configuration is available to the right, but as this configuration is currently lacking CA certificate validation, we do not at this time recommend connecting to the network. The Identity needs to be modified to match your PID@vt.edu, and your Network Password needs to be entered in the Password field. Steps:* Navigate to the list of Wi-EAP'Fi networks.* "Forget" any existing entries for eduroam.* From the "WiFi networks" listing, click on eduroam. 'eap=* Choose PEAP'as the EAP method and MSCHAPv2 as the phase two authentication mechanism. 'phase2=* For the CA certificate, select "auth=MSCHAPV2Use system certificates"'. Optionally, import the root CA from above, and select that instead for better security. 
'* For the domain, enter ```eduroam.nis.vt.edu```* Enter your pid@vt.edu for the identity=* Enter "YOUR IDENTITYanonymous@vt.edu"'for the anonymous identity '* Enter your Network Password for the password=* Press "NETWORK PASSWORDConnect".  'ca_cert="/etc/ssl/certs/GlobalSign_Root_CANOTE: Older versions of Android do not allow not verifying the server certificate. Setting both the root CA and the domain are essential for protecting your credentials. Although older versions will get you connected, use at your own risk.pem"' )
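Review bot: The NOTE "Older versions of Android do not allow not verifying the server certificate" has a double negative that contradicts the following sentence about older versions connecting at the user's own risk; state plainly which versions permit skipping validation. The figure caption and the intro say the sample lacks CA validation and that connecting is not recommended, while the steps now select "Use system certificates" and set the domain, so the two need reconciling. The domain value is wrapped in triple backticks, which is not wiki markup; use the code tag as elsewhere on the page. In the iwd sample above, label the EAP-PEAP-Phase2-Password-Hash value as a sample to be replaced.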
Make sure to change '''IDENTITY''' to your {{{identity|PID}}}, ==Frequently Asked Questions=====Is eduroam free?===eduroam at Virginia Tech is free for:* VT affiliates with wireless entitlements (includes students) access and '''NETWORK PASSWORD''' to your network password.passwords* Users at other participating institutions
===Why is eduroam the preferred SSID?===Using eduroam has several advantages:* After creating this file, make sure The unencrypted portion of your authentication optionally identifies you as "anonymous@vt.edu" rather than revealing your PID* You have access to change the owner seamless roaming if you ever travel to root (<code>sudo chown root:root /etc/netctl/VT-Wireless</code>) and change the permissions so that it can be read only by another participating college campus* The anonymous identity feature separates RADIUS authentication logs from the owner (<code>sudo chmod 0600 /etc/netctl/VT-Wireless</code>). This will ensure that your private key password cannot be read by others easily.network access provider's logs
* To connect===Does eduroam support EAP-TLS?===Currently, simply type the following in a terminal: sudo netctl start VTVirginia Tech eduroam RADIUS servers are not configured for EAP-WirelessTLS.
==References==
<references/>
 
===Network Information Sources===
* [http://www.cns.vt.edu/html/wireless/wlan/index.html Communications Network Services: Wireless LAN]
* [http://computing.vt.edu/internet_and_web/internet_access/ipaddresses.html Virginia Tech IP Addresses]
[[Category:Howtos]]
[[Category:Campus computing resources]]
[[Category:Needs restoration]]