There On campus, there are three 2 wireless networks on campus:* '''eduroam''': uses federated credentials and is the preferred method. One network, called VT-Wireless, encrypts all traffic * '''VirginiaTech''': for guests and is secured with [[EAP-TLS]] devices that cannot use the authentication method of '''eduroam'''.Any remotely modern/complete Linux or PEAP-MSCHAPv2. A second network, CONNECTtoVT-Wireless, an unencrypted, captive portal wireless network designed Unix system will be able to set up connecting connect to VT-Wireless eduroam without offering Internet access. Due to user any issues faced during deployment, CONNECTtoVT-Wireless began offering captive portal access to VT users.

As of January 2015 the [https://www.computing.vt.edu/content/Because '''eduroam preferred method] of wireless access at Virginia Tech is through the [https://eduroam.org/ Eduroam] network. Eduroam is ''''s credentials are federated, it means that a secure wireless access service that was developed for the use of research and educational institutions. One of the advantages of the Eduroam network over the VT-Wireless network user is that you will be able to automatically connect to the Internet at any participating institution using your Virginia Tech credentialsinstitutions. The Eduroameduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS serversauthentication system.

For information on ==General Connection Information=====eduroam===The following settings are recommended for connecting to the legacy VT-Wireless eduroam network: * '''SSID:''' eduroam* '''EAP:''' PEAP* '''Phase 2:''' MSCHAPv2* '''Root CA:''' "USERTrust RSA Certification Authority" or pin the certificate (see below)* '''Server Name:''' eduroam.nis.vt.edu* '''Identity:''' pid@vt.edu (So if your PID was "hokiebird", see hokiebird@vt.edu)* '''Anonymous Identity:''' anonymous@vt.edu* '''Password:''' [https://www.computing.vt.edu/kb/entry/3765 Your Network Password] ''Regardless of what software you use to establish your connection, you must first set your remote (network) passphrase by going to [Virginia Tech Wifihttps: VT-Wireless]//my.vt.edu my.vt.edu]→Settings→Change Network Password.'' ===Obtaining the Certificate Chain=== The certificate presented by the RADIUS server is chained as such: * USERTrust RSA Certification Authority** InCommon RSA Server CA *** eduroam.nis.vt.edu

Below is where to obtain each of these, along with some metadata. The filenames are arbitrary, but will be used for the rest of this article. For every certificate (''especially'' the root, the signature chain helps with the rest), consider where you are obtaining it from and how much trust that you are getting what you think you are. You will probably want the PEM formatted certificate, if you have the option. ====USERTrust RSA Certification Authority==== ''Filename:'' USERTrust_RSA_Certification_Authority.pem ''Subject:'' C =US, ST =Connection New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem</code>. Note that if you follow the Authority InformationAccess of the intermediate certificate, it may direct you to a URL which points to a different version of this certficate, which is cross signed by AddTrust and expired in May 2020. The one in your cert store is self-signed and expires in 2038. You want the one from your cert store. ====InCommon RSA Server CA==== ''Filename:'' InCommonRSAServerCA_2.pem ''Subject:'' C =US, ST =MI, L =eduroamAnn Arbor, O =Internet2, OU =InCommon, CN =InCommon RSA Server CAThe following settings are recommended for connecting This is an intermediate certificate issued to the Eduroam networkInCommon. You can get it directly from InCommon [http://crt.usertrust.com/InCommonRSAServerCA_2.crt here]. ====eduroam.nis.vt.edu====

* SSID''Filename: '' eduroam* EAP: PEAP* Phase 2: MSCHAPv2* Identity: pid@vt.edu (So if your PID was "hokiebird", hokiebird@vtnis.edu)* Anonymous Identity: anonymous@vt.edu* Password: [https://www.computing.vt.edu/kb/entry/3765 Your Network Password]pem

''Subject:'' C =US, postalCode =24061, ST =Virginia, L =Certificate PinningBlacksburg, street =800 Washington St. SW, O =Virginia Polytechnic Institute and State University, OU =Secure Identity Services, CN =eduroam.nis.vt.edu

Due to vulnerabilities in the MSCHAPv2 protocol that allow This can be obtained from the protocol to be cracked quickly with a 100% success rate<ref>[https://wwwcerts.cloudcrackerit.com/blog/2012/07/29/cracking-ms-chap-v2vt.edu/search VT Certificate Manager]</ref>, it is ''absolutely critical'' that . This requires PID login. Search for "eduroam.nis.vt.edu". Grab the RADIUS server certificate be validated properly before attempting authentication. Unfortunately, VT is in the process of deprecating a much stronger authentication method, [[EAP-TLS]], and as such, network certificates will no longer be an optionmost recently issued.

Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of ===Validating the certificate.===

In order to generate <ol><li> Obtain ''all'' certificates in the certificate hash, download chain ''in PEM format'' </li><li> Concatenate the certificate by clicking the "Download" link on the [httpsnon-leaf certificates in to a single file:</li><pre>$ cat USERTrust_RSA_Certification_Authority.pem InCommonRSAServerCA_2.pem > ca.pem</pre><li> Verify the certificates are signed correctly </ashli><pre>$ openssl verify -verbose -purpose sslserver -CAfile ca.eprovpem eduroam.setinis.vt.edu.pemeduroam.nis.vt.edu.pem: OK</EJBCAWebRequestpre><li> For at least the root and leaf certificates, verify the subject (compare to above) </certSearch?cmd=search&keyword=VTli><pre>$ openssl x509 -in file_of_cert_you_want_to_check -Wireless Certificate Search for VTnoout -Wireless] (Unfortunately this site is only available to Virginia Tech IPs)subject</pre></ol>

Due to vulnerabilities in the MSCHAPv2 protocol that allow the protocol to be cracked quickly with a 100% success rate<ref>[https://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref>, it is ''absolutely critical'' that the RADIUS server certificate be validated properly before attempting authentication. Where possible, we opt for the highest level of verification of the certificate: manually pinning the hash of the certificate we expect to be presented. (TODO)The canonical form of the hash used by many network managers is the SHA256 hash of the DER encoding of the certificate.

Then Validate the certificate (see above) then generate the sha256 hash (in the directory where the certificate downloaded to):

$ openssl x509 -in VT-Wirelesseduroam.cnsnis.vt.edu.crt -outform der | sha256sum 216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a 9b5163a3360f07b2dce2fd1e958c541687cf4c5360bb8adc87fa821c1c969910 -

'''Note:''' As we are pinning the certificate instead of relying on a PKI, when CNS NI&S rotates the certificates being used(at least every year), the configuration will need to be updated to match the new certificate. ===Getting your network password hash===MSCHAPv2 verifies the NT4 hash of your password, not the password itself. This means knowing the hash of the password is sufficient to connect to authenticate. Depending on the client, you may be able to store the hash in your config instead of the password. To reiterate, '''this hash is just as sensitive as your password'''. The hash is less human memorable, though, and does act as a deterrent to shoulder-surfing. To derive the password hash, you can:<pre>printf 'YOUR-NETW-ORKP-SSWD' \ | iconv -f ASCII -t UTF-16LE \ | openssl dgst -md4 \ | cut -d ' ' -f 2</pre> If you are using OpenSSL 3, you will need to specify the legacy provider:<pre> | openssl dgst -md4 -provider legacy \</pre>

====A Word of Caution====

We encourage you to take precautions against network eavesdropping and mischief (on the Eduroam eduroam network, and in general). Potential countermeasures that one might want to employ include using [https://www.eff.org/HTTPS-EVERYWHERE HTTPS when connecting to sites], using a [https://www.computing.vt.edu/content/virtual-private-network VPN], or using the [https://www.torproject.org/ Tor Browser Bundle]. For general tips on improving your security while using the network, consider reading the EFF's [https://ssd.eff.org/ Surveillance Self-Defense] tips, reading [https://www.hokieprivacy.org/ Hokie Privacy], and/or contacting the [https://security.vt.edu/ Virginia Tech Information Security Office].

==Set Your Remote Access (Network) Passphrase==Regardless In the list of what software you use to establish your connectionwireless networks, you must first set your remote passphrase by going to [httpsselect "eduroam". Set the following options://my.vt.edu my.vt.edu]→Settings→Change Network Password.

* In your wireless configuration program, select eduroam.* Choose PEAP as the EAP type.* Choose MSCHAPv2 as the authentication method.* Use PID@vt.edu and network passphrase as your login credentials.* Use anonymous@vt.edu as your Anonymous Identity* '''TODO[[File:''' Certificate verification (Warning, until certificate verification is added, it is ''not'' recommended that you use this method of accessing the networkNm settings.)png]]

==wpa_supplicantInstructions==

update_config=1

# if you prefer to pin the certificate, follow the instructions above to generate a hash ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff" # if you prefer to dynamically validate the certificate by its cryptographic attributes ca_cert="/path/to/USERTrust_RSA_Certification_Authority.pem" domain_match="eduroam.nis.vt.edu" identity="YourPidHerePID@vt.edu" password="YourNetworkPasswordHereYOUR_NETWORK_PASSWORD"

Alternate config options, besides domain_match are as follows (obviously not correct):  subject_match="/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com" domain_suffix_match="nis.vt.edu" More thorough documentation is available at [https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf] ===OpenBSD Instructions===Since the [[OpenBSD]] network stack doesn't support 802.1x authentication, wpa_supplicant is needed to connect. wpa_supplicant on OpenBSD is different from its Linux counterpart in that it is only capable of 802.1x authentication and nothing more. First, install wpa_supplicant from ports if it is not already installed. After that, add just the <code>network={ .. }</code> portion of the above configuration to <code>/etc/wpa_supplicant.conf</code>. The wpa_supplicant service can be enabled with (where iwm0 is your wireless interface):  $ rcctl enable wpa_supplicant $ rcctl set wpa_supplicant flags -c /etc/wpa_supplicant.conf -s -D openbsd -i iwm0 $ rcctl start wpa_supplicant Finally, connect to the network with (again, replacing iwm0 with your wireless interface):  $ ifconfig iwm0 join eduroam wpa wpaakms 802.1x up $ dhclient iwm0 $ ifconfig iwm0 inet6 autoconf ==netctlInstructions==

== connman Instructions ==This config should be useable with connman. Replace Passphrase and Identity with your Network password and PID@vt.edu, respectively. <pre>[global]Name = eduroamDescription = Optionally put something descriptive here. [service_wifi_3c15c2e29584_656475726f616d_managed_ieee8021x]Type = wifiName = eduroamEAP = peapCACertFile = /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pemDomainMatch = eduroam.nis.vt.eduAnonymousIdentity = anonymous@vt.eduPhase2 = MSCHAPV2Identity = PID@vt.eduPassphrase = NETWORKPASSWORD</pre> ==iwd Instructions==This is a sample configuration, usually located at something like <code>/var/lib/iwd/eduroam.8021x</code>. For details, read <code>iwd.network(5)</code>. <pre>[Security]EAP-Method = PEAPEAP-Identity = anonymous@vt.eduEAP-PEAP-CACert = embed:USERTrust_RSA_Certification_AuthorityEAP-PEAP-ServerDomainMask = eduroam.nis.vt.eduEAP-PEAP-Phase2-Method = MSCHAPV2EAP-PEAP-Phase2-Identity = PID@vt.eduEAP-PEAP-Phase2-Password-Hash = 8846f7eaee8fb117ad06bdd830b7586c [@pem@USERTrust_RSA_Certification_Authority]-----BEGIN CERTIFICATE-----MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkYtJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmTYo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97lc6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4eeUB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeEHg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPFUp/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KOVWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcRiQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYzeSf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZXHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRBVXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aBL6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfGjjxDah2nGN59PRbxYvnKkKj9-----END CERTIFICATE-----</pre> ==AndroidInstructions==

* From Navigate to the home screen, press the menu button and choose "Settings"→"Wireless & networks"→"list of Wi-Fi settings"networks.* Remove "Forget" any existing entries for eduroam.