Virginia Tech Wifi

Revision of 14:00, 28 June 2023 (488 bytes removed). Edit summary: Undo revision 7818 by Waldrep (talk)
On campus, there are two wireless networks:
* '''eduroam''' uses federated credentials and is the preferred method. It authenticates with PEAP-MSCHAPv2 against the Virginia Tech RADIUS servers.
* '''VirginiaTech''' provides a captive portal for guests (with guest account creation) and for devices that cannot use eduroam's authentication method.
Any remotely modern and complete Linux or Unix system will be able to connect to eduroam without issues.
[https://eduroam.org/ eduroam] is a secure wireless access service developed for research and educational institutions. Because eduroam's credentials are federated, a VT user can connect automatically at any participating institution using their Virginia Tech credentials. The eduroam-US site provides a [https://www.eduroam.us/technical_overview technical overview] of how the network authenticates you to the Virginia Tech RADIUS servers.
==General Connection Information==
====USERTrust RSA Certification Authority====
''Subject:'' C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
This is a common root CA and should have shipped with your OS. It is likely located in <code>/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem</code>. Note that if you follow the Authority Information Access of the intermediate certificate, it may direct you to a URL serving a different version of this certificate, cross-signed by AddTrust, which expired in May 2020. The one in your cert store is self-signed (issuer equals subject) and expires in 2038. You want the one from your cert store.
====InCommon RSA Server CA====
''Subject:'' C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
This is an intermediate certificate issued by USERTrust to InCommon. You can get it directly from InCommon [http://crt.usertrust.com/InCommonRSAServerCA_2.crt here].
====eduroam.nis.vt.edu====
It is recommended that you obtain the server certificate and compute its hash yourself rather than trusting the certificate hash shown in the configurations below.
'''Note:''' Because this pins the server certificate instead of relying on the PKI, the configuration must be updated to match the new certificate whenever NI&S rotates it (at least every year). Until it is updated, authentication will fail rather than silently fall back to a weaker check.
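As an added example that is not part of the original page, the following shell script computes the server-certificate pin in the form wpa_supplicant expects after <code>hash://server/sha256/</code>, and verifies a server certificate against a root CA with the same hostname check that <code>domain_match</code> performs. So that it runs offline it builds a throwaway root CA and a server certificate for eduroam.nis.vt.edu with openssl; that PKI is constructed test data standing in for the real USERTrust / InCommon / eduroam.nis.vt.edu chain, and the function names are the example's own. To pin the real server, run <code>server_pin</code> on the certificate you captured from the RADIUS server instead.

```sh
#!/bin/sh
# Added example, not from the wiki: compute the server-certificate pin
# wpa_supplicant expects after hash://server/sha256/ and verify a server
# certificate against a root CA with a hostname check, mirroring what
# ca_cert= and domain_match= do during PEAP. The PKI built by make_test_pki
# is constructed test data standing in for the USERTrust / InCommon /
# eduroam.nis.vt.edu chain; function names are the example's own.
set -eu

# SHA-256 over the DER encoding of the certificate, as lowercase hex.
server_pin() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# The ca_cert= line to paste into the network={ } block.
pin_line() {
    printf 'ca_cert="hash://server/sha256/%s"\n' "$(server_pin "$1")"
}

# Chain validation against the given root plus hostname (SAN) check.
# Returns 0 when both pass, non-zero otherwise.
# Arguments: root CA PEM, server certificate PEM, expected hostname.
verify_chain() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Throwaway root CA and a server certificate it issued for
# eduroam.nis.vt.edu (constructed, two-day validity). $1 is an output dir.
# A private config file is used so the script does not depend on the
# system openssl.cnf being present.
make_test_pki() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=eduroam.nis.vt.edu" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    printf 'subjectAltName=DNS:eduroam.nis.vt.edu\nbasicConstraints=CA:FALSE\n' > "$d/srv.ext"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 2 -sha256 -extfile "$d/srv.ext" -out "$d/srv.pem" 2>/dev/null
}

# Demo: correct hostname passes, wrong hostname is rejected, then print the pin line.
demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    verify_chain "$d/ca.pem" "$d/srv.pem" eduroam.nis.vt.edu && echo "chain + hostname: OK"
    verify_chain "$d/ca.pem" "$d/srv.pem" evil.example || echo "hostname mismatch: rejected"
    pin_line "$d/srv.pem"
    rm -rf "$d"
}

demo
```

On a live connection wpa_supplicant reports the same SHA-256 of the server's leaf certificate in its <code>CTRL-EVENT-EAP-PEER-CERT depth=0 ... hash=</code> event (visible with <code>wpa_cli</code> or the <code>-d</code> flag), which is a useful cross-check before you commit a pin to the configuration.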
===Getting your network password hash===
wpa_supplicant can authenticate with the MSCHAPv2 NtPasswordHash (MD4 over the UTF-16LE encoding of the password) instead of the cleartext password, so only the hash needs to be stored in the configuration file. Generate it with:
<pre>
printf '%s' 'YOUR-NETW-ORKP-SSWD' \
| iconv -f UTF-8 -t UTF-16LE \
| openssl dgst -md4 \
| cut -d ' ' -f 2
</pre>

If you are using OpenSSL 3, MD4 lives in the legacy provider and you will need to load it explicitly:
<pre>
printf '%s' 'YOUR-NETW-ORKP-SSWD' \
| iconv -f UTF-8 -t UTF-16LE \
| openssl dgst -md4 -provider legacy -provider default \
| cut -d ' ' -f 2
</pre>
Note that the hash is password-equivalent for MSCHAPv2: anyone who can read it can authenticate as you, so protect the configuration file as you would the password itself.
Below is the <code>network={ ... }</code> block for wpa_supplicant; put it in <code>/etc/wpa_supplicant/eduroam.conf</code>, readable only by root, since it contains your credentials:
<pre>
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@vt.edu"
    # if you prefer to pin the server certificate, follow the instructions above to
    # generate the hash and replace this placeholder (it is NOT a real hash)
    #ca_cert="hash://server/sha256/0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff"
    # if you prefer to validate the certificate chain against the root CA
    ca_cert="/path/to/USERTrust_RSA_Certification_Authority.pem"
    domain_match="eduroam.nis.vt.edu"
    identity="PID@vt.edu"
    password="YOUR_NETWORK_PASSWORD"
    # or, to avoid storing the cleartext: password=hash:<hash from the section above>
}
</pre>
Then start wpa_supplicant and obtain an address:
<pre>
$ sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/eduroam.conf
$ sudo dhcpcd wlan0
</pre>
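Putting the hash section and the configuration above together, as an added example that is not from the wiki: a shell script that computes the NT hash (handling both OpenSSL 1.1 and OpenSSL 3's legacy provider) and writes an eduroam.conf that uses <code>password=hash:</code> so the cleartext never touches disk, created with owner-only permissions. The PID, password and output path in the demo are constructed placeholders, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the wiki: derive the NT hash that wpa_supplicant
# accepts as password=hash:<hex> and write an eduroam.conf that stores the
# hash instead of the cleartext. The PID, password and paths used in the
# demo are constructed placeholders; function names are the example's own.
set -eu

# MD4 via openssl. OpenSSL 3 moved MD4 into the legacy provider, so probe
# once on empty input and load the provider only when the plain call fails.
md4() {
    if openssl dgst -md4 </dev/null >/dev/null 2>&1; then
        openssl dgst -md4
    else
        openssl dgst -md4 -provider legacy -provider default
    fi
}

# NtPasswordHash: MD4 over the UTF-16LE encoding of the password.
# printf '%s' keeps backslashes and % in the password literal, and UTF-8
# input means non-ASCII characters are encoded the way MSCHAPv2 expects.
nt_hash() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | md4 | awk '{print $NF}'
}

# Write the wpa_supplicant network block for eduroam with password=hash:.
# The file is created under umask 077 because the hash is password-
# equivalent for MSCHAPv2. Arguments: PID, password, output path.
write_eduroam_conf() {
    pid=$1 pw=$2 out=$3
    h=$(nt_hash "$pw")
    (
        umask 077
        cat > "$out" <<EOF
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@vt.edu"
    identity="$pid@vt.edu"
    password=hash:$h
    ca_cert="/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem"
    domain_match="eduroam.nis.vt.edu"
}
EOF
    )
}

# Demo with a constructed PID and the well-known test password "password".
demo() {
    echo "NT hash of 'password': $(nt_hash password)"   # 8846f7eaee8fb117ad06bdd830b7586c
    d=$(mktemp -d)
    write_eduroam_conf jdoe password "$d/eduroam.conf"
    ls -l "$d/eduroam.conf"
    cat "$d/eduroam.conf"
    rm -rf "$d"
}

demo
```

The hash of the string <code>password</code> is the standard NT-hash test vector, so if your openssl and iconv produce <code>8846f7eaee8fb117ad06bdd830b7586c</code> for it you can trust the pipeline with your real password.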
 
On [[OpenBSD]], the process is a little more complicated (the OpenBSD Instructions section below has the full setup):
<pre>
# ifconfig wlan0 nwid eduroam wpa wpaakms 802.1x up
# /usr/local/sbin/wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf
# dhclient wlan0
# ifconfig wlan0 inet6 autoconf
</pre>
Alternatives to <code>domain_match</code> for checking the server name include <code>domain_suffix_match</code> (accepts any host under the given suffix, so it is weaker), <code>altsubject_match</code> (matches subjectAltName entries such as <code>DNS:eduroam.nis.vt.edu</code>) and <code>subject_match</code> (a substring match on the subject, the weakest of the three). More thorough documentation of all options is available at [https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf]
 
===OpenBSD Instructions===
Since the [[OpenBSD]] network stack doesn't support 802.1x authentication, wpa_supplicant is needed to connect. wpa_supplicant on OpenBSD is different from its Linux counterpart in that it is only capable of 802.1x authentication and nothing more. First, install wpa_supplicant from ports if it is not already installed. After that, add just the <code>network={ .. }</code> portion of the above configuration to <code>/etc/wpa_supplicant.conf</code>. The wpa_supplicant service can be enabled with (where iwm0 is your wireless interface):
 
<pre>
$ rcctl enable wpa_supplicant
$ rcctl set wpa_supplicant flags -c /etc/wpa_supplicant.conf -s -D openbsd -i iwm0
$ rcctl start wpa_supplicant
</pre>
 
Finally, connect to the network with (again, replacing iwm0 with your wireless interface):
 
<pre>
$ ifconfig iwm0 join eduroam wpa wpaakms 802.1x up
$ dhclient iwm0
$ ifconfig iwm0 inet6 autoconf
</pre>
==netctl Instructions==

==Android Instructions==
Steps:
* Navigate to the list of Wi-Fi networks ("Settings"→"Wireless & networks"→"Wi-Fi"). "Forget" any existing entries for eduroam.
* From the "WiFi networks" listing, click on eduroam.
* Choose PEAP as the EAP method and MSCHAPv2 as the phase two authentication mechanism.
* For the CA certificate, select "Use system certificates". Optionally, import the root CA from above, and select that instead for better security.
* For the domain, enter <code>eduroam.nis.vt.edu</code>
* Enter your pid@vt.edu for the identity
* Enter "anonymous@vt.edu" for the anonymous identity
* Press "Connect".
'''NOTE:''' Older versions of Android cannot verify the eduroam server certificate. Setting both the CA certificate and the domain is essential for protecting your network credentials: without them, any access point advertising the "eduroam" SSID can present its own certificate and capture your MSCHAPv2 challenge/response, which can be cracked offline. Older versions will still get you online, but use them at your own risk. The options, from least to most secure:
# Do not validate: you will get online, but consider the connection no more secure than a public hotspot and your credentials exposed to any rogue "eduroam" access point.
# Use system certificates (Android 7.1+ only): checks that the certificate chains to some root CA in the system store. Significantly better than no validation, but any publicly trusted CA could issue an acceptable certificate, so also specify a domain; use "vt.edu" if "eduroam.nis.vt.edu" is not accepted.
# Download and import the USERTrust root CA: restricts trust to a single CA, but if the name (CN) is still not checked it is only marginally better than using system certificates.
# Use the [https://play.google.com/store/apps/details?id=uk.ac.swansea.eduroamcat eduroam CAT] tool: sets up the whole wireless profile with the correct CA and verifies the CN, so it is the preferred method. Remove any existing "eduroam" profile first. When prompted for the username and password, use <code>PID@vt.edu</code> and your network password. The tool relies on geolocation to select the right institution's profile, so you may need to go outside for a GPS fix; geo-IP (e.g., while connected to the "VirginiaTech" SSID) is usually close enough.
==Frequently Asked Questions==