Linux and Unix Users Group at Virginia Teck Wiki β

Virginia Tech Wifi (OLD)

16,996 bytes removed, 06:47, 4 January 2019
=Introduction=

Since the 2008-2009 school year, there have been two options for connecting to the Virginia Tech network by wireless card. One network, called '''VT-Wireless''', is a WPA2 Enterprise network: clients authenticate with EAP-TLS (a per-user certificate issued by CNS) and the link itself is encrypted. The other network, called '''VT_WLAN''', is an unencrypted captive-portal wireless network.

Connections to VT-Wireless are secure by default and require no user interaction once set up, but the setup has a number of steps. In contrast, setup for the unencrypted VT_WLAN network is negligible, but you will be required to authenticate manually each time you connect, and everything you send over it is visible to anyone within radio range unless the application itself uses TLS. [''NOTE: see [[#VT_WLAN_Auto_Login|below]] for scripts that automate authentication to VT_WLAN.'']

The table below summarizes the advantages and disadvantages of connecting to the two wireless LANs.

<table style="text-align: center;" align="center" border="1" cellpadding="10">
<tbody>
<tr><td></td><th>VT-Wireless</th><th>VT_WLAN</th></tr>
<tr><th>Secure (Encrypted)<br /> Connection</th><td> yes </td><td> no</td></tr>
<tr><th>Setup</th><td> involved </td><td> trivial</td></tr>
<tr><th>Authentication</th><td> automatic </td><td> manual (see [[#VT_WLAN_Auto_Login|VT_WLAN Auto Login]])</td></tr>
</tbody>
</table>

=VT-Wireless=

The VT-Wireless network uses WPA2 Enterprise. Authentication is EAP-TLS: instead of a password, each user presents a client certificate, and the network's authentication (RADIUS) server presents its own certificate in return. The per-session encryption keys are derived from that TLS exchange, so there is no shared passphrase that could leak.

==Obtaining the VT-Wireless Certificate==

Regardless of what program you use to make your connection, you will need to [https://netcert.cns.vt.edu/netcert/ obtain your p12 certificate and password from CNS]. Complete the form and download the p12 certificate file. Write down the certificate password and store it some place where you can find it again; you will need it when setting up your connection to VT-Wireless. The p12 file contains your private key, so treat it like a password: keep it in a directory only you can read and do not mail it around.

===Connecting by NetworkManager===

The setup for NetworkManager depends on your version of the software.
Please follow the instructions appropriate to your version below. In GNOME, you can right-click the NetworkManager applet icon in the panel and select "About" to find the version of NetworkManager. Ubuntu users: version 0.6 ships with 8.04 Hardy Heron, and 0.7 ships with 8.10 Intrepid Ibex.

====NetworkManager 0.7====

=====Converting the certificate to PEM certificates and keys=====

['''NOTE:''' The following steps are only necessary for NetworkManager 0.7. NetworkManager 0.6 has a [[#NetworkManager_0.6|more straightforward setup]] and wpa_supplicant works pretty much [[#Connecting_by_WPA_Supplicant|out of the box]] as well.]

You will need to convert the p12 certificate into PEM format: one file holding your certificate and one holding your private key. We will assume your downloaded p12 file is called '''<tt>netcert-1.p12</tt>''' and that its password is '''''netcertpasswd'''''.

Open a terminal and <tt>cd</tt> to the directory that contains your p12 file. Then issue the following commands:

<pre>openssl pkcs12 -in netcert-1.p12 -out vt_client_cert.pem -clcerts -nokeys
openssl pkcs12 -in netcert-1.p12 -out vt_private_key.pem -nocerts</pre>

In each step, you will be prompted for the password (''netcertpasswd'') that you were issued along with your p12 certificate. Additionally, in the final step, where you extract your private key, you will be asked to choose a PEM pass phrase for the new key file. Enter the same password that came with your p12 file; NetworkManager asks for it as the "Private Key Password" below. Do not add <tt>-nodes</tt> to the second command: that would write your private key to disk unencrypted. Once the files exist, make the key file readable only by your own user, since anyone who can read it and knows the pass phrase can join the network as you.

'''Sources'''
<ul><li> [http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup]</li></ul>

=====Make sure you have the CA Certificate=====

Next, you will need to make sure you have the Thawte CA certificate. NetworkManager uses it to verify the certificate that the network's authentication server presents; without it the client would accept any server, so a rogue access point could pose as VT-Wireless. In Ubuntu, you should find this certificate as <tt>/etc/ssl/certs/Thawte_Premium_Server_CA.pem</tt>, installed by the <tt>ca-certificates</tt> package. If you can't find the certificate, you can copy the text below and paste it into a new file of the same name; a CA certificate copied from a web page should have its fingerprint compared against a copy from a trusted source (such as your distribution's ca-certificates package) before you rely on it.
<pre>-----BEGIN CERTIFICATE-----
(certificate body not reproduced in this copy of the page)
-----END CERTIFICATE-----</pre>

Left-click the NetworkManager applet and select the VT-Wireless network.

[[Image:Nm_choose_wireless.png]]

You will see a prompt to configure the connection. First, from the Authentication drop-down menu, select TLS.

[[Image:Nm_choose_tls.png]]

Next, fill in the rest of the options:

[[Image:Nm_vt_wireless_options.png]]

<table align="center" border="1" cellpadding="5">
<tbody>
<tr><th>Field </th><th> Value</th></tr>
<tr><th>SSID</th><td>VT-Wireless</td></tr>
<tr><th>Wireless Security</th><td> WPA &amp; WPA2 Enterprise</td></tr>
<tr><th>Authentication</th><td> TLS</td></tr>
<tr><th>Identity</th><td>''Your VT PID''</td></tr>
<tr><th>User Certificate</th><td> /path/to/vt_client_cert.pem</td></tr>
<tr><th>CA Certificate</th><td> /etc/ssl/certs/Thawte_Premium_Server_CA.pem</td></tr>
<tr><th>Private Key</th><td> /path/to/vt_private_key.pem</td></tr>
<tr><th>Private Key Password</th><td> ''netcertpasswd''</td></tr>
</tbody>
</table>

Click "Connect" and you should connect to the VT-Wireless network. If the connection fails, do not "fix" it by clearing the CA Certificate field: that removes the server check, and a failing association almost always means a wrong path or pass phrase rather than a bad CA.

====NetworkManager 0.6====

Left-click the NetworkManager applet and select VT-Wireless. You will be prompted to enter information about the connection.
Here are the entries you should use:

<table align="center" border="1" cellpadding="5">
<tbody>
<tr><th>Field </th><th> Value</th></tr>
<tr><th>SSID</th><td>VT-Wireless</td></tr>
<tr><th>Wireless Security</th><td> WPA2 Enterprise</td></tr>
<tr><th>EAP Method</th><td> TLS</td></tr>
<tr><th>Key Type</th><td>Automatic (Default)</td></tr>
<tr><th>Phase2 Type</th><td> None (Default)</td></tr>
<tr><th>Identity</th><td>''Your VT PID''</td></tr>
<tr><th>Password</th><td> ''empty''</td></tr>
<tr><th>Client Certificate File</th><td> (None)</td></tr>
<tr><th>CA Certificate File</th><td> (None)</td></tr>
<tr><th>Private Key File</th><td> netcert-1.p12 <br />(the certificate downloaded<br />from VT NetCert)</td></tr>
<tr><th>Private Key Password</th><td> ''netcertpasswd''</td></tr>
</tbody>
</table>

NetworkManager 0.6 reads both your certificate and your key out of the p12 file, which is why the Client Certificate field can stay empty. Leaving the CA Certificate File empty, as shown, means the authentication server's certificate is not checked. If you have the Thawte certificate (see above), supply it in that field so that a rogue access point cannot pose as VT-Wireless.

==Connecting by wicd (wicked)==

Wicd is an alternative to NetworkManager and is used on many lightweight systems since it has few requirements and uses your system's own ifconfig/iwconfig commands. It is still under active development but is more than stable enough for everyday use. Also, NetworkManager has a tendency to disconnect every 10 minutes for about 20 seconds and then automatically reconnect. Not a show stopper, but it could be annoying during web-based assignments.

Instead of TLS, we will be using PEAP. This is a different EAP method (not a different encryption scheme; the link is still WPA2) and is much simpler to set up than TLS: the inner MSCHAPv2 exchange authenticates you with a username and password instead of a certificate. The trade-off is that your password is only protected by the outer TLS tunnel, so the CA certificate path set below matters: without it, a rogue access point could collect your MSCHAPv2 challenge/response, which can be cracked offline. I will also try setting up NetworkManager with this method later...

OK, do you have a VPN password?
If not, follow these instructions for setting up your remote VPN login account [http://answers.vt.edu/kb/entry/2846/ [1]].

Next you need to locate the copy of Thawte_Premium_Server_CA.pem on your system. For me it was in:

<pre>/etc/ssl/certs/</pre>

After diligently locating this file, open the wicd client. Click "Scan" to make sure your list of networks is up to date. Next click the "Properties" button next to VT-Wireless at the top of the list (any one is fine, really). Make sure there is a check in both "Use these settings for all networks sharing this essid" and "Use encryption". Next, in the drop-down box right below, choose "PEAP with TKIP/MSCHAPV2". This will present you with "Identity", "Password", and "Path to CA Cert" text boxes.

<pre>Identity: &lt;Your PID&gt;
Password: &lt;The one you set up earlier for VPN access&gt;
Path to CA Cert: &lt;something like /etc/ssl/certs/Thawte_Premium_Server_CA.pem&gt;</pre>

Then just click OK.

<ul>
<li>Note: wicd will "star" out your identity and the path to the CA Cert fields, so don't be alarmed when your ID and the path to the CA Cert get transformed automatically to * when you click away from the text box.</li>
<li>Note: wicd saves these settings, password included, in plain text in its own configuration files under /etc/wicd; keep that directory readable by root only.</li>
<li>Note: This method works for connecting iPhone(s)/iPod Touch(s).</li>
</ul>

<ul><li>These instructions are based on my own personal setup:</li></ul>

<pre>Eee PC 901
Ralink rt2860 (staging driver in kernel)
ArchLinux
Xfce 4.6
wicd 1.6.2
kernel 2.6.30</pre>

==Connecting by WPA Supplicant==

===Editing wpa_supplicant.conf===

Add the following to your <tt>/etc/wpa_supplicant.conf</tt> file (if no file exists, create it):

<pre>network={
    ssid="VT-Wireless"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="PID"
    private_key="/PATH/TO/NETCERT.p12"
    private_key_passwd="PASSWORD"
    ca_cert="/etc/ssl/certs/Thawte_Premium_Server_CA.pem"
}</pre>

Replace PID with your actual PID (without any trailing @vt.edu), /PATH/TO/NETCERT.p12 with the actual path to your certificate (you can store it in /etc) and PASSWORD with the certificate password given to you when you downloaded the certificate. The <tt>ca_cert</tt> line is what makes wpa_supplicant verify the authentication server's certificate; if it is left out, the supplicant only logs a warning and accepts whatever server answers. Because this file holds your key password in clear text, it should be owned by root with mode 600.
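The certificate conversion described in the NetworkManager 0.7 section above and the wpa_supplicant network block just shown, as one added shell example. This is not code from the original wiki page or from CNS: it uses the real <tt>openssl</tt> and <tt>wpa_supplicant</tt> tools, but the file names, the <tt>NETCERT_PW</tt> environment variable and the Thawte CA path are assumptions taken from this page. Beyond what the page shows, it checks that the extracted key really belongs to the extracted certificate (a mismatch otherwise surfaces only as an opaque EAP failure at association time) and keeps the password off the command line, where <tt>ps</tt> would show it to other users.

```shell
#!/bin/sh
# Added example, not code from the original wiki page.  Automates the two
# certificate-handling steps on this page: converting the NetCert p12 into the
# PEM pair NetworkManager 0.7 wants, and writing the wpa_supplicant network
# block (which uses the p12 directly).  Output file names and the Thawte CA
# path are assumptions taken from the page.  The p12 password is read from the
# environment variable NETCERT_PW so it never appears in a process's argv.

# netcert_to_pem P12 OUTDIR
# Produces OUTDIR/vt_client_cert.pem and OUTDIR/vt_private_key.pem; the key
# stays encrypted under NETCERT_PW.  Runs in a subshell so umask 077 (new files
# readable by the owner only) does not leak into the caller's shell.
netcert_to_pem() (
    p12=$1; out=$2
    umask 077
    mkdir -p "$out" || exit 1
    openssl pkcs12 -in "$p12" -passin env:NETCERT_PW -clcerts -nokeys \
        -out "$out/vt_client_cert.pem" || exit 1
    openssl pkcs12 -in "$p12" -passin env:NETCERT_PW -nocerts \
        -passout env:NETCERT_PW -out "$out/vt_private_key.pem" || exit 1
    pem_pair_matches "$out/vt_client_cert.pem" "$out/vt_private_key.pem"
)

# pem_pair_matches CERT KEY
# Succeeds only if the public key inside CERT equals the public half of KEY
# (a stale NetCert or a wrong file fails here instead of at the access point).
pem_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:NETCERT_PW -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# write_vt_wireless_conf PID P12 CA_CERT CONF
# Writes the network block from this page into CONF, with ca_cert so the
# supplicant verifies the authentication server instead of trusting any AP
# that announces the SSID.  The file holds the key password, hence mode 600.
write_vt_wireless_conf() (
    pid=$1; p12=$2; ca=$3; conf=$4
    umask 077
    cat > "$conf" <<EOF
network={
    ssid="VT-Wireless"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="$pid"
    private_key="$p12"
    private_key_passwd="$NETCERT_PW"
    ca_cert="$ca"
}
EOF
)

# readable_only_by_owner FILE -> succeeds if FILE has mode 600 exactly.
readable_only_by_owner() {
    [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# Usage on the laptop (assumed file names):
#   NETCERT_PW=netcertpasswd; export NETCERT_PW
#   netcert_to_pem netcert-1.p12 "$HOME/.vt-wireless" && echo "PEM pair OK"
#   write_vt_wireless_conf yourpid /etc/netcert-1.p12 \
#       /etc/ssl/certs/Thawte_Premium_Server_CA.pem /etc/wpa_supplicant.conf
```

The subshell function bodies are deliberate: <tt>umask 077</tt> must apply to every file OpenSSL and the heredoc create, but must not change the umask of the interactive shell that sourced the script. Unset <tt>NETCERT_PW</tt> once you are done.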
Note the certificate used here should be the original p12 file you downloaded. Reformatting the certificate is only necessary for NetworkManager 0.7.

===Running WPA Supplicant===

====Ubuntu====

In Ubuntu, make sure to shut down NetworkManager with:

<pre>sudo /etc/init.d/NetworkManager stop</pre>

Next, issue the following command:

<pre>sudo wpa_supplicant -B -i wlan0 -D wext -c /etc/wpa_supplicant.conf</pre>

Confirm that you are associated with VT-Wireless:

<pre>sudo iwconfig INTERFACE</pre>

where <tt>INTERFACE</tt> is your wireless card's device interface. Usually this is <tt>wlan0</tt> but, depending on udev and perhaps other system features, it might appear as ath0, eth1 or something else. Run <tt>sudo ifconfig -a</tt> to see all your interfaces listed.

You should see the words <tt>Access Point:</tt> followed by a MAC address (e.g., <tt>00:0F:23:EA:4A:01</tt>). If instead you see <tt>Access Point: Not-Associated</tt>, wait a few seconds (the EAP-TLS handshake takes a moment) and try the command again. If that still fails, bring down the interface and bring it back up:

<pre>sudo ifconfig INTERFACE down
sudo ifconfig INTERFACE up</pre>

and re-issue the <tt>wpa_supplicant</tt> command. To see why association fails, run <tt>wpa_supplicant</tt> without <tt>-B</tt> (and optionally with <tt>-d</tt>); a wrong pass phrase or a server certificate the supplicant cannot verify is reported there.

Next, obtain an IP address. In Ubuntu, this is done with:

<pre>sudo dhclient INTERFACE</pre>

If all goes well, you'll obtain an IP address. Otherwise, you'll receive a timeout for your DHCP request.

====Gentoo====

If you're already using wpa_supplicant, just restart your interface:

<pre># /etc/init.d/wlan0 restart</pre>

This should connect you.

If you're not using wpa_supplicant, you'll need to migrate from Wireless Tools to it in order to speak WPA and 802.1X to the VT-Wireless network. Refer to the [http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=4&amp;chap=4#doc_chap2 Gentoo documentation] for a step-by-step guide to setting up WPA Supplicant.

=VT_WLAN=

VT_WLAN service is available in approximately 90% of academic and administrative spaces across the Blacksburg campus. This wireless network is composed of unencrypted IEEE 802.11g access nodes.
To limit access to faculty and staff, VT Communications Network Services uses an authentication technology from Bluesocket. You have to register for [http://www.cns.vt.edu/html/wireless/wlan/registration.html Customer OnLine Access (COLA)] or in person at the Student Telecommunications Office to enable your account.

==Authentication==

The Bluesocket gateway will automatically redirect you to the login page (or, in some cases, hijack the URL you are trying to visit, possibly because of caching, which produces SSL certificate warnings because the gateway's certificate does not match the site you asked for). Simply type in your PID and password to be granted access. Because VT_WLAN itself is unencrypted, the login page being served over HTTPS is the only thing protecting your password; if the certificate warning is for the login page itself rather than for the site you were trying to reach, do not proceed.

==Logging in from the Command Line==

You can use curl to log in from the command line or automate the process.

<pre>curl -d which_form=reg -d _FORM_SUBMIT=1 -d bs_name=YOUR_PID -d bs_password=YOUR_PASSWORD \
  -d source=`/sbin/ifconfig eth1 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'` \
  https://`/sbin/route | grep -Eo '(bur|cas|hil|isb|owe|sha)-agw-[123]'`.cns.vt.edu/login.pl</pre>

Here is a modified version of the above so you do not have to store your user name and password in the script. Save it to a file, <tt>chmod +x the_file</tt>, then run it like so: <tt>./the_file USER PASS</tt>. Note that by doing this the command you typed (with your username and password) will be stored in ~/.bash_history, and while it runs the password is visible to every other user on the machine in the output of <tt>ps</tt>. You might wish to delete or edit the history file.

<pre>#!/bin/bash
curl -d which_form=reg -d _FORM_SUBMIT=1 -d bs_name="$1" -d bs_password="$2" \
  -d source=`/sbin/ifconfig eth1 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'` \
  https://`/sbin/route | grep -Eo '(bur|cas|hil|isb|owe|sha)-agw-[123]'`.cns.vt.edu/login.pl</pre>

Depending on the characters in your password, you may need to quote it to prevent shell expansion, i.e. <tt>-d bs_password='MY!$?*PASSWORD'</tt> in the first form, or <tt>./the_file USER 'MY!$?*PASSWORD'</tt> with the script. ifconfig and route are located in /sbin and therefore generally not in the $PATH of a normal user. You should be able to run them as such, however. Because neither command passes <tt>-k</tt>, curl verifies the gateway's certificate against the system CA store, which is what keeps the password from being posted to an impostor.
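The same login, rewritten as an added shell example that is not part of the original page: the form fields (<tt>which_form</tt>, <tt>_FORM_SUBMIT</tt>, <tt>bs_name</tt>, <tt>bs_password</tt>, <tt>source</tt>), the gateway naming pattern and the <tt>login.pl</tt> URL are taken from the commands above; the allowlist check, the password handling and the function names are this example's own choices. The parsing is split out so it can be exercised against captured <tt>route</tt> and <tt>ifconfig</tt> output (the samples in the usage note are constructed, not real campus output), and the same functions can be called from a network post-up hook in place of the Gentoo script in the VT_WLAN Auto Login section.

```shell
#!/bin/sh
# Added example, not code from the original wiki page: a safer form of the
# VT_WLAN command-line login.  Form fields, gateway pattern and URL come from
# the page; structure, allowlist check and password handling are assumptions.

# vt_wlan_gateway ROUTE_TEXT
# Extracts the Bluesocket gateway name from the output of /sbin/route.  Only a
# name matching the page's pattern is accepted, and the trusted .cns.vt.edu
# suffix is appended here rather than taken from the DNS name that route
# printed, since DNS on a rogue network is under the attacker's control.
vt_wlan_gateway() {
    name=$(printf '%s\n' "$1" \
        | grep -Eo '(bur|cas|hil|isb|owe|sha)-agw-[123]' | head -n 1)
    [ -n "$name" ] || return 1
    printf '%s.cns.vt.edu\n' "$name"
}

# vt_wlan_source_ip IFCONFIG_TEXT
# Pulls the IPv4 address out of the output of /sbin/ifconfig INTERFACE.
vt_wlan_source_ip() {
    ip=$(printf '%s\n' "$1" \
        | sed -n 's/.*inet addr:\([0-9.][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# curl_config_escape STRING
# Escapes a value for a double-quoted line in a curl config file, so that
# passwords containing " or \ survive intact.  The shell-quoting problem the
# page mentions disappears entirely because the password never touches argv.
curl_config_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# vt_wlan_login GATEWAY_FQDN SOURCE_IP PID
# Prompts for the password on the terminal and POSTs the login form.  The
# credentials reach curl through a config file on stdin (--config -), so they
# show up neither in ps output nor in the shell history.  No -k: curl verifies
# the gateway's certificate against the system CA store, which is the only
# thing standing between the password and a rogue access point on this
# unencrypted network.  --proto =https refuses any downgrade to plain http.
vt_wlan_login() {
    gw=$1; src=$2; pid=$3
    printf 'VT_WLAN password for %s: ' "$pid" >&2
    stty -echo 2>/dev/null
    IFS= read -r pw
    stty echo 2>/dev/null
    echo >&2
    curl --fail --silent --show-error --proto '=https' --config - <<EOF
url = "https://$gw/login.pl"
data = "which_form=reg"
data = "_FORM_SUBMIT=1"
data-urlencode = "bs_name=$(curl_config_escape "$pid")"
data-urlencode = "bs_password=$(curl_config_escape "$pw")"
data-urlencode = "source=$src"
EOF
}

# Usage on the laptop, with eth1 as the wireless interface:
#   vt_wlan_login "$(vt_wlan_gateway "$(/sbin/route)")" \
#                 "$(vt_wlan_source_ip "$(/sbin/ifconfig eth1)")" YOUR_PID
```

On constructed input such as a <tt>route</tt> line reading <tt>default bur-agw-2.cns.v 0.0.0.0 UG 0 0 0 eth1</tt> (route truncates long gateway names, which is why the page's pattern matches only the short prefix), <tt>vt_wlan_gateway</tt> returns <tt>bur-agw-2.cns.vt.edu</tt>, and a default route pointing at <tt>evil-agw-9.attacker.example</tt> is rejected rather than posted to.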
==VT_WLAN Auto Login==

Although now antiquated, the following entry put in /etc/conf.d/wireless on a Gentoo machine using Wireless Tools would insecurely but automatically sign in to VT_WLAN.

<pre>postup() {
    if [[ ${IFACE} = "wlan0" ]]; then
        ROUTER="$(/sbin/route | grep -Eo '(bur|cas|hil|isb|owe|sha)-agw-[123]')"
        if [[ ! "x${ROUTER}" = "x" ]] ; then
            # use the interface that just came up, not a hard-coded eth1
            IP="$(/sbin/ifconfig ${IFACE} | grep 'inet addr:' | cut -d: -f2 \
                | awk '{ print $1}')"
            curl -k -f -s -d which_form=reg -d _FORM_SUBMIT=1 \
                -d bs_name=PID \
                -d bs_password=PASSWORD \
                -d source=${IP} \
                https://${ROUTER}.cns.vt.edu/login.pl
            return $?
        fi
    fi
    return 0
}</pre>

PID and PASSWORD should of course be your PID and password. This setup is only really suitable for a single-user machine like a laptop. To very slightly improve security you should <tt>chmod 600 /etc/conf.d/wireless</tt> (root can still read it; the point is that ordinary users cannot). The <tt>-k</tt> flag tells curl to skip certificate verification, so this script does not authenticate the gateway and would send your password to any rogue access point that hands itself out as the default route; dropping <tt>-k</tt> is the single most useful change to it. Using [[#VT-Wireless|VT-Wireless]] rather than this script to automate login is highly recommended. If you insist on ugly hacks then you could perhaps look into using the [http://www.vtluug.org/wiki/index.php?title=VT_VPN VPN] on top of VT_WLAN.

==Some Technical Details==

The gateways force SSL and their certificates are all signed by the Thawte Premium Server CA. The routers are named:

<ul>
<li> bur-agw-2.cns.vt.edu</li>
<li> bur-agw-3.cns.vt.edu</li>
<li> cas-agw-?.cns.vt.edu</li>
<li> hil-agw-?.cns.vt.edu</li>
<li> isb-agw-?.cns.vt.edu</li>
<li> owe-agw-1.cns.vt.edu</li>
<li> sha-agw-1.cns.vt.edu</li>
</ul>

Generally, in order to minimize congestion, connectivity is spread across multiple channels. Channel 11 seems to be the busiest.

No MAC-based authentication is performed.

DHCP is independent of the Bluesocket authentication and occurs first.

All wireless networks (including the 802.1X networks) on campus now use RFC 1918 addresses from the 172.31.0.0/16 network.
These are translated with NAT into 198.82.x.x addresses for access outside the wireless network.

All of the 802.1X wireless networks support IPv6. Some of the VT_WLAN networks support IPv6.

You can access certain VT sites like [http://www.cns.vt.edu/ CNS] without having to authenticate.

=Network Information Sources=

<ul>
<li> [http://www.cns.vt.edu/html/wireless/wlan/index.html Communications Network Services: Wireless LAN]</li>
<li> [http://computing.vt.edu/internet_and_web/internet_access/ipaddresses.html Virginia Tech IP Addresses]</li>
</ul>