At DefCon 20 in July 2012, an attack on MSCHAPv2 was announced that recovers the credentials from a captured handshake with a 100% success rate (the exchange reduces to a single DES key search).<ref>[https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/]</ref> '''Use of MSCHAPv2 is strongly discouraged.''' All of the configurations below run MSCHAPv2 as the inner method of PEAP, so the exchange is only protected by the TLS tunnel: a client that does not validate the RADIUS server's certificate can be lured to a rogue access point and hand over its handshake. This is why the configurations below pin the server certificate; do not leave the CA/certificate setting blank.
==Set your remote access (network) passphrase==
Regardless of what software you use to establish your connection, you must first set your remote passphrase by going to [https://my.vt.edu my.vt.edu]→Settings→Change Network Password.
==Android==
===eduroam (preferred)===
TODO
=== VT-Wireless (legacy)===
{{Version|2.2 (Froyo) of Android}}
==NetworkManager==
===eduroam (preferred)===
* In your wireless configuration program, select eduroam.
* Choose PEAP as the EAP type.
* Choose MSCHAPv2 as the authentication method.
* Set the anonymous identity to anonymous@vt.edu.
* Set the CA certificate so that the RADIUS server's certificate is validated; do not leave it blank (see [[#Certificate pinning|Certificate pinning]] below).
* Use PID@vt.edu as the identity and your network passphrase as the password.
===VT-Wireless (legacy)===
* In your wireless configuration program, select VT-Wireless.
* Choose PEAP as the EAP type.
* Choose MSCHAPv2 as the authentication method.
* Set the CA certificate so that the RADIUS server's certificate is validated; do not leave it blank.
* Use your PID (without @vt.edu) as the identity and your remote network passphrase as the password.
==wpa_supplicant==
===For eduroam (preferred)===
[http://w1.fi/wpa_supplicant/ wpa_supplicant] is a cross-platform supplicant that implements IEEE 802.1X/WPA and is used in many Linux/UNIX distributions.
To connect to the eduroam network, put the following in /etc/wpa_supplicant/eduroam.conf, replacing the identity and password with your PID and Network Password. The file holds your password in clear text, so it should be owned by root and readable only by root (mode 0600):
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
update_config=1
fast_reauth=1
ap_scan=1
network={
ssid="eduroam"
proto=RSN
key_mgmt=WPA-EAP
eap=PEAP
phase2="auth=MSCHAPV2"
anonymous_identity="anonymous@vt.edu"
ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"
identity="YourPidHere@vt.edu"
password="YourNetworkPasswordHere"
}
You can then connect to the network by running (where wlan0 is your wireless interface):
$ sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/eduroam.conf
$ sudo dhcpcd wlan0
===For VT-Wireless (legacy)===
Add the following lines to /etc/wpa_supplicant.conf. Note that trusting the GlobalSign root alone accepts any GlobalSign-issued certificate, not just VT's; to tie the connection to VT's RADIUS server, prefer the hash pin used in the eduroam configuration, or add a subject constraint (wpa_supplicant's domain_suffix_match) for the server's name:
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
update_config=1
fast_reauth=1
ap_scan=1
network={
ssid="VT-Wireless"
proto=RSN
key_mgmt=WPA-EAP
eap=PEAP
phase2="auth=MSCHAPV2"
ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"
identity="YourPidHere"
password="YourNetworkPasswordHere"
}
==Certificate pinning==
===For eduroam===
In the above wpa_supplicant configuration, we pin the server certificate that we expect the RADIUS server to present. wpa_supplicant offers several mechanisms for certificate validation. The ca_cert parameter can point to a file containing one or more CA certificates that are used to validate the server's certificate chain; with that option you can additionally constrain the server certificate with subject_match (a substring match against its subject) or domain_suffix_match (a suffix match against its name).
In our configuration we opted for a much stronger level of validation, wherein we specify the hash of the exact certificate that we expect to see. With this method, ca_cert is set to hash://server/sha256/<sha256 hash of DER encoded certificate>, and wpa_supplicant accepts only a server certificate whose DER encoding has that hash. The trade-off is that the pin must be updated whenever the RADIUS server's certificate is renewed; until then authentication fails closed rather than silently trusting a new certificate.
To generate the sha256 hash of the DER encoded certificate (so that you can validate that the above hash is correct), download the certificate by clicking the "Download" link on the [https://ash.eprov.seti.vt.edu/EJBCAWebRequest/certSearch?cmd=search&keyword=VT-Wireless Certificate Search for VT-Wireless]
Validate that the certificate downloaded is in fact signed by the Virginia Tech Certificate Authority:
(TODO)
Then generate the sha256 hash (in the directory where the certificate downloaded to):
openssl x509 -in VT-Wireless.cns.vt.edu.crt -outform der | sha256sum
216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a -
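The openssl pipeline above is what you run by hand. As an added example, not part of this page's original instructions, the following Python script (standard library only) performs the same computation and checks it against the ca_cert pin found in a wpa_supplicant network block, so the comparison is not done by eye. The embedded "certificate" is a constructed stand-in whose PEM body decodes to the bytes "abc" rather than a real DER certificate, so that the expected hash is a known SHA-256 test vector; point the script at the downloaded VT-Wireless.cns.vt.edu.crt and your real eduroam.conf for actual use.

```python
"""Check that the hash://server/sha256/ pin in a wpa_supplicant config matches
a certificate file.  wpa_supplicant computes the pin as SHA-256 over the DER
encoding of the server certificate, which is exactly what
`openssl x509 -in cert.pem -outform der | sha256sum` prints.
Added example; not code from the wiki page or from wpa_supplicant."""
import base64
import hashlib
import re
import sys

# First PEM certificate block in a file; DOTALL so the body may span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# ca_cert pin of the form used in the eduroam configuration above.
PIN_RE = re.compile(r'ca_cert="hash://server/sha256/([0-9a-fA-F]{64})"')


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate in PEM text.

    PEM is just base64 of the DER encoding between the BEGIN/END markers.
    A real certificate's DER starts with an ASN.1 SEQUENCE tag (0x30); the
    constructed sample below does not, because it is not a certificate.
    """
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def server_pin(der: bytes) -> str:
    """Build the ca_cert value wpa_supplicant expects for this certificate."""
    return "hash://server/sha256/" + hashlib.sha256(der).hexdigest()


def pinned_hashes(config_text: str) -> list:
    """All sha256 pins present in the config, normalised to lower-case hex."""
    return [h.lower() for h in PIN_RE.findall(config_text)]


def pin_matches(config_text: str, pem_text: str) -> bool:
    """True only if the config has at least one pin and every pin equals the
    certificate's DER SHA-256.  A config with no pin is a failure, since that
    is the 'trust anything' configuration the page warns against."""
    expected = hashlib.sha256(pem_to_der(pem_text)).hexdigest()
    pins = pinned_hashes(config_text)
    return bool(pins) and all(p == expected for p in pins)


# Constructed sample input (not a real certificate): "YWJj" is base64 of
# b"abc", whose SHA-256 is the well-known test vector ba7816bf...15ad.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)

# Constructed config fragment in the same shape as the eduroam block above,
# with the pin that matches SAMPLE_PEM.
SAMPLE_CONFIG = (
    'network={\n'
    '  ssid="eduroam"\n'
    '  key_mgmt=WPA-EAP\n'
    '  eap=PEAP\n'
    '  ca_cert="hash://server/sha256/'
    'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"\n'
    '}\n'
)


def main(argv: list) -> int:
    """Usage: checkpin.py eduroam.conf server.crt  (defaults to the samples)."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            config, pem = f.read(), open(argv[2]).read()
    else:
        config, pem = SAMPLE_CONFIG, SAMPLE_PEM
    der = pem_to_der(pem)
    print("certificate pin :", server_pin(der))
    print("config pins     :", pinned_hashes(config) or "none (NOT pinned)")
    ok = pin_matches(config, pem)
    print("MATCH" if ok else "MISMATCH")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 checkpin.py /etc/wpa_supplicant/eduroam.conf VT-Wireless.cns.vt.edu.crt`; a non-zero exit means the config either has no pin or pins a different certificate, which is what you will see after the RADIUS certificate is renewed.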
==netctl==
[https://wiki.archlinux.org/index.php/netctl netctl] is a network manager which is native to the ArchLinux distribution. netctl makes use of wpa_supplicant under the hood, and so the configuration is similar.
===eduroam (preferred)===
Put the following configuration in /etc/netctl/eduroam with your proper PID and Network Password. Further, this assumes that your wireless network device is wlan0, which you might have to change to match your system. The ca_cert line pins the server certificate and can be generated/validated using the mechanism described above.
Description='Federated Educational Wifi Network'
Interface=wlan0
Connection=wireless
Security=wpa-configsection
IP=dhcp
IP6=stateless
WPAConfigSection=(
'ssid="eduroam"'
'proto=RSN'
'key_mgmt=WPA-EAP'
'eap=PEAP'
'phase2="auth=MSCHAPV2"'
'anonymous_identity="anonymous@vt.edu"'
'ca_cert="hash://server/sha256/216c5f2568c6e84860b12535efe93500623ccee999306b84260f951bcbd57b1a"'
'identity="YourPidHere@vt.edu"'
'password="YourNetworkPasswordHere"'
)
Ensure that this file is owned by root and only readable by root:
$ sudo chown root:root /etc/netctl/eduroam
$ sudo chmod 600 /etc/netctl/eduroam
You can then start the connection using standard netctl methods:
$ sudo netctl start eduroam
===For VT-Wireless (legacy)===
Tested on [[Arch Linux]] with netctl 0.8 (updated on 2013-04-12).