Changes

Jump to: navigation, search

Virginia Tech Wifi (OLD)

423 bytes added, 14:25, 5 February 2010
no edit summary
=Introduction=Since the fall of 2008, there have been two options for connecting to the Virginia Tech network by wireless cardnetworks on campus. One network, called '''VT-Wireless''', operates by means of WPA2 Enterprise encrypts all traffic and is secured with EAP/-TLSor PEAP-MSCHAPv2. The other network, called '''[[VT_WLAN''']], is an unsecuredunencrypted, captive portal wireless network. While connections to VT-Wireless are secure by default, and require no user authentication once set up, the EAP-TLS setup has a number of steps. In contrast, setup for VT_WLAN network is negligible, but you will be required to manually authenticate each time you connect (although this can be scripted), and your traffic will be readable to everyone.
<table style="text-align: center;" align="center" {| border="1" cellpadding="10">|-! Network! Security! Setup! Support|-| VT-Wireless| Strongest ([[w:Extensible Authentication Protocol#EAP-TLS|EAP-TLS]])| Involved| Most laptops, not all mobile devices|-| VT-Wireless| Unknown ([[w:Extensible Authentication Protocol#PEAPv0/EAP-MSCHAPv2|PEAPv0/EAP-MSCHAPv2]])| Simple| Most devices, including mobile devices|-| [[VT_WLAN]]| Weak ([[w:Captive portal|Captive portal]])| Negligible| Most devices, including mobile devices|}
<tr><td></td><th>VT-Wireless</th><th>VT_WLAN</th></tr><tr><th>Secure (Encrypted)<br /> Connection</th><td> yes </td><td> no</td></tr><tr><th>Setup</th><td> involved </td><td> trivial</td></tr><tr><th>Authentication</th><td> automatic </td><td> manual</td></tr></table> =VT-Wireless=The VT-Wireless network is secured by WPA with EAP/TLS or PEAP/MS-CHAPv2 encryption. ==PEAP MSCHAPv2==* Set your remote passphrase by going to [https://my.vt.edumy.vt.edu]->settingsSettings->Remote Passphrase.* In your wireless configuration program, select VT-Wireless.
* Choose PEAP as the EAP type.
* Choose MSCHAPv2 as the authentication method.
* Use your PID and remote passphrase as your login credentials.
 
=EAP-TLS=
The setup for EAP-TLS involves downloading a passworded personal certificate and making sure a copy of the certificate authority's signing certificate is on your computer. Some network managers, such as NetworkManager, require an extra step of converting the personal certificate to a different format.
==Obtaining the VT-Wireless Certificate==
Regardless of what program you use to make your connection, you will need to [https://netcert.cns.vt.edu/netcert/ obtain your p12 certificate and password from CNS]. Complete the form and download the p12 certificate file. Save the certificate password permanently and copy it for immediate use. You will need it in setting up your connection to VT-Wireless.
==Choosing a Network Manager==[[w:NetworkManager|NetworkManager]] is installed by default on Ubuntu and Fedora. As of fall 2009, it does not support the PKCS#12 format certificates that CNS provide out of the box, however. Converting the certificate requires some work, but the steps are outlined below. If you don't rely on NetworkManager for other kinds of connections like mobile broadband or [[Proxies and VPN|VPN]], or are having problems with NetworkManager, use Wicd instead. If you don't want or need a graphical interface, a WPA Supplicant configuration is also described below. ===Connecting by NetworkManager===The setup for NetworkManager depends on your version of the software. Please follow the instructions appropriate to your version below. In GNOME, you can right-click the NetworkManager applet icon in the panel and select "About" to find the version of NetworkManager. Ubuntu users: Version 0.6 ships with 8.04 Hardy Heron, 0.7 ships with 8.10 Intrepid Ibex and 9.04 Jaunty Jackalope, and 0.8 ships with Karmic Koala. ====NetworkManager 0.7 and 0.8========Converting the certificate to PEM certificates and keys===='''NOTE:''' The following steps are only necessary to use NetworkManager 0.7 and 0.8. NetworkManager 0.6 has a [[#NetworkManager_0.6 | more straightforward setup]] You will need to convert the PKCS#12 (.p12) certificate into PEM formats. We will assume your downloaded p12 file is called <code>netcert-1.p12</code> and that its password is <code>netcertpasswd</code>.Open a terminal and <code>cd</code> to the directory that contains your .p12 file. Then issue the following commands: <pre>openssl pkcs12 -in netcert-1.p12 -out vt_client_cert.pem -clcerts -nokeysopenssl pkcs12 -in netcert-1.p12 -out vt_private_key.pem -nocerts</pre> In each step, you will be prompted Checking for the password (<code>netcertpasswd</code>) that you were issued along with your .p12 certificate. Right click and paste it in or press <code>ctrl+shift+v</code> if you're using the GNOME Terminal. Additionally, in the final step where you generate your private key, you will be asked to enter a password. Enter the same password that came with your p12key. '''Sources''' * [http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup WPA2 EAP/TLS Linux client setup] ==== Make sure you have the CA Certificate ====Next, you will need to make sure you have the Thawte certificate authority Premium Server Certificate Authority (CA) certificate. In Ubuntu, you should be able to find this certificate at <code>/etc/ssl/certs/Thawte_Premium_Server_CA.pem</code>. If you can't find the certificate on your system, you can copy the text below and paste it into a new file of the same name.
<pre>
-----END CERTIFICATE-----
</pre>
 
==Choosing a Network Manager==
[[w:NetworkManager|NetworkManager]] is installed by default on Ubuntu and Fedora. As of fall 2009, NetworkManager does not support the PKCS#12 format certificates that CNS provide out of the box. Converting the certificate requires some work, but the steps are outlined below. If you don't rely on NetworkManager for other kinds of connections like mobile broadband or [[Proxies and VPN|VPN]], or are having problems with NetworkManager, use Wicd as a graphical connection manager instead. If you don't want or need a graphical interface, a WPA Supplicant configuration is also described below.
 
===Connecting by NetworkManager===
The setup for NetworkManager depends on your version of the software. Please follow the instructions appropriate to your version below. In GNOME, you can right-click the NetworkManager applet icon in the panel and select "About" to find the version of NetworkManager.
 
Ubuntu users: Version 0.6 ships with 8.04 Hardy Heron, 0.7 ships with 8.10 Intrepid Ibex and 9.04 Jaunty Jackalope, and 0.8 ships with 9.10 Karmic Koala.
 
====NetworkManager 0.7 and 0.8====
====Converting the certificate to PEM certificates and keys====
'''NOTE:''' The following steps are only necessary to use NetworkManager 0.7 and 0.8. NetworkManager 0.6 has a [[#NetworkManager_0.6 | more straightforward setup]]
 
You will need to convert the PKCS#12 (.p12) certificate into PEM formats. We will assume your downloaded p12 file is called <code>netcert-1.p12</code> and that its password is <code>netcertpasswd</code>.
Open a terminal and <code>cd</code> to the directory that contains your .p12 file. Then issue the following commands:
 
<pre>
openssl pkcs12 -in netcert-1.p12 -out vt_client_cert.pem -clcerts -nokeys
openssl pkcs12 -in netcert-1.p12 -out vt_private_key.pem -nocerts
</pre>
 
In each step, you will be prompted for the password (<code>netcertpasswd</code>) that you were issued along with your .p12 certificate. Right click and paste it in or press <code>ctrl+shift+v</code> if you're using the GNOME Terminal. Additionally, in the final step where you generate your private key, you will be asked to enter a password. Paste in same password.
 
'''Sources'''
 
* [http://www.codealias.info/technotes/wpa2_eap-tls_authentication_linux_client_setup WPA2 EAP/TLS Linux client setup]
Left-click the NetworkManager applet and select the VT-Wireless network.
===Editing wpa_supplicant.conf===
Add the following to your <ttcode>/etc/wpa_supplicant.conf</ttcode> file (if no file exists, create it):
<pre>network={
}
</pre>
 Replace <code>PID</code> with your actual PID (without any trailing @vt.edu),<code>/PATH/TO/NETCERT.p12</code> with the actual path to your certificate (you canstore it in /etc/netcert) and <code>PASSWORD</code> with the certificate password given toyou when you downloaded the certificate. Note the certificate used hereshould be the original PKCS#12 file you downloaded. Reformatting the certificateis only necessary for NetworkManager.
===Running WPA Supplicant===
Anonymous user

Navigation menu