Connecting to Campus Networks on Linux

From MTU LUG Wiki
Revision as of 21:19, 16 July 2024 by D2wn (talk | contribs) (made initial entry)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

This aims to be an all-inclusive guide on connecting to every type of network Michigan Tech uses on Campus on a Linux machine. If you use Windows, follow this guide instead :P


If you run into any problems following these instructions, or just want someone to walk you through it step-by-step, feel free to ask for help in the #tech-support channel in LUG's Discord or IRC and we'll be happy to help you out

eduroam

eduroam is a collaborative project between institutions that allow students at one participating university to get an internet connection at any other participating universities with their university credentials, by connecting to the eduroam network there.

Also, for some reason, it's typically the most reliable network on Tech's campus (yes, even more reliable than the actual MichiganTech network).

NetworkManager

NOTE: This whole section needs work, it's just here as a placeholder. Ask in the Discord/IRC if you need help.

If you use NetworkManager (the default on most distros), for some reason WPA2-EAP networks (such as eduroam) must be configured by manually creating a config file and cannot be added in the GUI.

As such, you can add eduroam as a connectable network by putting the following contents in /etc/NetworkManager/system-connections/eduroam.nmconnection:

[ NOTE: I think the UUID is supposed to be generated on-demand? ]

[connection]
id=eduroam
uuid=1b5b76ef-7a0a-4160-ae51-1c110cf160b7
type=wifi
autoconnect=false
permissions=user:<USER>:;

[wifi]
mode=infrastructure
ssid=eduroam

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=<MTU_ID>
password=<PASSWORD>
phase2-auth=mschapv2

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]

Where <USER> is the username of your account on your Linux computer, <MTU_ID> is your MTU Student ID (such as noahholl) and <PASSWORD> is your MTU password in plaintext.

iwd

Create the following file in /var/lib/iwd/eduroam.8021x:

[ NOTE: This config has AlwaysRandomizeAddress=true, which will randomize your WiFi card's MAC address on each connection. While not required, it can be nice to preserve your privacy when connecting to foreign networks. ]

[Settings]
AutoConnect=true
AlwaysRandomizeAddress=true

[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@mtu.edu
EAP-PEAP-CACert=/var/lib/iwd/eduroam.pem
EAP-PEAP-ServerDomainMask=www.login.mtu.edu
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=<MTU_ID>@mtu.edu
EAP-PEAP-Phase2-Password-Hash=<PASSWORD_HASH>

Where <MTU_ID> is your MTU Student ID (such as noahholl) and <PASSWORD_HASH> is the MsCHAPv2 hash of your MTU password.

You can generate the MsCHAPv2 hash for your MTU password by running the following command:

iconv -t utf16le | openssl md4 -provider legacy

Type your password, immediately followed by CTRL+D (You may need to press it twice). DO NOT PRESS ENTER! Pressing enter will mess up the hash, and you will not be able to authenticate to Tech's network with it!


Alternatively, instead of EAP-PEAP-Phase2-Password-Hash=<PASSWORD_HASH>, you can put EAP-PEAP-Phase2-Password=<PASSWORD>, and you would replace <PASSWORD> with your actual MTU password, in plaintext.

This is of course not advisable for security reasons, but it is technically an option if you cannot get the previous method to work.

Getting the certificate (the easy way):

Next, you need Tech's eduroam certificate. You can get it by parsing eduroam's "Configuration Assistant Tool" python script from their website:

curl -s 'https://cat.eduroam.org/user/API.php?action=downloadInstaller&lang=en&profile=3932&device=linux&generatedfor=user&openroaming=0' | sed -e 's/Config.CA = """//g' -ne '1083,1152p' > eduroam.pem

Confirm that you have the correct file, and if so move it to /var/lib/iwd/eduroam.pem:

echo "736c7004527b8d42c27526a5e8ad67b39f395d2d eduroam.pem" | sha1sum -c && sudo mv eduroam.pem /var/lib/iwd/eduroam.pem

If the command returns eduroam.pem: FAILED, proceed to the section below. Otherwise, skip it and proceed to "Connecting to eduroam".

Getting the certificate (the hard way):

Open cat.eduroam.org in your browser, and navigate through the site until you reach the page to download the configuration script for Michigan Tech.

Once you've downloaded the script, open it with a text editor and look for the two certificates.

They should be back-to-back, each beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.

Copy both certificates into the file eduroam.pem, then move the file to /var/lib/iwd/eduroam.pem:

sudo mv eduroam.pem /var/lib/iwd/eduroam.pem Now you can proceed to "Connecting to eduroam".

Connecting to eduroam:

You should be all good to go! Just connect to eduroam in iwctl and it should take care of the rest for you.

In case you're new to iwd, this can be done by running iwctl, typing station list(identifying the interface of your WiFi card), then station <interface> connect eduroam.

Now you can quit out of iwctl and you should remain connected!

wpa_supplicant

NOTE: This whole section needs work, it's just here as a placeholder. Ask in the Discord/IRC if you need help.

wpa_supplicant is commonly used as a backend for NetworkManager, but if you use it standalone, you can use the following config

MichiganTech

The MichiganTech network is WPA2-EAP, using PEAP and MSCHAPv2. The configuration needed to connect to the network is similar to that of eduroam, with a few notable differences.

For some reason IT recommends ignoring certificate errors for the MichiganTech network, opening users up to potential Evil Twin attacks. We should eventually add sections on how to get the certificate for the network and enable certificate checking, but in the meantime since this is the configuration everyone is using I suppose it's good enough.

NetworkManager

NOTE: This whole section needs work, it's just here as a placeholder. Ask in the Discord/IRC if you need help.

If you use NetworkManager (the default on most distros), for some reason WPA2-EAP networks (such as MichiganTech) must be configured by manually creating a config file and cannot be added in the GUI.

As such, you can add MichiganTech as a connectable network by putting the following contents in /etc/NetworkManager/system-connections/MichiganTech.nmconnection:

[ NOTE: I think the UUID is supposed to be generated on-demand? ]

[connection]
id=MichiganTech
uuid=0c38e990-aa9c-4d61-8e7e-f2ae28f2787d
type=wifi
autoconnect=true
permissions=user:<USER>:;

[wifi]
mode=infrastructure
ssid=MichiganTech

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=<MTU_ID>
password=<PASSWORD>
phase2-auth=mschapv2

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]

Where <USER> is the username of your account on your Linux computer, <MTU_ID> is your MTU Student ID (such as noahholl) and <PASSWORD> is your MTU password in plaintext.

Connecting to MichiganTech:

You should be all good to go, so try connecting to MichiganTech via nmcli, nmtui, or one of the many NetworkManager GUIs (whichever you prefer)!

iwd

Create the following file in /var/lib/iwd/MichiganTech.8021x:

[ NOTE: This config has AlwaysRandomizeAddress=true, which will randomize your WiFi card's MAC address on each connection. While not required, it can be nice to preserve your privacy when connecting to foreign networks. ]

[Settings]
AutoConnect=true
AlwaysRandomizeAddress=true

[Security]
EAP-Method=PEAP
EAP-Identity=anonymous
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=<MTU_ID>
EAP-PEAP-Phase2-Password-Hash=<PASSWORD_HASH>

Where <MTU_ID> is your MTU Student ID (such as noahholl) and <PASSWORD_HASH> is the MsCHAPv2 hash of your MTU password.

You can generate the MsCHAPv2 hash for your MTU password by running the following command:

iconv -t utf16le | openssl md4 -provider legacy

Type your password, immediately followed by CTRL+D (You may need to press it twice). DO NOT PRESS ENTER! Pressing enter will mess up the hash, and you will not be able to authenticate to Tech's network with it!


Alternatively, instead of EAP-PEAP-Phase2-Password-Hash=<PASSWORD_HASH>, you can put EAP-PEAP-Phase2-Password=<PASSWORD>, and you would replace <PASSWORD> with your actual MTU password, in plaintext.

This is of course not advisable for security reasons, but it is technically an option if you cannot get the previous method to work.

Connecting to MichiganTech:

You should be all good to go! Just connect to MichiganTech in iwctl and it should take care of the rest for you.

In case you're new to iwd, this can be done by running iwctl, typing station list(identifying the interface of your WiFi card), then station <interface> connect MichiganTech.

Now you can quit out of iwctl and you should remain connected!

wpa_supplicant

NOTE: This whole section needs work, it's just here as a placeholder. Ask in the Discord/IRC if you need help.

wpa_supplicant is commonly used as a backend for NetworkManager, but if you use it standalone, you can use the following config to connect to the MichiganTech network:

ctrl_interface=/run/wpa_supplicant
ap_scan=1
network={
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="<MTU_ID>"
        password="<PASSWORD>"
        phase2="autheap=MSCHAPV2"
}

Where <MTU_ID> is your MTU Student ID (such as noahholl) and <PASSWORD> is your MTU password, in plaintext. (does wpa_supplicant support MsCHAPv2 hashes?)

Connecting to MichiganTech:

You should be all good to go!

MichiganTechGuest

MichiganTechGuest is an open network, you just have to accept the Terms and Conditions on the captive portal before you have internet access.

If you're having issues getting the captive portal to popup, try loading an http-only site such as neverssl.com or Apple's captive portal check domain.

However, it seems direct IP connections work without authenticating on the captive portal? If you have a VPN on, you can just skip accepting the ToC and access the internet as normal. (very useful when wpa_supplicant broke WPA2-EAP support leaving Linux users unable to connect to the proper MichiganTech WiFi)

The guest network has a weird IP range (35.63.66.0/23), it's not in Tech's normal 141.219.0.0/16. (Perhaps to avoid getting the main IP range banned due to abuse?)


//todo

include my bash script that auto-confirms the ToC via a post request with curl (90% done, needs to wait until I'm back on campus to finish)

include how to auto run a script on interface up/down to auto re-authenticate yourself after taking laptop out of sleep mode


MichiganTechIoT

AFAIK, this network is like MichiganTechOpen (open security, devices need to be MAC whitelisted) but devices are allowed to communicate between each other on the LAN.

Primarily intended for IoT devices and gaming consoles.

https://clearpass.tc.mtu.edu/guest/guest_index.php (have to be on Tech's network otherwise it 403's)

MichiganTechOpen

For devices that don't support WPA2-EAP and can't connect to the main MichiganTech network.

It's an open network, but you have to whitelist your devices MAC address in clearpass first.

https://clearpass.tc.mtu.edu/guest/guest_index.php (have to be on Tech's network otherwise it 403's)


Resnet

MAC register ethernet (dorms, datacenters are handled by IT?)

You should be able to just plug your device into an ethernet port connected to Resnet, and navigate to the clearpass URL to whitelist your device

https://clearpass.tc.mtu.edu/guest/guest_index.php (have to be on Tech's network otherwise it 403's)



Sources


https://wiki.ritlug.com/eduroam/


https://wiki.archlinux.org/title/Network_configuration/Wireless#eduroam


https://wiki.archlinux.org/title/Iwd#WPA_Enterprise


https://wiki.archlinux.org/title/Wpa_supplicant#Advanced_usage