Network access in the dormitories with Linux
1. Fundamentals
2. PEAP
3. Various clients wpa_supplicant, xsupplicant
4. Client configuration
5. Root certificate
6. FAQ
7. Links
1. Fundamentals
In order to use the internet access via the dormitory network, the user must be authenticated at the beginning of the session. To do this, you will need special client software as well as your login and password from Bielefeld University (the password for "dialin" authorization), Bielefeld University, the OS or the personal user certificate of OWL University. Authentication takes place on the basis of the 802.1X protocol. Only after successful authentication against the RADIUS server does the DHCP server assign a valid IP address to the client computer, and only then is access to the Internet enabled. The following text contains information and instructions for configuring your Linux system.
2. PEAP
The EAP-PEAP (MSCHAPV2) method is used for authentication in accordance with 802.1X. In some Linux distributions, you still need to include the "T-TeleSec Global Root Class 2" root certificate, but most current distributions (e.g. Ubuntu, Mint, OpenSuse) now include this by default.
3. Various clients
Currently, the "wpa_supplicant" is the client of choice for authentication. The "xsupplicant", on the other hand, no longer seems to be included in the software package of common Linux distributions.
With current Linux distributions, it is best to use the graphical network tools supplied, such as the GNOME Network Manager.
4. Client configuration
If your system does not yet provide suitable network tools or you do not want to use them for other reasons, you must configure the clients manually.
In the following, it is always assumed that eth0 refers to the network card with which you want to establish a connection to the dormitory network. If you use several network cards in your computer, please adjust the designation accordingly.
wpa_supplicant
Install the wpa_supplicant package using your package manager (YaST, Yum, Synaptic package manager, etc.). Configure the eth0 network card for dynamic IP address assignment (DHCP) using your system administration tools. You must now create the configuration file for wpa_supplicant using an editor of your choice. Below you will find a sample file for the PEAP method. Please do not enter any unnecessary spaces, and place all paths, the login and the password in double quotation marks: according to the observations made so far, omitting these characters can lead to errors depending on the distribution.
Example for students of Bielefeld University:
# wpa_supplicant with EAP-PEAP ##################################
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
key_mgmt=WPA-EAP
eap=PEAP
anonymous_identity="anonymous@uni-bielefeld.de"
identity="mmustermann7@uni-bielefeld.de"
password="<password>"
ca_cert="<Path to the root certificate USERTrustRSACertificationAuthority.pem>"
phase2="auth=MSCHAPV2"
priority=10
}
Example for students at Bielefeld University of Applied Sciences (Hochschule):
# wpa_supplicant with EAP-PEAP ##################################
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
key_mgmt=WPA-EAP
eap=PEAP
anonymous_identity="jdoe3@hsbi.de"
identity="jdoe3@hsbi.de"
password="<password>"
ca_cert="<Path to the root certificate USERTrustRSACertificationAuthority.pem>"
phase2="auth=MSCHAPV2"
priority=10
}
Examples of the path to the root certificate:
ca_cert="/usr/share/ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem"
ca_cert="/usr/share/ssl/certs/USERTrustRSACertificationAuthority.pem"
Common Linux distributions provide a bundle of root certificates instead of a large number of individual certificate files. The file is then called "ca-bundle.crt", for example, and the entry would be
ca_cert="/usr/share/ssl/certs/ca-bundle.crt"
Please put your login and password in quotation marks and do not use spaces to the left or right of the "=" characters. Otherwise, problems have been observed on some systems when parsing the configuration files.
Save the created configuration file under the file name /etc/wpa_supplicant/wpa_supplicant.conf.
Attention: The file contains the password for your university login. Therefore, change the permissions of the file so that only the administrator can read or change it and third parties cannot access it under any circumstances, with
# chmod 400 /etc/wpa_supplicant/wpa_supplicant.conf
From the console, you can now start wpa_supplicant for the first time with
# wpa_supplicant -d -Dwired -ieth0 -c/etc/wpa_supplicant/wpa_supplicant.conf
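Before the first start it is worth checking the file for exactly the pitfalls named above. The following shell script is an added example and not part of the original instructions; it assumes a POSIX shell with grep and stat. The most important check is the one for ca_cert: without it, wpa_supplicant does not verify the RADIUS server's certificate, and the PEAP/MSCHAPv2 exchange could be carried out with any device that presents a certificate, which is how such credentials get harvested.

```sh
#!/bin/sh
# Added example: lint a wpa_supplicant configuration for the mistakes named in the
# text above. Exit status 0 means no findings, 1 means at least one finding.
# Usage: ./check_wpa_conf.sh /etc/wpa_supplicant/wpa_supplicant.conf

check_wpa_conf() {
    conf="$1"
    findings=0

    # 1. Whitespace around "=" confuses the parser on some distributions.
    if grep -Eq '^[[:space:]]*[A-Za-z0-9_]+[[:space:]]+=|^[[:space:]]*[A-Za-z0-9_]+=[[:space:]]' "$conf"; then
        echo "finding: whitespace around '=' in $conf"
        findings=1
    fi

    # 2. Identity, password and certificate path must be enclosed in double quotes.
    for key in identity anonymous_identity password ca_cert; do
        if grep -Eq "^[[:space:]]*$key=[^\"]" "$conf"; then
            echo "finding: $key is not enclosed in double quotes"
            findings=1
        fi
    done

    # 3. Without ca_cert the supplicant accepts any server certificate, so the
    #    username and MSCHAPv2 response could be handed to a rogue authenticator.
    if ! grep -Eq '^[[:space:]]*ca_cert=' "$conf"; then
        echo "finding: ca_cert is missing; the RADIUS server would not be verified"
        findings=1
    fi

    # 4. Placeholders copied verbatim from the sample file.
    if grep -Eq '<password>|<Path to' "$conf"; then
        echo "finding: template placeholder still present"
        findings=1
    fi

    # 5. The file holds the university password; only root may read it (chmod 400).
    #    GNU stat is tried first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf" 2>/dev/null)
    case "$mode" in
        400|600) ;;
        *) echo "finding: mode '$mode' is too permissive (expected 400)"; findings=1 ;;
    esac

    return $findings
}

if [ "$#" -gt 0 ]; then
    check_wpa_conf "$1"
fi
```

Run it as root against the saved file; it prints one line per finding and exits non-zero if anything needs fixing, so it can also be placed in front of the start script.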
If everything is correct, the wpasupplicant should now authenticate successfully.
If a DHCP client is not yet running in the background, start it now with
# dhclient eth0
(As an alternative to dhclient, you can also use "pump -i eth0" or "dhcpcd eth0".)
# ifconfig eth0
should now show your current IP address.
Configure automatic authentication on system startup:
The following describes a method that should work on a wide range of systems. Irrespective of this, many current distributions have other graphical configuration tools integrated, such as the Network Manager, which you may wish to give preference to. Please read more about this below.
Create a file with the following contents
#!/bin/sh
# -B runs wpa_supplicant in the background so the script returns at boot
wpa_supplicant -B -Dwired -ieth0 -c/etc/wpa_supplicant/wpa_supplicant.conf
Save this shell script as /etc/wpa_supplicant/start_wpa_supplicant.sh and change the permissions as follows
# chmod 744 /etc/wpa_supplicant/start_wpa_supplicant.sh
You can now create a shortcut on the desktop and then start authentication manually in future. This can be useful for notebooks with changing locations and network environments.
If your computer is stationary and is to authenticate itself in the dormitory network each time the system is started, you can create symbolic links to the script in the rc directories rc3.d and rc5.d for runlevels 3 and 5:
ln -s /etc/wpa_supplicant/start_wpa_supplicant.sh /etc/rc3.d/S50start_wpa_supplicant
ln -s /etc/wpa_supplicant/start_wpa_supplicant.sh /etc/rc5.d/S50start_wpa_supplicant
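The start script above returns as soon as the supplicant is running, but the DHCP request only succeeds once the switch port has been authorized. The following script is an added example, not the original start script: it starts wpa_supplicant, polls "wpa_cli status" until the 802.1X port state is Authorized (or the EAP state machine reports FAILURE), and only then calls dhclient. It assumes wpa_supplicant, wpa_cli and dhclient are installed, the configuration file and the interface name eth0 from the text above, and a 30-second timeout that is an assumption of this example.

```sh
#!/bin/sh
# Added example: authenticate on the dormitory network and request a lease only
# after 802.1X succeeded. Usage: ./start_dorm_network.sh start
IFACE="${IFACE:-eth0}"
CONF="${CONF:-/etc/wpa_supplicant/wpa_supplicant.conf}"
TIMEOUT="${TIMEOUT:-30}"   # seconds to wait for authentication (assumption)

# Reads "wpa_cli status" output on stdin and prints one word:
# AUTHENTICATED (port authorized and EAP succeeded), FAILED or PENDING.
auth_state() {
    awk -F= '
        $1 == "suppPortStatus" { port = $2 }
        $1 == "EAP state"      { eap  = $2 }
        END {
            if (port == "Authorized" && eap == "SUCCESS") print "AUTHENTICATED"
            else if (eap == "FAILURE")                   print "FAILED"
            else                                         print "PENDING"
        }'
}

# Polls the supplicant once a second until authenticated or the timeout expires.
wait_for_auth() {
    n=0
    while [ "$n" -lt "$TIMEOUT" ]; do
        state=$(wpa_cli -i "$IFACE" status 2>/dev/null | auth_state)
        case "$state" in
            AUTHENTICATED)
                return 0 ;;
            FAILED)
                echo "802.1X authentication failed: check identity, password and ca_cert" >&2
                return 1 ;;
        esac
        sleep 1
        n=$((n + 1))
    done
    echo "timed out after ${TIMEOUT}s waiting for authentication" >&2
    return 1
}

# Start the supplicant in the background, wait for the port, then get a lease.
start_dorm_network() {
    wpa_supplicant -B -Dwired -i "$IFACE" -c "$CONF" || return 1
    wait_for_auth || return 1
    dhclient "$IFACE"
}

if [ "${1:-}" = "start" ]; then
    start_dorm_network
fi
```

Because the script only hands the interface to dhclient after the port is authorized, a failed or rogue authentication leaves the machine without a lease instead of silently retrying in the background, which is also the moment to look at the -d output of the first manual start.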
5. Root certificate "USERTrust RSA Certification Authority"
The root certificate "USERTrust RSA Certification Authority" is required for authentication using EAP-PEAP. Current distributions include the certificate by default. The many root certificates are often combined in a file such as "ca-bundle.crt". Just have a look around your operating system.
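"Have a look around" can be made concrete: the path given in ca_cert must actually contain the expected root certificate, otherwise the supplicant either fails to start or, worse, the check is dropped. The following script is an added example and not part of the original instructions; it assumes openssl and grep are installed, and the bundle locations it tries are the usual ones on Debian/Ubuntu and Red Hat/SUSE systems, which are assumptions rather than paths from the page.

```sh
#!/bin/sh
# Added example: find the system CA bundle and confirm it contains the CA named
# in section 5. Usage: ./find_root_cert.sh check

# Prints the first readable file among the given paths.
find_ca_bundle() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Prints the number of PEM certificate blocks in a file.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Prints the subject of every certificate in a PEM bundle, one per line.
# crl2pkcs7 wraps the whole bundle in a PKCS#7 structure so that
# "pkcs7 -print_certs" walks all certificates instead of only the first.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        grep '^subject='
}

# Returns 0 if a certificate with the given common name is in the bundle.
# Matches both "CN = X" (OpenSSL 1.1 and later) and "/CN=X" (older releases).
bundle_has_cn() {
    bundle_subjects "$1" | grep -Eq "CN *= *$2"
}

if [ "${1:-}" = "check" ]; then
    bundle=$(find_ca_bundle /etc/ssl/certs/ca-certificates.crt \
                            /etc/pki/tls/certs/ca-bundle.crt \
                            /usr/share/ssl/certs/ca-bundle.crt) || {
        echo "no CA bundle found in the usual locations" >&2
        exit 1
    }
    echo "bundle: $bundle ($(count_certs "$bundle") certificates)"
    if bundle_has_cn "$bundle" "USERTrust RSA Certification Authority"; then
        echo "ok: use ca_cert=\"$bundle\" in wpa_supplicant.conf"
    else
        echo "USERTrust RSA Certification Authority not found in $bundle" >&2
        exit 1
    fi
fi
```

If the check fails, the distribution's ca-certificates package is usually the place to look before pointing ca_cert at a certificate file downloaded from elsewhere.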
6. FAQ
7. Links
http://hostap.epitest.fi/wpa_supplicant
http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol