Cavalier Wireless with Network Manager
From UVA Linux Users Group
If you have a supported wireless card (check here), you can connect to UVA's secure Cavalier network through the Network Manager gui. The following tutorial will walk you through the procedure. There is a little command line prep work to be done with certificates, so wear your terminal pants. But the commands aren't monstrous, and this tutorial should make it easier to deal with.
This guide uses the Gnome Network Manager from the Launchpad.net Network-manager team. The guide should work for any Debian-based distro, any recent version of Network Manager (even on KDE), or really any updated version of Linux -- just some commands may differ.
If this doesn't work for you, you can check out this guide that shows how to use WICD in place of Network Manager. However, the author of this Network Manager page had little luck with WICD; it failed to connect, and installing WICD means removing Network Manager, which leaves you completely without any network connection. You can also use wahoo, but be aware that it's a hidden network and not secured.
- UVA Personal Digital Certificate
- UVA stand-alone USHER CA v1 certificate
- A card that supports WPA
Most distributions come with wpasupplicant installed. You can double-check in whatever package manager you use, or use the command line (see below).
Now the certificates have to be sorted. Changes from previous versions: It is no longer necessary to use openssl to extract cert.cer and cacert.cer files. All that is necessary is your personal digital certificate and the UVA stand-alone certificate.
First: Personal Digital Certificate
- If you don't already have a personal digital certificate (a certificate ending in .p12), go to the UVA Personal Digital Certificate page. Choose the OSX option to get your certificate, and you'll be able to download the certificate to your machine and save it wherever you like. Although you can use the Firefox/Netbadge option, the OSX option seems to be the better way to go (see below about browsers and certificates).
- We'll call the file mst3k-cert.p12, but when you download it, the file will have your ID -- (your ID)-cert.p12. Once downloaded, pocket the certificate away someplace safe, like .some_hidden_directory.
Second: USHER certificate
- To get this, go to UVA's stand-alone USHER certificate page.
- Identify yourself via Netbadge, and then you'll be able to download usher.cer. Save that to the same .some_hidden_directory.
When Network Manager sees cavalier, you'll see a little shield next to it.
Note: If you see any cavalier networks with WEP certification, ignore it.
When you click on cavalier, you'll get an authentication dialog. Enter the information as listed below. Choose Security: WPA & WPA2 Enterprise and Authentication: TLS. You'll also use the usher.cer file for the CA certificate and your personal digital certificate for the Private key. Both should still be safely tucked away in .some_hidden_directory.
Also, be sure to use the case-sensitive login mst3k@Virginia.EDU as opposed to firstname.lastname@example.org.
- Security: WPA & WPA2 Enterprise
- Authentication: TLS
- Identity: mst3k@Virginia.EDU
- User certificate: (None)
- CA Certificate: usher.cer
- Private key: mst3k-cert.p12
- Private key password: (enter your computing password)
If your card is supported, this should authenticate your access onto the cavalier network.
Browsers and Certificates
There are links on the UVA Personal Digital Certificate page to import the certificate directly into Firefox. Once a certificate is in Firefox, you can export it and use it for all the above processes. However, Firefox on Linux likes to spit authentication errors during this process, although everything works. Afterwards, if you view the certificate in Firefox, you'll see a warning that it isn't authenticated. For now, it's easier to just download the file via the OSX link.
But if you downloaded the certificate directly to your desktop, you can import that certificate into Firefox via Edit > Preferences > Advanced > Encryption > View Certificates > Import. It's a nice way to authenticate for mail, collab, and other NetBadgey sites. If done this way, it also won't give you any authentication errors or warnings.
If you're using Chromium, see the Chromium page on Linux Certification Management. Be sure to wear your command line pants.
If you're using Chrome on Linux, it may just automatically import a certificate from Firefox. Otherwise, follow the instructions on this page to get to Options >> Under the Hood, and then use the "Manage certificates" feature.
Network Manager Changes
This tutorial has been updated to reflect Network Manager 0.8~rc2, which once again recognizes .p12 keys. That version is not available with current Debian-based installations like Ubuntu 9.10, which ships with 0.8~a (as of April, 2010). The Network-manager team at Launchpad.net offers the latest version of Network Manager through their official ppa. As of April, 2010, that ppa includes version 0.8~rc2.
In previous versions of Network Manager, the .p12 key was used in the gui for the Private Key File, and openssl was used to extract a cert.cer and cacert.cer from the .p12 key. Since then, UVA has switched to using the stand-alone usher.cer certificate, which also means Linux users needed to change how they connect. This guide is updated to reflect those changes.
Since it is no longer necessary to extract the cert.cer and cacert.cer certificates, the following is only here for historical and reference purposes. If someone is using some method other than Network Manager to connect, they may find these notes useful.
Preparing the Files
Now we get into some command-fu, using openssl to extract the files Network Manager needs to connect to Cavalier.
Open a terminal/command line, cd to .some_hidden_directory, and run the following commands:
openssl pkcs12 -cacerts -in mst3k-cert.p12 -out mst3k-cacert.cer
You will then be asked to verify yourself against your certificate. Since you needed to use your computing ID password to get the certificate, that's what it's looking for.
Enter Import Password: (enter your password)
MAC verified OK
Enter PEM pass phrase: (enter your password)
Verifying - Enter PEM pass phrase: (enter your password)
openssl pkcs12 -clcerts -in mst3k-cert.p12 -out mst3k-cert.cer
Like before, you'll be asked to prove that you are really who you think you are.
Enter Import Password: (enter your password)
Enter PEM pass phrase: (enter your password)
Verifying - Enter PEM pass phrase: (enter your password)
If all went well, openssl should have extracted the mst3k-cacert.cer and mst3k-cert.cer files into that same .some_hidden_directory. You now have all the files necessary to handle the encryption in Network Manager.
- Note: These are now .cer files, and not .pem like previously used. Network Manager will accept *.der, *.pem, *.crt and *.cer files, and the USHER CA v1 certificate is already in .cer format. You could use openssl to extract as .pem files and then rename usher.cer to usher.pem, but those are extra, unnecessary steps.
If you use a debian-based distro, try these commands in the terminal to find out if you have openssl and wpasupplicant installed:
dpkg -l | grep openssl && dpkg -l | grep wpasupplicant
shows the following is installed:
ii  openssl            0.9.8g-10.1ubuntu2.1  Secure Socket Layer (SSL) binary and related cryp
ii  openssl-blacklist  0.4.2                 list of blacklisted OpenSSL RSA keys
ii  openssl-doc        0.9.8g-10.1ubuntu2.1  Secure Socket Layer (SSL) documentation
ii  python-openssl     0.7-2                 Python wrapper around the OpenSSL library
ii  python-pyopenssl   0.7-2                 transitional dummy package
ii  wpasupplicant      0.6.4-2               Client support for WPA and WPA2 (IEEE 802.11i)
apt-cache policy openssl wpasupplicant
shows the following is installed:
openssl:
  Installed: 0.9.8g-10.1ubuntu2.1
  Candidate: 0.9.8g-10.1ubuntu2.1
  Version table:
 *** 0.9.8g-10.1ubuntu2.1 0
        500 http://us.archive.ubuntu.com intrepid-updates/main Packages
        500 http://us.archive.ubuntu.com intrepid-security/main Packages
        100 /var/lib/dpkg/status
     0.9.8g-10.1ubuntu2 0
        500 http://us.archive.ubuntu.com intrepid/main Packages
wpasupplicant:
  Installed: 0.6.4-2
  Candidate: 0.6.4-2
  Version table:
 *** 0.6.4-2 0
        500 http://us.archive.ubuntu.com intrepid/main Packages
        100 /var/lib/dpkg/status
Either of these commands will tell you if you have openssl and wpasupplicant installed, or just open your gui package manager (like Synaptic) and search for them.
If you are using an older version of Network Manager and want to use a script to hook into wpa_supplicant.conf, see Cavalier Helper for details. However, new versions of Network Manager require no wpa_supplicant.conf hacking; with the above instructions, it just works.
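For anyone connecting with wpa_supplicant directly instead of Network Manager, the dialog settings listed earlier map onto a wpa_supplicant.conf network block. The shell function below is an added example, not part of the original guide or of Cavalier Helper: it writes that block only when the .p12 file is private to its owner and a CA certificate is present, since without ca_cert wpa_supplicant does not verify the server it is talking to. The function names, the key_mgmt=WPA-EAP mapping for "WPA & WPA2 Enterprise", and the placeholder files in the demo are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): emit a wpa_supplicant.conf
# network block matching the dialog settings, but only if the key file is
# private and a CA certificate is present to validate the server.

# private_file FILE: succeed if FILE grants nothing to group or others.
private_file() {
    # Characters 5-10 of the ls mode string are the group/other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# cavalier_block IDENTITY CA_CERT P12: print the network block on stdout.
# Function name and argument order are hypothetical, chosen for this example.
cavalier_block() {
    id=$1 ca=$2 p12=$3
    if [ ! -s "$ca" ]; then
        echo "no CA certificate at $ca: server would not be verified" >&2
        return 1
    fi
    if [ ! -f "$p12" ] || ! private_file "$p12"; then
        echo "$p12 missing or readable by group/others (chmod 600)" >&2
        return 1
    fi
    # With a PKCS#12 file, private_key carries both the key and the client
    # certificate, so no client_cert line is written. The key password is
    # deliberately not stored in the generated block.
    cat <<EOF
network={
    ssid="cavalier"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="$id"
    ca_cert="$ca"
    private_key="$p12"
}
EOF
}

# Demo on constructed placeholder files (not real certificates).
demo_dir=$(mktemp -d)
echo placeholder > "$demo_dir/usher.cer"
echo placeholder > "$demo_dir/mst3k-cert.p12"
chmod 644 "$demo_dir/mst3k-cert.p12"
cavalier_block mst3k@Virginia.EDU "$demo_dir/usher.cer" "$demo_dir/mst3k-cert.p12" \
    || echo "refused while key file was mode 644"
chmod 600 "$demo_dir/mst3k-cert.p12"
cavalier_block mst3k@Virginia.EDU "$demo_dir/usher.cer" "$demo_dir/mst3k-cert.p12"
rm -rf "$demo_dir"
```

Redirect the function's output into a file that is itself mode 600 before pointing wpa_supplicant at it.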