Cavalier Wireless with Network Manager

From UVA Linux Users Group

Intro

If you have a supported wireless card (check here), you can connect to UVA's secure Cavalier network through the Network Manager gui. The following tutorial will walk you through the procedure. There is a little command line prep work to be done with certificates, so wear your terminal pants. But the commands aren't monstrous, and this tutorial should make it easier to deal with.


This guide uses the Gnome Network Manager from the Launchpad.net Network-manager team. The guide should work for any Debian-based distro, any recent version of Network Manager (even on KDE), or really any updated version of Linux -- just some commands may differ.


If this doesn't work for you, you can check out this guide that shows how to use WICD in place of Network Manager. However, the author of this Network Manager page had little luck with WICD; it failed to connect, and installing WICD means removing Network Manager, which leaves you completely without any network connection. You can also use wahoo, but be aware that it's a hidden network and not secured.


(See the addendum for notes on the big Network Manager changes.)


Prerequisites

  • wpasupplicant
  • UVA Personal Digital Certificate
  • UVA stand-alone USHER CA v1 certificate
  • A card that supports WPA


Most distributions come with wpasupplicant installed. You can double-check in whatever package manager you use, or use the command line (see below).


Certificates

Now the certificates have to be sorted. Changes from previous versions: It is no longer necessary to use openssl to extract cert.cer and cacert.cer files. All that is necessary is your personal digital certificate and the UVA stand-alone certificate.


First: Personal Digital Certificate

  • If you don't already have a personal digital certificate (a certificate ending in .p12), go to the UVA Personal Digital Certificate page. Choose the OSX option to get your certificate, and you'll be able to download the certificate to your machine and save it wherever you like. Although you can use the Firefox/Netbadge option, the OSX option seems to be the better way to go (see below about browsers and certificates).


  • We'll call the file mst3k-cert.p12, but when you download it, the file will have your ID -- (your ID)-cert.p12. Once downloaded, pocket the certificate away someplace safe, like .some_hidden_directory.


Second: USHER certificate


  • Identify yourself via Netbadge, and then you'll be able to download usher.cer. Save that to the same .some_hidden_directory.


Network Manager

When Network Manager sees cavalier, you'll see a little shield next to it, like this:

[Image: Network Manager showing secure cavalier network]

Note: If you see any cavalier networks with WEP certification, ignore them.


When you click on cavalier, you'll get a dialog that looks like the one on the below-left. You'll need to enter the information as shown in the dialog on the below-right. Choose Security: WPA & WPA2 Enterprise and Authentication: TLS. You'll also use the usher.cer file for the CA certificate and your personal digital certificate for the Private key. Both should still be safely tucked away in .some_hidden_directory.


Also, be sure to use the case-sensitive login mst3k@Virginia.EDU as opposed to mst3k@virginia.edu.

  • Security: WPA & WPA2 Enterprise
  • Authentication: TLS
  • Identity: mst3k@Virginia.EDU
  • User certificate: (None)
  • CA Certificate: usher.cer
  • Private key: mst3k-cert.p12
  • Private key password: (enter your computing password)


[Images: Network Manager login dialog (left); Network Manager login dialog with correct info (right)]


If your card is supported, this should authenticate your access onto the cavalier network.
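For readers who connect without the GUI, the dialog settings above map onto a wpa_supplicant network block. The script below is an added example, not part of the original page: the function names, the output file and the mst3k file names are assumptions, and it refuses to write anything until the certificate directory and the .p12 file are readable by their owner only.

```shell
#!/bin/sh
# Added example, not from the original page. Paths and mst3k are placeholders.

# True only if PATH grants nothing to group or other (GNU stat).
is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# write_cavalier_block CERT_DIR ID OUT_FILE   (key password is read from stdin)
# The body is a subshell, so variables and umask do not leak to the caller.
write_cavalier_block() (
    dir=$1 id=$2 out=$3
    ca="$dir/usher.cer" p12="$dir/$id-cert.p12"

    if [ ! -r "$ca" ] || [ ! -r "$p12" ]; then
        echo "missing $ca or $p12" >&2; exit 2
    fi
    # A hidden directory name is not access control; the mode bits are.
    if ! is_private "$dir" || ! is_private "$p12"; then
        echo "fix first: chmod 700 '$dir' && chmod 600 '$p12'" >&2; exit 3
    fi

    IFS= read -r pass || true
    # The block holds the key password in clear text: make the file
    # owner-only before the secret is written into it.
    umask 077
    : > "$out" && chmod 600 "$out" || exit 4
    cat >> "$out" <<EOF
network={
    ssid="cavalier"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="$id@Virginia.EDU"
    # Without ca_cert the authentication server's certificate is not verified.
    ca_cert="$ca"
    # A PKCS#12 file carries key and certificate, so client_cert stays unset.
    private_key="$p12"
    private_key_passwd="$pass"
}
EOF
)
```

Call it as write_cavalier_block CERT_DIR mst3k OUT_FILE and supply the key password on standard input, so it never appears in the process list or shell history.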


Browsers and Certificates

Firefox

There are links on the UVA Personal Digital Certificate page to import the certificate directly into Firefox. Once a certificate is in Firefox, you can export it and use it for all the above processes. However, Firefox on Linux likes to spit authentication errors during this process, although everything works. Afterwards, if you view the certificate in Firefox, you'll see a warning that it isn't authenticated. For now, it's easier to just download the file via the OSX link.


But if you downloaded the certificate directly to your desktop, you can import that certificate into Firefox via Edit > Preferences > Advanced > Encryption > View Certificates > Import. It's a nice way to authenticate for mail, collab, and other NetBadgey sites. If done this way, it also won't give you any authentication errors or warnings.


Chromium

Chromium is the open-source version of the Google Chrome browser, and manages personal digital certificates much differently.


If you're using Chromium, see the Chromium page on Linux Certification Management. Be sure to wear your command line pants.


If you're using Chrome on Linux, it may just automatically import a certificate from Firefox. Otherwise, follow the instructions on this page to get to Options >> Under the Hood, and then use the "Manage certificates" feature.


Addendum

Network Manager Changes

This tutorial has been updated to reflect Network Manager 0.8~rc2, which once again recognizes .p12 keys. That version is not available with current Debian-based installations like Ubuntu 9.10, which ships with 0.8~a (as of April, 2010). The Network-manager team at Launchpad.net offers the latest version of Network Manager through their official ppa. As of April, 2010, that ppa includes version 0.8~rc2.

In previous versions of Network Manager, the .p12 key was used in the gui for the Private Key File, and openssl was used to extract a cert.cer and cacert.cer from the .p12 key. Since then, UVA has moved to using the stand-alone usher.cer certificate, which also means Linux users needed to change how they connect. This guide is updated to reflect those changes.


Historical Notes

Since it is no longer necessary to extract the cert.cer and cacert.cer certificates, the following is only here for historical and reference purposes. If someone is using some method other than Network Manager to connect, they may find these notes useful.

Preparing the Files

Now we get into some command-fu, using openssl to extract the files Network Manager needs to connect to Cavalier.

Open a terminal/command line, cd to .some_hidden_directory, and run the following commands:

openssl pkcs12 -cacerts -in mst3k-cert.p12 -out mst3k-cacert.cer

You will then be asked to verify yourself against your certificate. Since you needed to use your computing ID password to get the certificate, that's what it's looking for.

Enter Import Password: (enter your password)
MAC verified OK
Enter PEM pass phrase: (enter your password)
Verifying - Enter PEM pass phrase: (enter your password)

Next command:

openssl pkcs12 -clcerts -in mst3k-cert.p12 -out mst3k-cert.cer

Like before, you'll be asked to prove that you are really who you think you are.

Enter Import Password: (enter your password)
Enter PEM pass phrase: (enter your password)
Verifying - Enter PEM pass phrase: (enter your password)


If all went well, openssl should have extracted the mst3k-cacert.cer and mst3k-cert.cer files into that same .some_hidden_directory. You now have all the files necessary to handle the encryption in Network Manager.

  • Note: These are now .cer files, and not .pem like previously used. Network Manager will accept *.der, *.pem, *.crt and *.cer files, and the USHER CA v1 certificate is already in .cer format. You could use openssl to extract as .pem files and then rename usher.cer to usher.pem, but those are extra, unnecessary steps.


Command-Fu

If you use a debian-based distro, try these commands in the terminal to find out if you have openssl and wpasupplicant installed:

dpkg -l | grep -E 'openssl|wpasupplicant'

shows the following is installed:

ii  openssl                     0.9.8g-10.1ubuntu2.1          Secure Socket Layer (SSL) binary and related cryp
ii  openssl-blacklist           0.4.2                         list of blacklisted OpenSSL RSA keys
ii  openssl-doc                 0.9.8g-10.1ubuntu2.1          Secure Socket Layer (SSL) documentation
ii  python-openssl              0.7-2                         Python wrapper around the OpenSSL library
ii  python-pyopenssl            0.7-2                         transitional dummy package
ii  wpasupplicant               0.6.4-2                       Client support for WPA and WPA2 (IEEE 802.11i)

Another option

apt-cache policy openssl wpasupplicant

shows the following is installed:

openssl:
  Installed: 0.9.8g-10.1ubuntu2.1
  Candidate: 0.9.8g-10.1ubuntu2.1
  Version table:
 *** 0.9.8g-10.1ubuntu2.1 0
        500 http://us.archive.ubuntu.com intrepid-updates/main Packages
        500 http://us.archive.ubuntu.com intrepid-security/main Packages
        100 /var/lib/dpkg/status
     0.9.8g-10.1ubuntu2 0
        500 http://us.archive.ubuntu.com intrepid/main Packages
wpasupplicant:
  Installed: 0.6.4-2
  Candidate: 0.6.4-2
  Version table:
 *** 0.6.4-2 0
        500 http://us.archive.ubuntu.com intrepid/main Packages
        100 /var/lib/dpkg/status

Either of these commands will tell you if you have openssl and wpasupplicant installed, or just open your gui package manager (like Synaptic) and search for them.


Older Script

If you are using an older version of Network Manager and want to use a script to hook into wpa_supplicant.conf, see Cavalier Helper for details. However, new versions of Network Manager require no wpa_supplicant.conf hacking; with the above instructions, it just works.
