Wireless: Difference between revisions

From CSCWiki
Jump to navigation Jump to search
(→‎netctl: update ArchLinux path; also add domain_suffix_match for extra security)
 
(37 intermediate revisions by 6 users not shown)
Line 1: Line 1:
'''csc-wireless no longer exists. Members are advised to use eduroam or uw-unsecured.'''
=== Motivation ===


The UW wireless network has a couple of major deficiencies:


== Rosetta Stone ==
# Weak signal in MC 3036, preventing some laptops from connecting
See IST's page http://ist.uwaterloo.ca/cs/wireless.html for Windows and other devices.
# Aggressive throttling of bandwidth, even to wired systems within the club office


The ca_cert line is only needed to verify the authenticity of the eduroam AP, and is otherwise not actually needed to connect to it. Keep in mind that removing it from your config means that you are technically vulnerable to someone creating a fake eduroam access point and using it to grab your Quest login, though honestly the chances of this ever happening on campus are extremely unlikely.
The second point is quite important: UW's wireless will begin to throttle high bandwidth connections after a minute or two, decreasing bandwidth slowly from 1MB/s or more down to 100KB/s or less. Members can expect to sit in the office for an hour or more if they want to download many packages off of the CSC mirror.


=== Linux ===
To work around this problem we have an access point in the Computer Science Club.
If you don't wish to have your password floating around in a text file in /etc, then (at least for the wpa_supplicant based network managers) you may take the output of
echo -n "hunter2" | iconv -t utf16le | openssl md4
and replace the password line with
password=hash:HASH_HERE


=== Configuration ===


==== netctl ====
* ESSID: csc-wireless
Toss this into /etc/netctl/, making sure you edit identity and password. Replace wlan0 with the correct interface. Your correct interface can probably be seen in the output of
* AP: 00:19:5B:7D:DB:FE
ip link
* Channel: 36 (5.18 GHz)
and probably is the one that starts with 'w'.
* Network: auth3net (129.96.192.0/23)


To connect, run sudo netctl start eduroam
Clients must authenticate to the Network Authentication Appliance (NAA) as with uw-wireless, in accordance with [http://ist.uwaterloo.ca/ns/Admin/wireless/ this IST policy], points #2 through #4.


Connection='wireless'
=== Technical Overview ===
Interface=wlan0
Security='wpa-configsection'
IP='dhcp'
WPAConfigSection=(
'identity="userid@uwaterloo.ca"'
'password="hunter2"'
'ssid="eduroam"'
'key_mgmt=WPA-EAP'
'eap=PEAP'
'ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"'
'domain_suffix_match="uwaterloo.ca"'
)


==== wicd ====
The AP connects to acesulfame-potassium through a secondary NIC. On acesulfame-potassium, the following decision is made:
Toss this into /etc/wicd/encryption/templates/ and edit /etc/wicd/encryption/templates/active to include a line with eduroam.


name = Eduroam UW
* IP packets destined for mathstudentorgsnet are brouted with SNAT to wireless-nat.csclub.uwaterloo.ca
author = Steven She
* All other ethernet frames are bridged to auth3net
version = 1
require username *Username password *Password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="$_ESSID"
scan_ssid="$_SCAN"
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
group=CCMP
eap=PEAP
identity="$_USERNAME"
password="$_PASSWORD"
ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
phase2="auth=MSCHAPV2"
}


==== wpa_supplicant ====
The network is identical to connection through uw-wireless in all respects, except for the special treatment of mathstudentorgs traffic. This special treatment bypasses uw-wireless throttling for machines on our network.
add this to a file in /etc/wpa_supplicant/.


network={
=== Wireless Performance ===
ssid="eduroam"
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
group=CCMP
eap=PEAP
identity="userid@uwaterloo.ca"
password="hunter2"
ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
phase2="auth=MSCHAPV2"
}


Tests were done on a 700MB Ubuntu ISO at an off peak time.


The previous setup has been [http://wiki.csclub.uwaterloo.ca/Wireless?oldid=2297 archived] for posterity.
* uw-wireless
** Initial speed: 1.3MB/s
** Final speed: 40KB/s
** Time: aborted after 27 minutes (got bored) with 67% remaining, ETA increased steadily throughout


[[Category:Systems]]
mike@freyr:/tmp$ time wget http://mirror.csclub.uwaterloo.ca/ubuntu-releases/7.10/ubuntu-7.10-desktop-i386.iso
--23:54:09-- http://mirror.csclub.uwaterloo.ca/ubuntu-releases/7.10/ubuntu-7.10-desktop-i386.iso
Resolving mirror.csclub.uwaterloo.ca... 129.97.134.71
Connecting to mirror.csclub.uwaterloo.ca|129.97.134.71|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://citric-acid.csclub.uwaterloo.ca/iso/ubuntu-gutsy/ubuntu-7.10-desktop-i386.iso [following]
--23:54:09-- http://citric-acid.csclub.uwaterloo.ca/iso/ubuntu-gutsy/ubuntu-7.10-desktop-i386.iso
Resolving citric-acid.csclub.uwaterloo.ca... 129.97.134.37
Connecting to citric-acid.csclub.uwaterloo.ca|129.97.134.37|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 729608192 (696M) [application/x-iso9660-image]
Saving to: `ubuntu-7.10-desktop-i386.iso'
11% [===> ] 86,583,824 377K/s eta 13m 34ss
33% [========================> ] 241,791,104 39.5K/s eta 55m 48s
real 27m40.165s
user 0m1.008s
sys 0m4.252s

* csc-wireless
** Initial speed: 1.83MB/s
** Final speed: 1.93MB/s
** Time: aborted after 6 minutes (ran out of disk) with 10% remaining, steady progress
--00:27:07-- http://mirror.csclub.uwaterloo.ca/ubuntu-releases/7.10/ubuntu-7.10-desktop-i386.iso
Resolving mirror.csclub.uwaterloo.ca... 129.97.134.71
Connecting to mirror.csclub.uwaterloo.ca|129.97.134.71|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://citric-acid.csclub.uwaterloo.ca/iso/ubuntu-gutsy/ubuntu-7.10-desktop-i386.iso [following]
--00:27:07-- http://citric-acid.csclub.uwaterloo.ca/iso/ubuntu-gutsy/ubuntu-7.10-desktop-i386.iso
Resolving citric-acid.csclub.uwaterloo.ca... 129.97.134.37
Connecting to citric-acid.csclub.uwaterloo.ca|129.97.134.37|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 729608192 (696M) [application/x-iso9660-image]
Saving to: `ubuntu-7.10-desktop-i386.iso'
1% [> ] 14,380,544 1.83M/s eta 6m 29s
33% [========================> ] 243,488,896 1.92M/s eta 4m 46s
65% [=================================================> ] 475,945,024 1.90M/s eta 2m 21s
91% [=====================================================================> ] 670,317,304 1.93M/s in 6m 5s
Cannot write to `ubuntu-7.10-desktop-i386.iso' (No space left on device).
real 6m4.935s
user 0m2.124s
sys 0m11.161s

While these are quite unscientific, they do demonstrate the huge performance advantage of csc-wireless. I will repeat them without aborting, when I have time.

=== Detailed Configuration ===

==== Required Packages ====

To install required packages, type:

sudo aptitude install madwifi-source madwifi-tools wireless-tools vlan bridge-utils ebtables iptables

Then build the modules for the installed kernel via:

sudo m-a a-i madwifi

==== Wireless Interface Configuration ====

Insert the following snippet into /etc/network/interfaces, replacing BRIDGE by a free bridge name and IFACE by the interface that has auth3net packets (examples would be br0 and eth0.192):

auto ath0
iface ath0 inet manual
pre-up wlanconfig ath0 destroy || true
pre-up wlanconfig ath0 create wlandev wifi0 wlanmode ap
post-down wlanconfig ath0 destroy
wireless-mode master
wireless-channel 36
wireless-essid csc-wireless
auto BRIDGE
iface BRIDGE inet manual
bridge_ports IFACE ath0
bridge_stp yes
up brctl setbridgeprio BRIDGE 40000
up ip route add 129.97.192.0/23 dev BRIDGE

You will also need to enable routing, by adding this to sysctl.conf:

net.ipv4.ip_forward=1

Finally, add 129.97.134.85 as a secondary address on the 134 interface.

=== External Links ===

* [http://www.gentoo-wiki.com/HARDWARE_ar5212 Gentoo Guide]

Latest revision as of 20:58, 19 June 2018

csc-wireless no longer exists. Members are advised to use eduroam or uw-unsecured.


Rosetta Stone

See IST's page http://ist.uwaterloo.ca/cs/wireless.html for Windows and other devices.

The ca_cert line is only needed to verify the authenticity of the eduroam AP, and is otherwise not actually needed to connect to it. Keep in mind that removing it from your config means that you are technically vulnerable to someone creating a fake eduroam access point and using it to grab your Quest login, though honestly the chances of this ever happening on campus are extremely unlikely.

Linux

If you don't wish to have your password floating around in a text file in /etc, then (at least for the wpa_supplicant based network managers) you may take the output of

echo -n "hunter2" | iconv -t utf16le | openssl md4

and replace the password line with

password=hash:HASH_HERE


netctl

Toss this into /etc/netctl/, making sure you edit identity and password. Replace wlan0 with the correct interface. Your correct interface can probably be seen in the output of

ip link

and probably is the one that starts with 'w'.

To connect, run sudo netctl start eduroam

Connection='wireless'
Interface=wlan0
Security='wpa-configsection'
IP='dhcp'
WPAConfigSection=(
    'identity="userid@uwaterloo.ca"'
    'password="hunter2"'
    'ssid="eduroam"'
    'key_mgmt=WPA-EAP'
    'eap=PEAP'
    'ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"'
    'domain_suffix_match="uwaterloo.ca"'
)

wicd

Toss this into /etc/wicd/encryption/templates/ and edit /etc/wicd/encryption/templates/active to include a line with eduroam.

name = Eduroam UW
author = Steven She
version = 1
require username *Username password *Password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="$_ESSID"
    scan_ssid="$_SCAN"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    identity="$_USERNAME"
    password="$_PASSWORD"
    ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
    phase2="auth=MSCHAPV2"
}

wpa_supplicant

add this to a file in /etc/wpa_supplicant/.

network={
    ssid="eduroam"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=PEAP                                      
    identity="userid@uwaterloo.ca"
    password="hunter2"
    ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
    phase2="auth=MSCHAPV2"
}


The previous setup has been archived for posterity.