Wireless: Difference between revisions
(→netctl: update ArchLinux path; also add domain_suffix_match for extra security)
(37 intermediate revisions by 6 users not shown)

Earlier revision (csc-wireless):

=== Motivation ===

The UW wireless network has a couple of major deficiencies:

# Weak signal in MC 3036, preventing some laptops from connecting
# Aggressive throttling of bandwidth, even to wired systems within the club office

The second point is quite important: UW's wireless will begin to throttle high bandwidth connections after a minute or two, decreasing bandwidth slowly from 1MB/s or more down to 100KB/s or less. Members can expect to sit in the office for an hour or more if they want to download many packages off of the CSC mirror.

To work around this problem we have an access point in the Computer Science Club.

=== Configuration ===

* ESSID: csc-wireless
* AP: 00:19:5B:7D:DB:FE
* Channel: 36 (5.18 GHz)
* Network: auth3net (129.96.192.0/23)

Clients must authenticate to the Network Authentication Appliance (NAA) as with uw-wireless, in accordance with [http://ist.uwaterloo.ca/ns/Admin/wireless/ this IST policy], points #2 through #4.

=== Technical Overview ===

The AP connects to acesulfame-potassium through a secondary NIC. On acesulfame-potassium, the following decision is made:

* IP packets destined for mathstudentorgsnet are brouted with SNAT to wireless-nat.csclub.uwaterloo.ca
* All other ethernet frames are bridged to auth3net

The network is identical to connection through uw-wireless in all respects, except for the special treatment of mathstudentorgs traffic. This special treatment bypasses uw-wireless throttling for machines on our network.

=== Wireless Performance ===

Tests were done on a 700MB Ubuntu ISO at an off peak time.

* uw-wireless
** Initial speed: 1.3MB/s
** Final speed: 40KB/s
** Time: aborted after 27 minutes (got bored) with 67% remaining, ETA increased steadily throughout

 mike@freyr:/tmp$ time wget http://mirror.csclub.uwaterloo.ca/ubuntu-releases/7.10/ubuntu-7.10-desktop-i386.iso
 --23:54:09-- http://mirror.csclub.uwaterloo.ca/ubuntu-releases/7.10/ubuntu-7.10-desktop-i386.iso
 Resolving mirror.csclub.uwaterloo.ca... 129.97.134.71
 Connecting to mirror.csclub.uwaterloo.ca|129.97.134.71|:80... connected.
 HTTP request sent, awaiting response... 302 Found
 Location: http://citric-acid.csclub.uwaterloo.ca/iso/ubuntu-gutsy/ubuntu-7.10-desktop-i386.iso [following]
 --23:54:09-- http://citric-acid.csclub.uwaterloo.ca/iso/ubuntu-gutsy/ubuntu-7.10-desktop-i386.iso
 Resolving citric-acid.csclub.uwaterloo.ca... 129.97.134.37
 Connecting to citric-acid.csclub.uwaterloo.ca|129.97.134.37|:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 729608192 (696M) [application/x-iso9660-image]
 Saving to: `ubuntu-7.10-desktop-i386.iso'
 11% [===> ] 86,583,824 377K/s eta 13m 34ss
 33% [========================> ] 241,791,104 39.5K/s eta 55m 48s
 real 27m40.165s
 user 0m1.008s
 sys 0m4.252s

* csc-wireless
** Initial speed: 1.83MB/s
** Final speed: 1.93MB/s
** Time: aborted after 6 minutes (ran out of disk) with 10% remaining, steady progress

 --00:27:07-- http://mirror.csclub.uwaterloo.ca/ubuntu-releases/7.10/ubuntu-7.10-desktop-i386.iso
 Resolving mirror.csclub.uwaterloo.ca... 129.97.134.71
 Connecting to mirror.csclub.uwaterloo.ca|129.97.134.71|:80... connected.
 HTTP request sent, awaiting response... 302 Found
 Location: http://citric-acid.csclub.uwaterloo.ca/iso/ubuntu-gutsy/ubuntu-7.10-desktop-i386.iso [following]
 --00:27:07-- http://citric-acid.csclub.uwaterloo.ca/iso/ubuntu-gutsy/ubuntu-7.10-desktop-i386.iso
 Resolving citric-acid.csclub.uwaterloo.ca... 129.97.134.37
 Connecting to citric-acid.csclub.uwaterloo.ca|129.97.134.37|:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 729608192 (696M) [application/x-iso9660-image]
 Saving to: `ubuntu-7.10-desktop-i386.iso'
 1% [> ] 14,380,544 1.83M/s eta 6m 29s
 33% [========================> ] 243,488,896 1.92M/s eta 4m 46s
 65% [=================================================> ] 475,945,024 1.90M/s eta 2m 21s
 91% [=====================================================================> ] 670,317,304 1.93M/s in 6m 5s
 Cannot write to `ubuntu-7.10-desktop-i386.iso' (No space left on device).
 real 6m4.935s
 user 0m2.124s
 sys 0m11.161s

While these are quite unscientific, they do demonstrate the huge performance advantage of csc-wireless. I will repeat them without aborting, when I have time.

=== Detailed Configuration ===

==== Required Packages ====

To install required packages, type:

 sudo aptitude install madwifi-source madwifi-tools wireless-tools vlan bridge-utils ebtables iptables

Then build the modules for the installed kernel via:

 sudo m-a a-i madwifi

==== Wireless Interface Configuration ====

Insert the following snippet into /etc/network/interfaces, replacing BRIDGE by a free bridge name and IFACE by the interface that has auth3net packets (examples would be br0 and eth0.192):

 auto ath0
 iface ath0 inet manual
     pre-up wlanconfig ath0 destroy || true
     pre-up wlanconfig ath0 create wlandev wifi0 wlanmode ap
     post-down wlanconfig ath0 destroy
     wireless-mode master
     wireless-channel 36
     wireless-essid csc-wireless

 auto BRIDGE
 iface BRIDGE inet manual
     bridge_ports IFACE ath0
     bridge_stp yes
     up brctl setbridgeprio BRIDGE 40000
     up ip route add 129.97.192.0/23 dev BRIDGE

You will also need to enable routing, by adding this to sysctl.conf:

 net.ipv4.ip_forward=1

Finally, add 129.97.134.85 as a secondary address on the 134 interface.

=== External Links ===

* [http://www.gentoo-wiki.com/HARDWARE_ar5212 Gentoo Guide]
Latest revision as of 20:58, 19 June 2018

'''csc-wireless no longer exists. Members are advised to use eduroam or uw-unsecured.'''

== Rosetta Stone ==

See IST's page http://ist.uwaterloo.ca/cs/wireless.html for Windows and other devices.

The ca_cert line is only needed to verify the authenticity of the eduroam AP, and is otherwise not actually needed to connect to it. Keep in mind that removing it from your config means that you are technically vulnerable to someone creating a fake eduroam access point and using it to grab your Quest login, though honestly the chances of this ever happening on campus are extremely unlikely.
=== Linux ===

If you don't wish to have your password floating around in a text file in /etc, then (at least for the wpa_supplicant based network managers) you may take the output of

 echo -n "hunter2" | iconv -t utf16le | openssl md4

and replace the password line with

 password=hash:HASH_HERE
==== netctl ====

Toss this into /etc/netctl/, making sure you edit identity and password. Replace wlan0 with the correct interface. Your correct interface can probably be seen in the output of

 ip link

and probably is the one that starts with 'w'.

To connect, run sudo netctl start eduroam

 Connection='wireless'
 Interface=wlan0
 Security='wpa-configsection'
 IP='dhcp'
 WPAConfigSection=(
     'identity="userid@uwaterloo.ca"'
     'password="hunter2"'
     'ssid="eduroam"'
     'key_mgmt=WPA-EAP'
     'eap=PEAP'
     'ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"'
     'domain_suffix_match="uwaterloo.ca"'
 )

==== wicd ====

Toss this into /etc/wicd/encryption/templates/ and edit /etc/wicd/encryption/templates/active to include a line with eduroam.

 name = Eduroam UW
 author = Steven She
 version = 1
 require username *Username password *Password
 -----
 ctrl_interface=/var/run/wpa_supplicant
 network={
     ssid="$_ESSID"
     scan_ssid="$_SCAN"
     proto=RSN
     key_mgmt=WPA-EAP
     pairwise=CCMP
     group=CCMP
     eap=PEAP
     identity="$_USERNAME"
     password="$_PASSWORD"
     ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
     phase2="auth=MSCHAPV2"
 }

==== wpa_supplicant ====

Add this to a file in /etc/wpa_supplicant/.

 network={
     ssid="eduroam"
     proto=RSN
     key_mgmt=WPA-EAP
     pairwise=CCMP
     group=CCMP
     eap=PEAP
     identity="userid@uwaterloo.ca"
     password="hunter2"
     ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
     phase2="auth=MSCHAPV2"
 }
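The Rosetta Stone section explains why ca_cert matters (a fake eduroam AP can otherwise capture the login), and the netctl block adds domain_suffix_match so that only a certificate for the university's server is accepted, not any certificate chaining to the GlobalSign root. As an added example (not part of the wiki), this small audit parses wpa_supplicant network={} blocks and flags the settings that leave a PEAP/TTLS profile open to that attack; the sample configuration and the hash value in it are constructed for the demonstration.

```python
import re

# Constructed sample: the wiki's eduroam block as-is, followed by a copy hardened with
# the ca_cert / domain_suffix_match / hash: settings the page describes. Not a real file.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="userid@uwaterloo.ca"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="userid@uwaterloo.ca"
    password=hash:0123456789abcdef0123456789abcdef
    ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
    domain_suffix_match="uwaterloo.ca"
    phase2="auth=MSCHAPV2"
}
"""

_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)
_KV = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)


def parse_networks(text):
    """One {key: value} dict per network={...} block, with surrounding quotes stripped."""
    return [dict(_KV.findall(body)) for body in _BLOCK.findall(text)]


def audit(net):
    """Findings for one block: settings that let a rogue AP complete the EAP tunnel."""
    findings = []
    if net.get("key_mgmt") == "WPA-EAP" and net.get("eap", "").upper() in ("PEAP", "TTLS"):
        if "ca_cert" not in net:
            findings.append("no ca_cert: server certificate is not verified, so a fake "
                            "eduroam AP can complete the tunnel and harvest the login")
        if not any(k in net for k in ("domain_suffix_match", "subject_match", "altsubject_match")):
            findings.append("no domain_suffix_match: any certificate chaining to the CA "
                            "is accepted, not just the university's RADIUS server")
    if net.get("password") and not net["password"].startswith("hash:"):
        findings.append("plaintext password (consider the password=hash: form)")
    return findings


def audit_file(text):
    return [(n.get("ssid", "?"), audit(n)) for n in parse_networks(text)]


if __name__ == "__main__":
    for ssid, problems in audit_file(SAMPLE_CONF):
        print(ssid, problems or "ok")
```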
The previous setup has been archived for posterity.