Wireless: Difference between revisions

From CSCWiki
Jump to navigation Jump to search
(→‎netctl: update ArchLinux path; also add domain_suffix_match for extra security)
 
(16 intermediate revisions by 6 users not shown)
Line 1: Line 1:
'''csc-wireless no longer exists. Members are advised to use eduroam or uw-unsecured.'''
=== Motivation ===


The UW wireless network has a couple of major deficiencies:


== Rosetta Stone ==
# Weak signal in MC 3036, preventing some laptops from connecting
See IST's page http://ist.uwaterloo.ca/cs/wireless.html for Windows and other devices.
# Aggressive throttling of bandwidth, even to wired systems within the club office
# Ignorance of the "Don't Count" list


The ca_cert line is only needed to verify the authenticity of the eduroam AP, and is otherwise not actually needed to connect to it. Keep in mind that removing it from your config means that you are technically vulnerable to someone creating a fake eduroam access point and using it to grab your Quest login, though honestly the chances of this ever happening on campus are extremely unlikely.
The second point is quite important: UW's wireless will begin to throttle high bandwidth connections after a minute or two, decreasing bandwidth slowly from 1MB/s or more down to 40KB/s or less. Members can expect to sit in the office for an hour or more if they want to download many packages off of the CSC mirror.


=== Linux ===
To work around this problem we have an access point in the Computer Science Club.
If you don't wish to have your password floating around in a text file in /etc, then (at least for the wpa_supplicant based network managers) you may take the output of
echo -n "hunter2" | iconv -t utf16le | openssl md4
and replace the password line with
password=hash:HASH_HERE


=== Configuration ===


==== netctl ====
* ESSID: csc-wireless
Toss this into /etc/netctl/, making sure you edit identity and password. Replace wlan0 with the correct interface. Your correct interface can probably be seen in the output of
* AP: 00:11:95:ff:da:ec
ip link
* Channel: 36 (5.18 GHz)
and probably is the one that starts with 'w'.
* Network: auth3net (129.96.192.0/23)


To connect, run sudo netctl start eduroam
Clients must authenticate to the Network Authentication Appliance (NAA) as with uw-wireless, in accordance with [http://ist.uwaterloo.ca/ns/Admin/wireless/ this IST policy], points #2 through #4.


Connection='wireless'
=== Technical Overview ===
Interface=wlan0
Security='wpa-configsection'
IP='dhcp'
WPAConfigSection=(
'identity="userid@uwaterloo.ca"'
'password="hunter2"'
'ssid="eduroam"'
'key_mgmt=WPA-EAP'
'eap=PEAP'
'ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"'
'domain_suffix_match="uwaterloo.ca"'
)


==== wicd ====
The AP connects to acesulfame-potassium through a secondary NIC. On acesulfame-potassium, the following decision is made:
Toss this into /etc/wicd/encryption/templates/ and edit /etc/wicd/encryption/templates/active to include a line with eduroam.


name = Eduroam UW
* IP packets destined for mathstudentorgsnet are brouted with SNAT to wireless-nat.csclub.uwaterloo.ca
author = Steven She
* All other ethernet frames are bridged to auth3net
version = 1
require username *Username password *Password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="$_ESSID"
scan_ssid="$_SCAN"
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
group=CCMP
eap=PEAP
identity="$_USERNAME"
password="$_PASSWORD"
ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
phase2="auth=MSCHAPV2"
}


==== wpa_supplicant ====
The network is identical to connection through uw-wireless in all respects, except for the special treatment of mathstudentorgs traffic. This special treatment bypasses uw-wireless throttling for machines on our network.
add this to a file in /etc/wpa_supplicant/.


network={
=== Wireless Performance ===
ssid="eduroam"
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
group=CCMP
eap=PEAP
identity="userid@uwaterloo.ca"
password="hunter2"
ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
phase2="auth=MSCHAPV2"
}


* uw-wireless
** 400MB Ubuntu CD image
** Initial speed: 2.13MB/s
** Final speed: 19.9KB/s
** Time: finished in 1h 41m, ETA increased for first half.


The previous setup has been [http://wiki.csclub.uwaterloo.ca/Wireless?oldid=2297 archived] for posterity.
mike@freyr:/tmp/test$ wget http://mirror.cs.uwaterloo.ca/ubuntu-releases/dapper/ubuntu-6.06.2-server-sparc.iso
--2008-04-22 15:56:53-- http://mirror.cs.uwaterloo.ca/ubuntu-releases/dapper/ubuntu-6.06.2-server-sparc.iso
Resolving mirror.cs.uwaterloo.ca... 129.97.152.77
Connecting to mirror.cs.uwaterloo.ca|129.97.152.77|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 412856320 (394M) [text/plain]
Saving to: `ubuntu-6.06.2-server-sparc.iso'


[[Category:Systems]]
0% [ ] 942,080 2.13M/s
1% [ ] 5,607,872 2.19M/s
4% [> ] 19,587,072 1.97M/s eta 3m 3s
8% [==> ] 33,109,664 2.24M/s eta 2m 51s
12% [===> ] 50,850,640 2.19M/s eta 2m 42s
16% [=====> ] 69,363,112 2.22M/s eta 2m 32s
23% [========> ] 98,991,832 2.25M/s eta 2m 18s
36% [=============> ] 148,809,128 2.25M/s eta 1m 56s
38% [==============> ] 157,883,088 140K/s eta 2m 2s
38% [==============> ] 160,275,112 140K/s eta 2m 26s
41% [===============> ] 170,110,968 117K/s eta 3m 58s
42% [===============> ] 175,448,880 101K/s eta 4m 50s
43% [================> ] 180,703,184 99.7K/s eta 5m 44s
43% [================> ] 181,581,296 88.5K/s eta 5m 52s
44% [================> ] 184,742,376 77.8K/s eta 6m 26s
48% [==================> ] 200,324,016 57.6K/s eta 9m 34s
50% [===================> ] 208,982,344 46.3K/s eta 11m 27s
50% [===================> ] 209,633,064 46.2K/s eta 11m 37s
52% [====================> ] 216,817,944 25.9K/s eta 13m 39s
53% [====================> ] 218,983,984 58.8K/s eta 14m 6s
54% [====================> ] 224,401,792 28.9K/s eta 15m 20s
55% [=====================> ] 227,171,400 27.4K/s eta 15m 56s
56% [=====================> ] 232,991,392 28.8K/s eta 17m 2s
56% [=====================> ] 233,810,808 36.9K/s eta 17m 10s
57% [=====================> ] 236,375,144 37.0K/s eta 17m 35s
58% [======================> ] 241,916,248 54.0K/s eta 18m 22s
60% [=======================> ] 247,920,448 37.2K/s eta 19m 2s
64% [========================> ] 265,272,456 37.3K/s eta 20m 8s
65% [=========================> ] 269,241,248 37.3K/s eta 20m 14s
67% [=========================> ] 278,040,112 37.4K/s eta 20m 15s
68% [==========================> ] 281,901,936 37.4K/s eta 20m 11s
69% [==========================> ] 287,954,592 29.1K/s eta 19m 59s
72% [============================> ] 300,107,216 25.1K/s eta 19m 19s
73% [============================> ] 302,555,672 36.6K/s eta 19m 8s
77% [=============================> ] 319,476,656 54.3K/s eta 17m 30s
77% [==============================> ] 320,267,688 37.8K/s eta 17m 24s
78% [==============================> ] 322,482,128 36.8K/s eta 17m 9s
78% [==============================> ] 323,057,312 23.9K/s eta 17m 5s
80% [===============================> ] 332,393,496 37.0K/s eta 15m 52s
81% [===============================> ] 338,212,672 37.1K/s eta 15m 2s
82% [================================> ] 341,035,936 36.7K/s eta 14m 36s
84% [================================> ] 346,986,264 31.9K/s eta 13m 40s
89% [==================================> ] 368,645,832 38.0K/s eta 9m 47s
91% [===================================> ] 378,088,272 42.9K/s eta 7m 53s
96% [=====================================> ] 398,174,800 37.5K/s eta 3m 29s
99% [======================================> ] 411,232,768 37.5K/s eta 24s
100%[=======================================>] 412,856,320 19.9K/s in 1h 41m
2008-04-22 17:37:55 (66.5 KB/s) - `ubuntu-6.06.2-server-sparc.iso' saved [412856320/412856320]

* csc-wireless
** 700MB Ubuntu CD image
** Initial speed: 2.12MB/s
** Final speed: 2.43MB/s
** Time: finished in 3m 31s
mike@freyr:/tmp/test$ wget http://mirror.csclub.uwaterloo.ca/ubuntu-releases/hardy/ubuntu-8.04-beta-server-i386.iso
--2008-04-17 05:34:44-- http://mirror.csclub.uwaterloo.ca/ubuntu-releases/hardy/ubuntu-8.04-beta-server-i386.iso
Resolving mirror.csclub.uwaterloo.ca... 129.97.134.71
Connecting to mirror.csclub.uwaterloo.ca|129.97.134.71|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://taurine.csclub.uwaterloo.ca/iso/ubuntu-8.04-beta-server-i386.iso [following]
--2008-04-17 05:34:44-- http://taurine.csclub.uwaterloo.ca/iso/ubuntu-8.04-beta-server-i386.iso
Resolving taurine.csclub.uwaterloo.ca... 129.97.134.34
Connecting to taurine.csclub.uwaterloo.ca|129.97.134.34|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 526323712 (502M) [application/x-iso9660-image]
Saving to: `ubuntu-8.04-beta-server-i386.iso'
2% [ ] 10,988,599 2.12M/s eta 4m 36s
4% [> ] 21,247,679 2.43M/s eta 3m 58s
6% [=> ] 31,897,719 2.41M/s eta 3m 41s
16% [=====> ] 85,867,575 2.40M/s eta 3m 2s
27% [=========> ] 143,900,519 2.36M/s eta 2m 38s
38% [==============> ] 203,245,351 2.36M/s eta 2m 11s
43% [================> ] 228,489,783 2.43M/s eta 2m 2s
51% [===================> ] 269,462,391 2.41M/s eta 1m 45s
58% [======================> ] 309,395,335 2.48M/s eta 88s
67% [=========================> ] 354,638,095 2.41M/s eta 70s
78% [==============================> ] 410,898,984 2.41M/s eta 47s
84% [================================> ] 444,207,328 2.42M/s eta 33s
94% [====================================> ] 498,937,384 2.39M/s eta 12s
97% [======================================> ] 514,212,336 2.39M/s eta 5s
99% [======================================> ] 524,255,664 2.43M/s eta 1s
100%[=======================================>] 526,323,712 2.43M/s in 3m 31s
2008-04-17 05:38:15 (2.38 MB/s) - `ubuntu-8.04-beta-server-i386.iso' saved [526323712/526323712]

These tests are sloppily done, to be sure, but still demonstrate the huge performance advantage of csc-wireless. I will repeat them without aborting, when I have time.

=== Detailed Configuration ===

==== Required Packages ====

To install required packages, type:

sudo aptitude install madwifi-source madwifi-tools wireless-tools vlan bridge-utils ebtables iptables iproute

Then build the modules for the installed kernel via:

sudo m-a a-i madwifi

==== Wireless Interface Configuration ====

First, load the Atheros and 802.11q modules:

modprobe ath_pci 8021q

These need to be loaded early in the boot, so add them to /etc/modules:

ath_pci
8021q

Next, configure the wireless interface. Use the following snippet:

auto ath0
iface ath0 inet manual
pre-up wlanconfig ath0 destroy || true
pre-up wlanconfig ath0 create wlandev wifi0 wlanmode ap
post-down wlanconfig ath0 destroy
wireless-mode master
wireless-channel 36
wireless-essid csc-wireless

Finally, make a bridge between the wireless and auth3net. Use the following snippet, replacing IFACE by the interface connected to auth3net
auto br192
iface br192 inet manual
bridge_ports IFACE ath0
bridge_stp yes
up brctl setbridgeprio br192 40000
up ip route add 129.97.192.0/23 dev br192

==== Brouting Configuration ====

Additional setup is needed to enable fast communication between mathstudentorgsnet and auth3net. We take the minimally invasive approach of pulling packets destined for mathstudentorgsnet off the bridge and routing them, masquerading as wireless-nat.csclub.uwaterloo.ca. Masquerading is needed to ensure responses are routed correctly.

First, add 129.97.134.85 as a secondary IP address. You might do so by adding this snippet, replacing IFACE by the interface connected to mathstudentorgsnet:

auto IFACE:nat
iface IFACE:nat inet static
address 129.97.134.85
netmask 255.255.255.0
network 129.97.134.0

Second, enable routing, by typing the following:

echo 1 >> /proc/sys/net/ipv4/ip_forward

To make this permanent, add the following snippet to sysctl.conf:

net.ipv4.ip_forward=1

Third, configure ebtables to pull packets off the bridge. Type:

ebtables -t broute --flush
ebtables -t broute -A BROUTING -i ath0 \
-p ipv4 --ip-src 129.97.192.0/23 --ip-dst 129.97.134.0/24 \
-j redirect --redirect-target DROP
invoke-rc.d ebtables save

Finally, configure iptables to masquerade wireless users as wireless-nat.csclub. Type the following, replacing IFACE by the interface connected to mathstudentorgsnet:

iptables -t nat --flush
iptables -t nat -A POSTROUTING -o IFACE \
-s 129.97.192.0/23 -d 129.97.134.0/24 \
-j SNAT --to-source 129.97.134.85
invoke-rc.d iptables save

Ensure the appropriate routing table entry for auth3net exists--masquerading will not work without it. It is included in the bridge configuration snippet above.

=== External Links ===

* [http://www.gentoo-wiki.com/HARDWARE_ar5212 Gentoo Guide]

Latest revision as of 20:58, 19 June 2018

csc-wireless no longer exists. Members are advised to use eduroam or uw-unsecured.


Rosetta Stone

See IST's page http://ist.uwaterloo.ca/cs/wireless.html for Windows and other devices.

The ca_cert line is only needed to verify the authenticity of the eduroam AP, and is otherwise not actually needed to connect to it. Keep in mind that removing it from your config means that you are technically vulnerable to someone creating a fake eduroam access point and using it to grab your Quest login, though honestly the chances of this ever happening on campus are extremely unlikely.

Linux

If you don't wish to have your password floating around in a text file in /etc, then (at least for the wpa_supplicant based network managers) you may take the output of 

echo -n "hunter2" | iconv -t utf16le | openssl md4

and replace the password line with 

password=hash:HASH_HERE


netctl

Toss this into /etc/netctl/, making sure you edit identity and password. Replace wlan0 with the correct interface. Your correct interface can probably be seen in the output of 

ip link

and probably is the one that starts with 'w'.

To connect, run sudo netctl start eduroam 

Connection='wireless'
Interface=wlan0
Security='wpa-configsection'
IP='dhcp'
WPAConfigSection=(
    'identity="userid@uwaterloo.ca"'
    'password="hunter2"'
    'ssid="eduroam"'
    'key_mgmt=WPA-EAP'
    'eap=PEAP'
    'ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"'
    'domain_suffix_match="uwaterloo.ca"'
)

wicd

Toss this into /etc/wicd/encryption/templates/ and edit /etc/wicd/encryption/templates/active to include a line with eduroam. 

name = Eduroam UW
author = Steven She
version = 1
require username *Username password *Password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="$_ESSID"
    scan_ssid="$_SCAN"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    identity="$_USERNAME"
    password="$_PASSWORD"
    ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
    phase2="auth=MSCHAPV2"
}

wpa_supplicant

add this to a file in /etc/wpa_supplicant/. 

network={
    ssid="eduroam"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=PEAP                                      
    identity="userid@uwaterloo.ca"
    password="hunter2"
    ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
    phase2="auth=MSCHAPV2"
}


The previous setup has been archived for posterity.

Retrieved from "https://wiki.csclub.uwaterloo.ca/index.php?title=Wireless&oldid=4221"