Difference between revisions of "Wireless"

From CSCWiki
m (802.1Q, not 802.11q)
(→netctl: update ArchLinux path; also add domain_suffix_match for extra security)
 
(11 intermediate revisions by 4 users not shown)
Older revision (the text that the latest revision below replaced):

'''csc-wireless no longer exists. Members are advised to use uw-wireless or uw-secure.'''

=== Motivation ===

The UW wireless network has a couple of major deficiencies:

# Weak signal in MC 3036, preventing some laptops from connecting
# Aggressive throttling of bandwidth, even to wired systems within the club office
# Ignorance of the "Don't Count" list

The second point is quite important: UW's wireless will begin to throttle high bandwidth connections after a minute or two, decreasing bandwidth slowly from 1MB/s or more down to 40KB/s or less. Members can expect to sit in the office for an hour or more if they want to download many packages off of the CSC mirror.

To work around this problem we have an access point in the Computer Science Club.

=== Configuration ===

* ESSID: csc-wireless
* AP: 00:11:95:ff:da:ec
* Channel: 36 (5.18 GHz)
* Network: auth3net (129.96.192.0/23)

Clients must authenticate to the Network Authentication Appliance (NAA) as with uw-wireless, in accordance with [http://ist.uwaterloo.ca/ns/Admin/wireless/ this IST policy], points #2 through #4.

=== Technical Overview ===

The AP connects to glucose-fructose through a secondary NIC. On glucose-fructose, the following decision is made:

* IP packets destined for mathstudentorgsnet are brouted with SNAT to wireless-nat.csclub.uwaterloo.ca
* All other ethernet frames are bridged to auth3net

The network is identical to connection through uw-wireless in all respects, except for the special treatment of mathstudentorgs traffic. This special treatment bypasses uw-wireless throttling for machines on our network.

=== Wireless Performance ===

* uw-wireless
** 400MB Ubuntu CD image
** Initial speed: 2.13MB/s
** Final speed: 19.9KB/s
** Time: finished in 1h 41m, ETA increased for first half.

mike@freyr:/tmp/test$ wget http://mirror.cs.uwaterloo.ca/ubuntu-releases/dapper/ubuntu-6.06.2-server-sparc.iso
--2008-04-22 15:56:53--  http://mirror.cs.uwaterloo.ca/ubuntu-releases/dapper/ubuntu-6.06.2-server-sparc.iso
Resolving mirror.cs.uwaterloo.ca... 129.97.152.77
Connecting to mirror.cs.uwaterloo.ca|129.97.152.77|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 412856320 (394M) [text/plain]
Saving to: `ubuntu-6.06.2-server-sparc.iso'
...
100%[=======================================>] 412,856,320 19.9K/s  in 1h 41m
2008-04-22 17:37:55 (66.5 KB/s) - `ubuntu-6.06.2-server-sparc.iso' saved [412856320/412856320]

* csc-wireless
** 700MB Ubuntu CD image
** Initial speed: 2.12MB/s
** Final speed: 2.43MB/s
** Time: finished in 3m 31s

mike@freyr:/tmp/test$ wget http://mirror.csclub.uwaterloo.ca/ubuntu-releases/hardy/ubuntu-8.04-beta-server-i386.iso
--2008-04-17 05:34:44--  http://mirror.csclub.uwaterloo.ca/ubuntu-releases/hardy/ubuntu-8.04-beta-server-i386.iso
Resolving mirror.csclub.uwaterloo.ca... 129.97.134.71
Connecting to mirror.csclub.uwaterloo.ca|129.97.134.71|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://taurine.csclub.uwaterloo.ca/iso/ubuntu-8.04-beta-server-i386.iso [following]
--2008-04-17 05:34:44--  http://taurine.csclub.uwaterloo.ca/iso/ubuntu-8.04-beta-server-i386.iso
Resolving taurine.csclub.uwaterloo.ca... 129.97.134.34
Connecting to taurine.csclub.uwaterloo.ca|129.97.134.34|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 526323712 (502M) [application/x-iso9660-image]
Saving to: `ubuntu-8.04-beta-server-i386.iso'
...
100%[=======================================>] 526,323,712 2.43M/s  in 3m 31s
2008-04-17 05:38:15 (2.38 MB/s) - `ubuntu-8.04-beta-server-i386.iso' saved [526323712/526323712]

=== Detailed Configuration ===

==== Required Packages ====

To install required packages, type:

sudo aptitude install madwifi-source madwifi-tools wireless-tools vlan bridge-utils ebtables iptables iproute

Then build the modules for the installed kernel via:

sudo m-a a-i madwifi

==== Wireless Interface Configuration ====

First, load the Atheros and 802.1Q modules:

modprobe ath_pci 8021q

These need to be loaded early in the boot, so add them to /etc/modules:

ath_pci
8021q

Next, configure the wireless interface. Use the following snippet:

auto ath0
iface ath0 inet manual
        pre-up wlanconfig ath0 destroy || true
        pre-up wlanconfig ath0 create wlandev wifi0 wlanmode ap
        post-down wlanconfig ath0 destroy
        wireless-mode master
        wireless-channel 36
        wireless-essid csc-wireless

Finally, make a bridge between the wireless and auth3net. Use the following snippet, replacing IFACE by the interface connected to auth3net:

auto br192
iface br192 inet manual
        bridge_ports IFACE ath0
        bridge_stp yes
        up brctl setbridgeprio br192 40000
        up ip route add 129.97.192.0/23 dev br192

==== Brouting Configuration ====

Additional setup is needed to enable fast communication between mathstudentorgsnet and auth3net. We take the minimally invasive approach of pulling packets destined for mathstudentorgsnet off the bridge and routing them, masquerading as wireless-nat.csclub.uwaterloo.ca. Masquerading is needed to ensure responses are routed correctly.

First, add 129.97.134.85 as a secondary IP address. You might do so by adding this snippet, replacing IFACE by the interface connected to mathstudentorgsnet:

auto IFACE:nat
iface IFACE:nat inet static
        address 129.97.134.85
        netmask 255.255.255.0
        network 129.97.134.0

Second, enable routing by typing the following:

echo 1 >> /proc/sys/net/ipv4/ip_forward

To make this permanent, add the following snippet to sysctl.conf:

net.ipv4.ip_forward=1

Third, configure ebtables to pull packets off the bridge. Type:

ebtables -t broute --flush
ebtables -t broute -A BROUTING -i ath0 \
    -p ipv4 --ip-src 129.97.192.0/23 --ip-dst 129.97.134.0/24 \
    -j redirect --redirect-target DROP
invoke-rc.d ebtables save

Finally, configure iptables to masquerade wireless users as wireless-nat.csclub. Type the following, replacing IFACE by the interface connected to mathstudentorgsnet:

iptables -t nat --flush
iptables -t nat -A POSTROUTING -o IFACE \
    -s 129.97.192.0/23 -d 129.97.134.0/24 \
    -j SNAT --to-source 129.97.134.85
invoke-rc.d iptables save

Ensure the appropriate routing table entry for auth3net exists; masquerading will not work without it. It is included in the bridge configuration snippet above.

=== External Links ===

* [http://www.gentoo-wiki.com/HARDWARE_ar5212 Gentoo Guide]

Latest revision as of 20:58, 19 June 2018

'''csc-wireless no longer exists. Members are advised to use eduroam or uw-unsecured.'''


== Rosetta Stone ==

See IST's page http://ist.uwaterloo.ca/cs/wireless.html for Windows and other devices.

The ca_cert line is only needed to verify the authenticity of the eduroam AP, and is otherwise not actually needed to connect to it. Keep in mind that removing it from your config means that you are technically vulnerable to someone creating a fake eduroam access point and using it to grab your Quest login, though honestly the chances of this ever happening on campus are extremely unlikely.

=== Linux ===

If you don't wish to have your password floating around in a text file in /etc, then (at least for the wpa_supplicant based network managers) you may take the output of

echo -n "hunter2" | iconv -t utf16le | openssl md4

and replace the password line with

password=hash:HASH_HERE
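The hashing step above, as an added example that is not code from the wiki: a pure-Python MD4 so the value can be produced and checked where openssl md4 is unavailable (OpenSSL 3 keeps MD4 in its legacy provider), together with the caveat that the stored NT hash is itself enough to authenticate with MSCHAPv2. The function names are mine.

```python
# Added example (not the wiki's code): a pure-Python equivalent of the page's
#   echo -n "hunter2" | iconv -t utf16le | openssl md4
# pipeline, usable where OpenSSL 3 ships MD4 only in its legacy provider.
import struct

_M = 0xFFFFFFFF
_K2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)  # round-2 word order
_K3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round-3 word order


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest, 16 raw bytes."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = 8 * len(data)
    # pad: 0x80, zeros up to 56 mod 64, then the bit length as little-endian u64
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F(b,c,d) = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: majority function G, constant floor(2^30*sqrt(2))
            g = (b & c) | (b & d) | (c & d)
            a = _rotl((a + g + x[_K2[i]] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H(b,c,d) = b ^ c ^ d, constant floor(2^30*sqrt(3))
            a = _rotl((a + (b ^ c ^ d) + x[_K3[i]] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Hex NT hash: MD4 over the UTF-16LE bytes, exactly what the pipeline hashes."""
    return md4(password.encode("utf-16-le")).hex()


def wpa_password_line(password: str) -> str:
    """The line that replaces password="..." in the wpa_supplicant network block.

    Caveat: MSCHAPv2 proves possession of the NT hash, not of the password, so
    this value authenticates to eduroam just as well as the clear text does; it
    only keeps a password that may be reused elsewhere out of a readable /etc file."""
    return "password=hash:" + nt_hash(password)
```

Compare the output with the openssl pipeline on a machine where MD4 is still enabled; the two must agree byte for byte.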


==== netctl ====

Toss this into /etc/netctl/, making sure you edit identity and password. Replace wlan0 with the correct interface. Your correct interface can probably be seen in the output of

ip link

and probably is the one that starts with 'w'.

To connect, run sudo netctl start eduroam

Connection='wireless'
Interface=wlan0
Security='wpa-configsection'
IP='dhcp'
WPAConfigSection=(
    'identity="userid@uwaterloo.ca"'
    'password="hunter2"'
    'ssid="eduroam"'
    'key_mgmt=WPA-EAP'
    'eap=PEAP'
    'ca_cert="/etc/ssl/certs/GlobalSign_Root_CA.pem"'
    'domain_suffix_match="uwaterloo.ca"'
)

==== wicd ====

Toss this into /etc/wicd/encryption/templates/ and edit /etc/wicd/encryption/templates/active to include a line with eduroam.

name = Eduroam UW
author = Steven She
version = 1
require username *Username password *Password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="$_ESSID"
    scan_ssid="$_SCAN"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    identity="$_USERNAME"
    password="$_PASSWORD"
    ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
    phase2="auth=MSCHAPV2"
}

==== wpa_supplicant ====

Add this to a file in /etc/wpa_supplicant/.

network={
    ssid="eduroam"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    identity="userid@uwaterloo.ca"
    password="hunter2"
    ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
    phase2="auth=MSCHAPV2"
}
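A check for the ca_cert caveat in the Rosetta Stone section and for the domain_suffix_match line the netctl profile adds, as an added example that is not code from the wiki: it parses a wpa_supplicant network block like the one above and lists the settings that would leave the login exposed to a fake eduroam access point. The function names and the sample blocks are mine.

```python
# Added example (not the wiki's code): parse a wpa_supplicant network block and
# flag the eduroam pitfalls this page describes. The sample blocks are constructed.
import re


def parse_network_block(text):
    """key -> value for the first network={ ... } block, quotes stripped."""
    m = re.search(r"network=\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network={...} block")
    conf = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf


def audit_eap_block(conf):
    """Findings for a WPA-EAP block; an empty list means nothing to fix."""
    findings = []
    if conf.get("key_mgmt") != "WPA-EAP":
        return findings  # the checks below only apply to 802.1X networks
    if "ca_cert" not in conf:
        findings.append("ca_cert missing: the RADIUS server is never verified, "
                        "so any AP beaconing this SSID can collect the login")
    if "domain_suffix_match" not in conf:
        findings.append("domain_suffix_match missing: any certificate chaining "
                        "to the CA is accepted, not only the university's")
    if conf.get("eap") == "PEAP" and conf.get("phase2") != "auth=MSCHAPV2":
        findings.append("phase2 not pinned to auth=MSCHAPV2: a rogue server may "
                        "offer EAP-GTC, which carries the password in clear")
    if "password" in conf and not conf["password"].startswith("hash:"):
        findings.append("cleartext password: the page's password=hash: form "
                        "keeps the clear text out of /etc")
    return findings


WIKI_BLOCK = """network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="userid@uwaterloo.ca"
    password="hunter2"
    ca_cert="/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt"
    phase2="auth=MSCHAPV2"
}"""  # constructed: the page's wpa_supplicant profile, cipher lines omitted
NO_CA_BLOCK = "\n".join(ln for ln in WIKI_BLOCK.splitlines() if "ca_cert" not in ln)

if __name__ == "__main__":
    print(audit_eap_block(parse_network_block(NO_CA_BLOCK)))
```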


The previous setup has been [http://wiki.csclub.uwaterloo.ca/Wireless?oldid=2297 archived] for posterity.