site

text for beau's website
git clone https://git.beauhilton.com/site.git

commit f841323d5ab857c16b9d43e66a53b426782e7846
parent cb2a4c7059e1584a1df5e811d60b21af113d3ffe
Author: Beau <cbeauhilton@gmail.com>
Date:   Thu, 16 Sep 2021 12:07:52 -0500

employee wifi edits

Diffstat:
M posts/employee-wifi.md | 127 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 116 insertions(+), 11 deletions(-)

diff --git a/posts/employee-wifi.md b/posts/employee-wifi.md @@ -4,12 +4,16 @@ This was a little tricky to get working, but very worth it, so here's a brief outline mostly for my own later benefit. -# VUMCGuest is fine +Similar steps should be applicable for other enterprise wifi users, +though this post will unquestionably be out of date before long. + +## VUMCGuest is fine Just a little slow and finicky, -and it's annoying to have to re-authenticate repeatedly. +and it's annoying to have to re-authenticate repeatedly +to use all the HIPAA-compliant things. -# VUMCEmployee is better +## VUMCEmployee is better I'll probably put a screenshot here at some point comparing speedtest scores. 
@@ -17,29 +21,74 @@ VUMCEmployee gives over 100 Mbps down, and around 100 up. -It's also more stable, and latency around 10ms. +It's also more stable, and latency is around 10ms. + +## Backend + +The personal networking stack +of greatest beauty +on Linux +at this point is: +`iwd` + `systemd-networkd` + `systemd-resolved`. + +Disable and delete `NetworkManager` and other such nonsense. + +If you'd like a GUI, [iwgtk](https://github.com/J-Lentz/iwgtk) is nice, +but the CLI shipped with `iwd` (`iwctl`) +is intuitive, friendly, and well-documented. +I keep the GUI version around for quickly checking on things +via a keyboard shortcut, +but use the CLI for any heavy lifting, +which has thankfully become rare since landing on this setup. -# VUMCEmployeeSetup is necessary +## Start with VUMCEmployeeSetup First, log on to the VUMCEmployeeSetup wifi. Then navigate to one of my favorite websites, <http://neverssl.com/>. -This will force the redirect to the VUMC Cloudpath enrollment page. +This will force the redirect to the VUMCEmployee enrollment page +(I also use this site for connecting to public wifi +at airports, libraries, coffee shops, etc.). Agree to the terms and conditions. Then click the "Show all operating systems" link at the bottom, -followed by the "Other Operating Systems" tab that pops up. +followed by the "Other Operating Systems" tab +that pops up at the bottom of the list. + +The "Other Operating Systems" tab has +three steps listed, +which are simply the pieces that the +various installers put together for you. +The first two are downloads for certificates, +and the third is a template. + +Finding this tab +was the gold mine - initially I +repackaged one of the other Linux installers for Arch, +because I thought that (since there was an installer) +the process must be complicated, +and repackaging things from Debian-based systems +for Arch-based systems is easy enough. 
+The repackaged version of the installer +worked well enough at first, +but it turns out that +the manual process is easier and more reliable. +I also learned more about enterprise networks in the process, +which was an added bonus +(I'm honestly not sure about the +sarcasm:sincerity ratio in the previous sentence). Download the `PEM` files listed under Steps 1 and 2. -# Make your own `iwd` profile +## Make your own `iwd` profile -Here's where it goes: `/var/lib/iwd/VUMCEmployee.8021x` +Here's where it goes: +`/var/lib/iwd/VUMCEmployee.8021x` Below are the contents, sensitive info redacted, then we'll go through some of the key parts -and niceties. +and one nicety. -``` +```toml # toml is not "desktop-entry-spec", but close enough [IPv6] Enabled=true 
@@ -60,3 +109,59 @@ AutoConnect=true *lots of gobbledigook goes here* -----END CERTIFICATE----- ``` + +Most of these options are outlined in +Step 3 from the VUMCEmployeeSetup, +cross-referenced against the Arch Wiki page on `iwd`, +subsection [Network configuration](https://wiki.archlinux.org/title/Iwd#EAP-PEAP). + +An easy-to-miss step: +The `EAP-PEAP-Phase2-Method` requirement for `MSCHAPV2` +leads to another required install, +check the wiki for current instructions. + +Put in your own username and password. + +My favorite trick in this file is +directly embedding the root certificate +in the line `EAP-PEAP-CACert=` +with the syntax `embed:root_cert` +(any name is fine, +doesn't have to be `root_cert`, +it's just a pointer). +Then you add a definition of `root_cert` in a +`[@pem@root_cert]` section. +Insert the contents of the root certificate directly +via copy-paste or `cat`, etc. + +Easiest method, as root: + +``` +cat /home/beau/dl/root_cert.PEM >> /var/lib/iwd/VUMCEmployee.8021x +``` + +With the direct embed method, +you don't need to point to the root certificate file +or keep it around at all. + +Needless to say, +this is a sensitive file and should be protected appropriately. +However, this file or a version of it +is what the automated tools would have made anyway, +so there's no special risk here - +AND since you did it all yourself +you know there was no funny business +coming from a black-box installer. + +## The other certificate + +I can't remember what I had to do with the non-root cert, +probably added using the Chrome/Firefox certificate +managers. + +I had to do this before when getting set up for VA remote access, +the Arch Wiki comes through again with an article on +[Common Access Cards](https://wiki.archlinux.org/title/Common_Access_Card) +that includes instructions on adding certs to browsers. + +## ~~profit~~ Prosper
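Review bot: the enrollment flow in the second hunk deliberately starts from an unencrypted page (`http://neverssl.com/`) so that the network can redirect it, and the reader then downloads CA certificates from wherever that redirect lands; before "Download the `PEM` files listed under Steps 1 and 2", add a check that the page reached is the institution's own enrollment portal (expected hostname, served over HTTPS with a certificate the browser already trusts), because a CA certificate picked up from a spoofed portal would make every later connection trust whoever served it. The same caution applies to the airports/libraries/coffee-shops aside: the trick is fine for triggering a captive portal, but nothing should be installed from a page reached that way without that check.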
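Review bot: the embedded-root trick in the third hunk only establishes that the RADIUS server's certificate chains to `root_cert`; nothing in the described profile says which server that must be, so if the root the portal hands out is a public CA rather than an institution-private one, any certificate from that CA would satisfy the check and a look-alike "VUMCEmployee" network could be presented with the inner MSCHAPv2 exchange. Suggest adding iwd's `EAP-PEAP-ServerDomainMask=` (see iwd.network(5)) set to the authentication server's name, and an anonymous outer `EAP-Identity` so the real username is not sent before the tunnel is up. "Should be protected appropriately" should also be concrete: the file holds a plaintext password, so state that it must be owned by root and readable only by root, and note that `cat ... >> ...` has to run after the `[@pem@root_cert]` header is already the last thing in the file, or the appended certificate lands in the wrong section. Finally, "leads to another required install, check the wiki" names neither the dependency nor what fails when it is missing; a reader hitting an authentication error has no way to connect the two.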