<!DOCTYPE html>
<html lang="en">
<head>
<link rel="stylesheet" href="/style.css" type="text/css">
<meta charset="utf-8">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="icon" href="data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22 viewBox=%220 0 100 100%22><text y=%22.9em%22 font-size=%2290%22>🏕️</text></svg>">
<title></title>
</head>
<body>
<div id="page-wrapper">
<div id="header" role="banner">
<header class="banner">
<div id="banner-text">
<span class="banner-title"><a href="/">beauhilton</a></span>
</div>
</header>
<nav>
<a href="/about">about</a>
<a href="/now">now</a>
<a href="/thanks">thanks</a>
<a class="nav-active" href="/posts">posts</a>
<a href="https://notes.beauhilton.com">notes</a>
<a href="https://talks.beauhilton.com">talks</a>
<a href="https://git.beauhilton.com">git</a>
<a href="/contact">contact</a>
<a href="/atom.xml">rss</a>
</nav>
</div>
<main>
<h1>
Set Up Enterprise Wifi on Arch Linux
</h1>
<p>
<time id="post-date">2021-09-17</time>
</p>
<p id="post-excerpt">
Most big institutions have guest and employee wifi networks.
Guest wifi is usually fine, fast enough for the basics,
but far inferior to employee wifi.
On a custom-built OS, such as a fairly minimalist Linux distribution,
getting the employee wifi to work
can be a beast.
</p>
<p>
This was a little tricky to get working but very worth it, so here’s
an outline, mostly for my own later benefit.
</p>
<p>
This post is specific to <a href="https://www.vumc.org">VUMC</a>,
with the VUMCEmployee network.
</p>
<p>
Similar steps should be applicable for other enterprise wifi users,
though this post will unquestionably be out of date before long, and the
intricacies of enterprise wifi are infinite.
</p>
<h2>
VUMCGuest is fine
</h2>
<p>
As with other public networks at large institutions, VUMCGuest is
just a little slow and finicky, and it’s annoying to have to
re-authenticate repeatedly to use all the HIPAA-compliant things.
</p>
<h2>
VUMCEmployee is better
</h2>
<p>
I’ll probably put a screenshot here at some point comparing speedtest
scores. VUMCEmployee gives over 100 Mbps down, and around 100 up.
</p>
<p>
It’s also more stable, and latency is around 10 ms.
</p>
<p>
Most practical gain, other than faster everything: when I use
VUMCGuest, the keyboard shortcut I use to launch and automatically log in
to Epic only works intermittently. On VUMCEmployee, it works reliably.
No more typing! It’s faster and, again, more reliable than tapping the
badge readers at the VUMC workstations.
</p>
<h2>
Backend
</h2>
<p>
The personal networking stack of greatest beauty on Linux at this
point is:
</p>
<p>
<code>systemd-networkd</code> + <code>systemd-resolved</code> +
<code>iwd</code>
</p>
<p>
Disable and delete <code>NetworkManager</code> and other such
nonsense, if you are unwise like me and installed conflicting and
useless things.
</p>
<p>
If you’d like a GUI, <a href="https://github.com/J-Lentz/iwgtk">iwgtk</a> is nice, but the CLI
shipped with <code>iwd</code> (<code>iwctl</code>) is intuitive,
friendly, and well-documented. I keep the GUI version around for quickly
checking on things via a keyboard shortcut, but use the CLI for any
heavy lifting, which has thankfully become rare since landing on this
setup.
</p>
<h2>
Start with VUMCEmployeeSetup
</h2>
<p>
First, log on to the VUMCEmployeeSetup wifi. Then navigate to one of
my favorite websites, <a href="http://neverssl.com/">http://neverssl.com/</a>. This will force
the redirect to the VUMCEmployee enrollment page (I also use this site
for connecting to public wifi at airports, libraries, coffee shops,
etc.). Agree to the terms and conditions. Then click the “Show all
operating systems” link at the bottom, followed by the “Other Operating
Systems” tab that pops up at the bottom of the list.
</p>
<p>
The “Other Operating Systems” tab has three steps listed, which are
simply the pieces that the various installers put together for you. The
first two are downloads for certificates, and the third is a
template.
</p>
<p>
Finding this tab was the gold mine: initially I repackaged one of
the other Linux installers for Arch, because I thought that (since there
was an installer) the process must be complicated, and repackaging
things from Debian-based systems for Arch-based systems is easy enough.
The repackaged version of the installer was decent at first, but it
turns out that the manual process is easier and more reliable. I also
learned more about enterprise networks in the process, which was an
added bonus (I’m honestly not sure about the sarcasm:sincerity ratio in
the previous sentence).
</p>
<p>
Download the <code>PEM</code> files listed under Steps 1 (root
certificate) and 2 (client certificate).
</p>
<h2>
Make your own <code>iwd</code> profile
</h2>
<p>
Here’s where it goes:
<code>/var/lib/iwd/VUMCEmployee.8021x</code>
</p>
<p>
Below are the contents, with sensitive info redacted; then we’ll go
through some of the key parts and one nicety.
</p>
<pre tabindex="0"><code class="language-toml"><span class="hl kwa">[IPv6]</span>
<span class="hl kwb">Enabled</span><span class="hl opt">=</span><span class="hl kwd">true</span>

<span class="hl kwa">[Security]</span>
<span class="hl kwb">EAP-Method</span><span class="hl opt">=</span>PEAP
<span class="hl kwb">EAP-Identity</span><span class="hl opt">=</span>username
<span class="hl kwb">EAP-PEAP-CACert</span><span class="hl opt">=</span>embed<span class="hl opt">:</span>root_cert
<span class="hl kwb">EAP-PEAP-ServerDomainMask</span><span class="hl opt">=*</span>.radius.service.vumc.org
<span class="hl kwb">EAP-PEAP-Phase2-Method</span><span class="hl opt">=</span>MSCHAPV2
<span class="hl kwb">EAP-PEAP-Phase2-Identity</span><span class="hl opt">=</span>username
<span class="hl kwb">EAP-PEAP-Phase2-Password</span><span class="hl opt">=</span>password

<span class="hl kwa">[Settings]</span>
<span class="hl kwb">AutoConnect</span><span class="hl opt">=</span><span class="hl kwd">true</span>

<span class="hl kwa">[@pem@root_cert]</span>
<span class="hl opt">-----</span>BEGIN CERTIFICATE<span class="hl opt">-----</span>
<span class="hl opt">*</span>lots of gobbledigook goes here<span class="hl opt">*</span>
<span class="hl opt">-----</span>END CERTIFICATE<span class="hl opt">-----</span>
</code></pre>
<p>
Most of these options are outlined in Step 3 from the
VUMCEmployeeSetup, cross-referenced against the Arch Wiki page on
<code>iwd</code>, subsection <a href="https://wiki.archlinux.org/title/Iwd#EAP-PEAP">Network
configuration</a>, and the <a href="https://iwd.wiki.kernel.org/networkconfigurationsettings"><code>iwd</code>
wiki proper</a>.
</p>
<p>
An easy-to-miss step: the <code>EAP-PEAP-Phase2-Method</code>
requirement for <code>MSCHAPV2</code> leads to another required install;
check the wiki for current instructions.
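</p>
<p>
An added sanity check in Python, not part of the post: it parses a profile laid out like the one above and flags the two settings that actually stop a rogue access point from impersonating the RADIUS server, a present and parseable <code>EAP-PEAP-CACert</code> and an <code>EAP-PEAP-ServerDomainMask</code>, and also complains if the file mode lets anyone but root read the plaintext password. The function names, the sample profile and its certificate body are all constructed here; pass <code>os.stat(path).st_mode</code> as the second argument to check a file on disk.
</p>

```python
import base64, re, stat
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def parse_profile(text):
    """Return {section: {key: value}}; [@pem@...] sections keep their raw lines under '_raw'."""
    sections, cur = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line[0] == "[" and line[-1] == "]":
            cur = line[1:-1]
            sections[cur] = {"_raw": []}
        elif cur and cur.startswith("@pem@"):
            sections[cur]["_raw"].append(line)
        elif cur and "=" in line:
            key, _, value = line.partition("=")
            sections[cur][key.strip()] = value.strip()
    return sections

def embedded_cert_ok(sections, ref):
    """True if 'embed:NAME' resolves to a [@pem@NAME] block whose base64 body decodes to a DER SEQUENCE."""
    m = PEM_RE.search("\n".join(sections.get("@pem@" + ref[len("embed:"):], {}).get("_raw", [])))
    try:
        return bool(m) and base64.b64decode("".join(m.group(1).split()), validate=True)[:1] == b"\x30"
    except ValueError:  # body is not valid base64, e.g. a mangled copy-paste
        return False

def check_profile(text, mode=0o600):
    """Return findings for a profile's text and file mode; an empty list means it pins the RADIUS server."""
    sections = parse_profile(text)
    sec, findings = sections.get("Security", {}), []
    ca = sec.get("EAP-PEAP-CACert", "")  # a file path is accepted unverified; only embed: refs are checked
    if not ca or (ca.startswith("embed:") and not embedded_cert_ok(sections, ca)):
        findings.append("EAP-PEAP-CACert missing or unparseable: the RADIUS server certificate would go unchecked")
    if not sec.get("EAP-PEAP-ServerDomainMask"):
        findings.append("EAP-PEAP-ServerDomainMask missing: any certificate issued by the CA would be accepted")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # the file holds a plaintext password
        findings.append("profile is readable by group/other; chmod 600 it")
    return findings

# Constructed sample mirroring the post's profile; the PEM body is a 5-byte fake DER SEQUENCE, not a real cert.
SAMPLE = """[Security]
EAP-Method=PEAP
EAP-PEAP-CACert=embed:root_cert
EAP-PEAP-ServerDomainMask=*.radius.service.vumc.org
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Password=password
[@pem@root_cert]
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""
```
<p>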
</p>
<p>
Put in your own username and password.
</p>
<p>
My favorite trick in this file is directly embedding the root
certificate in the line <code>EAP-PEAP-CACert=</code> with the syntax
<code>embed:root_cert</code> (any name is fine, doesn’t have to be
<code>root_cert</code>, it’s just a pointer). Then you add a definition
of <code>root_cert</code> in a <code>[@pem@root_cert]</code> section.
Insert the contents of the root certificate directly via copy-paste or
<code>cat</code>, etc.
</p>
<p>
Easiest method, as root:
</p>
<pre tabindex="0"><code class="language-shell">cat /home/beau/dl/root_cert.PEM >> /var/lib/iwd/VUMCEmployee.8021x
</code></pre>
<p>
With the direct embed method, you don’t need to point to the root
certificate file or keep it around at all.
</p>
<p>
Needless to say, <code>VUMCEmployee.8021x</code> is a sensitive file
and should be protected appropriately. However, this file or a version
of it is what the automated tools would have made anyway, so there’s no
special risk here; AND since you did it all yourself, you know there was
no funny business coming from a black-box installer.
</p>
<h2>
The other certificate (Client)
</h2>
<p>
I can’t remember what I had to do with the client cert, probably
added using the Chrome/Firefox certificate managers.
</p>
<p>
I had to do this before when getting set up for VA remote access; the
Arch Wiki comes through again with an article on <a href="https://wiki.archlinux.org/title/Common_Access_Card">Common Access
Cards</a> that includes instructions on adding certs to browsers.
</p>
<p>
There’s a chance it’s not even needed?
The <a href="https://iwd.wiki.kernel.org/networkconfigurationsettings">specification</a>
no longer supports adding a client cert field without a key, which I
don’t have, and do not, apparently, need (see the section “EAP-PEAP with
tunneled EAP-MSCHAPV2”). At any rate, this setup is working now and I
won’t futz with it further until something breaks.
</p>
<h2>
-> <del>Profit</del> Prosper
</h2>
</main>
<div id="footnotes"></div>
<footer></footer>
</div>
</body>
</html>