site

source files for beau's website
git clone https://git.beauhilton.com/site.git

employee-wifi.md (6057B)


# Set Up Enterprise Wifi on Arch Linux

This was a little tricky to get working
but very worth it,
so here's an outline,
mostly for my own later benefit.

This post is specific to [VUMC](https://www.vumc.org),
with the VUMCEmployee network.

Similar steps should be applicable for other enterprise wifi users,
though this post will unquestionably be out of date before long,
and the intricacies of enterprise wifi are infinite.

## VUMCGuest is fine

As with other public networks at large institutions,
VUMCGuest is just a little slow and finicky,
and it's annoying to have to re-authenticate repeatedly
to use all the HIPAA-compliant things.

## VUMCEmployee is better

I'll probably put a screenshot here at some point
comparing speedtest scores.
VUMCEmployee gives
over 100 Mbps down,
and around 100 up.

It's also more stable,
and latency is around 10ms.

Most practical gain,
other than faster everything:
When I use VUMCGuest,
the keyboard shortcut I use to
launch and automatically log in to Epic
only works intermittently.
On VUMCEmployee, it works reliably.
No more typing!
It's faster and, again, more reliable
than tapping the badge-readers at the VUMC workstations.

## Backend

The personal networking stack
of greatest beauty
on Linux
at this point is:

`systemd-networkd` + `systemd-resolved` + `iwd`

Disable and delete `NetworkManager`
and other such nonsense,
if you are unwise like me
and installed conflicting and useless things.

If you'd like a GUI, [iwgtk](https://github.com/J-Lentz/iwgtk) is nice,
but the CLI shipped with `iwd` (`iwctl`)
is intuitive, friendly, and well-documented.
I keep the GUI version around for quickly checking on things
via a keyboard shortcut,
but use the CLI for any heavy lifting,
which has thankfully become rare since landing on this setup.

## Start with VUMCEmployeeSetup

First, log on to the VUMCEmployeeSetup wifi.
Then navigate to one of my favorite websites, <http://neverssl.com/>.
This will force the redirect to the VUMCEmployee enrollment page
(I also use this site for connecting to public wifi
at airports, libraries, coffee shops, etc.).
Agree to the terms and conditions.
Then click the "Show all operating systems" link at the bottom,
followed by the "Other Operating Systems" tab
that pops up at the bottom of the list.

The "Other Operating Systems" tab has
three steps listed,
which are simply the pieces that the
various installers put together for you.
The first two are downloads for certificates,
and the third is a template.

Finding this tab
was the gold mine - initially I
repackaged one of the other Linux installers for Arch,
because I thought that (since there was an installer)
the process must be complicated,
and repackaging things from Debian-based systems
for Arch-based systems is easy enough.
The repackaged version of the installer
was decent at first,
but it turns out that
the manual process is easier and more reliable.
I also learned more about enterprise networks in the process,
which was an added bonus
(I'm honestly not sure about the
sarcasm:sincerity ratio in the previous sentence).

Download the `PEM` files listed under
Steps 1 (root certificate) and
2 (client certificate).

## Make your own `iwd` profile

Here's where it goes:
`/var/lib/iwd/VUMCEmployee.8021x`

Below are the contents,
sensitive info redacted,
then we'll go through some of the key parts
and one nicety.

```ini
[IPv6]
Enabled=true

[Security]
EAP-Method=PEAP
EAP-Identity=username
EAP-PEAP-CACert=embed:root_cert
EAP-PEAP-ServerDomainMask=*.radius.service.vumc.org
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=username
EAP-PEAP-Phase2-Password=password

[Settings]
AutoConnect=true

[@pem@root_cert]
-----BEGIN CERTIFICATE-----
*lots of gobbledigook goes here*
-----END CERTIFICATE-----
```

Most of these options are outlined in
Step 3 from the VUMCEmployeeSetup,
cross-referenced against the Arch Wiki page on `iwd`,
subsection [Network configuration](https://wiki.archlinux.org/title/Iwd#EAP-PEAP),
and the [`iwd` wiki proper](https://iwd.wiki.kernel.org/networkconfigurationsettings).

An easy-to-miss step:
the `EAP-PEAP-Phase2-Method` requirement for `MSCHAPV2`
leads to another required install;
check the wiki for current instructions.

Put in your own username and password.

My favorite trick in this file is
directly embedding the root certificate
in the line
`EAP-PEAP-CACert=`
with the syntax
`embed:root_cert`
(any name is fine,
doesn't have to be `root_cert`,
it's just a pointer).
Then you add a definition of `root_cert` in a
`[@pem@root_cert]` section.
Insert the contents of the root certificate directly
via copy-paste or `cat`, etc.

Easiest method, as root:

```shell
# Append the downloaded root certificate so it lands directly under the
# [@pem@root_cert] header, which must already be the last line of the file.
cat /home/beau/dl/root_cert.PEM >> /var/lib/iwd/VUMCEmployee.8021x
```

With the direct embed method,
you don't need to point to the root certificate file
or keep it around at all.

Needless to say,
`VUMCEmployee.8021x`
is a sensitive file and should be protected appropriately.
However, this file or a version of it
is what the automated tools would have made anyway,
so there's no special risk here -
AND since you did it all yourself
you know there was no funny business
coming from a black-box installer.

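
The profile above and the "sensitive file" point can be turned into a small script. The following is an added example, not code from the original post: `write_profile` builds the same `.8021x` layout with the PEM appended as the last section, reads the phase-2 password from stdin rather than the command line, and creates the file with mode 0600; `audit_profile` then checks that an existing profile is not world-readable and still carries both `EAP-PEAP-CACert` and `EAP-PEAP-ServerDomainMask`, the two settings that make `iwd` verify it is talking to the genuine RADIUS server before the MSCHAPv2 exchange starts. The function names, the sample certificate in the usage note, and the identity and domain-mask arguments are constructed for this example; it is written to take any network's values, not just VUMC's.

```shell
#!/bin/sh
# Build and audit an iwd 802.1X profile with an embedded CA certificate.
# Constructed example; not code from the original post. Output path,
# identity and server domain mask are arguments, so nothing here is VUMC-specific.
set -eu

# A root certificate PEM should contain exactly one BEGIN/END CERTIFICATE pair.
pem_looks_valid() {
    pem="$1"
    [ -r "$pem" ] || return 1
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$pem" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ]
}

# write_profile <root_cert.pem> <identity> <server-domain-mask> <output.8021x>
# The phase-2 password is read from stdin, not argv, so it never appears in `ps`.
write_profile() {
    pem="$1"; identity="$2"; mask="$3"; out="$4"
    pem_looks_valid "$pem" || { echo "$pem: not a single PEM certificate" >&2; return 1; }
    printf 'Phase 2 password for %s: ' "$identity" >&2
    IFS= read -r password
    # umask 077 makes a new file 0600; chmod afterwards covers a pre-existing file.
    (
        umask 077
        {
            printf '[IPv6]\nEnabled=true\n\n'
            printf '[Security]\n'
            printf 'EAP-Method=PEAP\n'
            printf 'EAP-Identity=%s\n' "$identity"
            printf 'EAP-PEAP-CACert=embed:root_cert\n'
            printf 'EAP-PEAP-ServerDomainMask=%s\n' "$mask"
            printf 'EAP-PEAP-Phase2-Method=MSCHAPV2\n'
            printf 'EAP-PEAP-Phase2-Identity=%s\n' "$identity"
            printf 'EAP-PEAP-Phase2-Password=%s\n\n' "$password"
            printf '[Settings]\nAutoConnect=true\n\n'
            # The embedded PEM has to be the last section, since it runs to end of file.
            printf '[@pem@root_cert]\n'
            cat "$pem"
        } > "$out"
    )
    chmod 600 "$out"
}

# audit_profile <profile.8021x>: fail if the file is readable by others or if
# it would let iwd skip verifying the RADIUS server's certificate.
audit_profile() {
    f="$1"; rc=0
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$f: mode is $mode, want -rw------- (0600)" >&2; rc=1; }
    grep -q '^EAP-PEAP-CACert=' "$f" || \
        { echo "$f: no EAP-PEAP-CACert, the server certificate is not checked at all" >&2; rc=1; }
    grep -q '^EAP-PEAP-ServerDomainMask=' "$f" || \
        { echo "$f: no EAP-PEAP-ServerDomainMask, any certificate from that CA is accepted" >&2; rc=1; }
    return $rc
}

# Usage (as root):
#   sh make_iwd_profile.sh root_cert.PEM username '*.radius.example.org' /var/lib/iwd/Net.8021x
if [ "$#" -eq 4 ]; then
    write_profile "$1" "$2" "$3" "$4" && audit_profile "$4"
fi
```

Run it as root so the file in `/var/lib/iwd` ends up owned by root, which is what `iwd` expects; the audit function is also useful on its own against a profile an installer generated, since a missing `EAP-PEAP-CACert` is exactly the case where the MSCHAPv2 credentials would be offered to whichever access point answers to the SSID.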
## The other certificate (Client)

I can't remember what I had to do with the client cert,
probably added using the Chrome/Firefox certificate
managers.

I had to do this before when getting set up for VA remote access;
the Arch Wiki comes through again with an article on
[Common Access Cards](https://wiki.archlinux.org/title/Common_Access_Card)
that includes instructions on adding certs to browsers.

There's a chance it's not even needed?
The [specification](https://iwd.wiki.kernel.org/networkconfigurationsettings)
no longer supports
adding a client cert field
without a key,
which I don't have,
and do not, apparently, need
(see the section "EAP-PEAP with tunneled EAP-MSCHAPV2").
At any rate, this setup is working now
and I won't futz with it further
until something breaks.

## -> ~~Profit~~ Prosper