employee-wifi.md (6398B)
# Set Up Enterprise Wifi on Arch Linux

<time id="post-date">2021-09-17</time>

<p id="post-excerpt">
Most big institutions have guest and employee wifi networks.
Guest wifi is usually fine, fast enough for the basics,
but far inferior to employee wifi.
On a custom-built OS, such as a fairly minimalist Linux distribution,
getting the employee wifi to work
can be a beast.

This was a little tricky to get working
but very worth it,
so here's an outline,
mostly for my own later benefit.
</p>

This post is specific to [VUMC](https://www.vumc.org),
with the VUMCEmployee network.

Similar steps should be applicable for other enterprise wifi users,
though this post will unquestionably be out of date before long,
and the intricacies of enterprise wifi are infinite.

## VUMCGuest is fine

As with other public networks at large institutions,
VUMCGuest is just a little slow and finicky,
and it's annoying to have to re-authenticate repeatedly
to use all the HIPAA-compliant things.

## VUMCEmployee is better

I'll probably put a screenshot here at some point
comparing speedtest scores.
VUMCEmployee gives
over 100 Mbps down,
and around 100 up.

It's also more stable,
and latency is around 10ms.

Most practical gain,
other than faster everything:
When I use VUMCGuest,
the keyboard shortcut I use to
launch and automatically log in to Epic
only works intermittently.
On VUMCEmployee, it works reliably.
No more typing!
It's faster and, again, more reliable
than tapping the badge-readers at the VUMC workstations.

## Backend

The personal networking stack
of greatest beauty
on Linux
at this point is:

`systemd-networkd` + `systemd-resolved` + `iwd`

Disable and delete `NetworkManager`
and other such nonsense,
if you are unwise like me
and installed conflicting and useless things.
If you'd like a GUI, [iwgtk](https://github.com/J-Lentz/iwgtk) is nice,
but the CLI shipped with `iwd` (`iwctl`)
is intuitive, friendly, and well-documented.
I keep the GUI version around for quickly checking on things
via a keyboard shortcut,
but use the CLI for any heavy lifting,
which has thankfully become rare since landing on this setup.

## Start with VUMCEmployeeSetup

First, log on to the VUMCEmployeeSetup wifi.
Then navigate to one of my favorite websites, <http://neverssl.com/>.
This will force the redirect to the VUMCEmployee enrollment page
(I also use this site for connecting to public wifi
at airports, libraries, coffee shops, etc.).
Agree to the terms and conditions.
Then click the "Show all operating systems" link at the bottom,
followed by the "Other Operating Systems" tab
that pops up at the bottom of the list.

The "Other Operating Systems" tab has
three steps listed,
which are simply the pieces that the
various installers put together for you.
The first two are downloads for certificates,
and the third is a template.

Finding this tab
was the gold mine - initially I
repackaged one of the other Linux installers for Arch,
because I thought that (since there was an installer)
the process must be complicated,
and repackaging things from Debian-based systems
for Arch-based systems is easy enough.
The repackaged version of the installer
was decent at first,
but it turns out that
the manual process is easier and more reliable.
I also learned more about enterprise networks in the process,
which was an added bonus
(I'm honestly not sure about the
sarcasm:sincerity ratio in the previous sentence).

Download the `PEM` files listed under
Steps 1 (root certificate) and
2 (client certificate).
## Make your own `iwd` profile

Here's where it goes:
`/var/lib/iwd/VUMCEmployee.8021x`

Below are the contents,
sensitive info redacted,
then we'll go through some of the key parts
and one nicety.

```toml
[IPv6]
Enabled=true

[Security]
EAP-Method=PEAP
EAP-Identity=username
EAP-PEAP-CACert=embed:root_cert
EAP-PEAP-ServerDomainMask=*.radius.service.vumc.org
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=username
EAP-PEAP-Phase2-Password=password

[Settings]
AutoConnect=true

[@pem@root_cert]
-----BEGIN CERTIFICATE-----
*lots of gobbledygook goes here*
-----END CERTIFICATE-----
```

Most of these options are outlined in
Step 3 from the VUMCEmployeeSetup,
cross-referenced against the Arch Wiki page on `iwd`,
subsection [Network configuration](https://wiki.archlinux.org/title/Iwd#EAP-PEAP),
and the [`iwd` wiki proper](https://iwd.wiki.kernel.org/networkconfigurationsettings).

An easy-to-miss step:
the `EAP-PEAP-Phase2-Method` requirement for `MSCHAPV2`
leads to another required install;
check the wiki for current instructions.

Put in your own username and password.

My favorite trick in this file is
directly embedding the root certificate
in the line
`EAP-PEAP-CACert=`
with the syntax
`embed:root_cert`
(any name is fine,
doesn't have to be `root_cert`,
it's just a pointer).
Then you add a definition of `root_cert` in a
`[@pem@root_cert]` section.
Insert the contents of the root certificate directly
via copy-paste or `cat`, etc.

Easiest method, as root:

```shell
cat /home/beau/dl/root_cert.PEM >> /var/lib/iwd/VUMCEmployee.8021x
```

With the direct embed method,
you don't need to point to the root certificate file
or keep it around at all.
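A small checker for a profile in the shape shown above (an added example, not iwd's own tooling or the post's): it parses the `[@pem@...]` section that a generic INI parser would choke on, confirms the `embed:` pointer resolves to a decodable certificate, confirms `EAP-PEAP-ServerDomainMask` is set (without CA pinning plus the domain mask, the MSCHAPv2 inner credentials are handed to whatever RADIUS server answers), and flags a group- or world-readable file since the password sits in it in clear. The sample profile and its placeholder PEM body are constructed; `check_profile` assumes the `embed:` form from the post.

```python
import base64, binascii, re

def parse_8021x(text):
    """Split an iwd profile into ({section: {key: value}}, {pem_name: pem_text})."""
    settings, pems, section = {}, {}, ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section.startswith("@pem@"):          # PEM lines have no '=': keep verbatim
            pems[section[5:]] = pems.get(section[5:], "") + line + "\n"
        elif section and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(section, {})[key.strip()] = value.strip()
    return settings, pems

def check_profile(text, mode=0o600):
    """Return findings for a PEAP profile; `mode` is the file's permission bits."""
    settings, pems = parse_8021x(text)
    sec, findings = settings.get("Security", {}), []
    name = sec.get("EAP-PEAP-CACert", "").removeprefix("embed:")
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pems.get(name, ""), re.S)
    try:  # DER is the base64 body with line breaks removed; a cert is an ASN.1 SEQUENCE (0x30)
        der = base64.b64decode("".join(m.group(1).split()), validate=True) if m else b""
    except binascii.Error:
        der = b""
    if not der.startswith(b"\x30"):
        findings.append("no decodable embedded CA cert: the RADIUS server is not validated")
    if not sec.get("EAP-PEAP-ServerDomainMask"):
        findings.append("no ServerDomainMask: any cert issued by that CA is accepted")
    if sec.get("EAP-PEAP-Phase2-Password") and mode & 0o077:
        findings.append("cleartext Phase2 password but the file is group/world readable")
    return findings

# Constructed sample; the PEM body is a tiny placeholder DER SEQUENCE, not a real cert.
SAMPLE = """[Security]
EAP-Method=PEAP
EAP-PEAP-CACert=embed:root_cert
EAP-PEAP-ServerDomainMask=*.radius.service.vumc.org
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Password=password
[@pem@root_cert]
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":  # usage, as root: python check.py /var/lib/iwd/VUMCEmployee.8021x
    import os, sys
    path = sys.argv[1]
    print(check_profile(open(path).read(), os.stat(path).st_mode) or "profile looks sane")
```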
Needless to say,
`VUMCEmployee.8021x`
is a sensitive file and should be protected appropriately.
However, this file or a version of it
is what the automated tools would have made anyway,
so there's no special risk here -
AND since you did it all yourself
you know there was no funny business
coming from a black-box installer.

## The other certificate (Client)

I can't remember what I had to do with the client cert,
probably added using the Chrome/Firefox certificate
managers.

I had to do this before when getting set up for VA remote access;
the Arch Wiki comes through again with an article on
[Common Access Cards](https://wiki.archlinux.org/title/Common_Access_Card)
that includes instructions on adding certs to browsers.

There's a chance it's not even needed?
The [specification](https://iwd.wiki.kernel.org/networkconfigurationsettings)
no longer supports
adding a client cert field
without a key,
which I don't have,
and do not, apparently, need
(see the section "EAP-PEAP with tunneled EAP-MSCHAPV2").
At any rate, this setup is working now
and I won't futz with it further
until something breaks.

## -> ~~Profit~~ Prosper