<!DOCTYPE html>
<html lang="en">
<head>
<link rel="stylesheet" href="/style.css" type="text/css">
<meta charset="utf-8">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" type="text/css" href="/style.css">
<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'%3E%3Cstyle%3E %23m %7B opacity:0; %7D%0A@media (prefers-color-scheme: dark) %7B %23m %7B opacity:1; %7D %23e %7B opacity:0 %7D%0A%7D %3C/style%3E%3Ctext id='m' y='.9em' font-size='90'%3E🏕️%3C/text%3E%3Ctext id='e' y='.9em' font-size='90'%3E🌞%3C/text%3E%3C/svg%3E">
<title>Set Up Enterprise Wifi on Arch Linux</title>
</head>
<body>
<div id="page-wrapper">
<div id="header" role="banner">
<header class="banner">
<div id="banner-text">
<span class="banner-title"><a href="/">beauhilton</a></span>
</div>
</header>
<nav>
<a href="/about">about</a>
<a href="/now">now</a>
<a class="nav-active" href="/posts">posts</a>
<a href="https://notes.beauhilton.com">notes</a>
<a href="https://talks.beauhilton.com">talks</a>
<a href="https://git.beauhilton.com">git</a>
<a href="/contact">contact</a>
<a href="/feed.xml">rss</a>
</nav>
</div>
<main>
<h1>
Set Up Enterprise Wifi on Arch Linux
</h1>
<p>
<time id="post-date">2021-09-17</time>
</p>
<p id="post-excerpt">
Most big institutions have guest and employee wifi networks.
Guest wifi is usually fine, fast enough for the basics,
but far inferior to employee wifi.
On a custom-built OS, such as a fairly minimalist Linux distribution,
getting the employee wifi to work
can be a beast.
</p>
<p>
This was a little tricky to get working but very worth it, so here’s
an outline, mostly for my own later benefit.
</p>
<p>
This post is specific to <a href="https://www.vumc.org">VUMC</a>,
with the VUMCEmployee network.
</p>
<p>
Similar steps should be applicable for other enterprise wifi users,
though this post will unquestionably be out of date before long, and the
intricacies of enterprise wifi are infinite.
</p>
<h2>
VUMCGuest is fine
</h2>
<p>
As with other public networks at large institutions, VUMCGuest is
just a little slow and finicky, and it’s annoying to have to
re-authenticate repeatedly to use all the HIPAA-compliant things.
</p>
<h2>
VUMCEmployee is better
</h2>
<p>
I’ll probably put a screenshot here at some point comparing speedtest
scores. VUMCEmployee gives over 100 Mbps down, and around 100 up.
</p>
<p>
It’s also more stable, and latency is around 10 ms.
</p>
<p>
Most practical gain, other than faster everything: When I use
VUMCGuest, the keyboard shortcut I use to launch and automatically login
to Epic only works intermittently. On VUMCEmployee, it works reliably.
No more typing! It’s faster and, again, more reliable than tapping the
badge-readers at the VUMC workstations.
</p>
<h2>
Backend
</h2>
<p>
The personal networking stack of greatest beauty on Linux at this
point is:
</p>
<p>
<code>systemd-networkd</code> + <code>systemd-resolved</code> +
<code>iwd</code>
</p>
<p>
Disable and delete <code>NetworkManager</code> and other such
nonsense, if you are unwise like me and installed conflicting and
useless things.
</p>
<p>
If you’d like a GUI, <a href="https://github.com/J-Lentz/iwgtk">iwgtk</a> is nice, but the CLI
shipped with <code>iwd</code> (<code>iwctl</code>) is intuitive,
friendly, and well-documented.
I keep the GUI version around for quickly
checking on things via a keyboard shortcut, but use the CLI for any
heavy lifting, which has thankfully become rare since landing on this
setup.
</p>
<h2>
Start with VUMCEmployeeSetup
</h2>
<p>
First, log on to the VUMCEmployeeSetup wifi. Then navigate to one of
my favorite websites, <a href="http://neverssl.com/">http://neverssl.com/</a>. This will force
the redirect to the VUMCEmployee enrollment page (I also use this site
for connecting to public wifi at airports, libraries, coffee shops,
etc.). Agree to the terms and conditions. Then click the “Show all
operating systems” link at the bottom, followed by the “Other Operating
Systems” tab that pops up at the bottom of the list.
</p>
<p>
The “Other Operating Systems” tab has three steps listed, which are
simply the pieces that the various installers put together for you. The
first two are downloads for certificates, and the third is a
template.
</p>
<p>
Finding this tab was the gold mine - initially I repackaged one of
the other Linux installers for Arch, because I thought that (since there
was an installer) the process must be complicated, and repackaging
things from Debian-based systems for Arch-based systems is easy enough.
The repackaged version of the installer was decent at first, but it
turns out that the manual process is easier and more reliable. I also
learned more about enterprise networks in the process, which was an
added bonus (I’m honestly not sure about the sarcasm:sincerity ratio in
the previous sentence).
</p>
<p>
Download the <code>PEM</code> files listed under Steps 1 (root
certificate) and 2 (client certificate).
</p>
<h2>
Make your own <code>iwd</code> profile
</h2>
<p>
Here’s where it goes:
<code>/var/lib/iwd/VUMCEmployee.8021x</code>
</p>
<p>
Below are the contents, sensitive info redacted; then we’ll go
through some of the key parts and one nicety.
</p>
<pre tabindex="0"><code class="language-toml"><span class="hl kwa">[IPv6]</span>
<span class="hl kwb">Enabled</span><span class="hl opt">=</span><span class="hl kwd">true</span>

<span class="hl kwa">[Security]</span>
<span class="hl kwb">EAP-Method</span><span class="hl opt">=</span>PEAP
<span class="hl kwb">EAP-Identity</span><span class="hl opt">=</span>username
<span class="hl kwb">EAP-PEAP-CACert</span><span class="hl opt">=</span>embed<span class="hl opt">:</span>root_cert
<span class="hl kwb">EAP-PEAP-ServerDomainMask</span><span class="hl opt">=*</span>.radius.service.vumc.org
<span class="hl kwb">EAP-PEAP-Phase2-Method</span><span class="hl opt">=</span>MSCHAPV2
<span class="hl kwb">EAP-PEAP-Phase2-Identity</span><span class="hl opt">=</span>username
<span class="hl kwb">EAP-PEAP-Phase2-Password</span><span class="hl opt">=</span>password

<span class="hl kwa">[Settings]</span>
<span class="hl kwb">AutoConnect</span><span class="hl opt">=</span><span class="hl kwd">true</span>

<span class="hl kwa">[@pem@root_cert]</span>
<span class="hl opt">-----</span>BEGIN CERTIFICATE<span class="hl opt">-----</span>
<span class="hl opt">*</span>lots of gobbledigook goes here<span class="hl opt">*</span>
<span class="hl opt">-----</span>END CERTIFICATE<span class="hl opt">-----</span>
</code></pre>
<p>
Most of these options are outlined in Step 3 from the
VUMCEmployeeSetup, cross-referenced against the Arch Wiki page on
<code>iwd</code>, subsection <a href="https://wiki.archlinux.org/title/Iwd#EAP-PEAP">Network
configuration</a>, and the <a
href="https://iwd.wiki.kernel.org/networkconfigurationsettings"><code>iwd</code>
wiki proper</a>.
</p>
<p>
An easy-to-miss step: the <code>EAP-PEAP-Phase2-Method</code>
requirement for <code>MSCHAPV2</code> leads to another required install;
check the wiki for current instructions.
</p>
<p>
Put in your own username and password.
</p>
<p>
My favorite trick in this file is directly embedding the root
certificate in the line <code>EAP-PEAP-CACert=</code> with the syntax
<code>embed:root_cert</code> (any name is fine, doesn’t have to be
<code>root_cert</code>, it’s just a pointer). Then you add a definition
of <code>root_cert</code> in a <code>[@pem@root_cert]</code> section.
Insert the contents of the root certificate directly via copy-paste or
<code>cat</code>, etc.
</p>
<p>
Easiest method, as root:
</p>
<pre tabindex="0"><code class="language-shell">cat /home/beau/dl/root_cert.PEM >> /var/lib/iwd/VUMCEmployee.8021x
</code></pre>
<p>
This appends to the end of the file, so the <code>[@pem@root_cert]</code>
header needs to be the last line before you run it, with the placeholder
lines from the listing above left out.
</p>
<p>
With the direct embed method, you don’t need to point to the root
certificate file or keep it around at all.
</p>
<p>
Needless to say, <code>VUMCEmployee.8021x</code> is a sensitive file
and should be protected appropriately. However, this file or a version
of it is what the automated tools would have made anyway, so there’s no
special risk here - AND since you did it all yourself you know there was
no funny business coming from a black-box installer.
</p>
<h2>
The other certificate (Client)
</h2>
<p>
I can’t remember what I had to do with the client cert, probably
added using the Chrome/Firefox certificate managers.
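</p>
<p>
Back to the <code>.8021x</code> profile from the previous section. Two of its lines decide which RADIUS server the supplicant will run the MSCHAPv2 exchange with: <code>EAP-PEAP-CACert</code> supplies the trust anchor and <code>EAP-PEAP-ServerDomainMask</code> says which server names under that anchor are acceptable; and the file itself carries the password in plaintext. The script below is an added example, not code from the original post or from the <code>iwd</code> project. It parses a profile in this format, including the <code>[@pem@name]</code> blobs, and reports the settings a defender would want to confirm before trusting it. Both sample profiles are constructed copies of the one above with a dummy base64 body standing in for a real certificate, and the file-mode check simply treats any group or world permission bits on a password-bearing file as a finding.
</p>

```python
# Added example (not from the post or from iwd): parse an iwd .8021x profile
# and report the settings a defender should confirm before trusting it.
import base64
import os
import tempfile

# Constructed stand-in for a root certificate body: valid base64, NOT a real cert.
PEM_BODY = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()

# Constructed profile using the post's [Security] keys; [IPv6] and [Settings]
# are omitted because they play no part in the checks below.
GOOD_PROFILE = f"""\
[Security]
EAP-Method=PEAP
EAP-Identity=username
EAP-PEAP-CACert=embed:root_cert
EAP-PEAP-ServerDomainMask=*.radius.service.vumc.org
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=username
EAP-PEAP-Phase2-Password=password

[@pem@root_cert]
-----BEGIN CERTIFICATE-----
{PEM_BODY}
-----END CERTIFICATE-----
"""

# Same profile minus the two server-validation lines: the supplicant would then
# run its MSCHAPv2 exchange with whatever answers to the SSID.
WEAK_PROFILE = "\n".join(
    l for l in GOOD_PROFILE.splitlines()
    if not l.startswith(("EAP-PEAP-CACert", "EAP-PEAP-ServerDomainMask"))) + "\n"


def parse_profile(text):
    """Return ({section: {key: value}}, {pem_name: [raw lines]})."""
    sections, pems, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.startswith("@pem@"):
                pems[current[5:]] = []          # [@pem@NAME] holds a raw PEM blob
            else:
                sections.setdefault(current, {})
        elif current is None:
            continue                            # key before any section header
        elif current.startswith("@pem@"):
            pems[current[5:]].append(line)
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections, pems


def _looks_like_pem(lines):
    """BEGIN/END CERTIFICATE markers around a non-empty, valid base64 body."""
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        return False
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
        return True
    except ValueError:                          # binascii.Error is a ValueError
        return False


def audit_settings(sections, pems):
    """List the [Security] weaknesses that matter for a PEAP/MSCHAPv2 profile."""
    sec = sections.get("Security", {})
    if sec.get("EAP-Method") != "PEAP":
        return ["EAP-Method is not PEAP; these checks assume PEAP"]
    findings = []
    cacert = sec.get("EAP-PEAP-CACert")
    if not cacert:
        findings.append("EAP-PEAP-CACert missing: no trust anchor to validate the RADIUS server against")
    elif cacert.startswith("embed:"):
        name = cacert[len("embed:"):]
        if name not in pems:
            findings.append(f"EAP-PEAP-CACert names embed:{name} but there is no [@pem@{name}] section")
        elif not _looks_like_pem(pems[name]):
            findings.append(f"[@pem@{name}] is not a PEM certificate (placeholder text left in?)")
    if not sec.get("EAP-PEAP-ServerDomainMask"):
        findings.append("EAP-PEAP-ServerDomainMask missing: any certificate chaining to the CA is accepted")
    return findings


def audit_file(path):
    """Settings audit plus the on-disk mode of a file that holds a password."""
    with open(path, encoding="utf-8") as fh:
        sections, pems = parse_profile(fh.read())
    findings = audit_settings(sections, pems)
    mode = os.stat(path).st_mode & 0o777
    if "EAP-PEAP-Phase2-Password" in sections.get("Security", {}) and mode & 0o077:
        findings.append(f"profile holds a plaintext password but is mode {mode:04o}; expected 0600")
    return findings


def write_and_audit(text, mode):
    """Write a constructed profile to a temp dir with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "VUMCEmployee.8021x")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit_file(path)
```

<p>
Run it against the real file as root with <code>audit_file("/var/lib/iwd/VUMCEmployee.8021x")</code>; an empty list means the CA is pinned, the server name is constrained, and the file is not readable by group or world. <code>write_and_audit(WEAK_PROFILE, 0o644)</code> shows the other side: three findings for a profile that trusts any server and leaves the password world-readable. The key spellings are those from the post, and the "placeholder text left in" check catches the case where the <code>*lots of gobbledigook goes here*</code> line from the listing was never replaced with the PEM body.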
</p>
<p>
I had to do this before when getting set up for VA remote access; the
Arch Wiki comes through again with an article on <a href="https://wiki.archlinux.org/title/Common_Access_Card">Common Access
Cards</a> that includes instructions on adding certs to browsers.
</p>
<p>
There’s a chance it’s not even needed? The <a href="https://iwd.wiki.kernel.org/networkconfigurationsettings">specification</a>
no longer supports adding a client cert field without a key, which I
don’t have, and do not, apparently, need (see the section “EAP-PEAP with
tunneled EAP-MSCHAPV2”). At any rate, this setup is working now and I
won’t futz with it further until something breaks.
</p>
<h2>
-> ~~Profit~~ Prosper
</h2>
</main>
<div id="footnotes"></div>
<footer></footer>
</div>
</body>
</html>