802.1x

From ITwiki

Revision as of 16:15, 21 February 2007 by Cmilloy (Talk | contribs)

802.1x

This page details how to configure 802.1x, specifically at Stevens.

802.1x is a method for authenticating machines on a network, generally wireless. Please review the Wikipedia article for more information.

Specifically, 802.1x is used at Stevens to enable easier access to secure wireless networks. All that is required is a machine that supports 802.1x authentication and a Campus Domain Account.

Windows

Graduate Student Instructions

  • If you are a Graduate Student, you can log into your Web For Students account (currently available at this site), click on the dropdown menu Student Records, and click the menu item labelled "Graduate Student Disk Storage Space Request".

The instructions are on that page, but all that must be done is to change the dropdown box from "Not Requested" to "Requested". The accounts are generated automatically within 24-48 hours. You will not receive an email or other notification confirming this, but you can check Web For Students to see if the dropdown box has changed to completed, try accessing the account, or contact the Stevens Helpdesk to verify.

Default Credentials

There are a lot of different accounts at Stevens, so it can become a little confusing which is which.

Username

Your username is the same that you use for email (Pipeline Username), namely, everything in your Stevens Email Address before the @ symbol.

Password

Your default Campus Domain Password is StevensYYMMDD, where YYMMDD is your birthdate: the last two digits of the year, two digits for the month, and two digits for the day (add a zero in front of a single-digit month or day).

  • If you forgot your password, or typed it in enough times to lock yourself out, please contact the Helpdesk at x5500.

Please read the following information about changing your Campus domain password:

  • 10 passwords are retained in the history and cannot be reused when creating new passwords.
  • The minimum password age is 1 day (i.e. you can't change passwords more than once a day).
  • Password complexity is enforced by the following rules:
    • Must be at least 10 characters long.
    • Must begin with a letter.
    • Cannot contain any elements of your name or username.
    • And any two of the following three:
      1. Must contain alpha and numeric characters (letters and numbers).
      2. Must contain mixed case characters (upper and lower case).
      3. Must contain special characters.
  • It is also important to keep in mind that your campus domain password can be changed through the Pipeline utility. Also, your campus domain password can be used as your Pipeline password; however, the opposite is not true.
  • If a password change attempt is rejected, the error message may not accurately describe the reason. For example, a password may be rejected with an explanation that it is too short, when in fact the password meets the 10 character minimum. The error message explanations are sometimes incorrect, but the password itself is in fact being rejected for legitimate reasons, i.e. it doesn't meet one of the five criteria listed above. If your password change attempt is rejected, review the above conditions and confirm that your password meets them. Finally, sometimes a password is rejected for unknown reasons. When that happens, you should simply try a very different password.
  • On a similar subject, the account lockout policy is:
    • Account lockout occurs after 5 invalid attempts.
    • Account lockout duration is 15 minutes.
    • Account lockout counter is reset after 15 minutes.
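
Because a rejection message may name the wrong rule, a local pre-check that reports which complexity rule a candidate actually fails can save guesswork. This is an added example, not code from Stevens or the domain controller; the function names are hypothetical, and the name/username rule is assumed to mean a case-insensitive match on the username and on any name part of three or more characters.

```bash
#!/bin/bash
# Added example: pre-check a candidate against the complexity rules above.
# Usage: check_campus_password PASSWORD USERNAME [NAME_PART...]
# Prints each failed rule; returns 0 only when every rule is met.

# has STRING PATTERN: true when STRING matches the shell PATTERN.
has() { case $1 in $2) return 0 ;; esac; return 1; }

check_campus_password() {
    local pw="$1" user="$2" fails=0 classes=0 part lower_pw
    shift 2

    if [ "${#pw}" -lt 10 ]; then
        echo "FAIL: shorter than 10 characters"; fails=1
    fi
    if ! has "$pw" '[[:alpha:]]*'; then
        echo "FAIL: does not begin with a letter"; fails=1
    fi

    # Assumption: "elements of your name or username" means the username or
    # any name part of 3+ characters appearing anywhere, ignoring case.
    lower_pw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    for part in "$user" "$@"; do
        part=$(printf '%s' "$part" | tr '[:upper:]' '[:lower:]')
        [ "${#part}" -ge 3 ] || continue
        case $lower_pw in
            *"$part"*) echo "FAIL: contains '$part'"; fails=1 ;;
        esac
    done

    # Any two of: letters and digits, mixed case, special characters.
    if has "$pw" '*[[:alpha:]]*' && has "$pw" '*[[:digit:]]*'; then classes=$((classes + 1)); fi
    if has "$pw" '*[[:upper:]]*' && has "$pw" '*[[:lower:]]*'; then classes=$((classes + 1)); fi
    if has "$pw" '*[![:alnum:]]*'; then classes=$((classes + 1)); fi
    if [ "$classes" -lt 2 ]; then
        echo "FAIL: meets $classes of the 3 optional rules, needs 2"; fails=1
    fi
    return "$fails"
}
```

Call the function from a script that reads the candidate with a silent prompt rather than passing it on a command line, so it does not end up in shell history.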

Setting up 802.1x Wired

  1. Open up Start -> Settings -> Control Panel -> Network Connections
  2. Right click on your Local Area Connection and select Properties. Follow the Wireless section from Step 4 onwards.

Setting Up 802.1x Wireless with Protected EAP (PEAP) using Windows Utility with Windows XP and SP2

This document covers configuring wireless service for use of 802.1x wireless for the Stevens network name (ssid) and residence hall 802.1x wireless network names.

To configure 802.1x wireless, your Windows XP computer must have/use the following three items. (See notes below if your computer has Windows XP with Service Pack 1 software installed. There are also special instructions if you are configuring the Compaq nx7000. See Notes 2 and 3 below.)

  1. Windows XP with Service Pack 2 (see Note 1 below about Service Pack 1)
  2. Microsoft Windows Utility enabled (this will be done during configuration)
  3. Latest wireless card driver installed (update may be needed for some configurations; see Note 3 below)

NOTES:

  1. If your computer runs Windows XP with SP1, Information Technology strongly recommends you upgrade to SP2 before configuring 802.1x wireless. This service pack makes configuration of 802.1x much simpler. You can download SP2 from the \\storage01\public\ftp\cc\WinXPSP2 folder (or use Windows Update under the Tools menu in Internet Explorer, or go to the Microsoft web site).
  2. If you do not upgrade to SP2, you must install both the Advanced Networking Pack and Update for Microsoft Windows XP KB826942 before configuring 802.1x. The two files are on \\storage01\public in the folder named 802.1x. Filenames are WindowsXP-KB817778-x86-ENU.exe and WindowsXP-KB826942-x86-ENU.exe.
  3. Compaq nx7000 laptops distributed to Stevens users currently use the ProSET Utility for wireless. If you have the Compaq nx7000 laptop, go to Start, Control Panel, select Network Connections, choose Uninstall. Then Add (to let Windows redetect the network card). Otherwise, during the configuration, the Windows Utility's Wireless Networks tab will be missing; you will be unable to click a checkbox required so that the Windows Utility will control your wireless card.
  4. Also concerning Compaq nx7000 laptops: If Windows XP has been updated to SP2 (recommended), a wireless driver update is required before configuring 802.1x. To update the wireless driver, map network drive to \\storage01\public; look in the 802.1x folder. Download and install the SoftPaq with the file SP28331.exe. Now you can configure 802.1x with instructions in this document. (Other computers may also need a driver update to configure 802.1x.)

Facts on Using 802.1x with Protected EAP

What is Protected EAP?

802.1x provides a secure way to manage a network and ensure optimal performance. The 802.1x technology allows users to access a network based on a certificate and valid Windows Domain credentials. Extensible Authentication Protocol (EAP) is the protocol tied to the authentication procedure of 802.1x technology. Users authenticate over a protected (secure) channel before getting an IP address.

What else (besides items listed above) do I need before setting up 802.1x?

To use 802.1x with PEAP, you need a valid Windows Domain Account and must know your username and password. Faculty, employees, and undergraduates should already have a Campus Domain account. Your Campus Domain Account username is the same as your Pipeline username. If you are an undergraduate, your initial password is Stevensxxxxxx, where the x's stand for your birthdate in YYMMDD order. If you are a faculty member or employee, your initial password will be Stevensxxxxxx where the x's stand for your Web for Faculty/Employee PIN. Please change your initial password in Pipeline from the School Services tab as soon as possible.

Graduate students may request a Campus Domain account by logging into Web for Students and clicking on Network Disk Storage Request if you have not already done so. Your Domain account (and 250 MB storage space on a server called storage01 for your files and personal web pages) should be ready the next day. The username and password will be the same as for undergraduate students (see paragraph above). If you try to use your account the next day and it does not work, please let us know by sending e-mail to helpdesk@stevens.edu

Where is 802.1x access available?

802.1x with Protected EAP is implemented in parts of the Stevens Wireless Network: Davis Hall, Hayden Hall, and Humphreys Hall, Burchard 6th Floor, Carnegie areas covered by the Vivato panels (lawn areas and areas in and around the Wesley J. Howe Center).

Installation Instructions

Step 1

To set up 802.1x with PEAP, double-click My Computer, then right-click My Network Places. Select Properties from the drop down menu that appears. This will bring you to a screen showing you what network connections are currently available on your system.

Networkconnections.PNG

Step 2

Select and right click the Wireless connection. Select Properties from the drop down menu that appears. This will bring up another window. From this window, select the Wireless Networks tab. (Note: If there is no Wireless Networks tab, you need to do a "software uninstall" of your network card, then let Windows redetect the card. See the note at the beginning of this document.) This will bring you to the screen below.

Wirelessnetworkcon.PNG

Step 3

Click Add which will bring up the Wireless network properties dialog. Enter the appropriate Network name (SSID) in the field, depending on your location. The currently available network names are as follows:

Hall Name                  SSID
Davis Hall                 Stevens Davis
Hayden Hall                Stevens Hayden
Humphreys                  Stevens Humphreys
Jonas Hall                 Stevens Jonas
Castle Point Apartments    Stevens CPA
Stevens Campus             Stevens

Other network names will be added as additional 802.1x network devices are deployed in more residence halls, Greek houses, and other areas. "Stevens" will be the ssid in common areas.

From the Network Authentication drop down, select WPA. Then select TKIP from the Data encryption drop down.

Note: If WPA is not available to select, this means that either your network card does not support the protocols needed to use 802.1x, or you need updated drivers. Please visit the manufacturer of your network card (or of your laptop) and obtain the newest drivers for your network card. If WPA still does not appear after a reboot, you will not be able to use 802.1x with this card.

Wirelessnetworkpro.PNG

Step 4

Next, click on the Authentication tab and match the settings below. Make sure to select Protected EAP from the drop down menu and uncheck the boxes at the bottom of the dialog box.

Wirelessnetworkprop.PNG

Step 5

Next click on the Properties tab. Make sure Enable Fast Reconnect is unchecked. (NOTE: During Step 9, you will be prompted about and should accept the "Secure Server Certification Authority".)

Protectedeap.PNG

Step 6

Click Configure and uncheck the box in the popup window, as shown below.

Eapms.PNG

Step 7

Click on OK to all the windows, and then you should see the wireless profile as shown below.

Wirelessproperties.PNG

Step 8

A popup will come up on the task bar. Click it. Enter your credentials. Put your Windows Domain user name as your username and your Windows Domain Password as your password. For the logon domain, type CAMPUS. Then click OK.

Wirelesspopup.PNG Credentials.PNG

Step 9

Another popup may come up informing you that Windows is ready to process your logon credentials, as shown below. Click it and a certificate validation window will come up (also shown below). Click OK.

Credentialprocess.PNG Validatecertificate.PNG

After the authentication process is done, your wireless connections should show the network name you just configured. It should look like the illustration below.

Networkproperties3.PNG

Linux

Wired 802.1x (linux)

These instructions apply to the dorms and Greek houses at Stevens (they may also work in other locations). Credit goes to Grink for troubleshooting the initial problem and providing a working solution. Currently, 802.1x is available only in the dorms and Greek houses; however, any machine properly configured for 802.1x on wired will still work on non-802.1x ports.

The quick and dirty

  1. Download this config file to /etc/. You must edit this file to contain the correct username and password for your Campus Domain Account.
  2. Download this script to anywhere, and chmod +x it.
  3. Make sure you have wpa_supplicant installed with the wired driver compiled in (it should be by default).
  4. Run the script you downloaded in (2) as root after plugging your cable into an 802.1x port. It will start wpa_supplicant with the correct configuration, start the GUI, and run dhcpcd on eth0. You may need to modify the script if it doesn't work.
  5. Feel free to close the GUI; it's just a quick way to tell you what's happening.
  6. Here is a link to the original documentation.

If it fails to authenticate, make sure you are plugged into a port correctly. The script from (2) will finish once dhcpcd returns. If it doesn't print out an IP address, just a MAC, then it failed and you will need to run dhcpcd again.

Wireless 802.1x (linux)

For Stevens-class networks (any network whose name begins with "Stevens") at Stevens

A little more detail

The above instructions are the fast way; this section goes into a little more detail. The configuration file below has all the correct settings to connect to the majority (all that I cared to list) of wireless networks at Stevens. Thank Grink if you see him :)

Download the following configuration file to /etc/wpa_supplicant.wireless.conf, excerpted below:

/etc/wpa_supplicant.wireless.conf

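# control interface
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
# fast re-authentication is turned off, as in the Windows setup
fast_reauth=0
# better scanning mode: wpa_supplicant does the scanning and AP selection
ap_scan=1


network={
    ssid="Stevens"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    pairwise=CCMP TKIP
    group=CCMP TKIP
    # authentication info: replace with your Campus Domain username and password.
    # The password is stored in plain text, so keep this file readable by root only.
    identity="username"
    password="password"
    # no ca_cert is set here, so the server certificate is not verified
    phase1="peaplabel=0"
    # inner (phase 2) method; a second phase1 line would replace the one above
    phase2="auth=MSCHAPV2"
}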
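
A configuration of this kind can be checked before use for three things that matter with PEAP: a network block with no ca_cert or ca_path (wpa_supplicant then does not verify the server certificate, so the credentials can be offered to any access point using the same SSID), a key repeated inside one block (for example two phase1 lines where the inner method belongs in phase2), and a stored password in a file other users can read. This is an added example, not part of the original page or of wpa_supplicant; lint_wpa_conf and write_sample_conf are hypothetical names and the sample file is constructed.

```bash
#!/bin/bash
# Added example: lint a wpa_supplicant config for 802.1X pitfalls.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_wpa_conf() {
    local conf="$1" out
    out=$(
        awk '
            /^[ \t]*#/ { next }                      # ignore comment lines
            /^[ \t]*network[ \t]*=[ \t]*\{/ {        # start of a network block
                inblk = 1; ssid = "?"; split("", seen); next
            }
            inblk && /^[ \t]*\}/ {                   # end of block: evaluate it
                if (seen["eap"] && !seen["ca_cert"] && !seen["ca_path"])
                    print ssid ": no ca_cert/ca_path, server certificate is not verified"
                inblk = 0; next
            }
            inblk && /=/ {                           # key=value inside a block
                line = $0; sub(/^[ \t]+/, "", line)
                key = line; sub(/[ \t]*=.*/, "", key)
                if (key == "ssid") { ssid = line; sub(/^[^=]*=/, "", ssid) }
                if (seen[key]++)
                    print ssid ": \"" key "\" is set more than once"
            }
        ' "$conf"
        # A stored password should be readable by the file owner only.
        if grep -Eq '^[[:space:]]*password=' "$conf" &&
           [ -n "$(find "$conf" -prune \( -perm -040 -o -perm -004 \))" ]; then
            echo "file: holds a password but is group/world readable (chmod 600)"
        fi
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
# Constructed sample: a PEAP block with a repeated phase1 key and no ca_cert.
write_sample_conf() {
    cat > "$1" <<'EOF'
network={
ssid="Stevens"
key_mgmt=WPA-EAP
eap=PEAP
password="password"
phase1="peaplabel=0"
phase1="auth=MSCHAPV2"
}
EOF
    chmod 644 "$1"
}
```

Source the file and run `lint_wpa_conf /etc/wpa_supplicant.wireless.conf`; a clean result prints nothing and returns 0.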

Launching authentication

Assuming that you saved the above config file to the suggested location, a modified version of the below script should get you on the wireless shortly.

~/scripts/802.1x.wireless.sh

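#!/bin/bash
# stop any dhcpcd instance already running on the wireless interface
dhcpcd -k eth1
# reload the wireless driver module so the card starts from a clean state
rmmod ipw2100
modprobe ipw2100
# start wpa_supplicant in the background with the wireless configuration
wpa_supplicant -d -D ipw -i eth1 -c /etc/wpa_supplicant.wireless.conf &>/dev/null &
# optional GUI for watching the authentication and choosing a network
wpa_gui &
# request an address once wpa_supplicant is running
dhcpcd -do eth1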

(run this as root)

Modifications

  1. Replace eth1 with whichever interface your wireless card resides at.
  2. Change ipw2100 to match your card's wireless module name.
  3. wpa_gui is not required and is not included with older versions of the wpa_supplicant package.
  4. Using wpa_gui, you can select which network (from a list of configured networks) you would like to connect to. If you do this, after authentication you may need to re-run DHCP:
     # dhcpcd -k eth1
     # dhcpcd -do eth1

Mac OS

Setting Up 802.1x Wireless with Protected EAP (PEAP) on an Apple computer

This document covers how to connect to the 802.1x wireless services for the Stevens network names (ssid) and residence hall 802.1x wireless network names on an Apple Computer.

To configure 802.1x wireless, your Apple Computer must have/use the following items (see the Note below if your OS X version number is below 10.4 or you need to update drivers/software):

  • Mac OS X 10.4 or greater
  • Latest wireless card driver installed (update may be needed)

NOTE:

  • If your Apple computer is running a version below 10.4 (Tiger), Information Technology strongly recommends you upgrade to 10.4 (Tiger) before using 802.1x wireless. If you would like to check for software updates you can use the Software Update located in System Preferences.

Connecting to the 802.1x Wireless Service

In OS X, connecting to a wireless network does not involve configuring the Network name (SSID) before being able to connect. Follow these steps to connect to the 802.1x Wireless Networks:

  1. First, verify that your Apple's Airport is activated by looking in the top right section of your screen. If the Airport is disabled it will look like this: Wirelessoff.png. To activate the device click on the icon and select Turn AirPort On as shown: WirelessMenuOff.png
  2. Next, click the AirPort icon WirelessOnActive.png and select the wireless network you would like to connect to. (The 802.1x wireless network names (SSID) all begin with Stevens followed by the building name)

    WirelessMenuOn.png

  3. A window should appear containing Wireless Security: WPA Enterprise (should be grayed out), User Name:, Password: and 802.1x Configuration: Automatic
    AuthWindow.png
  4. Enter your Campus Domain Username and Campus Domain Password and then click Ok.
  5. Another window will appear asking if you would like to accept the Network Certificate. Click Continue.
    WirelessCertificate.png
You are now connected to the Stevens 802.1x Wireless Network.
