Connecting to the CSAILPrivate wireless network
Description of the CSAILPrivate network
In addition to the public (StataCenter) wireless network, we also provide a private CSAIL-only wireless network, with link-layer encryption to ensure a modicum of privacy. Note: encryption of your wireless link is not a substitute for encrypting your communications end to end; while wireless encryption can prevent some forms of passive eavesdropping on the radio link, it does not prevent your communications from being monitored at other points in the network.
The specific configuration we are using is:
- SSID ("Wireless network name"): CSAILPrivate
- WPA2 (Wi-Fi Protected Access version 2)
- AES-CCMP encryption algorithm
- EAP-TLS (certificate-based) authentication and key management; this 802.1X mode is what the Windows and Mac dialogs below call "WPA2 Enterprise"
FYI: The private wireless network is on its own subnet, 128.30.8.0/22. If you desire a static IP address after successfully connecting, register first with WebDNS, then DHCP Registration.
Common problems
- "I could connect to CSAILPrivate yesterday but not today"
- The CSAIL client certificate you presented when first connecting to CSAILPrivate has expired. You will need to use a different network to renew your certificates, and then follow the instructions below to replace the certificate that your wireless configuration looks for.
- "I can connect with one computer but not a very similar one"
- WPA2 and EAP-TLS are inconsistently supported by current operating systems and drivers. As a result, you may experience challenges even with hardware that is labeled "WPA2 compliant." That said, we have had reasonable luck connecting to the private network using Windows and Mac clients as listed below.
- "I can connect in one user profile (local account) but not another"
- Because connections require CSAIL client certificates that are stored privately in each local profile/account, a network connection to CSAILPrivate will not work across users or before the first user logs in. You may need to manually switch networks when switching users, or employ other workarounds.
Windows XP (SP3 required)
- Obtain or import CSAIL certificates into Internet Explorer using the instructions at CertificatesIEUnderXP
- Ensure that your wireless adapter is on: go to Start -> Control Panel -> Network Connections. Make sure "Wireless Network Connection" is not greyed out. If it is, you may need to flip the "Radio On" switch on the laptop case, press Fn+F5 or similar, and/or right-click "Wireless Network Connection" and choose Enable.
- Right-click "Wireless Network Connection" and choose "Properties" -> "Wireless Networks".
- Make sure "Use Windows to configure my wireless network settings" is set to YES.
- Click "Add..." and enter the following:
  - "Network name (SSID):" CSAILPrivate
  - "Connect even if this network is not broadcasting:" YES
  - "Network Authentication:" WPA2
  - "Data encryption:" AES
- Click "OK" twice to save and connect; wait ~30 seconds.
- In the system tray (bottom right), Click on the balloon reading "Click here to process your logon information..."
- In the "Wireless Network Connection" window, CSAILPrivate should now be Connected.
- Optional: in the "Wireless Network Connection" window, click "Change Advanced Settings." In the "Wireless Networks" tab, click CSAILPrivate, then "Move up" to the top. Remove StataGuest if present.
- Only if CSAILPrivate has not connected, verify the security protocol details:
  - Click "Change advanced settings," then "Wireless Networks." When "CSAILPrivate" appears, click it, then "Properties."
  - On the first tab ("Association"), "Network Authentication" should be WPA2 and "Data encryption" should be AES.
  - On the second tab ("Authentication"), "EAP type" should be "Smart Card or other Certificate." Under "Properties," make sure "Use a certificate on this computer" and "Use simple certificate selection" are selected. Leave "Validate server certificate" checked, so that your machine only authenticates to an access point whose certificate was issued by the CSAIL Master CA.
Windows Vista (SP1 strongly recommended)
- First, install CSAIL certificates in Internet Explorer using the CertificatesIEWorkaround.
- Go to Start -> Control Panel -> Network and Internet -> Network and Sharing Center -> Manage wireless networks
- Click "Profile types" and change the setting to "Use all-user and per-user profiles." Save, Continue.
- Click Add -> Manually create a network profile.
  - "Network name:" CSAILPrivate
  - "Security type:" WPA2-Enterprise
  - "Encryption type:" AES
- Set "Save this network for me only", "Start this connection automatically", and "Connect even if the network is not broadcasting" all to YES
- Click Next. It is normal to see a balloon from the bottom right saying "Can't connect."
- Click "Change connection settings," then "Security." Change "network authentication method" to "Smart Card or other certificate."
- Click "OK", then "Connect."
- Click "Enter/select additional log on information" when prompted. (If it doesn't appear, try Disconnecting an existing network and waiting ~30 sec.) Check that the prompt names the CSAIL Master CA, then click "OK" to accept it as the trust anchor for the EAP-TLS negotiation over the CSAILPrivate network.
- You should see "Successfully connected to CSAILPrivate."
Mac OS X (10.5 "Leopard" required)
Connecting from Mac OS X requires that you have CSAIL certificates in your Keychain. If you currently have only MIT certificates in Keychain, for use with MIT business applications under Safari, you probably do not want to use the private wireless network.
- Obtain a CSAIL client certificate following the instructions at CertificatesSafari
- Apple menu -> System Preferences -> Network -> AirPort
- If the Lock icon in lower left is closed, click it and enter the password of an administrator of the computer before continuing.
- For Network Name, choose "Join other network..."
- Enter Network Name: "CSAILPrivate"
- Choose Security: "WPA2 Enterprise"
- Leave User Name and Password BLANK. Click Join.
- If prompted, "Always Allow" eapolclient access to your certificates. (The private key is used to sign the EAP-TLS handshake, not your data traffic.)
- Within 60 seconds, you should see "Authenticated via TLS."
- Optional: click "Advanced." In Preferred Networks, remove StataGuest, if present, and drag CSAILPrivate to the top of the list.
Known Issues:
- If your user account is a Standard User, subsequent attempts to switch to CSAILPrivate from another network may fail with no IP address. Network Preferences -> unlock may fix this.
- If an initial attempt to connect to CSAILPrivate fails: in Network Preferences -> AirPort, click "Advanced," then "802.1X". Click the triangle (and wait up to 15 seconds) and click the User Profile for CSAILPrivate. Under "Authentication," select only TLS and leave everything else UNchecked.
- As a last resort, quit Network Preferences, delete the following files, and try again from Step 1 above:
- ~/Library/Preferences/com.apple.eap.profiles.plist
- ~/Library/Preferences/ByHost/com.apple.eap.bindings.ALPHA-NUMERIC-STRING.plist
- Authentication may flicker continuously, failing to negotiate an IP address. If the above troubleshooting steps don't help, as a workaround, register your MAC address (see DHCP Registration above), then try again.
Apple iPhone
We can offer only limited support for connecting to the CSAILPrivate wireless network from the Apple iPhone, but it does appear to work once you have CSAIL certificates.
- Obtain CSAIL certificates following the instructions at IPhoneCertsInstall
- On your iPhone, go to: Settings -> WiFi -> Choose CSAILPrivate
- Skip the username and password fields and select "EAP-TLS" as the mode, then return to the Enter Password screen
- Your name should now appear next to "Identity". Select "Join"
- You will be prompted to accept a certificate for "ntp-0.csail.mit.edu" or another CSAIL server. Check that the certificate is issued by the CSAIL Master CA before tapping "Accept"; accepting a certificate from an unknown issuer would let a rogue access point pose as CSAILPrivate. You should then be connected. (It is an iPhone bug that it identifies this certificate as "untrusted" even though it is signed by Master CA.)
Free Software operating systems
Because we require certificate authentication on the private wireless network, connecting to it under most Free Software operating systems (including GNU/Linux) involves extracting a CSAIL certificate and private key from one's browser and storing them, unencrypted, somewhere on your local disk where the WPA client can get to them. We don't think this is a particularly good idea, so we're recommending you do not use the private wireless right now. We are continuing to experiment, and as free clients get better we'll update this section with information on how to take advantage of this service.
The NetworkManager application used by Debian and Ubuntu, among others, claims to support WPA2 and EAP-TLS, but doesn't appear to work in practice. This may be fixed in a future release.