Connecting to CSAILPrivate

CSAILPrivate is CSAIL's encrypted, authenticated wireless network. Use of CSAILPrivate is required to get a static IP address or to print to CSAIL printers when connected to a wireless network. As a reminder, although your traffic over the wireless network will be encrypted, there are still other points within the CSAIL network and outside CSAIL where your traffic can be monitored, albeit with a slightly higher degree of difficulty. The instructions below describe how to set up access using a CSAIL Kerberos username and password. If you are uncomfortable with using your regular CSAIL Kerberos password, or if the device you wish to connect will be shared by multiple people, please visit the helpdesk: they can create a separate Kerberos principal specifically for that purpose.


Android versions going back at least to 4.1 have supported the necessary authentication protocols. These instructions were tested with Android 4.1.2 on a Motorola DROID4 (Verizon Wireless software load):
  • Open the "Wi-Fi settings" control
  • Tap "CSAILPrivate" in the list of wireless networks
  • Under "EAP method", select "TTLS"
  • Under "Phase 2 authentication", select "PAP"
  • For "Identity", enter your CSAIL Kerberos username
  • For "Anonymous identity", enter
  • For "Password", enter your CSAIL Kerberos password
  • If there are fields for "CA Certificate" and "Domain", choose "Use system certificates and specify (Not all versions of Android have these fields.)
  • Tap "Connect"

Apple iOS

Tested on 7.x
  • From your iOS device, tap on CSAILPrivate Mac OS / iOS profile
    • Tap "Install" when propted
    • Tap "Install Now" when prompted for installing the Root Certificate
  • Enter you device's passcode
  • Enter your CSAIL Kerberos username
    • tap "Next"
  • Enter your CSAIL Kerberos password
    • tap "Next"
  • You should see "Profile Installed" and Verified.
    • tap "Done"
  • Now you can connect to the "CSAILPrivate" network
    • Go to "Settings" > "Wi-Fi" > browse to "CSAILPrivate" and tap it
    • Tap "Accept" to trust the External CA Root
  • You should now be connected to "CSAILPrivate"


Supported on 10.7, 10.8, 10.9, 10.10
  • If you participated in testing the new wireless setup, open the Profiles tool in System Settings and remove the CSAIL Testing profile that was previously installed before continuing.
  • Download and save the CSAILPrivate Mac OS / iOS profile
  • Double click the "CSAILPrivate Wireless.mobileconfig" file you just saved which will prompt you to install "CSAILPrivate Wireless"
    • Click continue and continue again
  • At "Enter settings for "CSAILPrivate Wireless", enter your CSAIL Kerberos username / password.
    • Click Install
  • If you've ever set up CSAILPrivate on your machine before, you may see a confirmation dialog asking you to whether it's OK to overwrite the existing CSAILPrivate settings.
  • Enter your machine password if prompted
  • Your profile should now be installed and Verified. You can now close that window
  • Now you simply choose the "CSAILPrivate" network SSID to connect to.


Tested on 14.04 and 16.04. You might need to repeat this setup a couple times before it succeeds.
  • Select CSAILPrivate from the WIFI drop down menu in the upper right hand corner of the desktop menu bar
  • A window entitled "Wi-Fi Network Authentication Required" should now be visible
    • At "Authentication" drop down menu select: Tunneled TLS
    • At "Anonymous identity" enter: anonymous
    • At "CA certificate" click the CA File button, browse to /etc/ssl/certs, and then select: AddTrust_External_Root.pem
    • At "Inner authentication" select: PAP
    • Enter your CSAIL Kerberos username / password
  • Now you simply click on the "Connect" button . You should now be connected to "CSAILPrivate"

Windows 7

Windows 7 does not include native support for this kind of wireless authentication, but support is bundled with some wireless drivers. This is tested with Intel drivers. Broadcom drivers are believed to work as well, but may have a different configuration dialog. For other Windows 7 systems, you might consider upgrading to Windows 10.

  • Go to Start > type "wireless" > Choose "Manage Wireless Networks"
  • Choose "Add" > Manually Create
    • Network Name: "CSAILPrivate"
    • Security Type: WPA2-Enterprise
    • Leave the rest default > Next
  • As soon as you are prompted, Choose "Change Settings"
  • Click on the "Security" tab
    • Security Type: "WPA2-Enterprise"
    • Encryption Type: "AES"
    • Choose a Network Authentication Method: "[Intel] EAP-TTLS > Settings
      • Authentication Protocol: "PAP"
      • Username: [CSAIL Kerberos Username]
      • Domain: blank
      • Password: [CSAIL Kerberos Password]
      • Roaming Identity:
      • Next
  • Step 2
    • Check, "Validate Server Certificate"
      • Any Trusted CA
    • Click OK > OK > Close
  • Now look for the "CSAILPrivate" SSID as you normally would to connect

Windows 8 and 10

  • Click Start > type "wireless" > choose "Connect to a Network"
  • Browse for "CSAILPrivate" and select it
  • Enter your CSAIL Kerberos username and password when prompted

Generic (any other operating system or wireless device)

The CSAILPrivate wireless uses the following security settings:
  • WPA2-Enterprise (with AES and TKIP)
  • EAP-TLS (with a CSAIL client certificate) or EAP-TTLS (Tunneled TLS)
  • For TTLS:
    • Outer identity should be ""
    • The authentication protocol inside the tunnel may be either EAP-GTC (Generic Token Card) or PAP (plaintext password). Other inner authentication protocols are not supported.
    • The inner identity must be the name of a CSAIL Kerberos principal, which may include multiple components (an "instance") but may not include a realm name (@CSAIL.MIT.EDU).

Using static IP addresses on the CSAILPrivate network

Devices connected to the CSAILPrivate network can have static IP addresses, but those IP addresses must be in the "CSAIL private wireless" address range ( In order to get a static IP address, you must register a domain name for your device in WebDNS (documentation), and then register the IP address WebDNS gives you in DHCP. Then you can configure your device as described above.

Note that CSAILPrivate uses a different network address range than the old StataCenter wireless network (which just used the "Wireless" range). If you have a device that used to have a static IP address via unauthenticated wireless and you're switching it to the CSAILPrivate network, you'll need to delete the old entries for it in WebDNS and dhreg, re-register your device getting a new IP address in the "CSAIL private wireless" range, wait about an hour for the changes to take effect (and perhaps a while longer for them to propagate elsewhere if you're going to be trying to connect to the device by domain name from outside CSAIL), and then follow the steps above to configure your device.

If you have no preference for domain name, we suggest using something like or For instance, I (Jay Sekora) might choose names like
(No, I donít have a network-addressible coffeemaker, moreís the pity.) This is optional, but might help us figure out what's going on or who to contact in case of problems.
Topic attachments
ISorted ascending Attachment Action Size Date Who Comment
CSAILPrivate_Wireless.mobileconfigmobileconfig CSAILPrivate_Wireless.mobileconfig manage 29.2 K 05 Oct 2015 - 01:49 GarrettWollman Apple Configuration Profile for CSAILPrivate
CSAIL_Testing.mobileconfigmobileconfig CSAIL_Testing.mobileconfig manage 20.3 K 22 Apr 2014 - 19:51 JasonDorfman CSAIL Testing Mac OS / iOS profile
Topic revision: 22 May 2018, JasonDorfman

MIT Computer Science and Artificial Intelligence Laboratory


  • About CSAIL
  • Research
  • News + Events
  • Resources
  • People

This site is powered by Foswiki MIT: Massachusetts Institute of Technology