Connecting to the CSAILPrivate wireless network


Description of the CSAILPrivate network

In addition to the public (StataCenter) wireless network, we also provide a private CSAIL-only wireless network, with link-layer encryption to provide a modicum of privacy. Note: encrypting your wireless link is not a substitute for encrypting your communications end to end. Wireless encryption only covers the radio hop between your device and the access point, so it can prevent some forms of passive eavesdropping; it does nothing to stop your traffic being monitored at other points in the network. Protect anything sensitive with an end-to-end protocol such as TLS or SSH.

The specific configuration we are using is:
  • SSID ("Wireless network name") CSAILPrivate
  • WPA2 (Wi-Fi Protected Access version 2)
  • AES-CCMP encryption algorithm
  • EAP-TLS (certificate-based) authentication over 802.1X, with the session keys derived from that exchange (this mode is also called "WPA2 Enterprise")

FYI: The private wireless network is on its own subnet, 128.30.8.0/22. If you desire a static IP address after successfully connecting, register first with WebDNS, then DHCP Registration (CSAIL certificates required).

Common problems

  1. "I could connect to CSAILPrivate yesterday but not today"
    • The CSAIL certificate you provided when first connecting to CSAILPrivate has expired. You will need to use a different network to renew your certificates, and then follow instructions to replace the certificate that your wireless card looks for.
  2. "I can connect with one computer but not a very similar one"
    • WPA2 and EAP-TLS are inconsistently supported by current operating systems and drivers. As a result, you may experience challenges even with hardware that is labeled "WPA2 compliant." That said, we have had reasonable luck connecting to the private network using Windows and Mac clients as listed below.
  3. "I can connect in one user profile (local account) but not another"
    • Because connections require CSAIL client certificates that are stored privately in each local profile/account, a network connection to CSAILPrivate will not work across users or before the first user logs in. You may need to manually switch networks when switching users, or employ other workarounds.

Windows XP (SP3 required)

  1. Obtain or import CSAIL certificates into Internet Explorer using the instructions at CertificatesIEUnderXP
  2. Ensure that your wireless adapter is on: go to Start -> Control Panel -> Network Connections. Make sure "Wireless Network Connection" is not greyed out. If it is, you may need to flip the "Radio On" switch on the laptop case, press Fn+F5 or similar, and/or right-click "Wireless Network Connection" and choose Enable.
  3. Right-click "Wireless Network Connection" and choose "Properties" -> "Wireless Networks".
  4. Make sure "Use Windows to configure my wireless network settings" is set to YES.
  5. Click "Add..." and enter the following:
    • "Network name (SSID):" CSAILPrivate
    • "Connect even if this network is not broadcasting:" YES
    • "Network Authentication:" WPA2
    • "Data encryption:" AES
  6. Click "OK" twice to save and connect; wait ~30 seconds.
  7. In the system tray (bottom right), Click on the balloon reading "Click here to process your logon information..."
  8. In the "Wireless Network Connection" window, CSAILPrivate should now be Connected.
  9. Optional: in the "Wireless Network Connection" window, click "Change Advanced Settings." In the "Wireless Networks" tab, click CSAILPrivate then "Move up" to the top. Remove StataGuest if present.
  10. If CSAILPrivate has not connected, verify the security protocol details:
    • Click "Change advanced settings," then "Wireless Networks." When "CSAILPrivate" appears, click it, then "Properties."
    • On the first tab ("Association"), "Network Authentication" should be WPA2 and "Data encryption" should be AES.
    • On the second tab ("Authentication"), "EAP type" should be "Smart Card or other Certificate." Under "Properties," make sure "Use a certificate on this computer" and "Use simple certificate selection" are selected, and leave "Validate server certificate" checked so that the client only completes authentication with a server whose certificate chains to a trusted CA.

Windows 7

  1. First, install CSAIL certificates in Internet Explorer using the instructions at CertificatesIE.
  2. Go to Start -> Control Panel -> Network and Internet -> Network and Sharing Center -> Manage wireless networks
  3. Click "Profile types" and change the setting to "Use all-user and per-user profiles." Save, Continue.
  4. Click Add -> Manually create a network profile.
    • "Network name:" CSAILPrivate
    • "Security type:" WPA2-Enterprise
    • "Encryption type:" AES
    • Set "Save this network for me only", "Start this connection automatically", and "Connect even if the network is not broadcasting" all to YES
    • Click Next. It is normal to see a balloon from the bottom right saying "Can't connect."
  5. Click "Change connection settings," then "Security." Change "Choose a network authentication method" to "Microsoft: Smart Card or other certificate."
  6. Click Settings. Leave "Validate server certificate" checked and, under Trusted Root Certification Authorities, check "CSAIL Master CA v2". This is what makes the client verify that the authentication server's certificate was issued by the CSAIL CA; without it, the client would complete EAP-TLS with any server, including a rogue access point advertising the CSAILPrivate SSID.
  7. Click "OK", click "ok" then "Close."
  8. From the Manage Wireless Connections control panel, click Network and Sharing Center -> Connect to a network -> choose "CSAILPrivate" -> click connect
  9. You should see "Successfully connected to CSAILPrivate."

Windows 8 (not yet supported at CSAIL)

The Windows 7 instructions will also work for Windows 8, with the following changes:
  • Uncheck "Connect even if the network is not broadcasting."
  • Under "Advanced settings," check "Specify authentication mode" and set it to "User or computer authentication."

Mac OS X (10.5+ required, "Leopard" or "Snow Leopard")

Prerequisites: Your Mac OS login account is an Admin account, with a CSAIL client certificate installed in Keychain (see CertificatesSafariKeychain).

  1. Apple menu -> System Preferences -> Network -> AirPort
  2. If the Lock icon in lower left is closed, click it and enter your password before continuing.
  3. For Network Name, choose "Join other network..."
    • Enter Network Name: "CSAILPrivate"
    • Choose Security: "WPA2 Enterprise"
    • Leave User Name and Password BLANK.
    • Click the down arrow at the far right of "Certificate". Make sure you see "Issued by: Client CA" and "Expires: [date in future]"
    • Click Join.
    • If prompted, "Always Allow" eapolclient access to your certificates to sign network traffic.
  4. Within 60 seconds, you should see "Authenticated via TLS" and an IP address within 128.30.8.1 - 128.30.11.254.
  5. Optional: click "Advanced." In Preferred Networks, drag CSAILPrivate higher than StataCenter.

Mac OS X (10.8)

Prerequisites: Your Mac OS login account is an Admin account, with a CSAIL client certificate installed in Keychain (see CertificatesSafariKeychain).

  1. Apple menu -> System Preferences -> Network -> Wi-Fi
  2. If the Lock icon in lower left is closed, click it and enter your password before continuing.
  3. For Network Name, choose "Join other network..."
    • Enter Network Name: "CSAILPrivate"
    • Choose Security: "WPA2 Enterprise"
    • Change Mode: "EAP-TLS"
    • Leave User Name and Password BLANK.
    • Choose Identity: "Your CSAIL client certificate"
    • Click Join.
    • If prompted, click continue
    • If prompted, click Always Allow
  4. Within 60 seconds, you should see "Authenticated via TLS" and an IP address within 128.30.8.1 - 128.30.11.254.
  5. Optional: click "Advanced." In Preferred Networks, drag CSAILPrivate higher than StataCenter.

Known Issues:

  • If an initial attempt to connect to CSAILPrivate fails: in Network Preferences -> AirPort, click "Advanced," then "802.1X". Click the triangle (and wait up to 15 seconds), then click the User Profile for CSAILPrivate. Under "Authentication," select only TLS and leave everything else UNchecked.
    • Then click OK -> Apply -> Turn AirPort Off -> [wait 15 sec] -> Turn AirPort On.
  • If System Preferences -> Network -> AirPort says "Self-Assigned IP": remove all traces of expired certificates, even ones that do not appear in Keychain Access's default view:
    • Navigate to Applications -> Utilities -> Keychain Access -> login -> Keys.
    • Expand all items of Kind: private key that have triangles next to them.
    • Delete all private keys and certificates except the still-valid CSAIL certificate and its private key. Leave public keys alone.
    • Back in the Network preference pane, click Advanced -> CSAILPrivate -> [the small pencil icon]. Make sure the settings match step 3 above, especially the certificate expiration date.
    • Then click OK -> Apply -> Turn AirPort Off -> [wait 15 sec] -> Turn AirPort On.

Last resorts: [please contact help@csail if you find yourself needing these]
  • Quit Network Preferences, delete the following files, and try again from Step 1 above:
    • ~/Library/Preferences/com.apple.eap.profiles.plist
    • ~/Library/Preferences/ByHost/com.apple.eap.bindings.ALPHA-NUMERIC-STRING.plist
  • Register your MAC address, (CSAIL Certificates required) then try again.

Apple iPhone (Does not work on iOS 4.0)

These instructions are offered "as is". Encrypted wireless is more finicky, and offers less benefit, on iOS devices.

  1. Obtain CSAIL certificates following the instructions at IPhoneCertsInstall
  2. On your iPhone, go to: Settings -> WiFi -> Choose CSAILPrivate
  3. Skip username and password, select "EAP-TLS" for your mode, then return to the Enter Password screen.
  4. Your name should now appear next to "Identity". Select "Join".
  5. You will be prompted to accept a certificate for "ntp-0.csail.mit.edu" or another CSAIL server. Before accepting, check the certificate details and confirm it is issued by the CSAIL Master CA; tapping "Accept" on an unexpected certificate is exactly what would let a rogue access point impersonate CSAILPrivate. Tap "Accept" and you should be connected. (It is an iPhone bug that it identifies this certificate as "untrusted" even though it is signed by Master CA.)

Free Software operating systems

Because we require certificate authentication on the private wireless network, connecting to it under most Free Software operating systems (including GNU/Linux) involves extracting a CSAIL certificate and private key from your browser and storing them, unencrypted, somewhere on your local disk where the WPA client can read them. We don't think this is a particularly good idea, so we recommend that you do not use the private wireless network right now. We are continuing to experiment, and as free clients get better we will update this section with information on how to take advantage of this service.

The NetworkManager application used by Debian and Ubuntu, among others, claims to support WPA2 and EAP-TLS, but doesn't appear to work in practice. This may be fixed in a future release.
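As an added example, not CSAIL's own configuration and not a change to the recommendation above, here is what a wpa_supplicant network block for the parameters listed under "Description of the CSAILPrivate network" looks like: first in the form the previous paragraphs warn about (cleartext key on disk, no check on the server), then with the two changes a practitioner would make. The private key stays inside the passphrase-protected PKCS#12 file that browsers export, and the authentication server's certificate is checked against the CSAIL CA so a rogue access point cannot impersonate the network. File paths, the identity string, the CA file name and the domain suffix are assumptions; the CA certificate itself must come from the CSAIL certificate pages.

```conf
# Added example: wpa_supplicant.conf network blocks for CSAILPrivate.
# Not CSAIL's configuration; paths, identity, CA file name and domain suffix
# are assumptions for illustration.

# --- Weak form: what "extract the key to local disk" usually ends up as ---
network={
    ssid="CSAILPrivate"
    scan_ssid=1                 # probe for the SSID; harmless if it is broadcast
    proto=RSN                   # WPA2
    key_mgmt=WPA-EAP            # 802.1X, i.e. "WPA2 Enterprise"
    pairwise=CCMP               # AES-CCMP
    group=CCMP
    eap=TLS
    identity="yourusername"     # assumed; sent in the clear as the EAP identity
    client_cert="/home/user/csail-client.pem"
    private_key="/home/user/csail-client-key.pem"   # unencrypted key on disk
    # No ca_cert: the client will finish the TLS handshake with ANY server,
    # so a rogue access point can harvest an authentication attempt.
}

# --- Hardened form ---
network={
    ssid="CSAILPrivate"
    scan_ssid=1
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="yourusername"     # assumed
    # Certificate and key stay in the passphrase-protected PKCS#12 export from
    # the browser; wpa_supplicant reads PKCS#12 directly, so client_cert is
    # not needed.
    private_key="/etc/wpa_supplicant/csail-client.p12"
    # private_key_passwd is deliberately absent: wpa_supplicant then requests
    # the passphrase over its control interface (CTRL-REQ-PASSPHRASE; answer
    # with "wpa_cli passphrase <network id> <passphrase>") instead of keeping
    # it in this file.
    # Pin the authentication server to the CSAIL CA (assumed file name).
    ca_cert="/etc/wpa_supplicant/csail-master-ca-v2.pem"
    # Also require the server certificate's name to end in the CSAIL domain
    # (assumed suffix).
    domain_suffix_match="csail.mit.edu"
}
```

Keep the configuration file and the .p12 owned by root with mode 0600, since wpa_supplicant runs as root and reads both; the hardened form still leaves a key file on disk, which is the concern the page raises, but it is no longer a cleartext one.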
Topic revision: 22 Apr 2014, JasonDorfman
 
