Connecting to CSAILPrivate using CSAIL client certificates


Description of the CSAILPrivate network

In addition to the public (StataCenter) wireless network, we also provide a private CSAIL-only wireless network, with encryption to ensure a modicum of privacy. Note: encryption of your wireless link is not a substitute for encrypting your communications; while using wireless encryption can prevent some forms of passive eavesdropping, it does not prevent your communications being monitored at other points in the network.

Most clients will want to use CSAILPrivate by configuring a username and password. For operating systems not mentioned here, see the main CSAILPrivate wiki page for instructions. Users who want to continue to use certificates (including Windows 7 users who do not have the required drivers) should follow the instructions below.

The specific configuration we are using is:
  • SSID ("Wireless network name") CSAILPrivate
  • WPA2 (Wi-Fi Protected Access version 2)
  • AES-CCMP encryption algorithm
  • EAP-TLS (certificate-based) authentication and key management

FYI: The private wireless network is on its own subnet, 128.30.8.0/22. If you desire a static IP address after successfully connecting, register first with WebDNS, then DHCP Registration (CSAIL certificates required).

Common problems

  1. "I could connect to CSAILPrivate yesterday but not today"
    • The CSAIL certificate you provided when first connecting to CSAILPrivate has expired. You will need to use a different network to renew your certificates, and then follow instructions to replace the certificate that your wireless card looks for.
  2. "I can connect with one computer but not a very similar one"
    • WPA2 and EAP-TLS are inconsistently supported by current operating systems and drivers. As a result, you may experience challenges even with hardware that is labeled "WPA2 compliant." That said, we have had reasonable luck connecting to the private network using Windows and Mac clients as listed below.
  3. "I can connect in one user profile (local account) but not another"
    • Because connections require CSAIL client certificates that are stored privately in each local profile/account, a network connection to CSAILPrivate will not work across users or before the first user logs in. You may need to manually switch networks when switching users, or employ other workarounds.
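Problem 1 above comes down to the client certificate having expired, so the first thing to check before reconfiguring anything is the certificate's expiry. The script below is an added example, not part of the CSAIL wiki: it reports the notAfter date of a PEM-encoded certificate and classifies it as expired, expiring (less than 14 days left) or valid, using only the openssl command line. It assumes openssl is on PATH; the keychain export command in the comments, the certificate name and the file names are placeholders, and the self-signed certificate the script can generate is constructed purely to exercise the checks.

```shell
#!/bin/sh
# Added example (not from the CSAIL wiki): check whether a PEM-encoded client
# certificate has expired or is about to, the first thing to verify for
# "I could connect yesterday but not today".
#
# Assumption: openssl is on PATH. On macOS the certificate can be exported
# from the login keychain as PEM with (name and output file are placeholders):
#   security find-certificate -c "<name on your CSAIL cert>" -p login.keychain > cert.pem

# cert_not_after FILE: print the notAfter date of the certificate in FILE.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_ok_for FILE SECONDS: exit 0 if the certificate is still valid SECONDS
# from now, 1 if it has already expired or will expire within that window
# (this is openssl's own -checkend exit status, passed through).
cert_ok_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# cert_status FILE: print a one-word status for use in scripts:
# "expired", "expiring" (fewer than 14 days left) or "valid".
cert_status() {
    if ! cert_ok_for "$1" 0; then
        echo expired
    elif ! cert_ok_for "$1" $((14 * 86400)); then
        echo expiring
    else
        echo valid
    fi
}

# make_test_cert FILE DAYS: generate a constructed self-signed certificate
# valid for DAYS days, only to demonstrate the checks; not a CSAIL cert.
# The throwaway private key is written next to FILE with a .key suffix.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example-client" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: sh check_cert.sh cert.pem
if [ -n "${1:-}" ]; then
    echo "notAfter: $(cert_not_after "$1")"
    echo "status:   $(cert_status "$1")"
fi
```

If the status is "expired", renew the certificate from another network first, as the answer above says; only then is it worth replacing the certificate the wireless profile refers to.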

Windows 7

  1. First, install CSAIL certificates in Internet Explorer (see CertificatesIE).
  2. Go to Start -> Control Panel -> Network and Internet -> Network and Sharing Center -> Manage wireless networks
  3. Click "Profile types" and change the setting to "Use all-user and per-user profiles." Save, Continue.
  4. Click Add -> Manually create a network profile.
    • "Network name:" CSAILPrivate
    • "Security type:" WPA2-Enterprise
    • "Encryption type:" AES
    • Set "Save this network for me only", "Start this connection automatically", and "Connect even if the network is not broadcasting" all to YES
    • Click Next. It is normal to see a balloon from the bottom right saying "Can't connect."
  5. Click "Change connection settings," then "Security." Change "Choose a network authentication method" to "Microsoft: Smart Card or other certificate."
  6. Click Settings -> under Trusted Root Certification Authorities, check off "CSAIL Master CA v2"
  7. Click "OK", click "ok" then "Close."
  8. From the Manage Wireless Connections control panel, click Network and Sharing Center -> Connect to a network -> choose "CSAILPrivate" -> click connect
  9. You should see "Successfully connected to CSAILPrivate."

Mac OS X (10.5+ required, "Leopard" or "Snow Leopard")

Prerequisites: Your Mac OS login account is an Admin account, with a CSAIL client certificate installed in Keychain (see CertificatesSafariKeychain).

  1. Apple menu -> System Preferences -> Network -> AirPort
  2. If the Lock icon in lower left is closed, click it and enter your password before continuing.
  3. For Network Name, choose "Join other network..."
    • Enter Network Name: "CSAILPrivate"
    • Choose Security: "WPA2 Enterprise"
    • Leave User Name and Password BLANK.
    • Click the down arrow at the far right of "Certificate". Make sure you see "Issued by: Client CA" and "Expires: [date in future]"
    • Click Join.
    • If prompted, "Always Allow" eapolclient access to your certificates to sign network traffic.
  4. Within 60 seconds, you should see "Authenticated via TLS" and an IP address within 128.30.8.1 - 128.30.11.254.
  5. Optional: click "Advanced." In Preferred Networks, drag CSAILPrivate higher than StataCenter.

Mac OS X (10.8)

Prerequisites: Your Mac OS login account is an Admin account, with a CSAIL client certificate installed in Keychain (see CertificatesSafariKeychain).

  1. Apple menu -> System Preferences -> Network -> Wi-Fi
  2. If the Lock icon in lower left is closed, click it and enter your password before continuing.
  3. For Network Name, choose "Join other network..."
    • Enter Network Name: "CSAILPrivate"
    • Choose Security: "WPA2 Enterprise"
    • Change Mode: "EAP-TLS"
    • Leave User Name and Password BLANK.
    • Choose Identity: "Your CSAIL client certificate"
    • Click Join.
    • If prompted, click continue
    • If prompted, click Always Allow
  4. Within 60 seconds, you should see "Authenticated via TLS" and an IP address within 128.30.8.1 - 128.30.11.254.
  5. Optional: click "Advanced." In Preferred Networks, drag CSAILPrivate higher than StataCenter.

Known Issues:

  • If an initial attempt to connect to CSAILPrivate fails: in Network Preferences -> Airport, click "Advanced," then "802.1X". Click the triangle (and wait up to 15 seconds) and click the User Profile for CSAILPrivate. Under "Authentication," select only TLS and leave everything else UNchecked.
    • Then click OK -> Apply -> Turn Airport Off -> [wait 15sec] -> Turn Airport On
  • If System Preferences -> Network -> Airport says "Self-Assigned IP": remove all traces of expired certificates, even if they don't appear in Keychain Access's default view:
    • Navigate to Applications -> Utilities -> Keychain Access -> login -> Keys
    • Expand all items of Kind: private key which have triangles next to them
    • Delete all private keys and certificates except the still-valid CSAIL certificate and its private key. Leave public keys alone.
    • Back in the Network prefpane, click Advanced -> CSAILPrivate -> [the small pencil icon]. Make sure the settings match step 3 above, especially the certificate expiration date.
    • Then click OK -> Apply -> Turn Airport Off -> [wait 15sec] -> Turn Airport On

Last resorts: [please contact help@csail if you find yourself needing these]
  • Quit Network Preferences, delete the following files, and try again from Step 1 above:
    • ~/Library/Preferences/com.apple.eap.profiles.plist
    • ~/Library/Preferences/ByHost/com.apple.eap.bindings.ALPHA-NUMERIC-STRING.plist
  • Register your MAC address (CSAIL certificates required), then try again.
Topic revision: 21 May 2014, GarrettWollman
 

MIT Computer Science and Artificial Intelligence Laboratory