CSAILPrivate
Connecting to CSAILPrivate
CSAILPrivate is CSAIL’s encrypted, authenticated wireless network. Use of CSAILPrivate is required to get a static IP address or to print to CSAIL printers when connected to a wireless network. As a reminder, although your traffic over the wireless network will be encrypted, there are still other points within the CSAIL network and outside CSAIL where your traffic can be monitored, albeit with a slightly higher degree of difficulty. The instructions below describe how to set up access using a CSAIL Kerberos username and password. If you are uncomfortable with using your regular CSAIL Kerberos password, or if the device you wish to connect will be shared by multiple people, please visit the helpdesk: they can create a separate Kerberos principal specifically for that purpose.
Android
Android versions going back at least to 4.1 have supported the necessary authentication protocols. These instructions were tested with Android 9 on an unlocked Samsung Galaxy S9+:
- Open the “Wi-Fi settings” control.
- Tap “CSAILPrivate” in the list of wireless networks.
- Under “EAP method”, select “TTLS”.
- Under “CA certificate”, select “Don’t validate”.
- For “Identity”, enter your CSAIL Kerberos username (or another instance name assigned to you by TIG).
- For “Password”, enter your CSAIL Kerberos password (or the password for the alternate instance if you are given one).
- Tap “Advanced”.
- For “Phase 2 authentication”, select “PAP”.
- For “Anonymous identity”, enter
anonymous@csail.mit.edu. - Do not change other settings.
- Tap “Save” and then “Connect”.
Apple iOS
- From your iOS device, Download the CSAILPrivate Mac OS / iOS profile
- Tap “Allow” when prompted
- Tap “iPhone” when prompted for Choosing a Device
- The Profile will download. Go to settings “Profile Downloaded”
- Tap “CSAILPrivate_Wireless” Install
- Enter your iPhone passcode
- Tap Install Install
- Enter your CSAIL Kerberos username
- tap “Next”
- Enter your CSAIL Kerberos password
- tap “Next”
- You should see “Profile Installed” and Verified.
- tap “Done”
- Now you can connect to the “CSAILPrivate” network
- Go to “Settings” “Wi-Fi” browse to “CSAILPrivate” and tap it
- You should now be connected to “CSAILPrivate”
The CSAILPrivate Mac OS / iOS profile stores your Kerberos password in Keychain. Therefore, if you change your CSAIL Kerberos password, you will temporarily not be able to connect to CSAILPrivate. If Mac OS / iOS does not prompt your for your new password when connecting to CSAILPrivate, you will need to remove / re-add the profile with the new password.
MacOS
Supported on 12+
- Download the CSAILPrivate Mac OS / iOS profile
- Double click the “CSAILPrivate Wireless.mobileconfig” file you just saved which will prompt you to install “CSAILPrivate Wireless”
- Go to “Settings” “Privacy and Security” “Profiles”
- Select “CSAILPrivate_Wireless”
- Click Install
- At “Enter settings for “CSAILPrivate Wireless”, enter your CSAIL
Kerberos username / password.
- Click Install
- If you’ve ever set up CSAILPrivate on your machine before, you may see a confirmation dialog asking you to whether it’s OK to overwrite the existing CSAILPrivate settings.
- Enter your machine password if prompted
- Your profile should now be installed and Verified. You can now close that window
- Now you simply choose the “CSAILPrivate” network SSID to connect to.
The CSAILPrivate Mac OS / iOS profile stores your Kerberos password in Keychain. Therefore, if you change your CSAIL Kerberos password, you will temporarily not be able to connect to CSAILPrivate. If Mac OS / iOS does not prompt your for your new password when connecting to CSAILPrivate, you will need to remove / re-add the profile with the new password.
Ubuntu
Tested on 14.04 and 16.04. You might need to repeat this setup a couple times before it succeeds.
- Select CSAILPrivate from the WIFI drop down menu in the upper right hand corner of the desktop menu bar
- A window entitled “Wi-Fi Network Authentication Required” should now
be visible
- At “Authentication” drop down menu select: Tunneled TLS (TTLS)
- At “Anonymous identity” enter: anonymous
- At “CA certificate” click the CA File button, browse to
/etc/ssl/certs, and then select: USERTrust_RSA_Certification_Authority.pem - At “Inner authentication” select: PAP
- Enter your CSAIL Kerberos username / password
- Now you simply click on the “Connect” button . You should now be connected to “CSAILPrivate”
Windows 10 and 11
- Click Start type “wireless” choose “Connect to a Network”
- Browse for “CSAILPrivate” and select it
- Enter your CSAIL Kerberos username and password when prompted
Generic (any other operating system or wireless device)
The CSAILPrivate wireless uses the following security settings:
- WPA2-Enterprise (with AES and TKIP)
- For TTLS:
- Outer identity should be
anonymous@csail.mit.edu - The authentication protocol inside the tunnel may be either EAP-GTC (Generic Token Card) or PAP (plaintext password). Other inner authentication protocols are not supported.
- The inner identity must be the name of a CSAIL Kerberos
principal, which may include multiple components (an “instance”)
but may not include a realm name
@CSAIL.MIT.EDU
- Outer identity should be
Using static IP addresses on the CSAILPrivate network
Devices connected to the CSAILPrivate network can have static IP addresses, but those IP addresses must be in the “CSAIL private wireless” address range (128.30.8.0/22). In order to get a static IP address, you must register a domain name for your device in WebDNS (documentation), and then register the IP address WebDNS gives you in DHCP. Then you can configure your device as described above. (CSAIL Login required)
Note that CSAILPrivate uses a different network address range than the old StataCenter wireless network (which just used the “Wireless” range). If you have a device that used to have a static IP address via unauthenticated wireless and you’re switching it to the CSAILPrivate network, you’ll need to delete the old entries for it in WebDNS and dhreg, re-register your device getting a new IP address in the “CSAIL private wireless” range, wait about an hour for the changes to take effect (and perhaps a while longer for them to propagate elsewhere if you’re going to be trying to connect to the device by domain name from outside CSAIL), and then follow the steps above to configure your device.
If you have no preference for domain name, we suggest using something
like yourlogin-devicetype.csail.mit.edu or yourlogin-model.csail.mit.edu. For instance, I (Jay Sekora) might choose names like
jsekora-phone.csail.mit.edu
jsekora-laptop.csail.mit.edu
jsekora-nexus7.csail.mit.edu
jsekora-thinkpad.csail.mit.edu
jsekora-coffeemaker.csail.mit.edu
(No, I don’t have a network-addressible coffeemaker, more’s the pity.) This is optional, but might help us figure out what’s going on or who to contact in case of problems.