1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
{# SPDX-License-Identifier: CC-BY-SA-4.0 #}
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>STUWIRELESS</title>
<link rel="stylesheet" href="/static/style.css">
</head>
<body>
<header>
<h1>STUWIRELESS</h1>
</header>
<article>
<p>
This article describes configuring the Songjiang Campus's student WiFi network, STUWIRELESS.
</p>
<section>
<h2>Talk to the IT</h2>
<p>If you have new devices, you must contact the IT and have them record your permanent MAC address and username. They will assign you a fixed IPv4 address on the DHCP server.</p>
</section>
<section>
<h2>NetworkManager for Linux-based systems</h2>
<p>Add the following to <code>/etc/NetworkManager/system-connections/ykps.nmconnection</code></p>
<pre>[connection]
id=YKPS
# Any user-friendly name will do
uuid=980c8380-18e5-4dca-b4ef-f8f8378e9994
# Random UUID, just make sure it doesn't collide
type=wifi
[wifi]
cloned-mac-address=permanent
# https://fedoraproject.org/wiki/Changes/StableSSIDMACAddress
mac-address-randomization=1
# 1 = "never"
mode=infrastructure
ssid=STUWIRELESS
[wifi-security]
key-mgmt=wpa-eap
[802-1x]
# Technically it would be more secure against evil-twin attacks if we
# pinned certificates but I don't want to bother getting a
# certificate because our IT doesn't provide one. Welp.
anonymous-identity=student@ykpaoschool.cn
# Don't change anonymous-identity
eap=peap;
identity=username
# e.g. s22537
password=password
# e.g. supersecretpassword
phase1-auth-flags=32
# Allow insecure TLS 1.0 (used by stuff like eduroam and STUWIRELESS)
phase2-auth=mschapv2
[ipv4]
method=auto
[ipv6]
addr-gen-mode=default
method=auto</pre>
<p>
Remember to set the file ownership to <code>root:root</code> and permissions to <code>0600</code>. Also remember that comments must begin at the start of the line. See <a href="https://man.archlinux.org/man/nm-settings-keyfile.5"><code>nm-settings-keyfile(5)</code></a> for details.
</p>
<p>
Then you should be able to just reload the NetworkManager service, and connect with <code>nmcli connection up YKPS</code> or whatever utility your desktop environment provides.
</p>
<p>
If you wish to use a static IP, replace the <code>[ipv4]</code> block with the following and modify <code>XXX</code> to fit your assigned IPv4 address:
</p>
<pre>[ipv4]
address1=10.2.XXX.XXX/21,10.2.191.253
dns=10.2.20.101;10.2.20.100;10.2.120.21;
dns-search=ykpaoschool.cn;
may-fail=false
method=manual</pre>
<p>
You still need to use the network authentication portal. <a href="https://git.sr.ht/~runxiyu/tooch/tree/master/sjauth">A simple C program</a> is available to automate this process that only depends on <code>libcurl</code>; you may want to run this every 6 AM and at power-on if 6 AM was missed, for example, via <a href="https://manpages.debian.org/bookworm/anacron/anacron.8.en.html"><code>anacron(8)</code></a>.
</p>
<p>
Note that TCP and UDP port 53 (usually used for DNS) is unblocked at all times and can accept arbitrary traffic, which still works if it's past 22:30, or even if you're not logged in. Therefore, if you have a server in Mainland China that, for example, listens on port 53 for IPSec/L2TP/WireGuard/<a href="https://code.kryo.se/iodine/">iodine</a>, the network authentication portal and the night-time block can be bypassed entirely. (Doing so with a server outside of Mainland China will result in blockage.)
</p>
</section>
<section>
<h2><code>wpa_supplicant</code>/<code>iwd</code></h2>
<p>
If you wish to manually use <code>wpa_supplicant</code>, in additional to the "standard" configuration, you need to add <code>tls_disable_tlsv1_0=0</code> to the <code>phase1</code> flags. On most systems, <code>/usr/share/doc/wpa_supplicant/examples/wpa_supplicant.conf</code> is a well-documented example configuration file that should cover all your needs.
</p>
<p>
I do not personally use <code>iwd</code>, and I don't see an option to allow insecure versions of TLS from a quick skim of the man page. Please help document this, if possible.
</p>
</section>
<section>
<h2>OpenBSD</h2>
<p>
OpenBSD's WiFi drivers do not directly support 802.1x (see, for example, <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> for Apple Silicon systems). You need to use <code>wpa_supplicant</code>. The usual guidance on <a href="https://codeberg.org/OpenBSD/ports/raw/branch/master/security/wpa_supplicant/pkg/README">wpa_supplicant on OpenBSD</a> applies.
</p>
<p>
Note that TLS v1.1 and earlier have been removed from LibreSSL; therefore you must use the <code>-openssl</code> variants of the <code>wpa_supplicant</code> package, and add the <code>phase1</code> flags as noted previously, along with <code>phase1="allow_unsafe_renegotiation=1"</code>.
</p>
<pre>rcctl enable wpa_supplicant
rcctl set wpa_supplicant flags -c ${SYSCONFDIR}/wpa_supplicant.conf -s -D openbsd -i bwfm0
</pre>
</section>
<section>
<h2>macOS</h2>
<p>
Connect to the "STUWIRELESS" network with your normal school credentials.
</p>
<p>
Every morning (after 6 AM), you must log in at the network captive portal at <a href="https://sjauth.ykpaoschool.cn:444/"><code>https://sjauth.ykpaoschool.cn:444/</code></a>.
</p>
</section>
<section>
<h2>iPadOS</h2>
<p>
Be sure that "Private WLAN Address" is disabled in the "STUWIRELESS" network's properties. Then connect to the network with your normal school credentials.
</p>
<p>
Every morning (after 6 AM), you must log in at the network captive portal at <a href="https://sjauth.ykpaoschool.cn:444/"><code>https://sjauth.ykpaoschool.cn:444/</code></a>.
</p>
</section>
</article>
<footer>
<a href="{{ url_for("index") }}">Return to the index</a>
</footer>
</body>
</html>
|
