path: root/templates/wifi.html
blob: 7d15163ed6c63b1b6d2a7a425d09ebd59fbd4639
{# SPDX-License-Identifier: CC-BY-SA-4.0 #}
<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<title>STUWIRELESS</title>
	<link rel="stylesheet" href="/static/style.css">
</head>
<body>
	<header>
		<h1>STUWIRELESS</h1>
	</header>
	<article>
		<p>
		This article describes configuring the Songjiang Campus's student WiFi network, STUWIRELESS.
		</p>
		<section>
			<h2>Talk to IT</h2>
			<p>If you have new devices, you must contact IT and have them record your permanent MAC address and username. They will assign you a fixed IPv4 address on the DHCP server.</p>
		</section>
		<section>
			<h2>NetworkManager for Linux-based systems</h2>
			<p>Add the following to <code>/etc/NetworkManager/system-connections/ykps.nmconnection</code>:</p>
			<pre>[connection]
id=YKPS
# Any user-friendly name will do
uuid=980c8380-18e5-4dca-b4ef-f8f8378e9994
# Random UUID, just make sure it doesn't collide
type=wifi

[wifi]
cloned-mac-address=permanent
# https://fedoraproject.org/wiki/Changes/StableSSIDMACAddress
mac-address-randomization=1
# 1 = "never"
mode=infrastructure
ssid=STUWIRELESS

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
# Technically it would be more secure against evil-twin attacks if we
# pinned certificates but I don't want to bother getting a
# certificate because our IT doesn't provide one.  Welp.
anonymous-identity=student@ykpaoschool.cn
# Don't change anonymous-identity
eap=peap;
identity=username
#   e.g. s22537
password=password
#   e.g. supersecretpassword
phase1-auth-flags=32
# Allow insecure TLS 1.0 (used by stuff like eduroam and STUWIRELESS)
phase2-auth=mschapv2

[ipv4]
method=auto

[ipv6]
addr-gen-mode=default
method=auto</pre>
			<p>
			Remember to set the file ownership to <code>root:root</code> and permissions to <code>0600</code>. Also remember that comments must begin at the start of the line. See <a href="https://man.archlinux.org/man/nm-settings-keyfile.5"><code>nm-settings-keyfile(5)</code></a> for details.
			</p>
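			<p>
			The points made in this section (root-only <code>0600</code> permissions, comments only at the start of a line, no server certificate validation, TLS 1.0 enabled) can be checked mechanically. The following Python script is an added example, not part of the original page or of NetworkManager; the finding names and the sample keyfile are constructed for illustration.
			</p>

```python
import configparser
import os
import stat

TLS_1_0_ENABLE = 0x20  # the value 32 used for phase1-auth-flags on this page

# Constructed sample: the page's [802-1x] block plus one misplaced comment.
SAMPLE = """\
[wifi]
ssid=STUWIRELESS
mac-address-randomization=1 # never

[802-1x]
eap=peap;
identity=username
password=password
phase1-auth-flags=32
phase2-auth=mschapv2
"""


def audit_text(text):
    """Return finding codes (names are this example's own) for keyfile text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if " #" in value:  # a comment not at line start is kept as data
                findings.append(f"inline-comment:{section}.{key}")
    if cp.has_section("802-1x"):
        x = cp["802-1x"]
        if not (x.get("ca-cert") or x.get("ca-path")
                or x.get("system-ca-certs", "false") == "true"):
            findings.append("no-ca-configured")  # evil-twin exposure
        if not (x.get("domain-suffix-match") or x.get("domain-match")):
            findings.append("no-server-name-check")
        if int(x.get("phase1-auth-flags", "0"), 0) & TLS_1_0_ENABLE:
            findings.append("tls-1.0-enabled")
    return findings


def audit_path(path):
    """Check ownership and mode of the keyfile, then audit its contents."""
    st = os.stat(path)
    findings = []
    if stat.S_IMODE(st.st_mode) != 0o600:
        findings.append("mode-not-0600")
    if st.st_uid != 0 or st.st_gid != 0:
        findings.append("owner-not-root")
    with open(path, encoding="utf-8") as fh:
        return findings + audit_text(fh.read())
```

			<p>
			Run <code>audit_path()</code> as root against the real keyfile; on the configuration shown above it reports the missing certificate checks and the TLS 1.0 flag, which are known trade-offs of this network rather than mistakes in the file.
			</p>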
			<p>
			Then you should be able to just reload the NetworkManager service, and connect with <code>nmcli connection up YKPS</code> or whatever utility your desktop environment provides.
			</p>
			<p>
			If you wish to use a static IP, replace the <code>[ipv4]</code> block with the following and modify <code>XXX</code> to fit your assigned IPv4 address:
			</p>
			<pre>[ipv4]
address1=10.2.XXX.XXX/21,10.2.191.253
dns=10.2.20.101;10.2.20.100;10.2.120.21;
dns-search=ykpaoschool.cn;
may-fail=false
method=manual</pre>
			<p>
			You still need to use the network authentication portal. <a href="https://git.sr.ht/~runxiyu/tooch/tree/master/sjauth">A simple C program</a> that only depends on <code>libcurl</code> is available to automate this process; you may want to run it every day at 6 AM, and at power-on if 6 AM was missed, for example via <a href="https://manpages.debian.org/bookworm/anacron/anacron.8.en.html"><code>anacron(8)</code></a>.
			</p>
			<p>
			Note that TCP and UDP port 53 (usually used for DNS) are unblocked at all times and can accept arbitrary traffic; this still works if it's past 22:30, or even if you're not logged in. Therefore, if you have a server in Mainland China that, for example, listens on port 53 for IPSec/L2TP/WireGuard/<a href="https://code.kryo.se/iodine/">iodine</a>, the network authentication portal and the night-time block can be bypassed entirely. (Doing so with a server outside of Mainland China will result in blockage.)
			</p>
		</section>
		<section>
			<h2><code>wpa_supplicant</code>/<code>iwd</code></h2>
			<p>
			If you wish to use <code>wpa_supplicant</code> manually, in addition to the "standard" configuration, you need to add <code>tls_disable_tlsv1_0=0</code> to the <code>phase1</code> flags. On most systems, <code>/usr/share/doc/wpa_supplicant/examples/wpa_supplicant.conf</code> is a well-documented example configuration file that should cover all your needs.
			</p>
			<p>
			I do not personally use <code>iwd</code>, and I don't see an option to allow insecure versions of TLS from a quick skim of the man page. Please help document this, if possible.
			</p>
		</section>
		<section>
			<h2>macOS</h2>
			<p>
			Connect to the "STUWIRELESS" network with your normal school credentials.
			</p>
			<p>
			Every morning (after 6 AM), you must log in at the network captive portal at <a href="https://sjauth.ykpaoschool.cn:444/"><code>https://sjauth.ykpaoschool.cn:444/</code></a>.
			</p>
		</section>
		<section>
			<h2>iPadOS</h2>
			<p>
			Be sure that "Private WLAN Address" is disabled in the "STUWIRELESS" network's properties. Then connect to the network with your normal school credentials.
			</p>
			<p>
			Every morning (after 6 AM), you must log in at the network captive portal at <a href="https://sjauth.ykpaoschool.cn:444/"><code>https://sjauth.ykpaoschool.cn:444/</code></a>.
			</p>
		</section>
	</article>
	<footer>
		<a href="{{ url_for("index") }}">Return to the index</a>
	</footer>
</body>
</html>