[tech] Secure wireless

Matt Didcoe mattman at ucc.gu.uwa.edu.au
Thu Jul 15 21:23:40 WST 2010


I've tested it with the iPhone and MacBook Pro - both seem happy
enough to use UCCsec.

Unless anyone has a major objection, let's go ahead and turn it off I say!

Also - thanks to Zanchey for the effort he's put in to getting not only
this working, but the Windows 7/Samba stuff as well :D

On Thu, Jul 15, 2010 at 9:15 PM, David Adam <zanchey at ucc.gu.uwa.edu.au> wrote:
> On Sun, 11 Apr 2010, David Adam wrote:
>> Because 4am is the best time to be doing sysadmin stuff, I managed to get
>> the wireless AP providing a WPA2-Enterprise SSID authenticating using UCC
>> usernames and passwords.
>>
>> Connect to 'UCCsec' and you should get prompted for a username and
>> password, possibly a certificate prompt, and then dumped onto the normal
>> wireless VLAN.
>>
>> Most of the technical details of the RADIUS setup are in
>> http://wiki.ucc.asn.au/LDAP/LazySysadmin#FreeRADIUS - the AP configuration
>> is fairly simplistic too.
>>
>> WPA2-Enterprise uses PEAPv0/MS-CHAPv2, which is a complex way of saying
>> 'there's an SSL-based tunnel wrapping the password exchange'. That tunnel
>> is currently set up to use the secure.ucc.asn.au certificates, although
>> switching back to the UCC CA self-signed certificates is straightforward.
>>
>> I'm curious how much effect the actual certificate has on the user
>> experience. The iPhone asks you to confirm the certificate regardless of
>> whether it is signed by a trusted CA or not, but I didn't have a chance to
>> test any other devices. If people with Mac OS and Windows laptops could
>> try it out and let me know how they go I would appreciate it - in
>> particular, whether there is a prompt to accept the certificate and if it
>> provides any useful information in working out whether to trust the
>> connection.
>
> The secure AP now works on Windows XP SP3 and newer. It does require some
> custom configuration - you need to basically follow
>  http://www.its.uwa.edu.au/commonpagepool/eduroam/uwa_visitors
> and replace "eduroam" with UCCsec, with the exception that the "Validate
> server certificate" section must have "Connect to these servers" set to
> mussel.ucc.gu.uwa.edu.au
>
> Accept the prompts and enter your UCC username and password, and voila!
>
> [MSH] also tested his N900 this evening, and it seems to work, so I think
> we're now ready to turn off the unsecured SSID (or firewall it closely)
> whenever we're ready.
>
> David Adam
> UCC Wheel Member
> zanchey at ucc.gu.uwa.edu.au
>
>

