[tech] Secure wireless

David Adam zanchey at ucc.gu.uwa.edu.au
Thu Jul 15 21:15:22 WST 2010


On Sun, 11 Apr 2010, David Adam wrote:
> Because 4am is the best time to be doing sysadmin stuff, I managed to get 
> the wireless AP providing a WPA2-Enterprise SSID authenticating using UCC 
> usernames and passwords.
> 
> Connect to 'UCCsec' and you should get prompted for a username and 
> password, possibly a certificate prompt, and then dumped onto the normal 
> wireless VLAN.
> 
> Most of the technical details of the RADIUS setup are in 
> http://wiki.ucc.asn.au/LDAP/LazySysadmin#FreeRADIUS - the AP configuration 
> is fairly simplistic too.
> 
> WPA2-Enterprise uses PEAPv0/MS-CHAPv2, which is a complex way of saying 
> 'there's an SSL-based tunnel wrapping the password exchange'. That tunnel 
> is currently set up to use the secure.ucc.asn.au certificates, although 
> switching back to the UCC CA self-signed certificates is straightforward. 
> 
> I'm curious how much effect the actual certificate has on the user 
> experience. The iPhone asks you to confirm the certificate regardless of 
> whether it is signed by a trusted CA or not, but I didn't have a chance to 
> test any other devices. If people with Mac OS and Windows laptops could 
> try it out and let me know how they go I would appreciate it - in 
> particular, whether there is a prompt to accept the certificate and if it 
> provides any useful information in working out whether to trust the 
> connection.

The secure AP now works on Windows XP SP3 and newer. It does require some 
custom configuration - you need to basically follow
 http://www.its.uwa.edu.au/commonpagepool/eduroam/uwa_visitors
and replace "eduroam" with UCCsec, with the exception that the "Validate 
server certificate" section must have "Connect to these servers" set to 
mussel.ucc.gu.uwa.edu.au

Accept the prompts and enter your UCC username and password, and voila!

[MSH] also tested his N900 this evening, and it seems to work, so I think 
we're now ready to turn off the unsecured SSID (or firewall it closely) 
whenever we're ready.

David Adam
UCC Wheel Member
zanchey at ucc.gu.uwa.edu.au
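
Added example, not part of the original post: a small audit of wpa_supplicant network blocks that flags PEAP/MS-CHAPv2 profiles lacking the checks the Windows "Validate server certificate" and "Connect to these servers" settings provide. It goes beyond the Windows case in the post; the use of wpa_supplicant, the mapping to `ca_cert`/`domain_match`, the CA path and the identity are assumptions.

```python
import re

# Constructed sample: two wpa_supplicant network blocks for the UCCsec SSID.
# The CA path and the identity are placeholders, not values from the post.
SAMPLE_CONF = '''
network={
    ssid="UCCsec"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="exampleuser"
}
network={
    ssid="UCCsec"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="exampleuser"
    ca_cert="/etc/ssl/certs/PLACEHOLDER-ca.pem"
    domain_match="mussel.ucc.gu.uwa.edu.au"
}
'''

NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one dict of key -> unquoted value per network={...} block."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = re.findall(r"^\s*([a-z0-9_]+)=(.*?)\s*$", body, re.M)
        blocks.append({k: v.strip('"') for k, v in pairs})
    return blocks

def audit(net):
    """List reasons the client could run the password exchange with an unverified server."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []  # not an 802.1X network; out of scope
    findings = []
    if not net.get("ca_cert"):
        findings.append("no ca_cert: server certificate chain is not verified")
    if not any(net.get(k) for k in NAME_CHECKS):
        findings.append("no server name check: any certificate from the CA is accepted")
    return findings

def audit_conf(text):
    return [(n.get("ssid"), audit(n)) for n in parse_networks(text)]

if __name__ == "__main__":
    print(audit_conf(SAMPLE_CONF))
```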

