UVA Networks with Linux

UVA maintains two wifi networks for students and faculty to connect to: the insecure wahoo and the secure eduroam.

I (Luther Tychonievich) wrote this information down because I wanted to remember it. It likely contains some errors. I do not work for UVA’s IT department, have no expertise in networking or security, and offer the following text as-is with no guarantee or support. Further, I my time at UVA is scheduled to come to an end in August 2022 and I have no knowledge of how long this webpage will still be hosted after that, nor am I likely to make updates after the next breaking change ITS makes to the networks here.

1 Connecting to UVa’s flavor of EduRoam

These instructions are current as of July 2022. I’ve been at UVA since 2008 and have had to change how this works 5 times (in 2011, 2014, 2018, 2021, and 2022), leading me to expect these will be valid for only a few years.

Using the Network Manager app1 (the default tool used for network connection in Cinnamon, MATE, Gnome, XFCE, LXDE, Ubuntu, etc.), most of the defaults should work; however, in Wi-Fi Security (which may be all you are shown depending on how you picked the eduroam SSID) you need

Security
WPA & WPA2 Enterprise
Authentication
TLS
Identity
mst3k@virginia.edu (all lower-case)
Domain
leave this blank
CA certificate

This will need to be a file on your computer.

In the summer of 2022, UVA stopped supporting most certificate authorities2 and started requiring their own custom certificate instead, but efforts to get that certificate from ITS without running a closed-source OS have so far failed. However, I obtained a copy of it you can use:

University of Virginia Device Root CA.cer

If you trust this website3, download that as any name you want somewhere you won’t delete it and then browse to its location for this field.

CA certificates expire; mine expires in March 2038. You’ll need a new CA certificate when the old one expires. You can find the expiration date with

openssl x509 -noout -enddate -inform DER -in "University of Virginia Device Root CA.cer"

The CA certificate file contains only a publicly-available signature and does not need to be protected in any particular way. However, it does tell your computer which network it can trust so you should only download it from sites you trust. Note that this website is not an official UVA site and is not backed by any kind of security guarantees.

CA Certificate Password
none; network manager should notice this automatically and may or may not show the field
User certificate

This is the P12 personal digital certificate used for netbadge, etc. UVA issues personal certificates for 13 months, so you’ll be getting a new one every year. You can find the expiration date with

openssl pkcs12 -nokeys -in yourcertificate.p12 | openssl x509 -noout -enddate
User certificate password

The password you set when you downloaded your personal digital certificate.

The network manager may disable this field, defaulting to the user key password field’s value instead

User private key

The same as the user certificate.

The network manager may disable this field, defaulting to the user certificate password field’s value instead

User key password
The password you set when you downloaded your personal digital certificate.

2 Getting a personal digital certificate

In theory, UVA provides instructions for this in multiple places. In practice, they have a few holes when it comes to Linux. I’ve found the following works around those holes:

  1. If you are on UVA Grounds

    1. Connect to the UVA WiFi Setup network.

    2. Navigate to any non-encrypted webpage to get redirected to the portal detector. Your browser may do this for you; mine prompts me to visit http://detectportal.firefox.com/canonical.html

    3. None of the options they provide will work. Instead, edit the URL to replace standard and anything that follows it (for me, standard/?device=Non-specific OS) with just limited/.

      As of September 2021, the resulting URL is https://cloud.securew2.com/public/82116/limited/ but I have no idea how stable the 82116 bit will be over time.

    If you are not on UVA Grounds

    1. Go to any netbadge site, such as https://netbadge.virginia.edu.

    2. Click on the Get one now! link, which currently goes to https://in.virginia.edu/installcert.

    3. Expand the Firefox FAQ to find the UVA Network Setup Tool (Limited), which currently goes to https://cloud.securew2.com/public/82116/limited/.

      The Firefox FAQ also describes how to use the certificate in your Gecko-based browser to simplify authentication.

    4. If there’s no Sign in button,

      1. pick any other OS from the drop down
      2. then select Unknown again to trigger the onchange event that generates the Sign in button.

      In 2018 the source of this page detected Linux, then turned Linux into Unknown before finishing, which round-about pretending to not know your OS prevented the Sign in button from being generated. In 2021, they seem to have fixed this but I’m keeping the documented fix here in case it breaks again.

  2. Sign in, follow the prompts, and save the file.
    • You may get prompts to make the certificate MAC-address specific. This can add security in that the certificate will be refused if used to authenticate on a different MAC address. It’s not much help, though, as MAC spoofing is relatively easy. It may stop a casual hacker from impersonating you, but not a determined one.
      • Each network card has its own 48-bit MAC address. To find yours, run ip address and look for the line beginning number: wsomething (e.g., mine is 3: wlp0s20f3; the exact name varies by Linux distribution). The line after that should have link/ether followed by six bytes in hex separated by colons. That’s the MAC address you want.
      • You likely also have a wired network device, typically beginning with an e (e.g. mine is 2: enp0s31f6); that device’s MAC address is what you’d need if you wanted eduroam to work for a cable plugged in to UVA network (I’ve not tried that though).
      • If you have more than one wireless card, you’ll need to figure out which one is connecting for you (or skip the MAC-specific option in your certificate download).

This file gives anyone that owns it power to impersonate you. You should definitely store it such that only you can read it; I recommend storing it in a hidden directory with owner-only permissions, such as can be created via

mkdir ~/.certificates
chmod 700 ~/.certificates

3 Connecting to Wahoo

Wahoo is an unencrypted wifi network with two forms security from the university’s perspective:

  1. It is hidden, meaning it will not show up when a computer scans for wifi networks. You have to know it exists to connect to it.
  2. It uses a MAC-address permission system, meaning packets you send on the network will be ignored unless you’ve registered your network hardware with UVA.

3.1 Registering your computer

  1. Find your wifi’s MAC address. From the command line,

    1. Run ip address
    2. look for the line beginning number: wsomething (e.g., mine is 3: wlp0s20f3; the exact name varies by Linux distribution).
    3. The line after that should have link/ether followed by six bytes in hex separated by colons, potentially followed by brd and more bytes. The bytes after link/ether but before brd are the MAC address you want.

    if ip address returned this:

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether ab:cd:ef:01:23:45 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 67:89:0a:bc:de:f1 brd ff:ff:ff:ff:ff:ff
4: eno2s5: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 11:22:33:44:55:66 brd ff:ff:ff:ff:ff:ff
    then the MAC address you want (also called a physical or hardware address) is 67:89:0a:bc:de:f1

    If you have more than one wireless card you are welcome to either try to figure out which one you’re using, or simply register them all.

  2. Register the device with ITS

    1. Go to the registration website http://netreg.itc.virginia.edu/. If that URL changes, they’ll probabbly list the new URL https://in.virginia.edu/network-registration.
    2. Log in with netbadge
    3. Click Register a device for network access
    4. Fill in the form, using the address you found in the first step above

3.2 Connecting to a hidden network

There is a way in the Network Manager app to connect to a hidden network, but the UI to find that option differs depending on how and when you installed Linux.

If you can’t find the hidden network option in the UI, try the following command-line actions:

  1. nmcli device wifi rescan ssid wahoo tells the Network Manager’s command-line interface to explicitly look for a Wi-Fi network with the SSID wahoo
  2. nmcli device wifi connect wahoo connects to the network found

The default settings for the Network Manager on most systems will remember this network after you connect to it once, so you should only have to do the above two steps once per Linux installation.

3.3 What is unsafe on wahoo?

Because wahoo is unsecured, anyone within wifi range of your computer can inspect all of your network traffic. This includes all traffic to and from HTTP websites and the URLs and message sizes for all HTTPS websites. By contrast, if you are on eduroam the same information is visible to UVA and all the computers engaged in your internet traffic routing, but not visible to random people near your computer.

For the most part, this is not a concern: websites that expect any kind of confidentiality use HTTPS, and the fact you visited a particular website is not usually particularly informative to attackers.

Because wahoo is unsecured, it is also possible that the network you connected to is not in fact UVA’s wahoo at all, but rather a different network using the same SSID. Connecting to a network you don’t trust can expose you to many different security problems.

  1. The Network Manager also has a command-line interface via nmcli, and can generally be installed without the app. For example, Arch and Manjaro make it available in the networkmanager package. I have not tested using it purely from the command line, but I believe you can do the following:

    1. use ip address to find the name of your wifi device (see Registering Your Computer for more; in that example the device name is wlp3s0)

    2. as root,

      1. create a connection with nmcli con add type "wifi" con-name "eduroam" ifname "the name of your wifi device"

      2. find the resulting config file, which will have eduroam in the filename and be somewhere under /etc; in a distribution-specific location; mine is /etc/NetworkManager/system-connections/eduroam.nmconnection.

      3. edit that file as follows:

        [connection]
id=leave this unchanged
uuid=leave this unchanged
type=leave this unchanged
interface-name=leave this unchanged
timestamp=run "date +%s" and put its output here

[wifi]
mode=infrastructure
ssid=eduroam

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
ca-cert=abslute path to where you downloaded the UVA Root .cer file
client-cert=absolute path to your personal digital certificate .p12 file
eap=tls;
identity=your computing ID@virginia.edu
private-key=same as client-cert above
private-key-password=the password you created for your personal digital ceritficate when you downloaded it.

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]

    3. When you want to connet to the network, run nmcli device wifi connect eduroam.

      If it doesn’t find the network, tell the networkmanager to look for it with nmcli device wifi rescan ssid eduroam

    ↩︎

  2. Prior to that, you could use the trusted and widely-supported US Higher Education Root (USHER): http://h1.usherca.org/aia/ca.pem (download link from http://www.usherca.org/). That CA still works eduroam at several other universities I have visited.↩︎

  3. There is some reason not to trust this website given the number of users who can access its server. A slightly more secure copy is stored on a server with many fewer users can be found at https://kytos02.cs.virginia.edu/UVA-root-CA.cer↩︎