Employee Wireless for iOS

    Purpose of Knowledge Article:

    • How to connect iPhone/iPad to LBNL-Employee Wireless - lbnl-employee SSID
    • If you already have the Employee Wireless but need to remove it to reinstall it, see Remove Employee Wireless Profile from iPhone/iPad
      • You will need to remove and reinstall the employee wireless profile if you updated your LDAP password or you are having trouble connecting to the LBNL-employee WiFi

    Resolution:

    1. You must use Safari; other browsers will not work.
    2. Go to software.lbl.gov on your iOS device and log in with your LDAP information.
    3. Using the search box at the top of the left column, search for "wireless" and select "Wireless Networking" in the results.
    4. Click Download below "Wireless Networking LBNL-employee profile".
    5. Click Allow.
    6. Click Close.
    7. Go to Settings.
    8. Select General.
    9. Select VPN & Device Management.
    10. You will see "LBNL-employee-wireless"; click on it.
    11. Click Install.
    12. Enter your phone passcode.
    13. Click Install.
    14. Click Done.

    Employee Wireless for Android

    Go to Settings > Connections > Wifi > Turn ON > LBNL Employee

    Enter the following information:

    • Identity: LDAP username
    • Domain: lbl.gov
    • EAP method: TTLS
    • Phase 2 authentication: PAP
    • Password: LDAP password
    • Privacy: Use device MAC
    • Other fields can be left blank/default. Settings may differ depending on model.

    Employee Wireless for Chromebooks

    1. Click on the bottom right tray
    2. Below the WiFi icon, click on “no networks” box
    3. Select lbnl-employee
    • Use the following:
      • EAP method: EAP-TTLS
      • EAP Phase 2 authentication: PAP
      • Server CA Certificate: Do not check
      • Identity/Password: LDAP username/password

    Employee Wireless for FreeBSD

    Configuring WPA for FreeBSD

    This configuration guide is for a user who would like to connect their laptop running FreeBSD 6.0 to the LBLnet secured wireless network. The instructions are specific to laptops running FreeBSD 6.0 kernel and equipped with Cisco Aironet 802.11 a/b/g wireless adapter (AIR-CB21AG-A-K9), though they may apply to other similar operating systems.

    All the information contained in this configuration guide was collected from a laptop installed with the FreeBSD "user" standard distribution set and the FreeBSD ports collection. If you would like additional information regarding FreeBSD installation, see the following FreeBSD guide:

    http://www.freebsd.org/doc/en/books/handbook/network-wireless.html 

    From here on, we assume a functional FreeBSD 6.0 laptop with the Cisco Aironet wireless adapter, that the login user is root, and that the home directory is /root.

    The /boot/loader.conf file

    Add the following two lines to the loader.conf file:

            wlan_ccmp_load="YES"
            wlan_tkip_load="YES"
    

    These two lines load the crypto services support that is required for the secured wireless connection. The CCMP module provides AES-CCMP crypto support and the TKIP module provides TKIP+Michael crypto support for 802.11 devices.

    Build the wpa_supplicant from FreeBSD ports collection

    Before building the wpa_supplicant software from the ports collection, take time to verify that there is no other wpa_supplicant installed with the "user" distribution set. The default wpa_supplicant may not be built with the required EAP support.

    You may find the wpa_supplicant at /usr/ports/security/wpa_supplicant. The current FreeBSD ports collection version of wpa_supplicant is v0.3.8. Simply cd to that directory and issue the command "make install"; this will compile and install the executable into /usr/local/sbin.

    After installing the wpa_supplicant, you will need to modify the wpa_supplicant.conf with LBLnet site specific connection instructions. There is a sample configuration file at /usr/ports/security/wpa_supplicant/work/wpa_supplicant-0.3.8.

    Copy the wpa_supplicant.conf file to your home directory or another designated directory. Please remove all the sample "network" blocks from the wpa_supplicant.conf file (that is, everything below the line "# Example blocks:"). Some of them may contain options that are not supported with the default build configuration. Add the following LBLnet-specific network block to the bottom of the wpa_supplicant.conf file:

    network {
            ssid="lblnet AP's ssid"
            proto=RSN WPA
            key_mgmt=WPA-EAP
            pairwise=CCMP TKIP
            group=CCMP TKIP
            eap=TTLS
            identity="your ldap id"
            password="your ldap password"
            phase2="auth=PAP"
            ca_cert="/usr/local/etc/rad.lbl.gov.crt"
            priority=1
    }
    

    If you don't know the SSID of the AP, plug in the Cisco Aironet wireless adapter and use the following commands to scan for APs in range.

            ifconfig wlan0 create wlandev ath0
            ifconfig wlan0 up scan
    
    

    (The supported Cisco Aironet card uses the Atheros chip, thus the device name is ath0)

    Note that you will need a separate network block for each SSID you intend to connect to.

    Click here to download the latest LBL certificate (valid until August 2024) 

    (In some browsers, you may have to right-click and choose Save Link As...)

    This file is required for the TLS encryption of the TTLS tunnel. Please make sure that the file is placed in the directory specified by the ca_cert directive in wpa_supplicant.conf.

    Verification

    If you would like to verify the authenticity of this file, you can use the commands below:

    Digest:

    # openssl dgst -sha1 -c rad.lbl.gov.crt
    SHA1(rad.lbl.gov.crt)= 68:2f:9b:9f:55:f2:93:a4:98:a9:36:b1:d5:68:e5:68:87:74:0d:29
    # openssl dgst -md5 -c rad.lbl.gov.crt
    MD5(rad.lbl.gov.crt)= f0:13:ee:5c:ba:df:a3:90:dc:32:28:98:3d:7b:41:1e

    x509:

    # openssl x509 -noout -in rad.lbl.gov.crt -fingerprint -md5
    MD5 Fingerprint=55:A8:F0:EB:25:EC:18:D4:45:57:C6:4C:F6:CB:FC:D4
    # openssl x509 -noout -in rad.lbl.gov.crt -fingerprint -sha1
    SHA1 Fingerprint=2F:6F:1B:4D:D0:47:58:BD:1B:E7:6B:64:B0:D1:7C:37:34:85:15:7A
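Note that the two sets of values above measure different things: `openssl dgst` hashes the bytes of the PEM file as downloaded, while `openssl x509 -fingerprint` hashes the DER-encoded certificate inside it, so the numbers are not interchangeable. The following Python script is an added example (not part of this knowledge article) that computes both and checks the downloaded file against a published x509 fingerprint before you copy it into the ca_cert location. The PEM sample embedded in it is constructed (it is just base64 of the text "hello", not a real certificate) so the script runs offline; the expected-fingerprint constant is a placeholder to be replaced with the value published for rad.lbl.gov.crt.

```python
"""Check a downloaded RADIUS CA certificate against a published fingerprint.

Added example, not from the original page. EXPECTED_SHA1_FINGERPRINT is a
placeholder; substitute the published SHA1 x509 fingerprint of rad.lbl.gov.crt.
"""
import base64
import hashlib
import hmac
import re
import sys

# Placeholder: replace with the published "SHA1 Fingerprint=" value.
EXPECTED_SHA1_FINGERPRINT = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"

# Constructed sample for offline runs: base64 of b"hello", NOT a real certificate.
CONSTRUCTED_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"aGVsbG8=\n"
    b"-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first PEM certificate body and base64-decode it to DER."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def colon_hex(digest: bytes) -> str:
    """Format a digest as upper-case colon-separated hex, like openssl x509 -fingerprint."""
    return ":".join(f"{b:02X}" for b in digest)


def x509_fingerprint(pem_text: str, algo: str = "sha1") -> str:
    """Fingerprint of the DER certificate: what `openssl x509 -fingerprint` prints."""
    return colon_hex(hashlib.new(algo, pem_to_der(pem_text)).digest())


def file_digest(pem_bytes: bytes, algo: str = "sha1") -> str:
    """Digest of the raw file bytes: what `openssl dgst -c` prints."""
    return colon_hex(hashlib.new(algo, pem_bytes).digest())


def normalize(fingerprint: str) -> str:
    """Make published and computed values comparable regardless of case/colons."""
    return fingerprint.replace(":", "").replace(" ", "").lower()


def verify_ca_cert(pem_bytes: bytes, expected_x509_fp: str, algo: str = "sha1") -> bool:
    """True only if the certificate's x509 fingerprint matches the published one.

    Any parse failure (not PEM, bad base64) is treated as a mismatch rather
    than an error, so a corrupted download can never pass the check.
    """
    try:
        actual = x509_fingerprint(pem_bytes.decode("ascii"), algo)
    except (ValueError, UnicodeDecodeError):
        return False
    # Constant-time comparison; cheap insurance when comparing secrets-adjacent values.
    return hmac.compare_digest(normalize(actual), normalize(expected_x509_fp))


if __name__ == "__main__":
    # Usage: python check_cert.py rad.lbl.gov.crt
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else CONSTRUCTED_PEM
    print("file SHA1  (openssl dgst):        ", file_digest(data))
    print("x509 SHA1  (openssl x509 -fp):    ", x509_fingerprint(data.decode("ascii")))
    print("x509 MD5   (openssl x509 -fp -md5):", x509_fingerprint(data.decode("ascii"), "md5"))
    ok = verify_ca_cert(data, EXPECTED_SHA1_FINGERPRINT)
    print("matches published fingerprint:", ok)
    sys.exit(0 if ok else 1)
```

Run it against the downloaded file and compare the "x509 SHA1" line with the published SHA1 Fingerprint value; the "file SHA1" line is the one to compare with the `openssl dgst -sha1` output instead. The script exits non-zero on a mismatch so it can gate a copy into /usr/local/etc in a shell one-liner.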

    Connect to the LBLnet Secured Wireless Network

    To connect to the LBLnet secured wireless network, bring up the wireless network interface and run the wpa_supplicant software in background mode. After successful AP association and authentication, request the client network IP from LBLnet using dhclient. The commands are as follows:

            ifconfig wlan0 up
            /usr/local/sbin/wpa_supplicant -B -i wlan0 -c /root/wpa_supplicant.conf
            dhclient wlan0
    

    As you may have noticed, you will need to log in first and bring up the wireless connection using those three commands. How to configure the system to connect to the LBLnet secured wireless network at system bootup is beyond the scope of this configuration guide. If you have a suggested system configuration, please share it.

    eduroam

    If you travel to another location that participates in eduroam, you can use your Berkeley Lab account and the local wireless network to gain access to the web. Look for "eduroam" as an option for a WiFi network. 

    Configure eduroam

    • You will need your Berkeley Lab username and password before you start configuring eduroam

    Berkeley Lab employees on travel

    • Before your trip, make sure your devices have been set up with eduroam
    • When you change your LDAP password, you have to change it on your device as well
    • General instructions to install eduroam using the Configuration Assistant Tool (CAT): https://cat.eduroam.org/
    • If you change your password you will need to delete the eduroam network from your device and re-install

    Information on Participating Institutions

    Visitor Wireless is an "open", unencrypted wireless network. Employee Wireless is a secure, encrypted connection to the local network.

    • Visitor Wireless only allows limited types of traffic. Most commonly-used applications are supported. 
    • Applications such as web servers cannot be operated on the wireless network.
    • No User-Installed Wireless Equipment

      • Monitoring is in place to detect 'rogue' access points. They will be removed, confiscated, and Division management notified
    • No VirtualBox bridged networking

      • Re-configure to use NAT or the wired network.
    • All traffic is fully monitored for unacceptable use and subject to both automated and manual reactive measures, such as blocking hosts
    • LBL policy prohibits the purchase of any wifi router or printer without IT Division approval
    • Request a New Wireless Access Point