Instructions for using Greenpass Guest Network Authentication/Authorization

 

Demo:

Control of network use is important; drive-by networking is easy

Wireless traffic can be captured easily; encryption is the only defense

Can delegate to any certificate; will use Papyrus today

 

Guest should try "Dartmouth User" and should fail to get a connection

Guest can connect to "GreenPass test" but can only connect to Greenpass Web Server

Have Guest use previously acquired Papyrus cert first

Guest goes through steps 1 through 5

Delegator goes through steps 2 through 7

Guest continues steps 6 through 8

 

Issues:

1. If the cert was generated from Papyrus in Win IE, may need to export and reimport it

2. On Win, if the machine has not used an 802.1x connection previously, may need to use a cert already known to RADIUS

3. Mac 802.1x frequently fails to authenticate (fingerprint mismatch)

 

Guest User

  1. on Win turn on TLS (IE -> Tools -> Internet Options -> Advanced, Security section)
  2. configure wireless connection
    1. Windows: http://drwatson.dartmouth.edu/cgi-bin/wiki.pl?WindowsGuestAccessInstructions
    2. Mac: http://drwatson.dartmouth.edu/cgi-bin/wiki.pl?EapTls
    3. Setup: add SSID for "GreenPass Test", which is broadcast (note different Cap)
    4. accept warning that WEP is not available on Win
  3. connect to any web page (reroutes to Greenpass "grandcentral" on dupin.Dartmouth.edu)
  4. use existing Papyrus cert (SSL)
  5. Get a "delegator" to authorize you for a SPKI delegation cert (need code number)
  6. install Greenpass CA root cert http://www.dartmouth.edu/~deploypki/summit04/GreenpassCA.cer
  7. accept Greenpass server cert, self-signed with name = localhost.localdomain
  8. configure wireless connection
    1. add SSID for "Dartmouth User"
    2. for Win turn on WEP, enable 802.1x with smartcard or certificate
  9. Accept server certs
    1. Greenpass CA root
    2. Greenpass RADIUS Server
  10. This should continue to work until the expiration of the delegation cert
    1. Disconnect, reconnect shows delegation persists

 

[Note: To try another cert, visit Greenpass "Grand Central" to clear the browser cookie. You can also revisit grandcentral with the same cert introduced with a different browser, which will restore cookies.]

 

Delegation

  1. To Delegate, you need to have a delegation certificate with the further delegation option turned on
    1. Get one from someone who can already delegate
    2. (a delegator gets extra options on his "Grand Central" web page)
  2. From any network connection, open a web connection with dupin.dartmouth.edu
  3. Look up guest X.509 cert (use code number, choose correct names of person and organization if duplicates)
  4. Compare graphic fingerprint
  5. Delegator selects p12 file with his private key for Java applet (not using keystore)
  6. Issues SPKI delegation cert
  7. Tell guest to continue, verifies delegation present, then needs to change SSID
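
Guest step 6 installs a CA root fetched over plain http, and delegation step 4 relies on comparing a fingerprint, so both sides benefit from checking a certificate file against a fingerprint obtained out of band. The following is an added example, not part of the Greenpass software; it compares a hex digest rather than Greenpass's graphic fingerprint, and the function names and sample bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(cert_bytes: bytes) -> bytes:
    """Return DER bytes for a .cer file that may be PEM (base64) or raw DER."""
    m = PEM_RE.search(cert_bytes)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    return cert_bytes


def fingerprint(cert_bytes: bytes, algo: str = "sha256") -> str:
    """Hex digest of the DER encoding; identical for PEM and DER copies."""
    return hashlib.new(algo, to_der(cert_bytes)).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' as read from paper or a slide."""
    cleaned = re.sub(r"[\s:.-]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    return cleaned


def matches(cert_bytes: bytes, expected_fp: str, algo: str = "sha256") -> bool:
    """Compare a certificate against a fingerprint obtained out of band."""
    expected = normalize(expected_fp)
    actual = fingerprint(cert_bytes, algo)
    # A truncated expected value must not pass as a prefix match.
    if len(expected) != len(actual):
        return False
    return hmac.compare_digest(actual, expected)


# Constructed stand-in bytes, NOT the real GreenpassCA.cer.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-sample-certificate-body"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("PEM and DER copies agree:", fingerprint(SAMPLE_PEM) == fingerprint(SAMPLE_DER))
```

To check a real download, read the file's bytes and pass them to matches() together with the fingerprint the certificate's owner gave you in person or over another trusted channel.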