Generic WLAN Connection Instructions

ITS provides support for connection to the CWU WLAN only for those platforms listed on the wireless web site. However, it may be possible for you to connect your unsupported device to the network utilizing the information in this document. Since these instructions are generic, some technical knowledge of your operating system is required, and ITS offers no additional support nor any guarantee that your device will function on the WLAN.

CWU uses two levels of security on the WLAN − device registration and EAP authentication, so two steps are necessary to get connected:

Registration

The least error-prone method of registration is via the wireless network itself. Registration services are available on an open network with SSID 'hostreg'. Connect to hostreg and access http://hostreg.cwu.edu. Enter your typeless distinguished network (eDirectory) username (e.g. .joliea.j.students.cwu) and your password and click the login button. The system should automatically detect the address of your wireless interface and display it. It will also attempt to determine your operating system based on your browser. You will need to select the building where you will most often use the device and the wireless category from the drop-down lists. If the device is CWU property, enter its tag number. Then click the Agree & submit button.

If your device does not have a browser or you prefer not to register wirelessly, you may access the registration system from a lab or office computer. If you do so, you will need to manually enter the address for your wireless interface. How you retrieve that address is platform specific. You will also need to manually select the operating system of the device. Otherwise the registration process is the same as above.

Once you have registered your device, you will need to wait until the next quarter hour before it will function on the network. A process runs every 15 minutes and updates the servers which provide DHCP services for the university.

Authentication

CWU uses EAP (Extensible Authentication Protocol) for authentication and dynamic generation and rotation of WEP keys. The IEEE 802.1x standard defines a framework for various implementations of EAP. The EAP method used by CWU is EAP-TTLS/PAP. Other EAP methods will not work in our environment. You will need a piece of software known as a supplicant which supports EAP-TTLS/PAP. This software is integrated in some operating systems and/or driver sets, is available in Open Source distributions for others, and is found in several commercial products. Install the supplicant and configure it as follows:

  1. The SSID you will need to connect is 'cwu'. This SSID is not broadcast, so you will not be able to browse for it.

  2. Most EAP-TTLS supplicants support multiple tunneled authentication methods. Be sure you select PAP. Other methods will not work.

  3. EAP-TTLS permits the specification of an outer username. Set this to 'anonymous'.

  4. For the inner credentials which are actually used for authentication, use your network (eDirectory) username and password. Use the short form of your username without the context (e.g. joliea).

  5. Do not enter a WEP key. Configure the software to use the WEP key automatically generated during the EAP authentication process.

  6. In the CWU environment EAP-TTLS uses certificates on the server side only. You do not need to generate a client-side certificate, but you will need to configure your system to accept and verify certificates from the authentication servers. The two RADIUS servers are asherah.cts.cwu.edu and anat.cts.cwu.edu. Their certificates are self-signed, so you may need to add them to your certificate store for them to be accepted. It is important to verify certificates for the authentication servers in order to prevent connection to a rogue access point.