STUWIRELESS

This article describes configuring the Songjiang Campus's student WiFi network, STUWIRELESS.

Talk to IT

If you have a new device, you must contact IT and have them record its permanent MAC address and your username. They will assign you a fixed IPv4 address on the DHCP server.

NetworkManager for Linux-based systems

Add the following to /etc/NetworkManager/system-connections/ykps.nmconnection:

[connection]
id=YKPS
# Any user-friendly name will do
uuid=980c8380-18e5-4dca-b4ef-f8f8378e9994
# Random UUID, just make sure it doesn't collide
type=wifi

[wifi]
cloned-mac-address=permanent
# https://fedoraproject.org/wiki/Changes/StableSSIDMACAddress
mac-address-randomization=1
# 1 = "never"
mode=infrastructure
ssid=STUWIRELESS

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
# Technically it would be more secure against evil-twin attacks if we
# pinned certificates but I don't want to bother getting a
# certificate because our IT doesn't provide one.  Welp.
anonymous-identity=student@ykpaoschool.cn
# Don't change anonymous-identity
eap=peap;
identity=username
#   e.g. s22537
password=password
#   e.g. supersecretpassword
phase1-auth-flags=32
# Allow insecure TLS 1.0 (used by stuff like eduroam and STUWIRELESS)
phase2-auth=mschapv2

[ipv4]
method=auto

[ipv6]
addr-gen-mode=default
method=auto

Remember to set the file ownership to root:root and permissions to 0600. Also remember that comments must begin at the start of the line. See nm-settings-keyfile(5) for details.

Then you should be able to just reload the NetworkManager service, and connect with nmcli connection up YKPS or whatever utility your desktop environment provides.
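The checks described above (root:root ownership, mode 0600, comments only at the start of a line) together with the two weaknesses the keyfile's own comments admit to (no pinned certificate, TLS 1.0 enabled) can be audited with a short script. This is an added example, not part of the original page or of NetworkManager; the function names and the sample keyfile are constructed for illustration.

```python
import configparser
import os
import stat

TLS_1_0_ENABLE = 0x20  # the value 32 used for phase1-auth-flags on this page

# Constructed sample: settings from the keyfile above plus one misplaced comment.
SAMPLE = """\
[wifi]
cloned-mac-address=permanent  # inline comment, kept as part of the value
ssid=STUWIRELESS
[802-1x]
eap=peap;
password=supersecretpassword
phase1-auth-flags=32
"""

def audit_permissions(path, uid=0, gid=0):
    """Check the ownership and mode the page asks for (root:root, 0600)."""
    st = os.stat(path)
    findings = []
    if (st.st_uid, st.st_gid) != (uid, gid):
        findings.append("owner is %d:%d, expected %d:%d" % (st.st_uid, st.st_gid, uid, gid))
    if stat.S_IMODE(st.st_mode) != 0o600:
        findings.append("mode is %04o, expected 0600" % stat.S_IMODE(st.st_mode))
    return findings

def audit_settings(text):
    """Flag misplaced comments and weak 802.1X settings in keyfile text."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        for key, value in cp[section].items():
            if key != "password" and "#" in value:
                findings.append("[%s] %s: '#' comment is part of the value" % (section, key))
    if cp.has_section("802-1x"):
        x = cp["802-1x"]
        verified = x.get("ca-cert") or x.get("ca-path")
        if not (verified or x.getboolean("system-ca-certs", fallback=False)):
            findings.append("[802-1x] no ca-cert: server certificate is not verified")
        if int(x.get("phase1-auth-flags", "0"), 0) & TLS_1_0_ENABLE:
            findings.append("[802-1x] TLS 1.0 is explicitly enabled")
        if x.get("password"):
            findings.append("[802-1x] plaintext password: file mode is its only protection")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_settings(SAMPLE)))
```

An SSID or identity that legitimately contains "#" will also be flagged by the comment check, so treat that finding as a prompt to look at the line.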

If you wish to use a static IP, replace the [ipv4] block with the following and modify XXX to fit your assigned IPv4 address:

[ipv4]
address1=10.2.XXX.XXX/21,10.2.191.253
dns=10.2.20.101;10.2.20.100;10.2.120.21;
dns-search=ykpaoschool.cn;
may-fail=false
method=manual

You still need to use the network authentication portal. A simple C program that depends only on libcurl is available to automate this process; you may want to run it every day at 6 AM, and at power-on if 6 AM was missed, for example via anacron(8).

Note that TCP and UDP port 53 (usually used for DNS) are unblocked at all times and can accept arbitrary traffic, which still works if it's past 22:30, or even if you're not logged in. Therefore, if you have a server in Mainland China that, for example, listens on port 53 for IPSec/L2TP/WireGuard/iodine, the network authentication portal and the night-time block can be bypassed entirely. (Doing so with a server outside of Mainland China will result in blockage.)

wpa_supplicant/iwd

If you wish to use wpa_supplicant manually, then in addition to the "standard" configuration you need to add tls_disable_tlsv1_0=0 to the phase1 flags. On most systems, /usr/share/doc/wpa_supplicant/examples/wpa_supplicant.conf is a well-documented example configuration file that should cover all your needs.

I do not personally use iwd, and I don't see an option to allow insecure versions of TLS from a quick skim of the man page. Please help document this, if possible.

OpenBSD

OpenBSD's WiFi drivers do not directly support 802.1x (see, for example, bwfm(4) for Apple Silicon systems). You need to use wpa_supplicant. The usual guidance on wpa_supplicant on OpenBSD applies.

Note that TLS v1.1 and earlier have been removed from LibreSSL; therefore you must use the -openssl variants of the wpa_supplicant package, and add the phase1 flags as noted previously, along with phase1="allow_unsafe_renegotiation=1".

rcctl enable wpa_supplicant
rcctl set wpa_supplicant flags -c ${SYSCONFDIR}/wpa_supplicant.conf -s -D openbsd -i bwfm0

macOS

Connect to the "STUWIRELESS" network with your normal school credentials.

Every morning (after 6 AM), you must log in at the network captive portal at https://sjauth.ykpaoschool.cn:444/.

iPadOS

Be sure that "Private WLAN Address" is disabled in the "STUWIRELESS" network's properties. Then connect to the network with your normal school credentials.

Every morning (after 6 AM), you must log in at the network captive portal at https://sjauth.ykpaoschool.cn:444/.