Network Access Gateway

Network Access Gateway at CSIM is based on ZeroShell.

Force disconnection.
Automatic network authentication for Android.
Known issues.


Network Access

The Computer Crime Act B.E. 2550 of Thailand requires that any person accessing the Internet be properly identified. To fulfill this requirement, you must authenticate to the network access gateway before you can access any Internet resource outside of AIT (IP addresses 192.41.170/24 and 203.159/16).

Authentication is performed on the web; the first time you access an external web page from a given computer, you are presented with the gateway page:

You should use your CSIM account and password to authenticate. Alternatively, you can click on the X509 Login button.

Once authenticated, a pop-up window will open. You must allow this pop-up window, as it keeps your computer authenticated to the gateway. If the pop-up window dies for any reason, the authentication will automatically expire within less than 10 minutes.

Once authenticated, you can access any Internet resource. The authentication will remain as long as the pop-up window is alive.

Every ten minutes, the pop-up sends an authentication renewal message to the access gateway; if the gateway does not receive a renewal message, the connection dies. This prevents the next user from stealing an open connection associated with a given IP address.

The network authentication gateway makes heavy use of encryption; to avoid recurrent complaints about the encryption certificates signed by the AIT Certificate Authority, you should install the AIT CA on your computer.

The pop-up window displays 4 icons with the following meanings:

Icon description  | Empty            | Green           | Orange           | Red
Email messages    | 0 message        | 1 – 9 messages  | 10 – 49 messages | 50 or more messages
Disk quota usage  | No quota defined | Less than 75%   | 75% – 90%        | More than 90%
Print quota usage | No quota defined | Less than 75%   | 75% – 90%        | More than 90%
Account expiry    | Never expires    | 60 days or more | 7 – 59 days      | Less than 7 days

Move the mouse cursor over each icon in the pop-up window to get detailed information.

Note: If you let your disk usage run over quota, you will not be allowed to access the Internet.

X509 Login

As an alternative to username and password, you can use an X509 certificate to log in. X509 login is easier and simpler: once configured, you only need to click on the button. This proves very useful in the case of mobile devices like smart phones.

An X509 certificate associates a public key (from a public/private key pair) with the identity of the owner of the key, in effect stating: "I hereby certify that this key 56ABG-YUT54-8WSHU7-IYI77 belongs to Mr Olivier Nicole from AIT/CSIM."

There are many ways to create your X509 certificate; the method below works on most Unix systems (alternatively, you can run the commands below inside an MS-DOS window on a Microsoft system, after you have installed OpenSSL for Windows from Shining Light Productions, available locally from \\banyan\application\WINAPPS\OpenSSL\Win32OpenSSL-1_0_0e.exe):

  1. Generate a file my.key that contains your RSA public/private key pair:
      openssl genrsa -des3 -out my.key 1024  
    It will ask you to enter a password for your secret key. You will have to type the password twice.
    Make very sure to store the file my.key in a safe place.
  2. For security, change the mode of the file my.key, so that only you can read it:
      chmod 400 my.key  
  3. Generate a certificate request:
      openssl req -new -key my.key -out my.csr  
    And answer the questions:
     
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:TH
    State or Province Name (full name) [Some-State]:Pathumthani
    Locality Name (eg, city) []:Klong Luang
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Asian Institute of Technology
    Organizational Unit Name (eg, section) []:CSIM
    Common Name (eg, YOUR name) []:Olivier Nicole
    Email Address []:on@cs.ait.ac.th
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
     
    Use your full name and email address at CSIM.
  4. Send the file my.csr to me (on@cs.ait.ac.th) for certification. I must be able to verify your identity, so use your CSIM or AIT email to send the file. If I cannot assess your identity, I will not issue the certificate.
    Note: the file my.csr is a plain text file, you can copy/paste it to your mail, no need to attach it.
  5. Within a couple of days, I will send you a reply that contains your X509 certificate file. Save it under the name my.crt.
  6. Your certificate is generated by AIT, using the AIT Certification Authority file. You need to download this file before you proceed to the next step; save it under the name ait-itserv.crt.
  7. Generate a PKCS12 file:
     
    openssl pkcs12 -export -inkey my.key -in my.crt -certfile ait-itserv.crt -out my.p12 -name "Olivier Nicole"
     
    Use your full name.
    Note the "quotes" around the name.
    It will ask you for your password for the secret key (as in 1) and to choose and enter a PKCS12 password. The PKCS12 password can be different from the password for the secret key.
  8. Change the mode of the file my.p12 for safety:
     
    chmod 400 my.p12
     
  9. Import the PKCS12 file in your web browser:

    In Firefox

    In the menu Options.... choose the tab Advanced.

    Click on View Certificates.

    Click on Import..., browse to your file my.p12 and enter your PKCS12 password.

    The first time you click on X509 Login button, you will receive a dialogue box that allows you to select which X509 certificate to use. Click OK.

    In Internet Explorer

    In the menu Internet Options choose the tab Content.

    Click on Certificates.

    Click on Import... and use the Certificate Import Wizard.

    Browse to your file my.p12, enter the PKCS12 password; use the default choice for the other parameters.

    Restart Internet Explorer.

    The first time you click on X509 Login button, you will receive a dialogue box that allows you to select which X509 certificate to use. Click OK.
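
The checks below can be run between steps 5 and 7, before my.key and my.crt are packed into my.p12. This is an added example, not part of the original page or of the CSIM procedure: it reads only the public files from the steps above (my.csr, my.crt, ait-itserv.crt), confirms that the certificate you received carries the key you requested and verifies against the CA file, and reports the key size in the request. The script name check.sh and the make_demo helper, which builds constructed stand-in files for a dry run, are assumptions of this example.

```shell
#!/bin/sh
# Added example: reads only my.csr, my.crt and ait-itserv.crt, never my.key.

# RSA key size, in bits, of the public key inside a certificate request.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[ -]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# True when certificate $1 carries the same public key as request $2,
# so it pairs with the my.key that the request was generated from.
cert_matches_csr() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when certificate $2 verifies against the CA file $1 (step 6).
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Constructed throwaway CA, request and certificate for a dry run; not AIT
# files. The 2048-bit demo keys are this example's choice, not the page's.
make_demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -subj "/O=Constructed Demo CA" -days 1 -out "$d/ca.crt" >/dev/null 2>&1 &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/my.key" \
        -subj "/O=Example/CN=Demo User" -out "$d/my.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/my.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/my.crt" >/dev/null 2>&1 &&
    echo "$d"
}

check_all() {   # arguments: request, certificate, CA file
    openssl req -in "$1" -noout -subject || return 1
    echo "request key size: $(csr_key_bits "$1") bits"
    cert_matches_csr "$2" "$1" || { echo "certificate/request mismatch"; return 1; }
    cert_chains_to "$3" "$2" || { echo "not signed by this CA"; return 1; }
    echo "ok: $2 matches the request and verifies against $3"
}

# Usage: sh check.sh my.csr my.crt ait-itserv.crt   (or: sh check.sh demo)
if [ "$#" -eq 3 ]; then
    check_all "$@"
elif [ "${1:-}" = demo ]; then
    d=$(make_demo) && check_all "$d/my.csr" "$d/my.crt" "$d/ca.crt"
fi
```

The reported key size is worth reading before step 4: the 1024 used in step 1 is below the 2048-bit minimum in current NIST guidance, and the size cannot be changed once the certificate is issued.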

Security-wise, X509 certificates are not flawless, but for authentication to the network access gateway they are acceptable.

Note: anyone who accesses your account on your computer will be able to access the Internet under your name.

Force disconnection

In some uncommon cases the connection may end up in an unstable state that makes re-connection difficult. By forcing the disconnection, you will terminate any open connection that is associated with your machine and the IP address you are currently using.

Such a situation may occur when you accidentally close the pop-up window; there is a delay during which the connection is still open and the login page will not be displayed.

Automatic network authentication for Android

K Phattarachai Chaimongkol has developed an application that you can download and install on your Android device. Once configured with your username and password, authentication on CSIM network is just one click away.

Known issues

There are cases where authentication with Firefox does not complete. The browser hangs with a blank pop-up window:

It seems the problem is related to JavaScript configuration. In such a case, use Internet Explorer to authenticate.

 

Powered by: ZeroShell OpenSSL

Contact us: Olivier Nicole, CSIM, SET, AIT. Last update: May 2014