Network Access Gateway at CSIM is based on ZeroShell.
Use the following URL
With the new firewall, the IP address has changed, please use the following URL:
and update your bookmark.
Network Access
The Computer Crime Act B.E. 2550 of Thailand requires that any person access Internet is properly identified. In order to fulfill this requirement, you must authenticate to the network access gateway before you can access any Internet resource outside of AIT (inside AIT is any IP addresses 192.41.170/24 and 203.159/18, AIT web site is hosted in the cloud and therefore is outside of AIT).
Authentication is performed on the web; the first time you access an external web page from a given computer, you are presented with the gateway page:
You should use your CSIM account and password to authenticate. Alternatively, you can click on the X509 Login button.
Once authenticated, a pop-up window will open. You must allow this pop-up window as it will maintain your computer authenticated to the gateway. If the pop-up window dies for any reason, the authentication will automatically expire within less than 10 minutes.
Once authenticated, you can access any Internet resource. The authentication will remain as long as the pop-up window is alive.
Every ten minutes, the pop-up will send authentication renewal message to the access gateway; in case the gateway does not receive a renewal message, the connection dies; this prevents the next user to steal an open connection associated to a given IP address.
X509 Login
As an alternative to username and password, you can use a X509 identity to login. X509 login is easier and simpler: once configured, you only need to click on the button. This proves very useful in the case of mobile devices like smartphones.
An X509 identity associates a public key (from a private/public encryption system) and the identity of the owner of the key: I hereby certify that this key 56ABG-YUT54-8WSHU7-IYI77 belongs to Mr Olivier Nicole from AIT/CSIM. That X509 identity is then recognized by our firewall.
You can either create your X509 automatically or you can create it manually.
Security wise, X509 certificates are not flawless, but in the case of authentication for network access gateway, it is acceptable. It also means that your CSIM password is not stored in your computer; anyone accessing your computer will not be able to steal your CSIM password. But anyone who access your account on your computer will still be able to access Internet under your name.
Create your X509 automatically
Simply go to CSIM account management page and fill in the password for X509 identity. The Certificate will be sent to you by email in your CSIM mailbox. This is fast and easy.
You can download the file from your email and install your X509 identity. The X509 identity is valid for one year.
Installing your X509 identity
On Windows, you can simply double-click on the file. Once you have entered the password you choose above, you can click on Next at every step. The X509 identity will be automatically installed in your Personal certificates. Once installed, your X509 identity will be available for any web browser you use.
On Linux, you need to install your X509 identity in your web browser. Open the Settings for your browser and search for Certificates
. Then import the file in Your Certificates
. You will need to repeat the same operation with all the web browsers that you are using.
You can use your X509 identity on more than one system.
Note: If you do not delete your X509 identity file right after installing it, remember to protect it against theft.
Using your X509 identity
On the CSIM access gateway page, simply click on the X509
button.
When you use the X509 identity for the first time, your browser will ask you to choose which identity to use; for example with Firefox:
Create your X509 identity manually
Creating your X509 identity manually require many steps, but you keep a full control on the process. You also retain the full rights on your private key.
There are many ways to create your X509 identity; the method below works on most of the Unix systems (alternatively you can run the commands below inside an MS-DOS windows on a Microsoft system, after you have installed OpenSSL for Windows from Shining Light Productions, available locally from \\banyan\application\WINAPPS\OpenSSL\Win64OpenSSL-3_1_1.exe):
- Generate a my.key that contains your RSA public/private key:
openssl genrsa -des3 -out my.key 2048
Make very sure to store the file my.key in a safe place. - For security, change the mode of the file my.key, so that only you can read it:
chmod 400 my.key
- Generate a certificate request:
openssl req -new -sha256 -key my.key -out my.csr
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:TH State or Province Name (full name) [Some-State]:Pathumthani Locality Name (eg, city) []:Klong Luang Organization Name (eg, company) [Internet Widgits Pty Ltd]:AIT Organizational Unit Name (eg, section) []:CSIM Common Name (eg, YOUR name) []:Olivier Nicole Email Address []:on@cs.ait.ac.th
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
- Send the file my.csr to
This email address is being protected from spambots. You need JavaScript enabled to view it. (This email address is being protected from spambots. You need JavaScript enabled to view it. ), for certification. I must be able to verify your identity, use CSIM or AIT email to send the file. If I cannot asses your identify, I will not issue the certificate.
Note: the file my.csr is a plain text file, you can copy/paste it to your mail, no need to attach it. - Within a couple of days, I will send you a reply that contains your X509 certificate file. Save it under the name my.crt.
- Your certificate is generated by CSIM, using CSIM Certification Authority file. You need to download this file before you proceed to the next step; save it under the name cs.ait.ac.th.ca.
- Generate a PKCS12 file for X509 identity:
openssl pkcs12 -export -inkey my.key -in my.crt -certfile cs.ait.ac.th.ca -out my.p12 -name "Olivier Nicole"
Note: the "quotes" around the name.
It will ask you for you password for the secret key (as in 1) and to choose and enter a PKSC12 password. The PKSC12 password can be different from the passowrd for the secret key. - Change the mode of the file my.p12 for safety; the file
my.p12
contains a copy of your private key, keep it as secured as your private key:
chmod 400 my.p12
- Install your X509 identity as described above.
Powered by: |