Copyright 2023 - CSIM - Asian Institute of Technology

Network Access Gateway

Network Access Gateway at CSIM is based on ZeroShell.

Force disconnectionKnown issues.

Use the following URL

Note! You need a browser that support TLS 1.0. In Firefox, go to about:config, search for TLS and change security.tls.version.enable-deprecated to true.

Chrome has removed any support for TLS 1.0 because they want to support security upon their users, without consideration for backward compatibility. It seems that Opera does not support TLS 1.0 either.

The use the following URL:
https://192.41.170.39:12081/cgi-bin/zscp?Section=CPAuth&Action=Show&ZSCPRedirect=www.cs.ait.ac.th:::https://www.cs.ait.ac.th/

Network Access

The Computer Crime Act B.E. 2550 of Thailand requires that any person access Internet is properly identified. In order to fulfill this requirement, you must authenticate to the network access gateway before you can access any Internet resource outside of AIT (inside AIT is any IP addresses 192.41.170/24 and 203.159/18, AIT web site is hosted in the cloud and therefore is outside of AIT).

Authentication is performed on the web; the first time you access an external web page from a given computer, you are presented with the gateway page:

You should use your CSIM account and password to authenticate. Alternatively, you can click on the X509 Login button.

Once authenticated, a pop-up window will open. You must allow this pop-up window as it will maintain your computer authenticated to the gateway. If the pop-up window dies for any reason, the authentication will automatically expire within less than 10 minutes.

Once authenticated, you can access any Internet resource. The authentication will remain as long as the pop-up window is alive.

Every ten minutes, the pop-up will send authentication renewal message to the access gateway; in case the gateway does not receive a renewal message, the connection dies; this prevents the next user to steal an open connection associated to a given IP address.

The network authentication gateway makes heavy use of encryption; to avoid reccurent complains about the encryption certificates tell your browser to always trust that certificate.

X509 Login

As an alternative to username and password, you can use a X509 certificate to login. X509 login is easier and simpler: once configure, you only need to click on the button. This proves very useful in the case of mobile devices like smart phones. The configuration may be a lengthy process, but once it is done, you will never have to type a password anymore.

An X509 certificate associates a public key (from a private/public encryption system) and the identity of the owner of the key: I hereby certify that this key 56ABG-YUT54-8WSHU7-IYI77 belongs to Mr Olivier Nicole from AIT/CSIM.

There are many ways to create your X509 certificate; the method below works on most of the Unix systems (alternatively you can run the commands below inside an MS-DOS windows on a Microsoft system, after you have installed OpenSSL for Windows from Shining Light Productions, available locally from \\banyan\application\WINAPPS\OpenSSL\Win32OpenSSL-1_0_0e.exe):

  1. Generate a my.key that contains your RSA public/private key:
      openssl genrsa -des3 -out my.key 1024  
    It will ask you to enter a password for your secret key. You will have to type the password twice.
    Make very sure to store the file my.key in a safe place.
  2. For security, change the mode of the file my.key, so that only you can read it:
      chmod 400 my.key  
  3. Generate a certificate request:
      openssl req -new -key my.key -out my.csr  
    And answer the questions:
      
    You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TH
State or Province Name (full name) [Some-State]:Pathumthani
Locality Name (eg, city) []:Klong Luang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AIT
Organizational Unit Name (eg, section) []:CSIM
Common Name (eg, YOUR name) []:Olivier Nicole
Email Address []:This email address is being protected from spambots. You need JavaScript enabled to view it.
    
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
    		  
    Use your full name and email address at CSIM.
  4. Send the file my.csr to This email address is being protected from spambots. You need JavaScript enabled to view it. (This email address is being protected from spambots. You need JavaScript enabled to view it.), for certification. I must be able to verify your identity, use CSIM or AIT email to send the file. If I cannot asses your identify, I will not issue the certificate.
    Note: the file my.csr is a plain text file, you can copy/paste it to your mail, no need to attach it.
  5. Within a couple of days, I will send you a reply that contains your X509 certificate file. Save it under the name my.crt.
  6. Your certificate is generated by AIT, using AIT Certification Authority file. You need to download this file before you proceed to the next step; save it under the name ait-itserv.crt.
  7. Generate a PKCS12 file:
      
    openssl pkcs12 -export -inkey my.key -in my.crt -certfile ait-itserv.crt -out my.p12 -name "Olivier Nicole"
    		  
    Use your full name.
    Note: the "quotes" around the name.
    It will ask you for you password for the secret key (as in 1) and to choose and enter a PKSC12 password. The PKSC12 password can be different from the passowrd for the secret key.
  8. Change the mode of the file my.p12 for safety:
      
    chmod 400 my.p12
    		  
  9. Import the PKSC12 file in your web browser:

    In Firefox: in the menu Options.... choose the tab Advanced.

    Click on View Certificates.

    Click on Import... browse to your file my.p12 and enter your PKSC12 password.

    The first time you click on X509 Login button, you will receive a dialogue box that allows you to select which X509 certificate to use. Click OK.

Security wise, X509 certificates are not flawless, but in the case of authentication for network access gateway, it is acceptable.

Note: anyone who access your account on your computer will be able to access Internet under your name.

Force disconnection

In some uncommon cases the connection may end up in an unstable state that makes re-connection difficult. By forcing the disconnection, you will terminate any open connection that is associated with your machine and the IP address you are currently using.

Such situation may occur when you accidentally close the pop-up window; there is a delay when the connection is still open and the login page will not be displayed.

Automatic network authentication for Android 

K Phattarachai Chaimongkol had once developped an application that you can download and install on your Android device. Once configured with your username and password, authentication on CSIM network is just one click away.

That application has been obsoleted by newer version of Andoid. Any student want to develop a new application?

Known issues

There are cases where authentication with Firefox does not complete. The browser hangs with a blank pop-up window:

It seems the problem is related to JavaScript configurqation. In such case, use Internet Explorer to authenticate.

Powered by: ZeroShell OpenSSL

Login Form

Search

School of Engineering and technologies     Asian Institute of Technology