Network Access Gateway at CSIM is based on ZeroShell.
With the new firewall, the IP address has changed; please use the following URL:
and update your bookmark.
The Computer Crime Act B.E. 2550 of Thailand requires that any person accessing the Internet be properly identified. To fulfill this requirement, you must authenticate to the network access gateway before you can access any Internet resource outside of AIT (inside AIT means any IP address in 192.41.170/24 and 203.159/18; the AIT web site is hosted in the cloud and is therefore outside of AIT).
Authentication is performed on the web; the first time you access an external web page from a given computer, you are presented with the gateway page:
You should use your CSIM account and password to authenticate. Alternatively, you can click on the X509 Login button.
Once authenticated, a pop-up window will open. You must allow this pop-up window, as it keeps your computer authenticated to the gateway. If the pop-up window dies for any reason, the authentication will automatically expire within less than 10 minutes.
Once authenticated, you can access any Internet resource. The authentication will remain as long as the pop-up window is alive.
Every ten minutes, the pop-up sends an authentication renewal message to the access gateway. If the gateway does not receive a renewal message, the connection dies; this prevents the next user from stealing an open connection associated with a given IP address.
As an alternative to username and password, you can use an X509 identity to log in. X509 login is easier and simpler: once configured, you only need to click on the button. This proves very useful in the case of mobile devices like smartphones.
An X509 identity associates a public key (from a private/public encryption system) with the identity of the owner of the key: "I hereby certify that this key 56ABG-YUT54-8WSHU7-IYI77 belongs to Mr Olivier Nicole from AIT/CSIM." That X509 identity is then recognized by our firewall.
You can either create your X509 automatically or you can create it manually.
Security-wise, X509 certificates are not flawless, but in the case of authentication for the network access gateway, this is acceptable. It also means that your CSIM password is not stored on your computer; anyone accessing your computer will not be able to steal your CSIM password. But anyone who accesses your account on your computer will still be able to access the Internet under your name.
Simply go to the CSIM account management page and fill in the password for the X509 identity. The certificate will be sent to you by email in your CSIM mailbox. This is fast and easy.
You can download the file from your email and install your X509 identity. The X509 identity is valid for one year.
On Windows, you can simply double-click on the file. Once you have entered the password you chose above, you can click on Next at every step. The X509 identity will be automatically installed in your Personal certificates. Once installed, your X509 identity will be available for any web browser you use.
On Linux, you need to install your X509 identity in your web browser. Open the Settings for your browser and search for Certificates. Then import the file in Your Certificates. You will need to repeat the same operation with all the web browsers that you are using.
You can use your X509 identity on more than one system.
Note: If you do not delete your X509 identity file right after installing it, remember to protect it against theft.
On the CSIM access gateway page, simply click on the X509 button.
When you use the X509 identity for the first time, your browser will ask you to choose which identity to use; for example with Firefox:
Creating your X509 identity manually requires many steps, but you keep full control over the process. You also retain full rights to your private key.
There are many ways to create your X509 identity; the method below works on most Unix systems (alternatively, you can run the commands below inside an MS-DOS window on a Microsoft system, after you have installed OpenSSL for Windows from Shining Light Productions, available locally from \\banyan\application\WINAPPS\OpenSSL\Win64OpenSSL-3_1_1.exe):
    openssl genrsa -des3 -out my.key 2048
    chmod 400 my.key
    openssl req -new -sha256 -key my.key -out my.csr

    openssl pkcs12 -export -inkey my.key -in my.crt -certfile cs.ait.ac.th.ca -out my.p12 -name "Olivier Nicole"

my.p12 contains a copy of your private key; keep it as secure as your private key:

    chmod 400 my.p12
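The script below is an added example, not part of the original page: before importing my.p12 into a browser, it checks that my.key, my.crt and my.p12 carry the same public key, that the certificate has not expired, and that both secret files are mode 400. The function names, the demo passwords and the throwaway CA that signs the request are assumptions made for the example; the file names are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks on my.key, my.crt, my.p12.
# Passphrase arguments are OpenSSL sources (env:VAR, file:PATH); pass: is for the demo only.

# Public key (PEM) held in an encrypted private key.   $1=key file  $2=passphrase source
key_pub()  { openssl pkey -in "$1" -passin "$2" -pubout 2>/dev/null; }
# Public key certified by a certificate.               $1=certificate
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
# Public key of the user certificate inside a PKCS#12. $1=p12 file  $2=passphrase source
p12_pub()  { openssl pkcs12 -in "$1" -passin "$2" -nokeys -clcerts 2>/dev/null |
             openssl x509 -noout -pubkey 2>/dev/null; }
# Permission string of a file, "-r--------" after chmod 400.
mode_of()  { ls -ld "$1" | cut -c1-10; }

# Returns 0 only if key, certificate and bundle belong together, the certificate
# has not expired, and both secret files are readable by their owner only.
# $1=key $2=cert $3=p12 $4=key passphrase source $5=p12 passphrase source
check_identity() {
    pub=$(key_pub "$1" "$4") && [ -n "$pub" ] || { echo "cannot read $1"; return 1; }
    [ "$pub" = "$(cert_pub "$2")" ] || { echo "$2 does not certify the key in $1"; return 1; }
    [ "$pub" = "$(p12_pub "$3" "$5")" ] || { echo "$3 does not carry this identity"; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null || { echo "$2 has expired"; return 1; }
    for f in "$1" "$3"; do
        [ "$(mode_of "$f")" = "-r--------" ] || { echo "$f is not mode 400"; return 1; }
    done
    echo "identity is consistent"
}

# Constructed sample input: runs the commands above in directory $1 with made-up
# passwords; a throwaway CA (an assumption) stands in for the real signing step.
make_demo_identity() {
    ( cd "$1" &&
      openssl genrsa -des3 -passout pass:demo-key-pw -out my.key 2048 2>/dev/null &&
      chmod 400 my.key &&
      openssl req -new -sha256 -key my.key -passin pass:demo-key-pw \
              -subj "/CN=Example User" -out my.csr &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -days 2 \
              -subj "/CN=Throwaway Test CA" -out ca.crt 2>/dev/null &&
      openssl x509 -req -in my.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
              -days 365 -sha256 -out my.crt 2>/dev/null &&
      openssl pkcs12 -export -inkey my.key -passin pass:demo-key-pw -in my.crt \
              -certfile ca.crt -out my.p12 -name "Example User" \
              -passout pass:demo-p12-pw &&
      chmod 400 my.p12 )
}

# Demo run in a scratch directory.
demo=$(mktemp -d) && make_demo_identity "$demo" &&
check_identity "$demo/my.key" "$demo/my.crt" "$demo/my.p12" pass:demo-key-pw pass:demo-p12-pw
rm -rf "$demo"
```

On a real identity, pass the passphrases as `env:` or `file:` sources rather than `pass:`, so they do not appear in the process list.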