As an offshoot of the recent Network Renewal Programme, ICTS is introducing Network Access Control (NAC) mechanisms on the UCT wired network across campus. NAC will enhance network security on campus, help us to align with our cyber insurer’s requirements, and help us comply with a range of local and international standards and legislation. This new feature will ensure that every device connecting to our network via cable is authenticated and that the user or device owner can be identified by their UCT network account. It will also pave the way for network segmentation – an upcoming security measure which will further enhance control around access to specific UCT servers and services.

When will this happen?

The change will be implemented in all buildings on campus over October 2023.

What do I need to do?

If your device connects wirelessly, you don’t need to take action.

However, if you connect any device on campus using a network cable, you will need to configure that device by 24th October 2023.

To do so, please follow the instructions below relevant to your operating system for each wired device you use on campus:

Instructions for Linux

You can use the eduroam CAT tool to have the configuration done automatically.

  1. Download the Linux installation file.
  2. Open Terminal and give the file "execute" permission by typing:
    chmod +x /path_to_your_download_folder/eduroam-linux-UoCT.sh
  3. In Terminal, run your script by typing:
    /path_to_your_download_folder/eduroam-linux-UoCT.sh
    (Substitute the text "path_to_your_download_folder" with the actual path.)
  4. When prompted, enter your UCT username@wf.uct.ac.za and UCT network password.
  5. Confirm your password.

Alternatively, you can manually configure your computer by following the steps for your operating system:

Ubuntu 20.04 LTS

For a visual version of these instructions, please watch this video:

Alternatively, follow these text instructions:

WARNING:
Please carry out the procedure below BEFORE plugging in the network cable.

  1. Ensure that the machine is up to date with patches.
  2. Navigate to Settings > Network.
  3. In the network connections dialog box, click + (Add) next to Wired configuration.
  4. In the New Profile window:
    1. Name the profile - e.g. UCT Network.
    2. Click the Security tab.
  5. In the Security tab:
    • Enable 802.1x Security.
    • In the Authentication section, select Protected EAP (PEAP).
    • Under CA certificate, select No CA certificate is required.
    • In the Username field, enter your UCT staff / student number @wf.uct.ac.za.
    • In the Password field, enter your UCT network password.
    • Click Apply.
  6. Close the settings dialogue box.
  7. Plug in the Ethernet cable.

You will now have two wired profiles. When at UCT, use the new profile created in step 4. When you're not on campus and you're using a LAN connection, use your previous profile.

Connection issues after enablement 

After the deadline, if you are having trouble connecting to the internet:

  1. Check if you can access the Service Portal. If so, your issue is NAC-related. Please follow this link to log a NAC request. Or contact the NAC support line on 021 650 8050.
  2. If you cannot access the Service Portal, you are experiencing a different network issue. For example, your device might connect to the network but has no internet access. In such cases, please contact the IT Helpdesk on 021 650 4500 (choose option 1). Alternatively, use your mobile phone to log a request in the Service Portal (eduroam is not impacted by this initiative.)

Ubuntu Server LTS 22.04

 

Initial steps:

  1. Install the necessary packages:

    - Open a terminal on your Ubuntu Server 22.04 system.
    - Update the package lists: sudo apt-get update
    - Install the required packages: sudo apt-get install -y wpasupplicant ifupdown
     
  2. Configure the 802.1x supplicant:

    - Open a text editor and create a new file. For example, you can use the following command to create and open the file using Nano editor: sudo nano /etc/wpa_supplicant/wpa_supplicant.conf
    - Add the following lines to the file:

    ctrl_interface=/run/wpa_supplicant
    ap_scan=0
    network={
          key_mgmt=IEEE8021X
          eap=PEAP
          identity="your UCT username@wf.uct.ac.za"
          password="your UCT password"
          phase1="peaplabel=0"
          phase2="auth=MSCHAPV2"
    }

     
  3. Configure the network interface:
    - Open the network interface configuration file using a text editor: sudo nano /etc/network/interfaces
    - Add the following lines to the file, replacing eth0 with the correct interface name:
          auto eth0
          iface eth0 inet manual
          pre-up wpa_supplicant -B -Dwired -c/etc/wpa_supplicant/wpa_supplicant.conf -ieth0
          post-down killall -q wpa_supplicant

           
  4. Restart the networking service for the changes to take effect: sudo service networking restart
     
  5. To check if the authentication was successful and you have obtained an IP address, use the following command to view the network interface details: ip addr show eth0
    (Replace eth0 with the correct interface name if needed. Look for the inet section to see if an IP address has been assigned. If an IP address is present, the authentication was successful and you are connected to the network.)

Logging information:

To check the system logs for any errors or relevant messages related to the wired 802.1x authentication, use the following command to view the logs:

sudo journalctl -u systemd-networkd

This will display the logs specifically related to the networking service.

Connection issues after enablement 

After the deadline, if you are having trouble connecting to the internet:

  1. Check if you can access the Service Portal. If so, your issue is NAC-related. Please follow this link to log a NAC request. Or contact the NAC support line on 021 650 8050.
  2. If you cannot access the Service Portal, you are experiencing a different network issue. For example, your device might connect to the network but has no internet access. In such cases, please contact the IT Helpdesk on 021 650 4500 (choose option 1). Alternatively, use your mobile phone to log a request in the Service Portal (eduroam is not impacted by this initiative.)


Raspberry Pi

These instructions are applicable to Raspberry Pi Model 3 / Model 4, with the Raspbian 10 operating system.

Note that you should be on campus when applying these instructions. However, if you attempt to begin the process from a remote location, please ensure that you are connected to the UCT VPN so that you can access the Gitlab code.

Initial steps:

  1. Clone the repository from the following location: git clone https://gitlab.uct.ac.za/cis/uct-connectivity/uct-8021x-wired
  2. Copy the 60-wpa_supplicant_802dot1x file located in your cloned folder to /lib/dhcpcd/dhcpcd-hooks/ on the Raspberry Pi: sudo cp uct-8021x-wired/60-wpa_supplicant_802dot1x /lib/dhcpcd/dhcpcd-hooks/
  3. If you are setting up your Raspberry Pi for the first time, you can successfully copy the wpa_supplicant.conf file to the /etc/wpa_supplicant directory. However, we strongly suggest viewing the file first, especially since you may have credentials used to connect to eduroam. If eduroam is already configured for your Raspberry Pi, do not copy the file across, as your credentials would match those already needed for a successful wired connection.
  4. Edit the /etc/wpa_supplicant/wpa_supplicant.conf file by using a suitable file editor to update the authentication credentials.

    # Wired network details 
    network={
        ssid="tmpSSID"
        key_mgmt=IEEE8021X
        eap=PEAP MSCHAPV2
        identity="uct_credential_id@wf.uct.ac.za"
        password="uct_credential_password"
    }

     
  5. Edit the /etc/dhcpcd.conf file and append the following at the end of the file:

    # Use env to invoke a 802.1x wired wpa_supplicant dhcpcd-hook in /lib/dhcpcd/dhcpcd-hooks/60-wpa_supplicant_802dot1x.
    interface eth0
    env 802dot1x=1

     
  6. Reboot the Raspberry Pi by issuing sudo reboot, or restart networking with systemctl restart networking.

Logging information:

To find logging information relevant to the services just configured, please execute journalctl --unit=dhcpcd to ensure that a successful authenticated IP address is retrieved.

To find logging information related to wpa_supplicant, please execute journalctl --unit=wpa_supplicant.
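
The script below is an added example, not ICTS code. It lints a wpa_supplicant.conf written for either the Ubuntu Server or the Raspberry Pi steps above, checking for the 802.1X settings those steps call for, a padded or mis-suffixed identity, and file permissions that would let other local users read the plaintext password. The function names and the expectation of mode 600 are assumptions of this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not ICTS code): lint a wired 802.1X wpa_supplicant.conf.
# check_conf FILE prints one line per finding and returns the number of findings.
# Assumptions: GNU stat is available; mode 600 is this example's expectation.
check_conf() {
    conf=$1
    findings=0
    note() { echo "$conf: $1"; findings=$((findings + 1)); }

    [ -r "$conf" ] || { note "file is not readable"; return 1; }

    # The file stores the network password in plaintext: owner-only access.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        600|400) ;;
        *) note "mode is $mode, expected 600" ;;
    esac

    # Settings that both configurations on this page contain.
    grep -Eq '^[[:space:]]*key_mgmt=IEEE8021X[[:space:]]*$' "$conf" ||
        note "key_mgmt=IEEE8021X not found"
    grep -Eq '^[[:space:]]*eap=PEAP' "$conf" || note "eap=PEAP not found"

    # The quoted identity is used literally, so stray spaces break the login.
    id=$(sed -n 's/^[[:space:]]*identity="\(.*\)"[[:space:]]*$/\1/p' "$conf" | head -n 1)
    case $id in
        '') note "identity not found" ;;
        *' '*) note "identity contains a space" ;;
        *@wf.uct.ac.za) ;;
        *) note "identity does not end in @wf.uct.ac.za" ;;
    esac

    return "$findings"
}

# Constructed sample: padded identity and a world-readable mode (two findings).
demo() {
    sample=$(mktemp)
    printf 'network={\n key_mgmt=IEEE8021X\n eap=PEAP\n identity=" user01@wf.uct.ac.za "\n password="x"\n}\n' > "$sample"
    chmod 644 "$sample"
    check_conf "$sample"; rc=$?
    rm -f "$sample"
    return "$rc"
}

# With an argument, lint that file; without one, run the constructed sample.
if [ $# -gt 0 ]; then check_conf "$1"; else demo || true; fi
```

Run it with sudo against /etc/wpa_supplicant/wpa_supplicant.conf before restarting networking; an exit status of 0 means no findings.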

Connection issues after enablement 

After the deadline, if you are having trouble connecting to the internet:

  1. Check if you can access the Service Portal. If so, your issue is NAC-related. Please follow this link to log a NAC request. Or contact the NAC support line on 021 650 8050.
  2. If you cannot access the Service Portal, you are experiencing a different network issue. For example, your device might connect to the network but has no internet access. In such cases, please contact the IT Helpdesk on 021 650 4500 (choose option 1). Alternatively, use your mobile phone to log a request in the Service Portal (eduroam is not impacted by this initiative.)

Instructions for other operating systems

If you have a computing device that isn't covered above, let us know by filling out this form.