Access Keys:
Skip to content (Access Key - 0)

Q: Ubuntu Linux - How to connect to MIT SECURE wireless

Answer

Change your Password
Users who have not changed their password since June 2010 will need to change their password prior to using the MIT SECURE network. Changing your password ensures that the password is synchronized with the authentication servers for the MIT SECURE network.

Ubuntu 10.04 (Lucid) and higher can connect to the MIT SECURE wireless network using NetworkManager.

  1. From the network manager icon in the top panel, select the "MIT SECURE" wireless network.
    List of available networks

  2. In the Authentication required by wireless network window, ensure that the following settings are used:
    • Wireless security: WPA & WPA2 Enterprise
    • Authentication: Protected EAP (PEAP)
    • Anonymous identity: (leave blank)
    • PEAP version: Automatic
    • Inner Authentication: MSCHAPv2
    • Username: (your MIT username)
    • Password: (your Kerberos password)
      Authentication screen

  3. Click Connect. If all goes well, you should be connected to the network.
In mid-2017, the CA used to sign the radius server certs was changed from Geotrust Global CA. If your linux system is suddenly unable to connect to MIT SECURE, change your network settings to no longer use the Geotrust CA.

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

June 16, 2017

Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
Labels:
c-wireless c-wireless Delete
connect connect Delete
secure secure Delete
wireless wireless Delete
network network Delete
ubuntu ubuntu Delete
linux linux Delete
connection connection Delete
configure configure Delete
wifi wifi Delete
bit bit Delete
access access Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
Feedback
This product/service is:
Easy to use
Average
Difficult to use

This article is:
Helpful
Inaccurate
Obsolete
  1. Aug 23, 2013

    Command line aficionados can also use the following config file entries, which work on Debian, and probably on other Linux distros (where you might have to adjust the path to the certificate). I won't guarantee that this is the best or safest way to do things, though.

    • In /etc/network/interfaces:
    • In /etc/wpa_supplicant/wpa_supplicant.conf:
    • The interface can then be brought up on the command line via:
  2. Jul 08, 2017

    Using this method, the client does not verify the name of the RADIUS server certificate. In the worst case of a MITM attacker with a certificate for his own domain name from the same CA, this nullifies the security of the certificate verification, reducing the security of the Wi-Fi connection to that of MS-CHAP. MS-CHAP is said to be easy to break, which would let the attacker read the IP packets sent over Wi-Fi (though their content may be further encrypted, e.g., by HTTPS) and later impersonate the user to the Wi-Fi access point. However, I'm unsure if the attacker could easily recover the Kerberos password in a form usable for other MIT services as I previously believed. (FWIW, it looks like the documented procedures for many of the other OSes have the same problem, though I haven't ruled out that the OS has an option that the procedure just doesn't use.)

    NetworkManager has had an option to verify the server name for a while, but it isn't exposed in the UI. Example commands to set the server names:

    (The server names are from this page.)

    Caution: Versions of network-manager-applet before 1.4.6 silently remove the server name constraint when the connection is edited in the UI, reopening the vulnerability. Since version 1.4.6, a warning message is displayed when the connection is edited.

  3. Jul 08, 2017

    In June 2017, the instructions were changed to no longer specify a CA certificate. Can anyone confirm whether this will result in the certificate not being verified at all or the system CA bundle being used?

Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki