Dukeblue: Getting connected to Linux

 Duke University has implemented a secure wireless network known as Dukeblue which uses the authentication mechanism WPA-2 Enterprise and 802.1X. When correctly installed and configured, this network will protect your Duke NetID and password, and ensure that your data and transactions are secure and protected.

These steps require local admin rights in order to be successfully completed.  Follow these steps to configure your Dukeblue connection for your Linux computer so you can take advantage of this layer of security.  These instructions are intended for the initial connection to Dukeblue.  After you successfully complete these instructions, if you connect to another wireless network, and re-connect to Dukeblue, you should NOT need these instructions.

These instructions are written for the Ubuntu Linux operating system.

Please Note: Make sure the machine is within range of an 802.11 AP that’s broadcasting the Dukeblue SSID. This can probably be done without that, but it’s easier if you’re in a location where Dukeblue is available.

 

1. Log in to the desktop and wait for the dashboard at the top of the X server screen to fully populate.

2. In the upper right of the screen, right-click on the WiFi icon to bring up its options menu.

3. Select Edit Connections…  from the menu.

4. Depending on the machine’s history, there may be one or more wired or wireless connections listed. Click Add  to set up the Dukeblue network.

5. For Connection type select Wi-Fi, and click Create to create a new WiFi profile.

6. The resulting dialog box will have a number of different tabs in it. On the Wi-Fi tab, set the following values:

 Connection name: Dukeblue

 SSID: Dukeblue

Mode: Infrastructure

MTU:   Automatic

Leave the other options blank (as they will be filled in automatically when the connection is established).

 8. On the Wi-Fi Security tab, set the following values:

 Security: WPA & WPA2 Enterprise

 Authentication: Protected EAP (PEAP)

PEAP version: Version 0

Inner authentication: MSCHAPv2

Username: <your NetID>

Fill in your NetID password in the Password: field or check the Ask for this password every time checkbox in the tab. You must do one or the other in order to continue, however — there is no default.

8. Optionally on that same Wi-Fi Security tab, you may set:

 * Anonymous identity. If set, this will change the outer identity passed to the RADIUS server during the authentication process. This is of little value in the Dukeblue case, since the RADIUS conversation for Dukeblue is directly between the client and our local RADIUS servers. In cases (such as eduroam) where there are intervening proxy RADIUS servers, the anonymous identity controls what the proxy RAIDUS servers see as the user’s identifier. In this case, it’s not really relevant and can safely be left blank.

 * CA Certificate: The 802.1x supplicant wants to be pre-populated with a trusted root CA certificate it can use to verify the signature chain on the TLS certificate presented by the RADIUS server it will be using to authenticate to the WiFi network. It’s possible to operate the 802.1x client without a certificate specified, but doing so will result in a warning message every time the client connects (or until the user suppresses it) indicating that the identity of the RADIUS server can’t be verified and that it’s possible the user is being MITM’d. If you want to avoid that, download the AddTrust External CA root signing certificate to the machine — it’s available and save it in a text file on the machine, then use the “CA Certificate” button in the Wi-Fi Security tab to load the certificate from that file into the wireless profile.

 9. Optionally, you can fill in IPv4 and IPv6 details on the other tabs in the dialog. I think for most users the defaults will be correct — only adjust those settings if you know that you need to.

10.  Click Save to save the profile. If you chose not to load a certificate in step 8, you will get a warning message at this point that will offer to take you back to the configuration for loading a certificate.

11. If you didn’t enter a password in step 8, you’ll be prompted for your password now. Enter it and click Connect in the new dialog pop-up to connect to the Dukeblue network. If you didn’t load a CA certificate in step 8, you’ll get the same warning dialog again.

Once set up, there will be a configuration file containing your configuration in /etc/NetworkManager/system-connections/Dukeblue (or with whatever name you gave to the Wi-Fi connection in step 6 above). If you ever need to forget the Dukeblue network and start over, you can simply remove that file and repeat the process.

 If there is only one network connection defined in the NetworkManager configuration, it is the default for connections. If there are multiple connections defined, it’s not clear which connection will be used first. It is recommended to only have the one connection defined in NetworkManager and to manually attach to any other network(s) as needed.

 If you are still having difficulty connecting to Dukeblue, please consult with your local IT support, or contact the OIT Service Desk at 684-2200.