How to: eduroam wifi and WPA-enterprise [duplicate]

asked 2016-02-09 14:40:58 +0200

nik
178 ●4 ●7 ●13

updated 2016-08-17 10:52:02 +0200

jiit
2678 ●32 ●58 ●59

  admin

Lots of good information in this original how-to: https://together.jolla.com/question/315/how-to-wpa-8021x-enterprise-eduroam-others-gui-wifi-support-needed-workaround/

After some compatibility testing for my Yolla and different authentication types used in eduroam specifically, here is the summary of results and some instructions.

Eduroam is a federated access system, which means that many different organisations provide it. The authentication types used will differ from one place to the next and you have to configure your device so it uses an authentication mechanism that your organisation supports. Once you have done that, it doesn't matter where in Europe/World you connect, your authentication is forwarded to your home institution and handled there, so no need to change configs.

I tried PEAP-MSCHAPv2, EAP-TTLS/PAP and EAP-TLS and all of them worked at my university. None of these you can configure through the GUI however, hence this post.

For the impatient, here are the configs (largely collected from various posts here):

EAP-TLS

[service_eduroam_tls]
Type=wifi
Name=eduroam
EAP=tls
CACertFile=/etc/ssl/certs/organisation_root_certificate.cer
ClientCertFile=/home/nemo/.cert/your_personal_certificate.pem
PrivateKeyFile=/home/nemo/.cert/your_personal_certificate.pem
PrivateKeyPassphrase=your password here
AnonimousIdentity=anonymous@someuniversity.ac.uk
Identity=username@someuniversity.ac.uk

PEAP-MSCHAPv2

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
CACertFile=/etc/ssl/certs/organisation_root_certificate.cer
Phase1=0
Phase2=MSCHAPV2
Identity=username@someuniversity.ac.uk
Passphrase=your password here

EAP-TTLS

[service_eduroam_ttls]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/organisation_root_certificate.cer
Phase1=0
Phase2=PAP
AnonimousIdentity=anonimous@someuniversity.ac.uk
Identity=username@someuniversity.ac.uk
Passphrase=your password here

How to put these in place, install certificate authorities, convert your personal certificate (if needed) and how to troubleshoot if it still doesn't work follows.

Start with enabling developer mode and SSH-ing into the device. Doing that over the USB connection works best for me. You could do it all through a terminal app, but it will be a pain. Become root. You can either create the above config file/s on your computer and copy (e.g. scp) it to /var/lib/connman, or create the chosen file in place. You can call the file whatever you want, as long as you keep the .config extension. This also means that if you want you can create all of the above and then change the extensions of the ones you don't currently use. I have found that changing the files does not come into effect until I reboot the phone - hopefully someone will reply here saying what service needs to be restarted so we don't have to go into Windows reboot territory :)

For EAP-TLS (my preferred method) you need to ensure you have a valid user certificate in PEM format, and your organisations Certificate Authority is installed on your phone (is trusted). The first part should be easy, just copy your certificate, as provided by your institution, to some location on your Yolla. If it is provided in .p12 format, you will have to convert it to PEM:

openssl pkcs12 -in certificate.p12 -out username_cert.pem

Installing CA certificates is described in /etc/pki/ca-trust/source/README:

To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system: Copy it to the

/etc/pki/ca-trust/source/anchors/

subdirectory, and run the

update-ca-trust

command. If your certificate is in the extended BEGIN TRUSTED file format, then place it into the main source/ directory instead.

Obviously, the names and paths of your personal certificate and the CA certs should correspond to what you have entered in the configuration file. Once this is done, reboot (unless you know a better way) and you should be able to connect with EAP-TLS.

If it doesn't work and you know your institution supports it, you can either look at the logs as described below to troubleshoot or try some of the other authentication methods below.

For EAP-TTLS and PEAP-MSCHAPv2: Install your institution's root certificates as above and create the corresponding configuration file in /var/lib/connman.

Configuring these is faster and easier, but in my experience the login is slower and if misconfigured (no root CA verification) can be insecure. Additionally, if your organisation requires you to change passwords regularly, you will need to change them on all your devices as well. With certificates, you only need to change them when they expire which is usually in a few years (or the length of your study if you are a student).

Troubleshooting: If after the reboot your connection attempts fail, you can SSH in and (as root) check the logs. Run

journalctl -f

hit enter a few times to clear the screen, and then connect again. You will see some output related to your connection attempt. If it doesn't mean anything to you, ask here - I will try to keep an eye on replies to this post.