
[How-To] WPA-802.1X (enterprise), eduroam +[Others] GUI wifi support needed + workaround

asked 2013-12-24 17:43:42 +0300

updated 2015-04-10 16:31:00 +0300

Jolla needs to add support for WPA-802.1X wifi connections, as a lot of routers, workplaces and universities use it.

So the WPA Supplicant does work now, but there is no GUI implementation for adding such networks; you will need to use the workaround described below. To make things easier, use an SSH connection from your PC to the Jolla, which is easier than typing it out on the on-screen keyboard.

How to SSH can be found here.

Currently there is an unofficial workaround which people can use.

a) activate developer-mode (Settings->System->DeveloperMode)
b) use the terminal on the device or ssh to the device
c) install vim or any other text editor
d) vim /var/lib/connman/wifi_eduroam.config

wifi_eduroam.config: please note that entries seem to be case sensitive

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
CACertFile=/etc/ssl/certs/ca-bundle.crt
Phase2=MSCHAPV2
Identity=user@domain
Passphrase=yoursecret

e) save and exit
f) turn on/off wlan (or reboot phone)

Please feel free to contribute :)

If you want to install vim or nano, use the following commands in the terminal:

nano:

pkcon install nano

vim:

pkcon install zypper
zypper in vim

[update]: nodevel has released a Sailfish application which allows you to create such networks. Feel free to have a look at [Roamer](https://openrepos.net/content/nodevel/roamer).

As an example, here is my eduroam login for my university connection:

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
Phase1=0
Phase2=MSCHAPV2
Identity=********@glam.ac.uk
Passphrase=********

There was no need to specify the certificate


ChemIst's eduroam config for uni-kl.de (please note that entries seem to be case sensitive):

[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/ca-bundle.crt
Phase2=PAP
Identity=********@rhrk.uni-kl.de
Passphrase=********

Comments

12

The title is misleading. You're asking for WPA Enterprise, specifically an EAP variety of it. This is not PSK.

tbr ( 2013-12-24 20:00:32 +0300 )edit
5

Doesn't eduroam use TTLS, PAP, and also needs an anonymous identity? It does at the Heinrich-Heine-University in Düsseldorf at least ;)

Kondou ( 2013-12-24 22:06:49 +0300 )edit
13

eduroam uses quite a variety of EAP methods depending on the home organisation. Some use PEAP, some EAP-TTLS+PAP, some EAP-TTLS+MSCHAPv2, some EAP-TLS, some EAP-PWD. This means that either Jolla should have UI for configuring various wpa_supplicant parameters or way to provision config and certs.

Karri Huhtanen ( 2013-12-27 10:32:23 +0300 )edit

Works great, just connected a wpa2 enterprise network....

BoertjE ( 2013-12-30 11:41:10 +0300 )edit
2

Had a little trouble with Helsinki University Eduroam myself, but got this to work after I realized connman really does require the domain part in the username (as opposed to wpa_supplicant that I normally use). Their CA Cert can be downloaded here: https://www.helsinki.fi/atk/ca/HYAD_ROOT_CA.pem

elakim ( 2014-01-02 18:11:25 +0300 )edit

17 Answers

Sort by » oldest newest most voted
62

answered 2015-01-15 15:40:22 +0300 by bijjal

We are planning to support this feature. It depends on the availability of certificate management system on the OS. We are in process of completing the middleware bits for this and soon need to implement the UI for certificate manager. Thereafter we should be clear to implement WPA Enterprise support.


Comments

1

@bijjal - Seems to be an answering spree! :-) Nice!

anandrkris ( 2015-01-15 17:21:06 +0300 )edit
2

@bijjal

Does this certificate work mean that there will be progress on the missing (and desperately needed) VPN GUI??

ApB ( 2015-01-19 12:06:25 +0300 )edit

@ApB I'd suggest opening a separate question about that if there isn't one yet. Please don't spam this item with unrelated questions. This is a very popular question and each change sends a notification to 70+ people.

tbr ( 2015-01-19 12:13:26 +0300 )edit
3

Can I ask if there is any further news about progress on this (6 months later)?

dave ( 2015-07-09 00:00:56 +0300 )edit
2

Any news about this (over a year later)? Sailfish OS 2 still has no way to connect to these WiFi networks :(

Alessio ( 2016-05-27 13:02:47 +0300 )edit
54

answered 2013-12-25 01:24:20 +0300 by llornkcor

updated 2014-07-20 21:34:20 +0300 by tbr

This is a known issue, and Jolla is working on a solution.

For the technical, connman needs a patch to properly support PEAP, as well as needing a config file to connect to WPA enterprise networks.


Comments

1

Configuration files, client and CA certificates for WPA Enterprise, mail and web browser should be provisionable via email or a web browser as configuration packages. There could be, for example, a specific MIME type for configuration packages so that they could be directed to a certain config app.

Karri Huhtanen ( 2013-12-27 10:30:13 +0300 )edit

Great, thanks! Another question though: Can I use a hash instead of the plain text? Actually I'm using elakim's solution (deny access to users not being root), but I'd like to "encrypt" the password. I've tried md5 and sha and md4, all to no avail. plain-text-password works fine.

mie ( 2014-01-08 16:39:18 +0300 )edit

@mie You should probably check if wpa_supplicant supports hashed password (it might) and then the form you need to enter the password for it (e.g might be something like {md5}hashhere). Then give that to connman configuration?

Karri Huhtanen ( 2014-01-15 17:13:57 +0300 )edit

@mie "Password string for EAP. This field can include either the plaintext password (using ASCII or hex string) or a NtPasswordHash (16-byte MD4 hash of password) in hash:<32 hex digits> format. NtPasswordHash can only be used when the password is for MSCHAPv2 or MSCHAP" -- Not sure if idea works.

Karri Huhtanen ( 2014-01-15 17:17:44 +0300 )edit
6

@Karri Huhtanen

While I agree that configuration should be loadable via config packages, the creation of a config MUST also be possible on device via GUI - you can't expect folks to pester their universities / work IT to support Jolla at this point and neither can expect everybody to learn how to!

MoritzJT ( 2014-01-19 18:21:13 +0300 )edit
24

answered 2014-04-12 00:55:21 +0300 by Digital Brains

updated 2014-07-20 21:38:53 +0300 by tbr

[update] Fix was part of Update 8. Info below is no longer relevant.
I've managed to get the workaround working again for 1.0.5.16. The problem is this: commit 51e3eaf in the git of wpa_supplicant added a check that a server certificate should not include a client EKU, but this is a configuration that is used in the wild, including in eduroam here at the University of Twente. All that is needed :) is a revert of that commit and a rebuild of wpa_supplicant.

I tried for the first time to build an rpm package (I'm fairly well versed in Debian, but new at rpm and mer). I tried to be quick about it, so I skimmed tutorials and docs and startpaged error messages as I went. I'm sure I'm not doing everything as I should, but it got my phone working :).

DISCLAIMER: I'm not doing things as I should. I'm not changing any version numbers, and force a reinstall of my custom-built package. I think it's very well possible you may need to get your hands in again when the nice people at Jolla fix this properly. I'm offering this to help you, but it might inadvertently BREAK and you will get to keep both pieces! YOU HAVE BEEN WARNED.

I'm not very gentle in the following description: I presume you have developer mode enabled and generally know what you're doing.

First of all, if you decide to trust my build, you can get the rpm I got out of it here (I reserve the right to take that link down soon if I feel so inclined).

You can install the rpm with, as root:

# zypper in -f wpa_supplicant-2.1-1.3.2.armv7hl.rpm

Note how --force is needed because we're re-installing, as I didn't change the version numbers.

If you're like me, you don't really trust strangers who offer you nice binaries, and you'd rather see what changes you make. I will now outline how I built the package.

I based most things on this CentOS tutorial.

First off, we need some packages installed. I did as root:

# zypper si wpa_supplicant

Although I should have done

# zypper si -d wpa_supplicant

because I need the source as the nemo user, and -d tells it to just get build dependencies.

Furthermore:

# zypper in rpm-build meego-rpm-config

This will install a whole bunch of packages.

The needed patch is the reversal of commit 51e3eaf of the hostap Git. Through the tutorial mentioned, I packaged this patch and edited the .spec file. I didn't touch the version and release because I can't figure out how to choose proper ones. You can get the patch here and the patch to the spec file here. Inspect them and see if you like them.

As the nemo user:

$ zypper si wpa_supplicant
$ cd ~/rpmbuild/SPECS/

Save the patch as ~/rpmbuild/SOURCES/wpa_supplicant-dont-fail-client-cert.patch and the spec patch as ~/rpmbuild/SPECS/wpa_supplicant.spec.patch.

$ patch <wpa_supplicant.spec.patch
$ rpmbuild -bb wpa_supplicant.spec

And as root:

# zypper in -f ~nemo/rpmbuild/RPMS/armv7hl/wpa_supplicant-2.1-1.3.2.armv7hl.rpm

Note how --force is needed because we're re-installing, as I didn't change the version numbers.


Comments

1

thanks a lot, it's working again!

till ( 2014-04-14 15:13:11 +0300 )edit

Thanks for figuring all of this out, but I'm kinda scared the next update will fail, so I will wait for the Jolla devs.

ozzi ( 2014-04-15 15:17:08 +0300 )edit
6

If zypper is not installed on your phone (which was my case), the following command also works:

# rpm -i --replacepkgs --replacefiles wpa_supplicant-2.1-1.3.2.armv7hl.rpm

vbregier ( 2014-04-16 10:40:30 +0300 )edit

It's working here, at asml.

RobNas ( 2014-04-29 14:03:00 +0300 )edit

Works with Ziggo too.

richhanz ( 2014-05-28 23:29:43 +0300 )edit
14

answered 2014-10-08 16:33:59 +0300 by krautjan

I am so disappointed in Jolla that this is still not fixed.

Sure, I can make a workaround work, but IMHO this is one of the most important features of any mobile device (being able to connect) and it should work out of the box without needing to customise config files by hand. It has to work, no excuses!

To make it worse, I know that it is possible because it already worked (I forgot under which version; it was before folders were introduced, if I remember right).

It feels broken and I use it less and less. It drives me mad.

I just can't understand what the thinking on the Jolla side is here. What are your priorities? Why is there no communication about this, or did I miss it and someone can point me to the discussion/explanation from Jolla?

It's a friggin year now.


Comments

5

I do know what you mean. For a smartphone, not being able to connect to WiFi is pretty bad, actually sad. From what it seems, we will have this fixed with the next update.

Also, I know Jolla said the phone is out of the beta stage, but I still think SailfishOS is a beta; too many things are missing and not working.

That said, Jolla is working on it, slowly, but they're working on it. Maybe soon we will leave the beta.

Mariusmssj ( 2014-10-08 21:09:39 +0300 )edit
9

answered 2014-04-24 18:13:52 +0300 by chemist

updated 2014-08-28 11:25:37 +0300

[update] Fix was part of Update 8. Info below is no longer relevant.
For those who installed this patched version: after upgrading to 1.0.5.19 (MMS hotfix) you need to reinstall the patched version, as the release version gets pulled in again.

UPDATE: ongoing, this applies to 1.0.7.16 (Saapunki) too


Comments

why did they not just use this hotfix to patch this up?

qrosh ( 2014-04-24 18:53:35 +0300 )edit

@qrosh @Aard will ask the maintainers where they are at - no promises though (he actually read about the problem but never knew that there was already a solution)

chemist ( 2014-04-24 20:44:55 +0300 )edit

Confirmed for 1.0.5.19

RobNas ( 2014-04-29 14:02:29 +0300 )edit

After reinstalling the patched 'wpa_supplicant-2.1-1.3.2.armv7hl.rpm' from Digital Brain it's working fine on SailfishOS 1.0.5.19. I can connect to Eduroam of Leipzig University with the following '/var/lib/connman/wifi_eduroam.config':

[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/deutsche-telekom-root-ca-2.crt
Phase2=PAP
Identity=username@domain
Passphrase=passphrase

A line like 'Anonymous_Identity=anonymous@domain' (recommended, akin to the setting for Android devices) or something like 'Phase1=PEAPLABEL...' (recommended, akin to the setting for wpa_supplicant) or something similar isn't necessary, has no effect or isn't supported. I had to reboot my Jolla after installing the patched version to get connected. You can download the certificate here: https://www.pki.dfn.de/fileadmin/PKI/zertifikate/deutsche-telekom-root-ca-2.crt and copy it to '/etc/ssl/certs', but it should also work with the existing 'ca-bundle.crt'.

alex ( 2014-05-02 20:29:41 +0300 )edit

Do we have to install the patched version even if we opt in to the experimental connman v1.23?

Alex ( 2014-06-10 13:11:04 +0300 )edit
7

answered 2014-09-16 12:53:17 +0300 by Stuarty

updated 2015-09-15 17:34:41 +0300

I got this working at Uppsala with stock SailfishOS 1.0.8.19. I downloaded the certificate from the university eduroam instructions for ubuntu, copied it to /etc/ssl/certs. Then, as root, created a config file as below.

[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/AddTrust-External-CA-Root.crt
Phase1=0
Phase2=mschapv2
Identity=username@user.uu.se
Passphrase=Password from UU

I saved the .config and watched the result with wpa_cli.

Sometimes it connects, disconnects & reconnects repeatedly, five or six times in a row, but then sometimes it behaves well, connecting and remaining connected with no problem.

Update

Eduroam still works for me after 1.0.8.21 security hot fix.

# wpa_cli status
ssid=eduroam
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=TKIP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
ip_address= [your IP]
address= [MAC address]
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)
EAP TLS cipher= [removed]
EAP-TTLSv0 Phase2 method=EAP-MSCHAPV2

I don't know if that helps anyone.

Update September 2015 with 1.1.9.28 early access.

I had to recreate the 'wifi_eduroam.config' file in '/var/lib/connman' and add the cert as above and it works perfectly.

6

answered 2015-06-17 20:23:18 +0300 by viking

There is a nice tool, eduroam CAT (eduroam Configuration Assistant Tool), which has been around for a while now:

https://cat.eduroam.org/

The creation of eduroam CAT has greatly simplified (by "lightyears" ;-) the complexity of configuring eduroam, as it helps people setup their devices properly for eduroam, asking only a few simple questions.

802.1X and EAP is a complex beast, and there are a lot of things that can be set wrong, e.g. failure to check your home institution certificate (checking this is a vital must, to avoid exposure to MITM and rogue-AP attacks ...).

So, eduroam users are highly encouraged (should really be required :-) to use eduroam CAT. The best way to support eduroam on the jolla will thus be to add support for eduroam CAT.

The unofficial workaround using /var/lib/connman/wifi_eduroam.config works just fine, btw. :-), so the only thing required is for a way to store/create that file, and (vitally) the certificate it should (must!) point to.

eduroam CAT is designed to do exactly that, with the necessary EAP config, certificate, institution realm/domain, etc. (as required/supported by the home institution eduroam servers) already setup by the institution admins.

Users only need to fetch and run a configurator (the "eduroam CAT") that matches their device to get it properly configured. The tool only needs to prompt for user ID and password - everything else is set up as specified by the home institution.

Jolla devs: You can contact the CAT team (Link: "Become a CAT developer" on the webpage) to make this happen, or use a new (still experimental) feature, which is a downloadable generic EAP config file in the IETF "EAP Metadata -00" XML format: https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-00.

Make the jolla read (and understand ;-) that format - creating the wifi_eduroam.config and cert files from it - and you have "mission accomplished" :-)

PS: eduroam CAT is really two things:

  • A tool on the CAT webpage to help institution admins create the other.
  • Downloadable configurators for user devices. This is what is usually referred to as "eduroam CAT".

Comments

Thank you for the hint. I can only emphasize the need to avoid exposure to MITM and rogue-AP attacks! The other thing I am currently missing from connman is support for the outer (i.e. anonymous) identity...

tad ( 2015-06-18 13:51:28 +0300 )edit

I don't know connman, but wpa_supplicant on Debian does support it (anonymous_identity=...), as well as checking the CN (Common Name, equally important) in the certificate (subject_match=...).

I use this on Debian (laptop) in wpa_supplicant.conf:

network={
  ssid="eduroam"
  scan_ssid=1
  proto=WPA2
  key_mgmt=WPA-EAP
  pairwise=CCMP
  eap=TTLS
  ca_cert="/path/to/cert.pem"
  subject_match="name.of.cert.tld"
  identity="real_identity@realm.tld"
  anonymous_identity="outer_identity@realm.tld"
  phase2="auth=EAP-MSCHAPV2"
}

viking ( 2015-06-22 23:27:00 +0300 )edit

@viking well, SailfishOS uses connman, so this doesn't help unfortunately

tad ( 2015-11-04 13:00:39 +0300 )edit
5

answered 2014-09-15 22:43:22 +0300 by oku

This setup works at Lappeenranta University of Technology. It has been tested with SailfishOS 1.0.8.19 Tahkalampi, and you don't need to apply any patches or make any wpa_supplicant config anymore. The only things you need for eduroam to work are a certificate file and a connman configuration file for eduroam.

Here are the steps for getting eduroam working in LUT. It should also work in Saimaa University of Applied Sciences. The domain part of the username should of course be saimia.fi. The certificates are the same.

  1. Get the Comodo AddTrust External CA certificate file from https://tunnistus.lut.fi/varmenteet/index.html and save it as /etc/ssl/certs/addtrustexternalcaroot.crt
  2. Make a connman configuration file for eduroam by changing your credentials to the text below and save it to /var/lib/connman/wifi_eduroam.config
[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
CACertFile=/etc/ssl/certs/addtrustexternalcaroot.crt
Phase2=MSCHAPV2
Identity=s1234567@lut.fi
Passphrase=lutpassword
4

answered 2016-12-05 10:26:20 +0300 by Dave999

jolla, any plans to fix this soon, like within a month?


Comments

2

What exactly does not work for you? Did you try e.g. the Roamer app?

bomo ( 2016-12-05 11:28:16 +0300 )edit
1

I'm trying the usability with Sail just to see how it would work for a user. No hacks, no external software, no workarounds, no tricks. If it isn't working by default, it isn't working.

I'm trying to connect to the corporation wifi. Boom! Sorry, could not connect to selected network!

Dave999 ( 2016-12-05 16:52:27 +0300 )edit

Agreed, it's a bit sad to still not be able to connect to corporation/enterprise wi-fi networks.

cquence ( 2016-12-05 17:36:30 +0300 )edit

Well yeah it needs to support the GUI interface to connect to those networks. I can't tell my friend "oh yeah to connect to the internet just open terminal and create this file!"

Mariusmssj ( 2016-12-05 21:19:54 +0300 )edit

What's Sail? I don't have that.

nthn ( 2016-12-05 22:50:52 +0300 )edit
2

answered 2014-10-08 13:39:02 +0300 by oyviaase

Managed to make it work at Høgskolen i Gjøvik. No need for a certificate. I used this config:

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
Phase2=MSCHAPV2
Identity=studentnumber@hig.no
Passphrase=Your HiG password

Comments

2

If you do not specify CA certificate, you make your username and password vulnerable for man-in-the-middle attack.

Karri Huhtanen ( 2014-10-08 16:00:35 +0300 )edit

The "official" guide from HiG specifies that there is no CA certificate in use. http://english.hig.no/it_department/instructions/network/eduroam/ubuntu

oyviaase ( 2014-10-08 18:42:55 +0300 )edit

@oyviaase: I believe that NetworkManager uses the system CAs if none are specified. I'm not sure if connman does the same or not.

hobarrera ( 2014-10-08 20:23:31 +0300 )edit

Oh, scrub that, step 3 on this link proves that they offer no security at all, and used unsigned certificates (and are vulnerable to MITM attacks).

hobarrera ( 2014-10-08 20:24:06 +0300 )edit
1

Shame on them (HiG). Having a proper private CA certificate and checking that would be most secure solution for WPA authentication. This is because ConnMan does not seem to provide any way to check any details like hostname in CN in the certificate ( https://together.jolla.com/question/15292/connman-does-not-support-certificate-detail-verification/ ). If this kind of certificate detail verification is not done, any other certificate, which is validated by selected CA (or in the worst case all system CAs) can be used to perform man-in-the-middle attack. Certificates and WPA Enterprise do not work the same way as WWW server certificate authentication, because there isn't IP connectivity or access to DNS when the server certificate is checked.

Karri Huhtanen ( 2014-10-09 10:26:10 +0300 )edit
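The pitfalls raised across this thread (a config without CACertFile exposing credentials to a rogue AP, a catch-all CA bundle that lets any public-CA certificate through, an Identity missing its @realm, and case-sensitive key names) as a small linter for the /var/lib/connman/wifi_eduroam.config format. This is an added example, not ConnMan's or Jolla's code; the sample configs are constructed from the ones posted above with placeholder credentials, and the key list is limited to the keys that appear in this thread.

```python
"""Lint a ConnMan wifi_*.config provisioning file for WPA-Enterprise pitfalls.

Constructed example for this thread, not ConnMan tooling. Findings are
(severity, message) pairs so the result can be checked programmatically.
"""
import configparser

# Key spellings used in the working configs above; ConnMan is case-sensitive here.
KNOWN_KEYS = {"Type", "Name", "EAP", "CACertFile", "Phase1", "Phase2", "Identity", "Passphrase"}
# Inner (Phase2) methods that appear with each outer EAP method in this thread.
PHASE2_FOR_EAP = {"peap": {"mschapv2"}, "ttls": {"pap", "mschapv2"}}
# Catch-all bundles: every certificate chaining to any public CA is then accepted.
SYSTEM_BUNDLES = {"/etc/ssl/certs/ca-bundle.crt"}


def lint_connman_config(text):
    """Return a list of (severity, message) findings for one config file text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # preserve the author's key casing so it can be checked
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        if not section.startswith("service_"):
            findings.append(("HIGH", f"[{section}] section must be named service_<id>"))
            continue
        opts = dict(parser.items(section))
        for key in opts:
            if key not in KNOWN_KEYS:
                hint = next((k for k in KNOWN_KEYS if k.lower() == key.lower()), None)
                if hint:
                    findings.append(("HIGH", f"[{section}] key '{key}' is mis-cased; use '{hint}'"))
                else:
                    findings.append(("LOW", f"[{section}] unknown key '{key}'"))
        if opts.get("Type") != "wifi":
            findings.append(("HIGH", f"[{section}] Type must be 'wifi'"))
        eap = opts.get("EAP", "").lower()
        if eap not in PHASE2_FOR_EAP:
            findings.append(("HIGH", f"[{section}] missing or unknown EAP='{eap}'"))
        else:
            phase2 = opts.get("Phase2", "").lower()
            if phase2 not in PHASE2_FOR_EAP[eap]:
                findings.append(("MEDIUM", f"[{section}] Phase2='{phase2}' not a known inner method for {eap}"))
        ca = opts.get("CACertFile")
        if not ca:
            findings.append(("HIGH", f"[{section}] no CACertFile: credentials can be captured by a rogue AP"))
        elif ca in SYSTEM_BUNDLES:
            findings.append(("MEDIUM", f"[{section}] CACertFile is a system bundle; pin the institution CA"))
        if "@" not in opts.get("Identity", ""):
            findings.append(("MEDIUM", f"[{section}] Identity lacks @realm; ConnMan needs the domain part"))
        if "Passphrase" not in opts:
            findings.append(("LOW", f"[{section}] no Passphrase set"))
    return findings


# Constructed samples modelled on configs posted in this thread (placeholder secrets).
NO_CA_CONFIG = """[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
Phase2=MSCHAPV2
Identity=studentnumber@hig.no
Passphrase=placeholder
"""

PINNED_CA_CONFIG = """[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/deutsche-telekom-root-ca-2.crt
Phase2=PAP
Identity=username@domain
Passphrase=placeholder
"""

if __name__ == "__main__":
    for label, cfg in (("no CA", NO_CA_CONFIG), ("pinned CA", PINNED_CA_CONFIG)):
        print(label, lint_connman_config(cfg) or "OK")
```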
Asked: 2013-12-24 17:43:42 +0300
Last updated: Dec 05 '16