[How-To] WPA-802.1X (enterprise), eduroam +[Others] GUI wifi support needed + workaround [released]

asked 2013-12-24 17:43:42 +0200

Jolla needs to add support for using WPA-802.1X for wifi connections, as a lot of routers, workplaces and universities use it.

So the WPA Supplicant does work now, but there is no GUI implementation for adding additional networks, so you will need to use the workaround described below. To make things easier, try using an SSH connection from your PC to the Jolla; that should be easier than typing it out on the on-screen keyboard.

How to SSH found here

Currently there is an unofficial workaround which people can use.

a) activate developer-mode (Settings->System->DeveloperMode)
b) use the terminal on the device or ssh to the device
c) install vim or any other text editor
d) vim /var/lib/connman/wifi_eduroam.config


wifi_eduroam.config: please note that entries seem to be case sensitive

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
CACertFile=/etc/ssl/certs/ca-bundle.crt
Phase2=MSCHAPV2
Identity=user@domain
Passphrase=yoursecret


e) save and exit
f) turn on/off wlan (or reboot phone)


Please feel free to contribute :)

If you want to install vim or nano, use these commands in the terminal:

nano:

pkcon install nano


vim:

pkcon install zypper
zypper in vim


[update]: nodevel has released a Sailfish application which allows you to create such networks. Feel free to have a look at [Roamer](https://openrepos.net/content/nodevel/roamer)

As an example, here is my eduroam login for the university connection:

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
Phase1=0
Phase2=MSCHAPV2
Identity=********@glam.ac.uk
Passphrase=********


There was no need to specify the certificate.

ChemIst's eduroam config for uni-kl.de (please note that entries seem to be case sensitive):

[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/ca-bundle.crt
Phase2=PAP
Identity=********@rhrk.uni-kl.de
Passphrase=********
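
A way to generate and sanity-check such a wifi_*.config before dropping it into /var/lib/connman, as an added example that is not code from the original post or from connman: it renders the bare key=value form used above, keeps key case exactly as written, and flags the omissions that matter for security, in particular a PEAP/TTLS service without a CACertFile (the RADIUS server's certificate is then not verified, so the inner username and password are exposed to any access point announcing the same SSID, the MITM/rogue-AP exposure mentioned later in this thread) and an Identity with no @realm. The section name, key names and field values are taken from the configs in this post; the GTC inner method and the 0600 file mode are assumptions, and the check that the CA file exists is only meaningful when run on the device itself.

```python
import configparser
import os
from typing import Dict, List

# connman reads every /var/lib/connman/wifi_<anything>.config; the key names
# below are the ones used in this thread and are case-sensitive.
REQUIRED_KEYS = ("Type", "Name", "EAP", "Identity", "Passphrase")
TUNNELLED_EAP = {"peap", "ttls"}           # outer methods that carry a password inside TLS
KNOWN_PHASE2 = {"MSCHAPV2", "PAP", "GTC"}  # inner methods: PAP/MSCHAPV2 from the thread, GTC assumed


def render_service(service: str, fields: Dict[str, str]) -> str:
    """Render one [service_<name>] block in connman's bare key=value form."""
    lines = [f"[service_{service}]"]
    lines.extend(f"{key}={value}" for key, value in fields.items())
    return "\n".join(lines) + "\n"


def check_config(text: str, check_files: bool = False) -> List[str]:
    """Return a list of problems found in a connman wifi config; empty means OK.

    check_files=True additionally requires CACertFile to exist on disk,
    which only makes sense when this runs on the device.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written; connman keys are case-sensitive
    parser.read_string(text)
    problems: List[str] = []
    for section in parser.sections():
        if not section.startswith("service_"):
            problems.append(f"[{section}]: section name must start with service_")
            continue
        svc = parser[section]
        for key in REQUIRED_KEYS:
            if key not in svc:
                problems.append(f"[{section}]: missing {key}")
        if svc.get("Type") != "wifi":
            problems.append(f"[{section}]: Type must be wifi")
        eap = svc.get("EAP", "").lower()
        if eap in TUNNELLED_EAP:
            if svc.get("Phase2", "").upper() not in KNOWN_PHASE2:
                problems.append(f"[{section}]: Phase2 should be one of {sorted(KNOWN_PHASE2)}")
            ca = svc.get("CACertFile")
            if ca is None:
                # Without a CA file the RADIUS server certificate is not verified, so the
                # inner credentials would be offered to any AP announcing this SSID.
                problems.append(f"[{section}]: no CACertFile, server certificate will not be verified")
            elif not os.path.isabs(ca):
                problems.append(f"[{section}]: CACertFile must be an absolute path")
            elif check_files and not os.path.isfile(ca):
                problems.append(f"[{section}]: CACertFile {ca} does not exist")
        elif eap:
            problems.append(f"[{section}]: EAP={svc['EAP']} is not covered by this checker")
        if "@" not in svc.get("Identity", "@"):
            # eduroam forwards the request to the home institution by the realm after '@'.
            problems.append(f"[{section}]: Identity has no @realm")
    return problems


def write_config(path: str, text: str) -> None:
    """Write the config with mode 0600 (assumed): it contains the plaintext Passphrase."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # also tighten a pre-existing file that was created more loosely


# Constructed examples: a TTLS/PAP service like the ones in this thread,
# and a PEAP service that omits the CA file and the realm.
GOOD_CONFIG = render_service("eduroam", {
    "Type": "wifi", "Name": "eduroam", "EAP": "ttls",
    "CACertFile": "/etc/ssl/certs/ca-bundle.crt", "Phase2": "PAP",
    "Identity": "user@example.edu", "Passphrase": "example-secret",
})
BAD_CONFIG = render_service("eduroam", {
    "Type": "wifi", "Name": "eduroam", "EAP": "peap", "Phase2": "MSCHAPV2",
    "Identity": "user", "Passphrase": "example-secret",
})

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_config(cfg) or "OK")
```

On the device, run check_config(text, check_files=True) and only then write_config("/var/lib/connman/wifi_eduroam.config", text) as root; connman picks the file up when wlan is toggled, as the steps above describe.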


Comments

12

The title is misleading. You're asking for WPA Enterprise, specifically an EAP variety of it. This is not PSK.

( 2013-12-24 20:00:32 +0200 )
5

Doesn't eduroam use TTLS, PAP, and also needs an anonymous identity? It does at the Heinrich-Heine-University in Düsseldorf at least ;)

( 2013-12-24 22:06:49 +0200 )
13

eduroam uses quite a variety of EAP methods depending on the home organisation. Some use PEAP, some EAP-TTLS+PAP, some EAP-TTLS+MSCHAPv2, some EAP-TLS, some EAP-PWD. This means that either Jolla should have UI for configuring various wpa_supplicant parameters or way to provision config and certs.

( 2013-12-27 10:32:23 +0200 )

Works great, just connected a wpa2 enterprise network....

( 2013-12-30 11:41:10 +0200 )
2

Had a little trouble with Helsinki University Eduroam myself, but got this to work after I realized connman really does require the domain part in the username (as opposed to wpa_supplicant that I normally use). Their CA Cert can be downloaded here: https://www.helsinki.fi/atk/ca/HYAD_ROOT_CA.pem

( 2014-01-02 18:11:25 +0200 )

18 Answers


answered 2015-01-15 15:40:22 +0200

We are planning to support this feature. It depends on the availability of certificate management system on the OS. We are in process of completing the middleware bits for this and soon need to implement the UI for certificate manager. Thereafter we should be clear to implement WPA Enterprise support.


Comments

1

@bijjal - Seems to be an answering spree! :-) Nice!

( 2015-01-15 17:21:06 +0200 )
2

@bijjal

Does this certificate work mean that there will be progress on the missing (and desperately needed) VPN GUI??

( 2015-01-19 12:06:25 +0200 )

@ApB I'd suggest opening a separate question about that if there isn't one yet. Please don't spam this item with unrelated questions. This is a very popular question and each change sends a notification to 70+ people.

( 2015-01-19 12:13:26 +0200 )
3

Can I ask if there is any further news about progress on this (6 months later)?

( 2015-07-09 00:00:56 +0200 )
2

Any news about this (over a year later)? Sailfish OS 2 still has no way to connect to these WiFi networks :(

( 2016-05-27 13:02:47 +0200 )

answered 2013-12-25 01:24:20 +0200

This is a known issue, and Jolla is working on a solution.

For the technical, connman needs a patch to properly support PEAP, as well as needing a config file to connect to WPA enterprise networks.


Comments

1

Configuration files, client and CA certificates for WPA Enterprise, mail and web browser should be provisionable via email or web browser as configuration packages. There could for example be a specific MIME type for configuration packages so that they could be directed to a certain config app.

( 2013-12-27 10:30:13 +0200 )

Great, thanks! Another question though: Can I use a hash instead of the plain text? Actually I'm using elakim's solution (deny access to users not being root), but I'd like to "encrypt" the password. I've tried md5 and sha and md4, all to no avail. plain-text-password works fine.

( 2014-01-08 16:39:18 +0200 )

@mie You should probably check if wpa_supplicant supports hashed password (it might) and then the form you need to enter the password for it (e.g might be something like {md5}hashhere). Then give that to connman configuration?

( 2014-01-15 17:13:57 +0200 )

@mie "Password string for EAP. This field can include either the plaintext password (using ASCII or hex string) or a NtPasswordHash (16-byte MD4 hash of password) in hash:<32 hex digits> format. NtPasswordHash can only be used when the password is for MSCHAPv2 or MSCHAP" -- Not sure if idea works.

( 2014-01-15 17:17:44 +0200 )
6

@Karri Huhtanen

While I agree that configuration should be loadable via config packages, the creation of a config MUST also be possible on device via GUI - you can't expect folks to pester their universities / work IT to support Jolla at this point and neither can expect everybody to learn how to!

( 2014-01-19 18:21:13 +0200 )

answered 2014-04-12 00:55:21 +0200

[update] Fix was part of Update 8. Info below is no longer relevant.
I've managed to get the workaround working again for 1.0.5.16. The problem is this: commit 51e3eaf in the git of wpa_supplicant added a check that a server certificate should not include a client EKU, but this is a configuration that is used in the wild, including in eduroam here at the University of Twente. All that is needed :) is a revert of that commit and a rebuild of wpa_supplicant.

I tried for the first time to build an rpm package (I'm fairly well versed in Debian, but new at rpm and mer). I tried to be quick about it, so I skimmed tutorials and docs and startpaged error messages as I went. I'm sure I'm not doing everything as I should, but it got my phone working :).

DISCLAIMER: I'm not doing things as I should. I'm not changing any version numbers, and force a reinstall of my custom-built package. I think it's very well possible you may need to get your hands in again when the nice people at Jolla fix this properly. I'm offering this to help you, but it might inadvertently BREAK and you will get to keep both pieces! YOU HAVE BEEN WARNED.

I'm not very gentle in the following description: I presume you have developer mode enabled and generally know what you're doing.

First of all, if you decide to trust my build, you can get the rpm I got out of it here (I reserve the right to take that link down soon if I feel so inclined).

You can install the rpm with, as root:

# zypper in -f wpa_supplicant-2.1-1.3.2.armv7hl.rpm


Note how --force is needed because we're re-installing, as I didn't change the version numbers.

If you're like me, you don't really trust strangers who offer you nice binaries, and you'd rather see what changes you make. I will now outline how I built the package.

I based most things on this CentOS tutorial.

First off, we need some packages installed. I did as root:

# zypper si wpa_supplicant


Although I should have done

# zypper si -d wpa_supplicant


because I need the source as the nemo user, and -d tells it to just get build dependencies.

Furthermore:

# zypper in rpm-build meego-rpm-config


This will install a whole bunch of packages.

The needed patch is the reversal of commit 51e3eaf of the hostap Git. Through the tutorial mentioned, I packaged this patch and edited the .spec file. I didn't touch the version and release because I can't figure out how to choose proper ones. You can get the patch here and the patch to the spec file here. Inspect them and see if you like them.

As the nemo user:

$ zypper si wpa_supplicant
$ cd ~/rpmbuild/SPECS/


Save the patch as ~/rpmbuild/SOURCES/wpa_supplicant-dont-fail-client-cert.patch and the spec patch as ~/rpmbuild/SPECS/wpa_supplicant.spec.patch.

$ patch <wpa_supplicant.spec.patch
$ rpmbuild -bb wpa_supplicant.spec


And as root:

# zypper in -f ~nemo/rpmbuild/RPMS/armv7hl/wpa_supplicant-2.1-1.3.2.armv7hl.rpm


Note how --force is needed because we're re-installing, as I didn't change the version numbers.


Comments

1

thanks a lot, it's working again!

( 2014-04-14 15:13:11 +0200 )

Thanks for figuring all of this out, but I'm kinda scared the next update will fail, so I will wait for the Jolla devs.

( 2014-04-15 15:17:08 +0200 )
6

If zypper is not installed on your phone (which was my case), the following command also works:

# rpm -i --replacepkgs --replacefiles wpa_supplicant-2.1-1.3.2.armv7hl.rpm

( 2014-04-16 10:40:30 +0200 )

It's working here, at asml.

( 2014-04-29 14:03:00 +0200 )

Works with Ziggo too.

( 2014-05-28 23:29:43 +0200 )

answered 2014-10-08 16:33:59 +0200

I am so disappointed with Jolla that this is still not fixed.

Sure, I can make a workaround work, but IMHO this is one of the most important features of any mobile device (being able to connect) and it should work out of the box without the need to customize config files by hand. It has to work, no excuses!

To make it worse i know that it is possible cause it worked already (forgot under which version, it was before folders were introduced if i remember right).

It feels broken and i use it less and less. It drives me mad.

I just can't understand what the thinking on the jolla side here is. What are your priorities? Why is there no communication about this or did i miss it and someone can point me to the discussion/explanation from jolla?

It's a friggin year now.


Comments

5

I do know what you mean. For a smartphone, not being able to connect to WiFi is pretty bad, actually sad. From what it seems we will have this fixed with the next update.

Also I know Jolla said the phone is out of the beta stage, but I still think SailfishOS is a beta, too many things missing and not working.

That said, Jolla is working on it, slowly, but they're working on it, maybe soon we will leave the beta.

( 2014-10-08 21:09:39 +0200 )

answered 2014-04-24 18:13:52 +0200

[update] Fix was part of Update 8. Info below is no longer relevant.
For those who installed this patched version: after upgrading to 1.0.5.19 (MMS hotfix) you need to reinstall the patched version, as the release version gets pulled in again.

UPDATE: ongoing, this applies to 1.0.7.16 (Saapunki) too


Comments

why did they not just use this hotfix to patch this up?

( 2014-04-24 18:53:35 +0200 )

@qrosh@Aard will ask the maintainers where they are at - no promises though (he actually read about the problem but never knew that there was already a solution)

( 2014-04-24 20:44:55 +0200 )

Confirmed for 1.0.5.19

( 2014-04-29 14:02:29 +0200 )

After reinstalling the patched 'wpa_supplicant-2.1-1.3.2.armv7hl.rpm' from Digital Brain it's working fine on SailfishOS 1.0.5.19. I can connect to Eduroam of Leipzig University with the following '/var/lib/connman/wifi_eduroam.config':

[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/deutsche-telekom-root-ca-2.crt
Phase2=PAP
Identity=username@domain
Passphrase=passphrase


A line like 'Anonymous_Identity=anonymous@domain' (recommended, akin to the setting for Android devices) or something like 'Phase1=PEAPLABEL...' (recommended, akin to the setting for wpa_supplicant) or something similar isn't necessary, has no effect or isn't supported. I had to reboot my Jolla after installing the patched version to get connected. You can download the certificate here: https://www.pki.dfn.de/fileadmin/PKI/zertifikate/deutsche-telekom-root-ca-2.crt and copy it to '/etc/ssl/certs', but it should also work with the existing 'ca-bundle.crt'.

( 2014-05-02 20:29:41 +0200 )

Do we have to install the patched version even if we opt in to the experimental connman v1.23?

( 2014-06-10 13:11:04 +0200 )

answered 2014-09-16 12:53:17 +0200

I got this working at Uppsala with stock SailfishOS 1.0.8.19. I downloaded the certificate from the university eduroam instructions for ubuntu, copied it to /etc/ssl/certs. Then, as root, created a config file as below.

[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/AddTrust-External-CA-Root.crt
Phase1=0
Phase2=mschapv2
Identity=username@user.uu.se
Passphrase=Password from UU


I saved the .config and watched the result with wpa_cli.

Sometimes it connects, disconnects & reconnects repeatedly, five or six times in a row, but then sometimes it behaves well, connecting and remaining connected with no problem.

Update

Eduroam still works for me after 1.0.8.21 security hot fix.

# wpa_cli status
ssid=eduroam
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=TKIP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
ip_address= [your IP]
address= [MAC address]
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)
EAP TLS cipher= [removed]
EAP-TTLSv0 Phase2 method=EAP-MSCHAPV2


I don't know if that helps anyone.

Update September 2015 with 1.1.9.28 early access.

I had to recreate the 'wifi_eduroam.config' file in '/var/lib/connman' and add the cert as above and it works perfectly.

Update June 2017 with 2.1.0.11

With a new install and no previous config I followed the instructions above and it worked immediately.
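
A way to read that wpa_cli status output mechanically rather than by eye, as an added example that is not code from this answer or from wpa_supplicant: it parses the key=value lines (some keys contain spaces, some values have a leading space) and checks that the association really is IEEE 802.1X/EAP, that the outer and inner methods are the ones the config file asked for, that the unicast cipher is CCMP, and it notes that group_cipher=TKIP, as in the output above, means the AP is in WPA/WPA2 mixed mode and still uses the legacy cipher for broadcast traffic. The sample status is constructed from the output above, with made-up address and TLS cipher values.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the 'wpa_cli status' output in this answer;
# the IP, MAC and TLS cipher values are made up.
SAMPLE_STATUS = """\
ssid=eduroam
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=TKIP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
ip_address= 192.0.2.10
address= 02:00:00:00:00:01
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)
EAP TLS cipher= TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
EAP-TTLSv0 Phase2 method=EAP-MSCHAPV2
"""


def parse_status(text: str) -> Dict[str, str]:
    """Turn 'key=value' lines (keys may contain spaces) into a dict."""
    status: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        status[key.strip()] = value.strip()
    return status


def selected_method(status: Dict[str, str]) -> Optional[str]:
    """Extract 'EAP-TTLS' from a line like 'selectedMethod=21 (EAP-TTLS)'."""
    match = re.search(r"\((EAP-[A-Za-z0-9-]+)\)", status.get("selectedMethod", ""))
    return match.group(1) if match else None


def check_status(status: Dict[str, str], expected_method: str,
                 expected_phase2: Optional[str] = None) -> List[str]:
    """Compare the live association with what the connman config was meant to negotiate."""
    findings: List[str] = []
    if status.get("wpa_state") != "COMPLETED":
        findings.append(f"wpa_state is {status.get('wpa_state')}, not COMPLETED")
    if "802.1X" not in status.get("key_mgmt", ""):
        findings.append("key_mgmt is not IEEE 802.1X/EAP: this is not an enterprise association")
    if status.get("EAP state") != "SUCCESS":
        findings.append(f"EAP state is {status.get('EAP state')}, not SUCCESS")
    method = selected_method(status)
    if method != expected_method:
        findings.append(f"server selected {method}, config expected {expected_method}")
    if expected_phase2:
        # The inner method key is prefixed with the outer method, e.g. 'EAP-TTLSv0 Phase2 method'.
        phase2 = next((v for k, v in status.items() if k.endswith("Phase2 method")), None)
        if phase2 != expected_phase2:
            findings.append(f"inner method is {phase2}, expected {expected_phase2}")
    if status.get("pairwise_cipher") != "CCMP":
        findings.append(f"pairwise cipher is {status.get('pairwise_cipher')}, not CCMP")
    if status.get("group_cipher") == "TKIP":
        # A TKIP group key means the AP runs WPA/WPA2 mixed mode: the unicast link is
        # CCMP, but broadcast and multicast frames still use the legacy cipher.
        findings.append("group cipher is TKIP (mixed-mode AP); broadcast traffic uses the legacy cipher")
    return findings


if __name__ == "__main__":
    # On the device: status = parse_status(subprocess.check_output(["wpa_cli", "status"], text=True))
    for finding in check_status(parse_status(SAMPLE_STATUS), "EAP-TTLS", "EAP-MSCHAPV2"):
        print(finding)
```

Running it on the sample above yields one finding, the TKIP group cipher; passing a different expected outer method (say EAP-PEAP for a config that had EAP=peap) adds a second, which is the quickest way to notice that the server negotiated something other than what the config file intended.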


answered 2015-06-17 20:23:18 +0200

There is a nice tool, eduroam CAT (eduroam Configuration Assistant Tool), which has been around for a while now:

https://cat.eduroam.org/

The creation of eduroam CAT has greatly simplified (by "lightyears" ;-) the complexity of configuring eduroam, as it helps people setup their devices properly for eduroam, asking only a few simple questions.

802.1X and EAP is a complex beast, and there are a lot of things that can be set wrong, e.g. failure to check your home institution certificate (checking this is a vital must, to avoid exposure to MITM and rogue-AP attacks ...).

So, eduroam users are highly encouraged (should really be required :-) to use eduroam CAT. The best way to support eduroam on the jolla will thus be to add support for eduroam CAT.

The unofficial workaround using /var/lib/connman/wifi_eduroam.config works just fine, btw. :-), so the only thing required is for a way to store/create that file, and (vitally) the certificate it should (must!) point to.

eduroam CAT is designed to do exactly that, with the necessary EAP config, certificate, institution realm/domain, etc. (as required/supported by the home institution eduroam servers) already setup by the institution admins.

Users only need to fetch and run a configurator (the "eduroam CAT") that matches their device to get it properly configured. The tool only needs to prompt for userid and password - everything else is set up as specified by the home institution.

Jolla devs: You can contact the CAT team (Link: "Become a CAT developer" on the webpage) to make this happen, or use a new (still experimental) feature, which is a downloadable generic EAP config file in the IETF "EAP Metadata -00" XML format: https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-00.

Make the jolla read (and understand ;-) that format - creating the wifi_eduroam.config and cert files from it - and you have "mission accomplished" :-)

PS: eduroam CAT is really two things:

• A tool on the CAT webpage to help institution admins create the other.
• Downloadable configurators for user devices. This is what is usually referred to as "eduroam CAT".

Comments

Thank you for the hint. I can only emphasize the need to avoid exposure to MITM and rogue-AP attacks! The other thing I am currently missing from connman is the support for outer (i.e. anonymous) identity...

( 2015-06-18 13:51:28 +0200 )

I don't know connman, but wpa_supplicant on Debian does support it (anonymous_identity=...), as well as checking the CN (Common Name, equally important) in the certificate (subject_match=...).

I use this on Debian (laptop) in wpa_supplicant.conf:

network={
ssid="eduroam"
scan_ssid=1
proto=WPA2
key_mgmt=WPA-EAP
pairwise=CCMP
eap=TTLS
ca_cert="/path/to/cert.pem"
subject_match="name.of.cert.tld"
identity="real_identity@realm.tld"
anonymous_identity="outer_identity@realm.tld"
phase2="auth=EAP-MSCHAPV2"
}

( 2015-06-22 23:27:00 +0200 )

@viking well, SailfishOS uses connman, so this doesn't help unfortunately

( 2015-11-04 13:00:39 +0200 )

answered 2017-07-24 19:57:48 +0200

This is now available in 2.1.1!


Comments

Finally!

( 2017-07-24 20:45:15 +0200 )
2

Well after the update I am unable to connect to my university's eduroam WIFI (my university is using certificates).

Does anyone have an idea how to make it work again?

( 2017-07-27 16:30:04 +0200 )
3

BTW the requested feature is still not fully implemented because the certificate management is still missing.

( 2017-07-27 16:37:34 +0200 )

Will the certificate management be part of a future update? Eduroam is not usable for me either..

( 2017-10-07 15:02:10 +0200 )

Same problem as @alex here. Posted https://together.jolla.com/question/173353/wpa-enterprise-8021x-stopped-working-with-211/ about it.

( 2017-11-10 20:48:12 +0200 )

answered 2014-09-15 22:43:22 +0200

This setup works at Lappeenranta University of Technology. It has been tested with SailfishOS 1.0.8.19 Tahkalampi, and you don't need to apply any patches or make any wpa_supplicant config anymore. The only things you need for eduroam to work are a certificate file and a connman configuration file for eduroam.

Here are the steps for getting eduroam working in LUT. It should also work in Saimaa University of Applied Sciences. The domain part of the username should of course be saimia.fi. The certificates are the same.

1. Get the Comodo AddTrust External CA certificate file from https://tunnistus.lut.fi/varmenteet/index.html and save it as /etc/ssl/certs/addtrustexternalcaroot.crt
2. Make a connman configuration file for eduroam by changing your credentials to the text below and save it to /var/lib/connman/wifi_eduroam.config
[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
CACertFile=/etc/ssl/certs/addtrustexternalcaroot.crt
Phase2=MSCHAPV2
Identity=s1234567@lut.fi
Passphrase=lutpassword

answered 2016-12-05 10:26:20 +0200

jolla, any plans to fix this soon, like within a month?


Comments

2

What exactly does not work for you? Did you try e.g. the Roamer app?

( 2016-12-05 11:28:16 +0200 )
1

I'm trying the usability with Sail just to see how it would work for a user. No hacks, no external software, no workarounds, no tricks. If it isn't working by default, it isn't working.

I'm trying to connect to the corporate wifi. Boom! Sorry, could not connect to the selected network!

( 2016-12-05 16:52:27 +0200 )

Agreed, it's a bit sad to still not be able to connect to corporate/enterprise wi-fi networks

( 2016-12-05 17:36:30 +0200 )

Well yeah it needs to support the GUI interface to connect to those networks. I can't tell my friend "oh yeah to connect to the internet just open terminal and create this file!"

( 2016-12-05 21:19:54 +0200 )

What's Sail? I don't have that.

( 2016-12-05 22:50:52 +0200 )

Stats

Asked: 2013-12-24 17:43:42 +0200

Seen: 27,092 times

Last updated: Jul 24 '17