# [How-To] WPA-802.1X (enterprise), eduroam +[Others] GUI wifi support needed + workaround [released]

Jolla needs to add support of using WPA-802.1X for the wifi connections, as a lot of routers + workspaces + universities use it.

So the WPA Supplicant does work now but there is no GUI implementation of adding additional networks, you will need to use a workaround described below. To make things easier try to use SSH connection from your PC to Jolla, that should make it easier than typing it out on screen keyboard.

How to SSH found here

Currently there is an unofficial workaround which people can use.

a) activate developer-mode (Settings->System->DeveloperMode)
b) use the terminal on the device or ssh to the device
c) install vim or any other text editor
d) vim /var/lib/connman/wifi_eduroam.config


wifi_eduroam.config: please note that entries seem to be case sensitive

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
CACertFile=/etc/ssl/certs/ca-bundle.crt
Phase2=MSCHAPV2
Identity=user@domain
Passphrase=yoursecret


e) save and exit
f) turn on/off wlan (or reboot phone)


Please feel free to contribute :)

if you want to install vim or nano please use the commands in terminal

nano:

pkcon install nano


vim:

pkcon install zypper
zypper in vim


[update]: nodevel has released a sailfish application which allows to create such networks, Feel free to have a loop at [Roamer](https://openrepos.net/content/nodevel/roamer)

As an example here is my eduroam login for University connection

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
Phase1=0
Phase2=MSCHAPV2
Identity=********@glam.ac.uk
Passphrase=********


There was no need to specify the certificate

ChemIst's Eduroam Config for uni-kl.de please note that entries seem to be case sensitive

[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/ca-bundle.crt
Phase2=PAP
Identity=********@rhrk.uni-kl.de
Passphrase=********

edit retag reopen delete

### The question has been closed for the following reason "released in a software update"by ApB close date 2017-07-24 20:32:28.836280

12

The title is misleading. You're asking for WPA Enterprise, specifically an EAP variety of it. This is not PSK.

( 2013-12-24 20:00:32 +0300 )edit
5

Doesn't eduroam use TTLS, PAP, and also needs an anonymous identity? It does at the Heinrich-Heine-University in Düsseldorf at least ;)

( 2013-12-24 22:06:49 +0300 )edit
13

eduroam uses quite a variety of EAP methods depending on the home organisation. Some use PEAP, some EAP-TTLS+PAP, some EAP-TTLS+MSCHAPv2, some EAP-TLS, some EAP-PWD. This means that either Jolla should have UI for configuring various wpa_supplicant parameters or way to provision config and certs.

( 2013-12-27 10:32:23 +0300 )edit

Works great, just connected a wpa2 enterprise network....

( 2013-12-30 11:41:10 +0300 )edit
2

Had a little trouble with Helsinki University Eduroam myself, but got this to work after I realized connman really does require the domain part in the username (as opposed to wpa_supplicant that I normally use). Their CA Cert can be downloaded here: https://www.helsinki.fi/atk/ca/HYAD_ROOT_CA.pem

( 2014-01-02 18:11:25 +0300 )edit

Sort by » oldest newest most voted

This is now available in 2.1.1!

more

Finally!​​

( 2017-07-24 20:45:15 +0300 )edit
2

Well after the update I am unable to connect to my university's eduroam WIFI (my university is using certificates).

Got someone an idea how to make it work again?

( 2017-07-27 16:30:04 +0300 )edit
3

BTW the requested feature is still not fully implemented because the certificate management is still missing.

( 2017-07-27 16:37:34 +0300 )edit

Will the certificate management be part of a future update? Eduroam is not usuable for me either..

( 2017-10-07 15:02:10 +0300 )edit

Same problem as @alex here. Posted https://together.jolla.com/question/173353/wpa-enterprise-8021x-stopped-working-with-211/ about it.

( 2017-11-10 20:48:12 +0300 )edit

jolla, any plans to fix this soon, like within a month?

more

2

What exactly does not work for you? Did you try e.g. the Roamer app?

( 2016-12-05 11:28:16 +0300 )edit
2

im trying the usability with sail just to see how it would work for a user. no hacks, no external software. no workarounds. no tricks if it isent working as default, it isnt working.

im trying to connect to corporation wifi. Boom! sorry. could not connect to selected network!

( 2016-12-05 16:52:27 +0300 )edit

Agreed, it's a bit sad to still not to be able to connect to corporation/enterprise wi-fi networks

( 2016-12-05 17:36:30 +0300 )edit

Well yeah it needs to support the GUI interface to connect to those networks. I can't tell my friend "oh yeah to connect to the internet just open terminal and create this file!"

( 2016-12-05 21:19:54 +0300 )edit

What's Sail? I don't have that.

( 2016-12-05 22:50:52 +0300 )edit

Hi Sailors,

I'm at the KU Leuven in Belgium and I tried to setup the Eduroam network but unfortunately I get always: 'Problem with connection'

I used the standard configuration file from the tutorial. Somebody who can help?

Dylan

more

Do you maybe need to install some certificates for eduroam to work at your uni? At mine I do, I simply downloaded them with the browser I think and everything worked fine.

( 2015-09-25 18:24:46 +0300 )edit

Yes, check you university website for instructions. For our WLAN I did not have to use a cert at all for example.

( 2015-09-28 09:43:44 +0300 )edit

KU Leuven has a webpage with the instructions for Linux.

I draw your attention to the section they have at the bottom of the page:

ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=1
fast_reauth=1

network={
ssid="eduroam"
key_mgmt=WPA-EAP
eap=PEAP
identity="u0123456@kuleuven.be"
# Ubuntu
# Mandriva
#ca_cert="/etc/pki/tls/certs/ca-bundle.crt"
phase2="auth=MSCHAPV2"
}


No real idea on how to get it to work. Also note that KU Leuven's eduroam network starts with a capital "E": Eduroam

[service_eduroam]
Type=wifi
Name=Eduroam
EAP=peap
CACertFile=/etc/ssl/certs/ca-bundle.crt
Phase2=MSCHAPV2
Identity=r0123456@kuleuven.be
Passphrase=********


The above configuration for some reason does not work.

( 2015-10-05 18:37:16 +0300 )edit

I upgraded my OS to 1.1.7.28 / Björnträsket. Since then I am no longer able to connect to my office enterprise WLAN. I have tried recreating the connman config file. Checked that the certificate file is okay. Jolla phone does not connect to my office WLAN any longer.

Any pointers would be welcome.

more

WPA Enterprise support is on the Roadmap of Sailfish OS for Q4 2015!

Q4 2015

Platform

• Enable certificate management in the UI
• Investigate WiDi/Miracast on the Tablet
• UPNP/DLNA integration
• Investigate dropping connectivity agent and merging functionality with connman or QML plugins
• Investigate possibility for the platform to have only one file indexer
• Investigate merging commhistoryd and contactd
• WPA Enterprise support
• Allow retaining user data when the user resets the device to factory defaults
• Enable open VPN support on the OS
more

I have installed Sailfish 1.1.7.28 on my Jolla.

It is still not working i can not connect to my enterprise WLAN. All other WLAN networks are working. This here is closed :-(/ https://together.jolla.com/question/39281/bug-wpa2-enterprise-wpa_supplicant-fails-when-server-cert-is-also-client-cert-radius-radsec-eduroam/

more

There is a nice tool, eduroam CAT (eduroam Configuration Assistant Tool), which has been around for a while now:

https://cat.eduroam.org/

The creation of eduroam CAT has greatly simplified (by "lightyears" ;-) the complexity of configuring eduroam, as it helps people setup their devices properly for eduroam, asking only a few simple questions.

802.1X and EAP is a complex beast, and there are a lot of things that can be set wrong, e.g. failure to check your home institution certificate (checking this is a vital must, to avoid exposure to MITM and rogue-AP attacks ...).

So, eduroam users are highly encouraged (should really be required :-) to use eduroam CAT. The best way to support eduroam on the jolla will thus be to add support for eduroam CAT.

The unofficial workaround using /var/lib/connman/wifi_eduroam.config works just fine, btw. :-), so the only thing required is for a way to store/create that file, and (vitally) the certificate it should (must!) point to.

eduroam CAT is designed to do exactly that, with the necessary EAP config, certificate, institution realm/domain, etc. (as required/supported by the home institution eduroam servers) already setup by the institution admins.

Users only needs to fetch and run a configurator (the "eduroam CAT") that matches their devices to get them properly configured. The tool only needs to prompt for userid and password - everything else is setup as specified by the home institution.

Jolla devs: You can contact the CAT team (Link: "Become a CAT developer" on the webpage) to make this happen, or use a new (still experimental) feature, which is a downloadable generic EAP config file in the IETF "EAP Metadata -00" XML format: https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-00.

Make the jolla read (and understand ;-) that format - creating the wifi_eduroam.config and cert files from it - and you have "mission accomplished" :-)

PS: eduroam CAT is really two things:

• A tool on the CAT webpage to help institution admins create the other.
• Downloadable configurators for user devices. This is what is usually referred to as "eduroam CAT".
more

thank you for the hint. I can only emphasize the need to avoid exposure to MITM and rogue-AP attacks! the other thing I am currently missing from connman ist the support for outer (i.e. anonymous) identity...

( 2015-06-18 13:51:28 +0300 )edit

I don't know connman, but wpa_supplicant on Debian does support it (anonymous_identity=...), as well as checking the CN (Common Name, equally important) in the certificate (subject_match=...).

I use this on Debian (laptop) in wpa_supplicant.conf:

network={
ssid="eduroam"
scan_ssid=1
proto=WPA2
key_mgmt=WPA-EAP
pairwise=CCMP
eap=TTLS
ca_cert="/path/to/cert.pem"
subject_match="name.of.cert.tld"
identity="real_identity@realm.tld"
anonymous_identity="outer_identity@realm.tld"
phase2="auth=EAP-MSCHAPV2" }

( 2015-06-22 23:27:00 +0300 )edit

@viking well, SailfishOS uses connman, so this doesn't help unfortunately

( 2015-11-04 13:00:39 +0300 )edit

I cannot get this to work with my Leiden University account. Any help would be greatly appreciated. The code I use in /var/lib/connman/wifi_eduroam.config:

[service_eduroam]

Type=wifi

Name=eduroam

EAP=ttls

Phase1=0

Phase2=pap

Anonymous_Identity=anonymous@leidenuniv.nl

more

afaik connman doesn't support anonymous identity yet

( 2015-03-16 19:36:32 +0300 )edit
2

I removed that line and Phase1. It still didn't work until I opened the file and saved it again yesterday. Rebooted and voila... When trying to connect to eduroam, it asked for my username and password! As far as I know, it works now!

( 2015-03-18 13:24:00 +0300 )edit

We are planning to support this feature. It depends on the availability of certificate management system on the OS. We are in process of completing the middleware bits for this and soon need to implement the UI for certificate manager. Thereafter we should be clear to implement WPA Enterprise support.

more

1

@bijjal - Seem to be a answering spree! :-) Nice!

( 2015-01-15 17:21:06 +0300 )edit
2

@bijjal

Does this certificate work means that there will be progress to the VPN gui missing (and desperately needed)??

( 2015-01-19 12:06:25 +0300 )edit

@ApB I'ds suggest to open a separate question about that if there isn't one yet. Please don't spam this item with unrelated questions. This is a very popular question and each change sends a notification to 70+ people.

( 2015-01-19 12:13:26 +0300 )edit
3

Can I ask if there is any further news about progress on this (6 months later)?

( 2015-07-09 00:00:56 +0300 )edit
2

Any news about this (over a year later)? Sailfish OS 2 still have no way to connect to these WiFi :(

( 2016-05-27 13:02:47 +0300 )edit

Since the Security Hotfix for Tahkalampi 1.0.8.21, WiFi on eduroam (with conman config file and own certificate) won't work. It shows as connected (ip link is also UP), but DNS won't work. Anyone else having the same problem? I noticed that the NS is set to link local,

> cat /etc/resolv.conf
# Generated by Connection Manager
nameserver 127.0.0.1
nameserver ::1


but this is also the case when I switch to mobile data (2G/3G), so it seems to be normal. Reconnecting does not solve the issue, switching flight mode and rebooting won't solve it either. On some days it works, on some it just doesn't. It's really annoying, I completely agree with @krautjan that this whole range of problems with WPA Enterprise a major issue that needs to be fixed yesterday. I cannot believe that this essential function is still so broken.

more