[How-To] WPA-802.1X (enterprise), eduroam +[Others] GUI wifi support needed + workaround [released]

Jolla needs to add support of using WPA-802.1X for the wifi connections, as a lot of routers + workspaces + universities use it.

So the WPA supplicant does work now, but there is no GUI for adding such networks; you will need to use the workaround described below. To make things easier, use an SSH connection from your PC to the Jolla; that is easier than typing it all out on the on-screen keyboard.

How to SSH found here

Currently there is an unofficial workaround which people can use.

a) activate developer-mode (Settings->System->DeveloperMode)
b) use the terminal on the device or ssh to the device
c) install vim or any other text editor
d) vim /var/lib/connman/wifi_eduroam.config


wifi_eduroam.config: please note that entries seem to be case sensitive

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
CACertFile=/etc/ssl/certs/ca-bundle.crt
Phase2=MSCHAPV2
Identity=user@domain
Passphrase=yoursecret


e) save and exit
f) turn on/off wlan (or reboot phone)


Please feel free to contribute :)

If you want to install vim or nano, use the following commands in the terminal:

nano:

pkcon install nano


vim:

pkcon install zypper
zypper in vim


[update]: nodevel has released a Sailfish application which allows you to create such networks. Feel free to have a look at [Roamer](https://openrepos.net/content/nodevel/roamer)

As an example here is my eduroam login for University connection

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
Phase1=0
Phase2=MSCHAPV2
Identity=********@glam.ac.uk
Passphrase=********


There was no need to specify the certificate

ChemIst's Eduroam Config for uni-kl.de please note that entries seem to be case sensitive

[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/ca-bundle.crt
Phase2=PAP
Identity=********@rhrk.uni-kl.de
Passphrase=********


The question has been closed for the following reason "released in a software update" by ApB, close date 2017-07-24 20:32:28.836280
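Before copying a hand-written wifi_eduroam.config into /var/lib/connman, a quick offline check catches the mistakes discussed in this thread: wrongly cased keys, an Identity without the domain part connman insists on, a missing CACertFile (which leaves the username and password open to a rogue access point) and a world-readable file holding a plaintext Passphrase. The Python linter below is an added example written for this page; it is not connman's code and not from any poster. The set of recognised keys and the Phase2 values it accepts are taken only from the configs posted here and are assumptions, not connman's full key list.

```python
"""Offline linter for a connman [service_*] wifi config used for WPA
Enterprise (added example for this thread; not connman's own code)."""
import configparser
import os
import sys
from typing import List

# Keys seen in the configs posted in the thread. connman treats keys as
# case sensitive, so the exact spelling matters. (Assumption: this is not
# the complete list of keys connman accepts.)
KNOWN_KEYS = {"Type", "Name", "EAP", "CACertFile", "Phase1", "Phase2",
              "Identity", "Passphrase"}
_LOWER_TO_KNOWN = {k.lower(): k for k in KNOWN_KEYS}

# Inner methods posters reported working for each outer EAP method
# (assumption: other combinations exist, they are just not on the page).
PHASE2_SEEN = {"peap": {"MSCHAPV2"}, "ttls": {"PAP", "MSCHAPV2"}}


def lint_config(text: str, check_paths: bool = False) -> List[str]:
    """Return a list of findings for the config text; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # do not lowercase keys: we want to see the case actually used
    cp.read_string(text)
    findings: List[str] = []
    for section in cp.sections():
        if not section.startswith("service_"):
            findings.append(f"[{section}]: section name should start with 'service_'")
        keys = dict(cp.items(section))
        for key in keys:
            if key in KNOWN_KEYS:
                continue
            proper = _LOWER_TO_KNOWN.get(key.lower())
            if proper:
                findings.append(f"[{section}]: key '{key}' must be written '{proper}' (case sensitive)")
            else:
                findings.append(f"[{section}]: unknown key '{key}'")
        # Case-folded view so the remaining checks still run on miscased keys.
        vals = {k.lower(): v.strip() for k, v in keys.items()}
        if vals.get("type") != "wifi":
            findings.append(f"[{section}]: Type must be 'wifi'")
        eap = vals.get("eap", "").lower()
        if not eap:
            findings.append(f"[{section}]: EAP method missing (e.g. peap or ttls)")
        phase2 = vals.get("phase2", "").upper()
        seen = PHASE2_SEEN.get(eap)
        if seen is not None and phase2 not in seen:
            findings.append(f"[{section}]: Phase2 '{phase2 or '(none)'}' was not reported working with EAP={eap} in this thread")
        if "@" not in vals.get("identity", ""):
            findings.append(f"[{section}]: Identity lacks the @domain part that connman requires")
        ca = vals.get("cacertfile")
        if not ca:
            findings.append(f"[{section}]: no CACertFile: the server certificate is not verified, so a rogue AP can capture the credentials")
        elif check_paths and not os.path.isfile(ca):
            findings.append(f"[{section}]: CACertFile '{ca}' does not exist on this device")
    if not cp.sections():
        findings.append("no [service_*] section found")
    return findings


def lint_file(path: str) -> List[str]:
    """Lint an on-disk config and also check that the plaintext Passphrase is root-only."""
    with open(path, encoding="utf-8") as fh:
        findings = lint_config(fh.read(), check_paths=True)
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} lets other users read the Passphrase; chmod 600 it")
    return findings


# Constructed sample: a config in the style of the HiG one below, with no CACertFile.
SAMPLE_NO_CA = """[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
Phase2=MSCHAPV2
Identity=studentnumber@hig.no
Passphrase=example-only
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [(p, lint_file(p)) for p in targets] if targets else [("<sample>", lint_config(SAMPLE_NO_CA))]
    for name, found in results:
        print(f"{name}: {'OK' if not found else ''}")
        for f in found:
            print("  -", f)
```

Run it as root on the device with the config path as argument (`python3 lint.py /var/lib/connman/wifi_eduroam.config`) to get the file-permission check as well; with no argument it lints the embedded sample and reports the missing CACertFile.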

12

The title is misleading. You're asking for WPA Enterprise, specifically an EAP variety of it. This is not PSK.

( 2013-12-24 20:00:32 +0200 )
5

Doesn't eduroam use TTLS, PAP, and also needs an anonymous identity? It does at the Heinrich-Heine-University in Düsseldorf at least ;)

( 2013-12-24 22:06:49 +0200 )
13

eduroam uses quite a variety of EAP methods depending on the home organisation. Some use PEAP, some EAP-TTLS+PAP, some EAP-TTLS+MSCHAPv2, some EAP-TLS, some EAP-PWD. This means that either Jolla should have UI for configuring various wpa_supplicant parameters or way to provision config and certs.

( 2013-12-27 10:32:23 +0200 )

Works great, just connected a wpa2 enterprise network....

( 2013-12-30 11:41:10 +0200 )
2

Had a little trouble with Helsinki University Eduroam myself, but got this to work after I realized connman really does require the domain part in the username (as opposed to wpa_supplicant that I normally use). Their CA Cert can be downloaded here: https://www.helsinki.fi/atk/ca/HYAD_ROOT_CA.pem

( 2014-01-02 18:11:25 +0200 )


This is a known issue, and Jolla is working on a solution.

For the technical, connman needs a patch to properly support PEAP, as well as needing a config file to connect to WPA enterprise networks.


1

Configuration files, client and CA certificates for WPA Enterprise, mail and web browser should be provisionable via email or web browser as configuration packages. There could be, for example, a specific MIME type for configuration packages so that they could be directed to a certain config app.

( 2013-12-27 10:30:13 +0200 )

Great, thanks! Another question though: Can I use a hash instead of the plain text? Actually I'm using elakim's solution (deny access to users not being root), but I'd like to "encrypt" the password. I've tried md5 and sha and md4, all to no avail. plain-text-password works fine.

( 2014-01-08 16:39:18 +0200 )

@mie You should probably check if wpa_supplicant supports hashed password (it might) and then the form you need to enter the password for it (e.g might be something like {md5}hashhere). Then give that to connman configuration?

( 2014-01-15 17:13:57 +0200 )

@mie "Password string for EAP. This field can include either the plaintext password (using ASCII or hex string) or a NtPasswordHash (16-byte MD4 hash of password) in hash:<32 hex digits> format. NtPasswordHash can only be used when the password is for MSCHAPv2 or MSCHAP" -- Not sure if idea works.

( 2014-01-15 17:17:44 +0200 )
6

@Karri Huhtanen

While I agree that configuration should be loadable via config packages, the creation of a config MUST also be possible on device via GUI - you can't expect folks to pester their universities / work IT to support Jolla at this point and neither can expect everybody to learn how to!

( 2014-01-19 18:21:13 +0200 )

[update] Fix was part of Update 8. Info below is no longer relevant.
I've managed to get the workaround working again for 1.0.5.16. The problem is this: commit 51e3eaf in the git of wpa_supplicant added a check that a server certificate should not include a client EKU, but this is a configuration that is used in the wild, including in eduroam here at the University of Twente. All that is needed :) is a revert of that commit and a rebuild of wpa_supplicant.

I tried for the first time to build an rpm package (I'm fairly well versed in Debian, but new at rpm and mer). I tried to be quick about it, so I skimmed tutorials and docs and startpaged error messages as I went. I'm sure I'm not doing everything as I should, but it got my phone working :).

DISCLAIMER: I'm not doing things as I should. I'm not changing any version numbers, and force a reinstall of my custom-built package. I think it's very well possible you may need to get your hands in again when the nice people at Jolla fix this properly. I'm offering this to help you, but it might inadvertently BREAK and you will get to keep both pieces! YOU HAVE BEEN WARNED.

I'm not very gentle in the following description: I presume you have developer mode enabled and generally know what you're doing.

First of all, if you decide to trust my build, you can get the rpm I got out of it here (I reserve the right to take that link down soon if I feel so inclined).

You can install the rpm with, as root:

# zypper in -f wpa_supplicant-2.1-1.3.2.armv7hl.rpm


Note how --force is needed because we're re-installing, as I didn't change the version numbers.

If you're like me, you don't really trust strangers who offer you nice binaries, and you'd rather see what changes you make. I will now outline how I built the package.

I based most things on this CentOS tutorial.

First off, we need some packages installed. I did as root:

# zypper si wpa_supplicant


Although I should have done

# zypper si -d wpa_supplicant


because I need the source as the nemo user, and -d tells it to just get build dependencies.

Furthermore:

# zypper in rpm-build meego-rpm-config


This will install a whole bunch of packages.

The needed patch is the reversal of commit 51e3eaf of the hostap Git. Through the tutorial mentioned, I packaged this patch and edited the .spec file. I didn't touch the version and release because I can't figure out how to choose proper ones. You can get the patch here and the patch to the spec file here. Inspect them and see if you like them.

As the nemo user:

$ zypper si wpa_supplicant
$ cd ~/rpmbuild/SPECS/


Save the patch as ~/rpmbuild/SOURCES/wpa_supplicant-dont-fail-client-cert.patch and the spec patch as ~/rpmbuild/SPECS/wpa_supplicant.spec.patch.

$ patch < wpa_supplicant.spec.patch
$ rpmbuild -bb wpa_supplicant.spec


And as root:

# zypper in -f ~nemo/rpmbuild/RPMS/armv7hl/wpa_supplicant-2.1-1.3.2.armv7hl.rpm


Note how --force is needed because we're re-installing, as I didn't change the version numbers.


1

thanks a lot, it's working again!

( 2014-04-14 15:13:11 +0200 )

Thanks for figuring all of this out, but I'm kinda scared the next update will fail, so I will wait for the Jolla devs.

( 2014-04-15 15:17:08 +0200 )
6

If zypper is not installed on your phone (which was my case), the following command also works:

# rpm -i --replacepkgs --replacefiles wpa_supplicant-2.1-1.3.2.armv7hl.rpm

( 2014-04-16 10:40:30 +0200 )

It's working here, at asml.

( 2014-04-29 14:03:00 +0200 )

Works with Ziggo too.

( 2014-05-28 23:29:43 +0200 )

[update] Fix was part of Update 8. Info below is no longer relevant.
For those who installed this patched version: after upgrading to 1.0.5.19 (MMS hotfix) you need to reinstall the patched version, as the release version gets pulled in again.

UPDATE: ongoing, this applies to 1.0.7.16 (Saapunki) too


why did they not just use this hotfix to patch this up?

( 2014-04-24 18:53:35 +0200 )

@qrosh@Aard will ask the maintainers where they are at - no promises though (he actually read about the problem but never knew that there was already a solution)

( 2014-04-24 20:44:55 +0200 )

Confirmed for 1.0.5.19

( 2014-04-29 14:02:29 +0200 )

After reinstalling the patched 'wpa_supplicant-2.1-1.3.2.armv7hl.rpm' from Digital Brain it's working fine on SailfishOS 1.0.5.19. I can connect to Eduroam of Leipzig University with the following '/var/lib/connman/wifi_eduroam.config':

[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/deutsche-telekom-root-ca-2.crt
Phase2=PAP
Passphrase=passphrase


A line like 'Anonymous_Identity=anonymous@domain' (recommended, akin to the setting for Android devices) or something like 'Phase1=PEAPLABEL...' (recommended, akin to the setting for wpa_supplicant) or something similar isn't necessary, has no effect or isn't supported. I had to reboot my Jolla after installing the patched version to get connected. You can download the certificate here: https://www.pki.dfn.de/fileadmin/PKI/zertifikate/deutsche-telekom-root-ca-2.crt and copy it to '/etc/ssl/certs', but it should also work with the existing 'ca-bundle.crt'.

( 2014-05-02 20:29:41 +0200 )

Do we have to install the patched version even if we opt in to the experimental connman v1.23?

( 2014-06-10 13:11:04 +0200 )

This setup works at Lappeenranta University of Technology. It has been tested with SailfishOS 1.0.8.19 Tahkalampi, and you don't need to apply any patches or make any wpa_supplicant config anymore. The only things you need for eduroam to work are a certificate file and a connman configuration file for eduroam.

Here are the steps for getting eduroam working in LUT. It should also work in Saimaa University of Applied Sciences. The domain part of the username should of course be saimia.fi. The certificates are the same.

1. Get the Comodo AddTrust External CA certificate file from https://tunnistus.lut.fi/varmenteet/index.html and save it as /etc/ssl/certs/addtrustexternalcaroot.crt
2. Make a connman configuration file for eduroam by changing your credentials to the text below and save it to /var/lib/connman/wifi_eduroam.config
[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
Phase2=MSCHAPV2
Identity=s1234567@lut.fi


I got this working at Uppsala with stock SailfishOS 1.0.8.19. I downloaded the certificate from the university eduroam instructions for ubuntu, copied it to /etc/ssl/certs. Then, as root, created a config file as below.

[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
Phase1=0
Phase2=mschapv2


I saved the .config and watched the result with wpa_cli.

Sometimes it connects, disconnects & reconnects repeatedly, five or six times in a row, but then sometimes it behaves well, connecting and remaining connected with no problem.

Update

Eduroam still works for me after 1.0.8.21 security hot fix.

# wpa_cli status
ssid=eduroam
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=TKIP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)
EAP TLS cipher= [removed]
EAP-TTLSv0 Phase2 method=EAP-MSCHAPV2


I don't know if that helps anyone.

Update September 2015 with 1.1.9.28 early access.

I had to recreate the 'wifi_eduroam.config' file in '/var/lib/connman' and add the cert as above and it works perfectly.

Update June 2017 with 2.1.0.11

With a new install and no previous config I followed the instructions above and it worked immediately.

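The `wpa_cli status` dump in the post above is the quickest way to confirm that the link really came up as WPA2-Enterprise (802.1X/EAP) and not as something weaker. The small checker below is an added example written for this page, not code from the poster or from wpa_supplicant: it parses that key=value output and reports if the supplicant is not associated, if the key management is not 802.1X/EAP, if the EAP exchange did not finish, and if either cipher is one I treat as weak (the TKIP group cipher in the sample output is exactly such a case). The list of weak ciphers is my own judgement, not something the thread states.

```python
"""Check a `wpa_cli status` dump for a completed WPA2-Enterprise link
(added example for this thread; not from wpa_supplicant)."""
from typing import Dict, List

# Constructed sample modelled on the output posted above.
SAMPLE_STATUS = """ssid=eduroam
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=TKIP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)
EAP-TTLSv0 Phase2 method=EAP-MSCHAPV2
"""

# Ciphers I would not accept for a WPA2 link (assumption, my own list).
WEAK_CIPHERS = {"TKIP", "WEP-40", "WEP-104", "NONE"}


def parse_status(text: str) -> Dict[str, str]:
    """Turn `wpa_cli status` key=value lines into a dict; keys may contain spaces."""
    status: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            status[key.strip()] = value.strip()
    return status


def assess(status: Dict[str, str]) -> List[str]:
    """Return findings about the link; an empty list means a clean enterprise connection."""
    findings: List[str] = []
    if status.get("wpa_state") != "COMPLETED":
        findings.append(f"not associated (wpa_state={status.get('wpa_state', '?')})")
    key_mgmt = status.get("key_mgmt", "")
    if "802.1X" not in key_mgmt and "EAP" not in key_mgmt:
        findings.append(f"key_mgmt={key_mgmt or '?'}: not 802.1X/EAP, so no enterprise authentication took place")
    else:
        # Only meaningful once the supplicant actually ran an EAP exchange.
        if status.get("EAP state") != "SUCCESS":
            findings.append(f"EAP state={status.get('EAP state', '?')}: the inner authentication did not complete")
        if status.get("suppPortStatus") != "Authorized":
            findings.append("suppPortStatus is not Authorized: the port is still blocked by 802.1X")
    pairwise = status.get("pairwise_cipher", "")
    if pairwise in WEAK_CIPHERS:
        findings.append(f"pairwise_cipher={pairwise}: unicast traffic uses a weak cipher")
    group = status.get("group_cipher", "")
    if group in WEAK_CIPHERS:
        findings.append(f"group_cipher={group}: broadcast traffic uses a weak cipher (the AP still admits WPA/TKIP clients)")
    return findings


if __name__ == "__main__":
    import subprocess
    import sys
    # With no argument, check the embedded sample; with "live", ask the running supplicant.
    if len(sys.argv) > 1 and sys.argv[1] == "live":
        text = subprocess.run(["wpa_cli", "status"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_STATUS
    for finding in assess(parse_status(text)) or ["OK: completed 802.1X/EAP link"]:
        print(finding)
```

On the device, `python3 check.py live` runs `wpa_cli status` itself (as root, since wpa_cli needs the control socket); the sample run reports only the TKIP group cipher, which is a property of the access point's configuration rather than of the phone.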

Managed to make it work at Høgskolen i Gjøvik. No need for a certificate. I used this config:

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
Phase2=MSCHAPV2
Identity=studentnumber@hig.no


2

If you do not specify a CA certificate, you make your username and password vulnerable to a man-in-the-middle attack.

( 2014-10-08 16:00:35 +0200 )

The "official" guide from HiG specifies that there is no CA certificate in use. http://english.hig.no/it_department/instructions/network/eduroam/ubuntu

( 2014-10-08 18:42:55 +0200 )

@oyviasse: I believe that NetworkManager uses the system CAs if none are specified. I'm not sure if connman does the same or not.

( 2014-10-08 20:23:31 +0200 )

Oh, scrub that, step 3 on this link proves that they offer no security at all, and used unsigned certificates (and are vulnerable to MITM attacks).

( 2014-10-08 20:24:06 +0200 )
1

Shame on them (HiG). Having a proper private CA certificate and checking it would be the most secure solution for WPA authentication. This is because ConnMan does not seem to provide any way to check details like the hostname in the CN of the certificate ( https://together.jolla.com/question/15292/connman-does-not-support-certificate-detail-verification/ ). If this kind of certificate detail verification is not done, any other certificate which is validated by the selected CA (or in the worst case by all system CAs) can be used to perform a man-in-the-middle attack. Certificates in WPA Enterprise do not work the same way as WWW server certificate authentication, because there is no IP connectivity or access to DNS when the server certificate is checked.

( 2014-10-09 10:26:10 +0200 )

I am so disappointed in Jolla that this is still not fixed.

Sure, I can make a workaround work, but imho this is one of the most important features of any mobile device (being able to connect) and it should work out of the box without needing to customize config files by hand. It has to work, no excuses!

To make it worse, I know that it is possible because it worked already (I forgot under which version; it was before folders were introduced, if I remember right).

It feels broken and I use it less and less. It drives me mad.

I just can't understand what the thinking on the Jolla side here is. What are your priorities? Why is there no communication about this, or did I miss it and someone can point me to the discussion/explanation from Jolla?

It's a friggin year now.


5

I do know what you mean. For a smartphone, not being able to connect to WiFi is pretty bad, actually sad. From what it seems, we will have this fixed with the next update.

Also I know Jolla said the phone is out of the beta stage but I still think the SailfishOS is a beta, too many things missing and not working.

That said, Jolla is working on it, slowly, but they're working on it; maybe soon we will leave the beta.

( 2014-10-08 21:09:39 +0200 )

The only thing wrong with that guide is not giving users some info on the self-signed certificate they're supposed to accept; it's omitted because, well, frankly most users don't care or know what the hell we're talking about anyway. The only reason I bother responding is that the remark that we offer no security at all is forever Google-searchable and some people with lesser knowledge might think you're not pulling facts out of your ass.


1

( 2014-10-10 09:34:46 +0200 )

I'm guessing this is a reply to this: https://together.jolla.com/question/315/wpa-8021x-enterprise-others-gui-wifi-support-needed-workaround/#post-id-58172. Though the linked tutorials actually state that the certificate is unsigned.

( 2014-10-10 11:03:12 +0200 )
3

It is not a problem if the certificate is signed by a proper private CA. It is actually recommended practice in eduroam to use a private CA instead of well-known ones. What is definitely not recommended, and is irresponsible and insecure, is to have instructions which tell users to turn off certificate checking, like the linked instructions do. Claiming that most users don't care or know what to do is a lame excuse for not doing the instructions properly. All eduroam organisations can use tools like https://cat.eduroam.org/ to provision proper configurations and certificates for their users.

( 2014-11-21 14:11:05 +0200 )

Since the Security Hotfix for Tahkalampi 1.0.8.21, WiFi on eduroam (with connman config file and own certificate) won't work. It shows as connected (ip link is also UP), but DNS won't work. Anyone else having the same problem? I noticed that the NS is set to link local,

> cat /etc/resolv.conf
# Generated by Connection Manager
nameserver 127.0.0.1
nameserver ::1

but this is also the case when I switch to mobile data (2G/3G), so it seems to be normal. Reconnecting does not solve the issue; switching flight mode and rebooting won't solve it either. On some days it works, on some it just doesn't. It's really annoying. I completely agree with @krautjan that this whole range of problems with WPA Enterprise is a major issue that needs to be fixed yesterday. I cannot believe that this essential function is still so broken.


We are planning to support this feature. It depends on the availability of certificate management system on the OS. We are in process of completing the middleware bits for this and soon need to implement the UI for certificate manager. Thereafter we should be clear to implement WPA Enterprise support.


1

@bijjal - Seems to be an answering spree! :-) Nice!

( 2015-01-15 17:21:06 +0200 )
2

@bijjal

Does this certificate work mean that there will be progress on the missing (and desperately needed) VPN GUI??

( 2015-01-19 12:06:25 +0200 )

@ApB I'd suggest opening a separate question about that if there isn't one yet. Please don't spam this item with unrelated questions. This is a very popular question and each change sends a notification to 70+ people.

( 2015-01-19 12:13:26 +0200 )
3

Can I ask if there is any further news about progress on this (6 months later)?

( 2015-07-09 00:00:56 +0200 )
2

Any news about this (over a year later)? Sailfish OS 2 still has no way to connect to these WiFi networks :(

( 2016-05-27 13:02:47 +0200 )