
[How-To] WPA-802.1X (enterprise), eduroam +[Others] GUI wifi support needed + workaround [released]

asked 2013-12-24 17:43:42 +0200

Mariusmssj

updated 2019-07-22 15:03:13 +0200

atlochowski

Jolla needs to add support of using WPA-802.1X for the wifi connections, as a lot of routers + workspaces + universities use it.

So the WPA Supplicant does work now but there is no GUI implementation of adding additional networks, you will need to use a workaround described below. To make things easier try to use SSH connection from your PC to Jolla, that should make it easier than typing it out on screen keyboard.

How to SSH found here

Currently there is an unofficial workaround which people can use.

a) activate developer-mode (Settings->System->DeveloperMode)
b) use the terminal on the device or ssh to the device
c) install vim or any other text editor
d) vim /home/.system/var/lib/connman/wifi_eduroam.config (it has changed from 3.1)

wifi_eduroam.config: please note that entries seem to be case sensitive


e) save and exit
f) turn on/off wlan (or reboot phone)

Please feel free to contribute :)

If you want to install vim or nano, please use these commands in the terminal:


pkcon install nano


pkcon install zypper
zypper in vim

[update]: nodevel has released a Sailfish application which allows creating such networks. Feel free to have a look at Roamer.

As an example here is my eduroam login for University connection


There was no need to specify the certificate

ChemIst's Eduroam Config for please note that entries seem to be case sensitive


The question has been closed for the following reason "released in a software update" by ApB
close date 2017-07-24 20:32:28.836280



The title is misleading. You're asking for WPA Enterprise, specifically an EAP variety of it. This is not PSK.

tbr ( 2013-12-24 20:00:32 +0200 )

Doesn't eduroam use TTLS, PAP, and also needs an anonymous identity? It does at the Heinrich-Heine-University in Düsseldorf at least ;)

Kondou ( 2013-12-24 22:06:49 +0200 )

eduroam uses quite a variety of EAP methods depending on the home organisation. Some use PEAP, some EAP-TTLS+PAP, some EAP-TTLS+MSCHAPv2, some EAP-TLS, some EAP-PWD. This means that either Jolla should have a UI for configuring various wpa_supplicant parameters or a way to provision config and certs.

Karri Huhtanen ( 2013-12-27 10:32:23 +0200 )

Works great, just connected a wpa2 enterprise network....

BoertjE ( 2013-12-30 11:41:10 +0200 )

Had a little trouble with Helsinki University Eduroam myself, but got this to work after I realized connman really does require the domain part in the username (as opposed to wpa_supplicant that I normally use). Their CA Cert can be downloaded here:

elakim ( 2014-01-02 18:11:25 +0200 )

18 Answers


answered 2013-12-25 01:24:20 +0200

llornkcor

updated 2014-07-20 21:34:20 +0200

tbr

This is a known issue, and Jolla is working on a solution.

For the technical, connman needs a patch to properly support PEAP, as well as needing a config file to connect to WPA enterprise networks.




Configuration files, client and CA certificates for WPA Enterprise, mail, web browser should be able to be provisioned via email or WWW browser as configuration packages. There could be for example a specific mime type for configuration packages so that they could be directed to a certain config app.

Karri Huhtanen ( 2013-12-27 10:30:13 +0200 )

Great, thanks! Another question though: Can I use a hash instead of the plain text? Actually I'm using elakim's solution (deny access to users not being root), but I'd like to "encrypt" the password. I've tried md5 and sha and md4, all to no avail. plain-text-password works fine.

mie ( 2014-01-08 16:39:18 +0200 )

@mie You should probably check if wpa_supplicant supports hashed password (it might) and then the form you need to enter the password for it (e.g might be something like {md5}hashhere). Then give that to connman configuration?

Karri Huhtanen ( 2014-01-15 17:13:57 +0200 )

@mie "Password string for EAP. This field can include either the plaintext password (using ASCII or hex string) or a NtPasswordHash (16-byte MD4 hash of password) in hash:<32 hex digits> format. NtPasswordHash can only be used when the password is for MSCHAPv2 or MSCHAP" -- Not sure if idea works.

Karri Huhtanen ( 2014-01-15 17:17:44 +0200 )

@Karri Huhtanen

While I agree that configuration should be loadable via config packages, the creation of a config MUST also be possible on device via GUI - you can't expect folks to pester their universities / work IT to support Jolla at this point and neither can expect everybody to learn how to!

MoritzJT ( 2014-01-19 18:21:13 +0200 )

answered 2014-04-12 00:55:21 +0200

Digital Brains

updated 2014-07-20 21:38:53 +0200

tbr

[update] Fix was part of Update 8. Info below is no longer relevant.
I've managed to get the workaround working again for The problem is this: commit 51e3eaf in the git of wpa_supplicant added a check that a server certificate should not include a client EKU, but this is a configuration that is used in the wild, including in eduroam here at the University of Twente. All that is needed :) is a revert of that commit and a rebuild of wpa_supplicant.

I tried for the first time to build an rpm package (I'm fairly well versed in Debian, but new at rpm and mer). I tried to be quick about it, so I skimmed tutorials and docs and startpaged error messages as I went. I'm sure I'm not doing everything as I should, but it got my phone working :).

DISCLAIMER: I'm not doing things as I should. I'm not changing any version numbers, and force a reinstall of my custom-built package. I think it's very well possible you may need to get your hands in again when the nice people at Jolla fix this properly. I'm offering this to help you, but it might inadvertently BREAK and you will get to keep both pieces! YOU HAVE BEEN WARNED.

I'm not very gentle in the following description: I presume you have developer mode enabled and generally know what you're doing.

First of all, if you decide to trust my build, you can get the rpm I got out of it here (I reserve the right to take that link down soon if I feel so inclined).

You can install the rpm with, as root:

# zypper in -f wpa_supplicant-2.1-1.3.2.armv7hl.rpm

Note how --force is needed because we're re-installing, as I didn't change the version numbers.

If you're like me, you don't really trust strangers who offer you nice binaries, and you'd rather see what changes you make. I will now outline how I built the package.

I based most things on this CentOS tutorial.

First off, we need some packages installed. I did as root:

# zypper si wpa_supplicant

Although I should have done

# zypper si -d wpa_supplicant

because I need the source as the nemo user, and -d tells it to just get build dependencies.


# zypper in rpm-build meego-rpm-config

This will install a whole bunch of packages.

The needed patch is the reversal of commit 51e3eaf of the hostap Git. Through the tutorial mentioned, I packaged this patch and edited the .spec file. I didn't touch the version and release because I can't figure out how to choose proper ones. You can get the patch here and the patch to the spec file here. Inspect them and see if you like them.

As the nemo user:

$ zypper si wpa_supplicant
$ cd ~/rpmbuild/SPECS/

Save the patch as ~/rpmbuild/SOURCES/wpa_supplicant-dont-fail-client-cert.patch and the spec patch as ~/rpmbuild/SPECS/wpa_supplicant.spec.patch.

$ patch <wpa_supplicant.spec.patch
$ rpmbuild -bb wpa_supplicant.spec

And as root:

# zypper in -f ~nemo/rpmbuild/RPMS/armv7hl/wpa_supplicant-2.1-1.3.2.armv7hl.rpm

Note how --force is needed because we're re-installing, as I didn't change the version numbers.




thanks a lot, it's working again!

till ( 2014-04-14 15:13:11 +0200 )

Thanks for figuring all of this out, but I'm kinda scared the next update will fail, so I will wait for the Jolla devs.

ozzi ( 2014-04-15 15:17:08 +0200 )

If zypper is not installed on your phone (which was my case), the following command also works:

# rpm -i --replacepkgs --replacefiles wpa_supplicant-2.1-1.3.2.armv7hl.rpm

vbregier ( 2014-04-16 10:40:30 +0200 )

It's working here, at asml.

RobNas ( 2014-04-29 14:03:00 +0200 )

Works with Ziggo too.

richhanz ( 2014-05-28 23:29:43 +0200 )

answered 2014-04-24 18:13:52 +0200

chemist

updated 2014-08-28 11:25:37 +0200

[update] Fix was part of Update 8. Info below is no longer relevant.
For those who installed this patched version - after upgrading to (MMS hotfix) you need to reinstall the patched version as the release version gets pulled in again.

UPDATE: ongoing, this applies to (Saapunki) too



why did they not just use this hotfix to patch this up?

qrosh ( 2014-04-24 18:53:35 +0200 )

@qrosh @Aard will ask the maintainers where they are at - no promises though (he actually read about the problem but never knew that there was already a solution)

chemist ( 2014-04-24 20:44:55 +0200 )

Confirmed for

RobNas ( 2014-04-29 14:02:29 +0200 )

After reinstalling the patched 'wpa_supplicant-2.1-1.3.2.armv7hl.rpm' from Digital Brain it's working fine on SailfishOS I can connect to Eduroam of Leipzig University with the following '/var/lib/connman/wifi_eduroam.config':


A line like 'Anonymous_Identity=anonymous@domain' (recommended, akin setting for android devices) or something like 'Phase1=PEAPLABEL...' (recommended, akin setting for wpa_supplicant) or something similar isn't necessary, has no effect or isn't supported. I had to reboot my Jolla after installing the patched version to get connected. You can download the certificate here: and copy it to '/etc/ssl/certs' but it should also work with the existing 'ca-bundle.crt'.

alex ( 2014-05-02 20:29:41 +0200 )

Have we to install the patched version even if we opt-in the experimental connman v1.23?

Alex ( 2014-06-10 13:11:04 +0200 )

answered 2014-09-15 22:43:22 +0200

oku

This setup works in Lappeenranta University of Technology. It has been tested with SailfishOS Tahkalampi and you don't need to apply any patches or make any wpa_supplicant config anymore. Only things you need for eduroam to work is a certificate file and a connman configuration file for eduroam.

Here are the steps for getting eduroam working in LUT. It should also work in Saimaa University of Applied Sciences. The domain part of the username should of course be The certificates are the same.

  1. Get the Comodo AddTrust External CA certificate file from and save it as /etc/ssl/certs/addtrustexternalcaroot.crt
  2. Make a connman configuration file for eduroam by changing your credentials to the text below and save it to /var/lib/connman/wifi_eduroam.config

answered 2014-09-16 12:53:17 +0200

Stuarty

updated 2017-06-12 12:04:56 +0200

I got this working at Uppsala with stock SailfishOS I downloaded the certificate from the university eduroam instructions for ubuntu, copied it to /etc/ssl/certs. Then, as root, created a config file as below.

 Passphrase=Password from UU

I saved the .config and watched the result with wpa_cli.

Sometimes it connects, disconnects & reconnects repeatedly, five or six times in a row, but then sometimes it behaves well, connecting and remaining connected with no problem.


Eduroam still works for me after security hot fix.

# wpa_cli status
key_mgmt=WPA2/IEEE 802.1X/EAP
ip_address= [your IP]
address= [MAC address]
Supplicant PAE state=AUTHENTICATED
selectedMethod=21 (EAP-TTLS)
EAP TLS cipher= [removed]
EAP-TTLSv0 Phase2 method=EAP-MSCHAPV2

I don't know if that helps anyone.

Update September 2015 with early access.

I had to recreate the 'wifi_eduroam.config' file in '/var/lib/connman' and add the cert as above and it works perfectly.

Update June 2017 with

With a new install and no previous config I followed the instructions above and it worked immediately.


answered 2014-10-08 13:39:02 +0200

oyviaase

Managed to make it work at Høgskolen i Gjøvik. No need for certificate. I used this config:

Passphrase=Your HiG password



If you do not specify CA certificate, you make your username and password vulnerable for man-in-the-middle attack.

Karri Huhtanen ( 2014-10-08 16:00:35 +0200 )

The "official" guide from HiG specifies that there is no CA certificate in use.

oyviaase ( 2014-10-08 18:42:55 +0200 )

@oyviaase: I believe that NetworkManager uses the system CAs if none are specified. I'm not sure if connman does the same or not.

WhyNotHugo ( 2014-10-08 20:23:31 +0200 )

Oh, scrub that, step 3 on this link proves that they offer no security at all, and used unsigned certificates (and are vulnerable to MITM attacks).

WhyNotHugo ( 2014-10-08 20:24:06 +0200 )

Shame on them (HiG). Having a proper private CA certificate and checking that would be most secure solution for WPA authentication. This is because ConnMan does not seem to provide any way to check any details like hostname in CN in the certificate. If this kind of certificate detail verification is not done, any other certificate, which is validated by selected CA (or in the worst case all system CAs) can be used to perform man-in-the-middle attack. Certificates and WPA Enterprise do not work the same way as WWW server certificate authentication, because there isn't IP connectivity or access to DNS when the server certificate is checked.

Karri Huhtanen ( 2014-10-09 10:26:10 +0200 )
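
The checks this thread keeps returning to (a CA certificate for every EAP network, case-sensitive keys, root-only access to the plaintext passphrase), as an added example that is not part of any post above: a small Python audit for a connman wifi_*.config file. The key names are assumed from connman's provisioning format because the thread's own config listings did not survive, and the sample config is constructed. Passing it does not cover the CN check described in the comment above.

```python
import configparser
import os
import stat
import tempfile

# Key names of connman's provisioning format (assumed; not listed on the page).
KNOWN_KEYS = {"Type", "Name", "SSID", "Security", "EAP", "CACertFile",
              "Identity", "AnonymousIdentity", "Phase2", "Passphrase"}
CANONICAL = {k.lower(): k for k in KNOWN_KEYS}

# Constructed sample: wrong-case key, no CA certificate, plaintext password.
SAMPLE = """\
[service_eduroam]
Type = wifi
Name = eduroam
EAP = ttls
Phase2 = PAP
identity = user@example.org
Passphrase = constructed-not-real
"""


def audit(path):
    """Return a list of findings for one connman wifi_*.config file."""
    findings = []
    parser = configparser.ConfigParser(interpolation=None)  # '%' may occur in passwords
    parser.optionxform = str  # preserve key case instead of lowercasing
    parser.read(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    for section in parser.sections():
        keys = dict(parser.items(section))
        for key in keys:
            fixed = CANONICAL.get(key.lower())
            if fixed and fixed != key:
                findings.append(f"{section}: '{key}' should be spelled '{fixed}'")
        if "EAP" not in keys:
            continue  # not an 802.1X service, nothing more to check
        if not keys.get("CACertFile"):
            findings.append(f"{section}: EAP without CACertFile, server cert is unchecked")
        if "Passphrase" in keys and mode & 0o077:
            findings.append(f"{section}: plaintext Passphrase readable beyond owner (mode {mode:o})")
    return findings


def audit_text(text, mode):
    """Write text to a temporary wifi_eduroam.config with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wifi_eduroam.config")
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit(path)


if __name__ == "__main__":
    for finding in audit_text(SAMPLE, 0o644):
        print(finding)
```
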

answered 2014-10-08 16:33:59 +0200

krautjan

I am so disappointed in Jolla that this is still not fixed.

Sure I can make a workaround work, but imho this is one of the most important features of any mobile device (able to connect) and it should go out of the box without need to customize config files by hand. It has to work, no excuses!

To make it worse, I know that it is possible cause it worked already (forgot under which version, it was before folders were introduced if I remember right).

It feels broken and I use it less and less. It drives me mad.

I just can't understand what the thinking on the Jolla side here is. What are your priorities? Why is there no communication about this, or did I miss it and someone can point me to the discussion/explanation from Jolla?

It's a friggin year now.




I do know what you mean. For a smart phone, not being able to connect to WiFi is pretty bad, actually sad. From what it seems we will have this fixed with the next update.

Also I know Jolla said the phone is out of the beta stage but I still think the SailfishOS is a beta, too many things missing and not working.

That said Jolla is working on it, slowly but they're working on it, maybe soon we will leave the beta.

Mariusmssj ( 2014-10-08 21:09:39 +0200 )

answered 2014-10-10 00:53:19 +0200

updated 2014-10-10 02:19:07 +0200

Only thing wrong with that guide is not giving users some info of the self signed certificate they're supposed to accept, it's omitted because, well, frankly most users don't care or know what the hell we're talking about anyway. Only reason I bother responding is the remark that we don't offer no security at all is forever Google searchable and some people with lesser knowledge might think you're not pulling facts out of your ass.




Who are you replying to?

nthn ( 2014-10-10 09:34:46 +0200 )

I'm guessing this is a reply to this: Though the linked tutorials actually state that the certificate is unsigned.

WhyNotHugo ( 2014-10-10 11:03:12 +0200 )

It is not a problem if the certificate is signed by a proper private CA. It is actually recommended practice in eduroam to use private CA instead of well-known ones. What is definitely not recommended, and is irresponsible and insecure, is to have instructions, which tell users to turn off certificate checking like they do in the linked instructions. Claiming that most users don't care or know what to do, is a lame excuse of doing instructions properly. All eduroam organisations can use tools like to provision proper configurations and certificates for their users.

Karri Huhtanen ( 2014-11-21 14:11:05 +0200 )

answered 2014-10-10 16:29:12 +0200

acidicX

Since the Security Hotfix for Tahkalampi, WiFi on eduroam (with connman config file and own certificate) won't work. It shows as connected (ip link is also UP), but DNS won't work. Anyone else having the same problem? I noticed that the NS is set to link local,

> cat /etc/resolv.conf
# Generated by Connection Manager
nameserver ::1

but this is also the case when I switch to mobile data (2G/3G), so it seems to be normal. Reconnecting does not solve the issue, switching flight mode and rebooting won't solve it either. On some days it works, on some it just doesn't. It's really annoying, I completely agree with @krautjan that this whole range of problems with WPA Enterprise is a major issue that needs to be fixed yesterday. I cannot believe that this essential function is still so broken.


answered 2015-01-15 15:40:22 +0200

bijjal

We are planning to support this feature. It depends on the availability of certificate management system on the OS. We are in process of completing the middleware bits for this and soon need to implement the UI for certificate manager. Thereafter we should be clear to implement WPA Enterprise support.




@bijjal - Seem to be an answering spree! :-) Nice!

anandrkris ( 2015-01-15 17:21:06 +0200 )


Does this certificate work mean that there will be progress to the VPN GUI missing (and desperately needed)??

ApB ( 2015-01-19 12:06:25 +0200 )

@ApB I'd suggest to open a separate question about that if there isn't one yet. Please don't spam this item with unrelated questions. This is a very popular question and each change sends a notification to 70+ people.

tbr ( 2015-01-19 12:13:26 +0200 )

Can I ask if there is any further news about progress on this (6 months later)?

dave ( 2015-07-09 00:00:56 +0200 )

Any news about this (over a year later)? Sailfish OS 2 still have no way to connect to these WiFi :(

Alessio ( 2016-05-27 13:02:47 +0200 )
