Ask / Submit
359

[How-To] WPA-802.1X (enterprise), eduroam +[Others] GUI wifi support needed + workaround [released]

asked 2013-12-24 17:43:42 +0300

updated 2015-04-10 16:31:00 +0300

Jolla needs to add support of using WPA-802.1X for the wifi connections, as a lot of routers + workspaces + universities use it.

So the WPA Supplicant does work now but there is no GUI implementation of adding additional networks, you will need to use a workaround described below. To make things easier try to use SSH connection from your PC to Jolla, that should make it easier than typing it out on screen keyboard.

How to SSH found here

Currently there is an unofficial workaround which people can use.

a) activate developer-mode (Settings->System->DeveloperMode)
b) use the terminal on the device or ssh to the device
c) install vim or any other text editor
d) vim /var/lib/connman/wifi_eduroam.config

wifi_eduroam.config: please note that entries seem to be case sensitive

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
CACertFile=/etc/ssl/certs/ca-bundle.crt
Phase2=MSCHAPV2
Identity=user@domain
Passphrase=yoursecret

e) save and exit
f) turn on/off wlan (or reboot phone)

Please feel free to contribute :)

if you want to install vim or nano please use the commands in terminal

nano:

pkcon install nano

vim:

pkcon install zypper
zypper in vim

[update]: nodevel has released a sailfish application which allows to create such networks, Feel free to have a loop at [Roamer](https://openrepos.net/content/nodevel/roamer)

As an example here is my eduroam login for University connection

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
Phase1=0
Phase2=MSCHAPV2
Identity=********@glam.ac.uk
Passphrase=********

There was no need to specify the certificate


ChemIst's Eduroam Config for uni-kl.de please note that entries seem to be case sensitive

[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/ca-bundle.crt
Phase2=PAP
Identity=********@rhrk.uni-kl.de
Passphrase=********
edit retag flag offensive reopen delete

The question has been closed for the following reason "released in a software update" by ApB
close date 2017-07-24 20:32:28.836280

Comments

12

The title is misleading. You're asking for WPA Enterprise, specifically an EAP variety of it. This is not PSK.

tbr ( 2013-12-24 20:00:32 +0300 )edit
5

Doesn't eduroam use TTLS, PAP, and also needs an anonymous identity? It does at the Heinrich-Heine-University in Düsseldorf at least ;)

Kondou ( 2013-12-24 22:06:49 +0300 )edit
13

eduroam uses quite a variety of EAP methods depending on the home organisation. Some use PEAP, some EAP-TTLS+PAP, some EAP-TTLS+MSCHAPv2, some EAP-TLS, some EAP-PWD. This means that either Jolla should have UI for configuring various wpa_supplicant parameters or way to provision config and certs.

Karri Huhtanen ( 2013-12-27 10:32:23 +0300 )edit

Works great, just connected a wpa2 enterprise network....

BoertjE ( 2013-12-30 11:41:10 +0300 )edit
2

Had a little trouble with Helsinki University Eduroam myself, but got this to work after I realized connman really does require the domain part in the username (as opposed to wpa_supplicant that I normally use). Their CA Cert can be downloaded here: https://www.helsinki.fi/atk/ca/HYAD_ROOT_CA.pem

elakim ( 2014-01-02 18:11:25 +0300 )edit

18 Answers

Sort by » oldest newest most voted
2

answered 2014-10-08 13:39:02 +0300

oyviaase gravatar image

Managed to make it work at Høgskolen i Gjøvik. No ned for certificate. I used this config:

[service_eduroam]
Type=wifi
Name=eduroam
EAP=peap
Phase2=MSCHAPV2
Identity=studentnumber@hig.no
Passphrase=Your HiG password
edit flag offensive delete publish link more

Comments

2

If you do not specify CA certificate, you make your username and password vulnerable for man-in-the-middle attack.

Karri Huhtanen ( 2014-10-08 16:00:35 +0300 )edit

The "official" guide from HiG specifies that there is no CA certificat in use. http://english.hig.no/it_department/instructions/network/eduroam/ubuntu

oyviaase ( 2014-10-08 18:42:55 +0300 )edit

@oyviasse: I believe that NetworkManager uses the system CAs if none are specified. I'm not sure if connman does the same or not.

WhyNotHugo ( 2014-10-08 20:23:31 +0300 )edit

Oh, scrub that, step 3 on this link proves that they offer no security at all, and used unsigned certificates (and are vulnerable to MITM attacks).

WhyNotHugo ( 2014-10-08 20:24:06 +0300 )edit
1

Shame on them (HiG). Having a proper private CA certificate and checking that would be most secure solution for WPA authentication. This is because ConnMan does not seem to provide any way to check any details like hostname in CN in the certificate ( https://together.jolla.com/question/15292/connman-does-not-support-certificate-detail-verification/ ). If this kind of certificate detail verification is not done, any other certificate, which is validated by selected CA (or in the worst case all system CAs) can be used to perform man-in-the-middle attack. Certificates and WPA Enterprise do not work the same way as WWW server certificate authentication, because there isn't IP connectivity or access to DNS when the server certificate is checked.

Karri Huhtanen ( 2014-10-09 10:26:10 +0300 )edit
2

answered 2014-10-10 16:29:12 +0300

acidicX gravatar image

Since the Security Hotfix for Tahkalampi 1.0.8.21, WiFi on eduroam (with conman config file and own certificate) won't work. It shows as connected (ip link is also UP), but DNS won't work. Anyone else having the same problem? I noticed that the NS is set to link local,

> cat /etc/resolv.conf
# Generated by Connection Manager
nameserver 127.0.0.1
nameserver ::1

but this is also the case when I switch to mobile data (2G/3G), so it seems to be normal. Reconnecting does not solve the issue, switching flight mode and rebooting won't solve it either. On some days it works, on some it just doesn't. It's really annoying, I completely agree with @krautjan that this whole range of problems with WPA Enterprise a major issue that needs to be fixed yesterday. I cannot believe that this essential function is still so broken.

edit flag offensive delete publish link more
2

answered 2015-09-16 23:16:42 +0300

Sebix gravatar image

updated 2015-09-16 23:17:14 +0300

WPA Enterprise support is on the Roadmap of Sailfish OS for Q4 2015!

Q4 2015

Platform

  • Enable certificate management in the UI
  • Investigate WiDi/Miracast on the Tablet
  • UPNP/DLNA integration
  • Investigate dropping connectivity agent and merging functionality with connman or QML plugins
  • Investigate possibility for the platform to have only one file indexer
  • Investigate merging commhistoryd and contactd
  • WPA Enterprise support
  • Allow retaining user data when the user resets the device to factory defaults
  • Enable open VPN support on the OS
edit flag offensive delete publish link more
1

answered 2015-03-16 15:14:49 +0300

Anne Bergshoeff gravatar image

updated 2015-03-16 15:16:29 +0300

I cannot get this to work with my Leiden University account. Any help would be greatly appreciated. The code I use in /var/lib/connman/wifi_eduroam.config:

[service_eduroam]

Type=wifi

Name=eduroam

EAP=ttls

CACertFile=/etc/ssl/certs/addtrustexternalcaroot.crt

Phase1=0

Phase2=pap

Anonymous_Identity=anonymous@leidenuniv.nl

Identity=username@leidenuniv.nl

Passphrase=secretpassword

edit flag offensive delete publish link more

Comments

afaik connman doesn't support anonymous identity yet

tad ( 2015-03-16 19:36:32 +0300 )edit
2

I removed that line and Phase1. It still didn't work until I opened the file and saved it again yesterday. Rebooted and voila... When trying to connect to eduroam, it asked for my username and password! As far as I know, it works now!

Anne Bergshoeff ( 2015-03-18 13:24:00 +0300 )edit
1

answered 2015-09-09 12:20:20 +0300

Foxping gravatar image

I have installed Sailfish 1.1.7.28 on my Jolla.

It is still not working i can not connect to my enterprise WLAN. All other WLAN networks are working. This here is closed :-(/ https://together.jolla.com/question/39281/bug-wpa2-enterprise-wpa_supplicant-fails-when-server-cert-is-also-client-cert-radius-radsec-eduroam/

edit flag offensive delete publish link more
1

answered 2015-09-22 18:12:17 +0300

noipv4 gravatar image

I upgraded my OS to 1.1.7.28 / Björnträsket. Since then I am no longer able to connect to my office enterprise WLAN. I have tried recreating the connman config file. Checked that the certificate file is okay. Jolla phone does not connect to my office WLAN any longer.

Any pointers would be welcome.

edit flag offensive delete publish link more
1

answered 2015-09-25 15:33:12 +0300

Hi Sailors,

I'm at the KU Leuven in Belgium and I tried to setup the Eduroam network but unfortunately I get always: 'Problem with connection'

I used the standard configuration file from the tutorial. Somebody who can help?

Dylan

edit flag offensive delete publish link more

Comments

Do you maybe need to install some certificates for eduroam to work at your uni? At mine I do, I simply downloaded them with the browser I think and everything worked fine.

qrosh ( 2015-09-25 18:24:46 +0300 )edit

Yes, check you university website for instructions. For our WLAN I did not have to use a cert at all for example.

Nrde ( 2015-09-28 09:43:44 +0300 )edit

KU Leuven has a webpage with the instructions for Linux.

I draw your attention to the section they have at the bottom of the page:

ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=1
fast_reauth=1

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="u0123456@kuleuven.be"
    # Ubuntu
    ca_cert="/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt"
    # Mandriva
    #ca_cert="/etc/pki/tls/certs/ca-bundle.crt"
    phase2="auth=MSCHAPV2"
}

No real idea on how to get it to work. Also note that KU Leuven's eduroam network starts with a capital "E": Eduroam

[service_eduroam]
Type=wifi
Name=Eduroam
EAP=peap
CACertFile=/etc/ssl/certs/ca-bundle.crt
Phase2=MSCHAPV2
Identity=r0123456@kuleuven.be
Passphrase=********

The above configuration for some reason does not work.

oenone ( 2015-10-05 18:37:16 +0300 )edit
0

answered 2014-10-10 00:53:19 +0300

updated 2014-10-10 02:19:07 +0300

Only thing wrong with that guide is not giving users some info of the self signed certificate they're suppose to accept, it's omitted because, well, frankly most users doesn't care or know what the hell we're talking about anyway. Only reason I bother responding is the remark that we don't offer no security at all is forever google searchable and some people with lesser knowledge might think you're not pulling facts out of your ass.

edit flag offensive delete publish link more

Comments

1

Who are you replying to?

nthn ( 2014-10-10 09:34:46 +0300 )edit

I'm guessing this is a reply to this: https://together.jolla.com/question/315/wpa-8021x-enterprise-others-gui-wifi-support-needed-workaround/#post-id-58172. Though the linked tutorials actually state that the certificate is unsigned.

WhyNotHugo ( 2014-10-10 11:03:12 +0300 )edit
3

It is not a problem if the certificate is signed by a proper private CA. It is actually recommended practice in eduroam to use private CA instead of well-known ones. What is definitely not recommended, and is irresponsible and insecure, is to have instructions, which tell users to turn off certificate checking like they do in the linked instructions. Claiming that most users don't care or know what to do, is a lame excuse of doing instructions properly. All eduroam organisations can use tools like https://cat.eduroam.org/ to provision proper configurations and certificates for their users.

Karri Huhtanen ( 2014-11-21 14:11:05 +0300 )edit

Question tools

Follow
106 followers

Stats

Asked: 2013-12-24 17:43:42 +0300

Seen: 27,554 times

Last updated: Jul 24 '17