[How-To] WPA-802.1X (enterprise), eduroam +[Others] GUI wifi support needed + workaround [released]

answered 2015-01-15 15:40:22 +0200

bijjal
26541 ●112 ●133 ●101

moderator

We are planning to support this feature. It depends on the availability of certificate management system on the OS. We are in process of completing the middleware bits for this and soon need to implement the UI for certificate manager. Thereafter we should be clear to implement WPA Enterprise support.

answered 2013-12-25 01:24:20 +0200

llornkcor
4741 ●36 ●37 ●45

updated 2014-07-20 21:34:20 +0200

tbr
3068 ●29 ●32 ●37

moderator

http://blog.ruecker.fi/

This is a known issue, and Jolla is working on a solution.

For the technical, connman needs a patch to properly support PEAP, as well as needing a config file to connect to WPA enterprise networks.

answered 2014-04-12 00:55:21 +0200

Digital Brains
286 ●2 ●5 ●10

updated 2014-07-20 21:38:53 +0200

tbr
3068 ●29 ●32 ●37

moderator

http://blog.ruecker.fi/

[update] Fix was part of Update 8. Info below is no longer relevant.
I've managed to get the workaround working again for 1.0.5.16. The problem is this: commit 51e3eaf in the git of wpa_supplicant added a check that a server certificate should not include a client EKU, but this is a configuration that is used in the wild, including in eduroam here at the University of Twente. All that is needed :) is a revert of that commit and a rebuild of wpa_supplicant.

I tried for the first time to build an rpm package (I'm fairly well versed in Debian, but new at rpm and mer). I tried to be quick about it, so I skimmed tutorials and docs and startpaged error messages as I went. I'm sure I'm not doing everything as I should, but it got my phone working :).

DISCLAIMER: I'm not doing things as I should. I'm not changing any version numbers, and force a reinstall of my custom-built package. I think it's very well possible you may need to get your hands in again when the nice people at Jolla fix this properly. I'm offering this to help you, but it might inadvertently BREAK and you will get to keep both pieces! YOU HAVE BEEN WARNED.

I'm not very gentle in the following description: I presume you have developer mode enabled and generally know what you're doing.

First of all, if you decide to trust my build, you can get the rpm I got out of it here (I reserve the right to take that link down soon if I feel so inclined).

You can install the rpm with, as root:

# zypper in -f wpa_supplicant-2.1-1.3.2.armv7hl.rpm

Note how --force is needed because we're re-installing, as I didn't change the version numbers.

If you're like me, you don't really trust strangers who offer you nice binaries, and you'd rather see what changes you make. I will now outline how I built the package.

I based most things on this CentOS tutorial.

First off, we need some packages installed. I did as root:

# zypper si wpa_supplicant

Although I should have done

# zypper si -d wpa_supplicant

because I need the source as the nemo user, and -d tells it to just get build dependencies.

Furthermore:

# zypper in rpm-build meego-rpm-config

This will install a whole bunch of packages.

The needed patch is the reversal of commit 51e3eaf of the hostap Git. Through the tutorial mentioned, I packaged this patch and edited the .spec file. I didn't touch the version and release because I can't figure out how to choose proper ones. You can get the patch here and the patch to the spec file here. Inspect them and see if you like them.

As the nemo user:

$ zypper si wpa_supplicant
$ cd ~/rpmbuild/SPECS/

Save the patch as ~/rpmbuild/SOURCES/wpa_supplicant-dont-fail-client-cert.patch and the spec patch as ~/rpmbuild/SPECS/wpa_supplicant.spec.patch.

$ patch <wpa_supplicant.spec.patch
$ rpmbuild -bb wpa_supplicant.spec

And as root:

# zypper in -f ~nemo/rpmbuild/RPMS/armv7hl/wpa_supplicant-2.1-1.3.2.armv7hl.rpm

Note how --force is needed because we're re-installing, as I didn't change the version numbers.

answered 2014-10-08 16:33:59 +0200

krautjan
161 ●2 ●4 ●7

I am so disappointed from jolla that this is still not fixed.

Sure i can make a workaround work but imho this is on of the most important feature of any mobile device (able to connect) and it should go out of the box without need to customize config files per hand. It has to work, no excuses!

To make it worse i know that it is possible cause it worked already (forgot under which version, it was before folders were introduced if i remember right).

It feels broken and i use it less and less. It drives me mad.

I just can't understand what the thinking on the jolla side here is. What are your priorities? Why is there no communication about this or did i miss it and someone can point me to the discussion/explanation from jolla?

It's a friggin year now.

answered 2014-04-24 18:13:52 +0200

chemist
41469 ●392 ●542 ●615

moderator

http://talk.maemo.org/

updated 2014-08-28 11:25:37 +0200

[update] Fix was part of Update 8. Info below is no longer relevant.
For those whom installed this patched version - after upgrading to 1.0.5.19 (MMS hotfix) you need to reinstall the patched version as the release version gets pulled in again.

UPDATE: ongoing, this applies to 1.0.7.16 (Saapunki) too

answered 2014-09-16 12:53:17 +0200

Stuarty
143 ●3 ●5 ●8

updated 2017-06-12 12:04:56 +0200

I got this working at Uppsala with stock SailfishOS 1.0.8.19. I downloaded the certificate from the university eduroam instructions for ubuntu, copied it to /etc/ssl/certs. Then, as root, created a config file as below.

[service_eduroam]
 Type=wifi
 Name=eduroam
 EAP=ttls
 CACertFile=/etc/ssl/certs/AddTrust-External-CA-Root.crt
 Phase1=0
 Phase2=mschapv2
 Identity=username@user.uu.se
 Passphrase=Password from UU

I saved the .config and and watched the result with wpa_cli.

Sometimes it connects, disconnects & reconnects repeatedly, five or six times in a row, but then sometimes it behaves well, connecting and remaining connected with no problem.

Update

Eduroam still works for me after 1.0.8.21 security hot fix.

# wpa_cli status
ssid=eduroam
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=TKIP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
ip_address= [your IP]
address= [MAC address]
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)
EAP TLS cipher= [removed]
EAP-TTLSv0 Phase2 method=EAP-MSCHAPV2`

I don't know if that helps anyone.

Update September 2015 with 1.1.9.28 early access.

I had to recreate the 'wifi_eduroam.config' file in '/var/lib/connman' and add the cert as above and it works perfectly.

Update June 2017 with 2.1.0.11

With a new install and no previous config I followed the instructions above and it worked immediately.

answered 2015-06-17 20:23:18 +0200

viking
71 ●1 ●2 ●3

There is a nice tool, eduroam CAT (eduroam Configuration Assistant Tool), which has been around for a while now:

https://cat.eduroam.org/

The creation of eduroam CAT has greatly simplified (by "lightyears" ;-) the complexity of configuring eduroam, as it helps people setup their devices properly for eduroam, asking only a few simple questions.

802.1X and EAP is a complex beast, and there are a lot of things that can be set wrong, e.g. failure to check your home institution certificate (checking this is a vital must, to avoid exposure to MITM and rogue-AP attacks ...).

So, eduroam users are highly encouraged (should really be required :-) to use eduroam CAT. The best way to support eduroam on the jolla will thus be to add support for eduroam CAT.

The unofficial workaround using /var/lib/connman/wifi_eduroam.config works just fine, btw. :-), so the only thing required is for a way to store/create that file, and (vitally) the certificate it should (must!) point to.

eduroam CAT is designed to do exactly that, with the necessary EAP config, certificate, institution realm/domain, etc. (as required/supported by the home institution eduroam servers) already setup by the institution admins.

Users only needs to fetch and run a configurator (the "eduroam CAT") that matches their devices to get them properly configured. The tool only needs to prompt for userid and password - everything else is setup as specified by the home institution.

Jolla devs: You can contact the CAT team (Link: "Become a CAT developer" on the webpage) to make this happen, or use a new (still experimental) feature, which is a downloadable generic EAP config file in the IETF "EAP Metadata -00" XML format: https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-00.

Make the jolla read (and understand ;-) that format - creating the wifi_eduroam.config and cert files from it - and you have "mission accomplished" :-)

PS: eduroam CAT is really two things:

• A tool on the CAT webpage to help institution admins create the other.
• Downloadable configurators for user devices. This is what is usually referred to as "eduroam CAT".

answered 2014-09-15 22:43:22 +0200

oku
621 ●10 ●15 ●18

This setup works in Lappeenranta University of Technology. It has been tested with SailfishOS 1.0.8.19 Tahkalampi and you don't need to apply any patches or make any wpa_supplicant config anymore. Only things you need for eduroam to work is a certificate file and a connman configuration file for eduroam.

Here are the steps for getting eduroam working in LUT. It should also work in Saimaa University of Applied Sciences. The domain part of the username should of course be saimia.fi. The certificates are the same.

1. Get the Comodo AddTrust External CAcertificate file from https://tunnistus.lut.fi/varmenteet/index.html and save it as /etc/ssl/certs/addtrustexternalcaroot.crt
2. Make a connman configuration file for eduroam by changing your credentials to the text below and save it to /var/lib/connman/wifi_eduroam.config

[service_eduroam]
 Type=wifi
 Name=eduroam
 EAP=peap
 CACertFile=/etc/ssl/certs/addtrustexternalcaroot.crt
 Phase2=MSCHAPV2
 Identity=s1234567@lut.fi
 Passphrase=lutpassword

answered 2016-12-05 10:26:20 +0200

Dave999
3881 ●32 ●55 ●61

jolla, any plans to fix this soon, like within a month?