eduroam

From Gentoo Wiki

eduroam (education roaming) is an international Wi-Fi roaming service for users at educational and research institutions. Authentication uses IEEE 802.1X (WPA2-Enterprise): the client authenticates with EAP to its home institution's RADIUS server, wherever it happens to be.[1] This article describes how to configure Gentoo to connect to eduroam.

A map of eduroam coverage is available.[2]

Configuration

Configuration assistant tool

Note
IWD needs additional configuration that the CAT does not generate; see the IWD section below.

The eduroam Configuration Assistant Tool (CAT) collects information about each participating institution's RADIUS/EAP deployment and generates installers for a range of popular PC and smartphone platforms.[3] The installer can be downloaded at cat.eduroam.org. On Linux, it supports PEAP-MSCHAPv2, TLS, TTLS-MSCHAPv2, TTLS-PAP, and Managed IdP.[4] The CAT profile is the preferred starting point because it carries the institution's CA certificate and RADIUS server name, which are what make the client reject a rogue access point presenting its own certificate. Not all organizations have a profile on CAT.

NetworkManager (nmcli)

Important
Be careful about storing passwords in configuration files, especially on multi-user systems. NetworkManager keeps the profile, including the password, in a root-only (mode 0600) file under /etc/NetworkManager/system-connections/; keep it that way, do not leave the password in a world-readable script or in shell history, and do not reuse the eduroam password elsewhere.

nmcli can be used to create an eduroam connection profile for NetworkManager by hand. The connection-specific configuration files are stored in /etc/NetworkManager/system-connections/.

FILE eduroam-setup.sh
#!/bin/bash
# Creates a NetworkManager profile for eduroam with nmcli. The values marked
# site-specific are Tampere University's; take your institution's from its
# CAT profile. Variables are quoted so an empty PASSWORD does not shift the
# argument list and turn the next property name into the password.

CONNAME="eduroam"
USERNAME="firstname.surname@tuni.fi"       # site-specific
PASSWORD=""                                 # leave empty: NetworkManager asks when connecting
# The institution's RADIUS CA certificate (PEM). nmcli requires the file to
# exist. Without a CA certificate the server certificate chain is not
# verified and a rogue access point can collect the MSCHAPv2 exchange.
CACERT="/path/to/institution-radius-ca.pem" # site-specific

nmcli connection add type wifi con-name "$CONNAME"      \
        connection.permissions "$LOGNAME"               \
        802-11-wireless.ssid "$CONNAME"                 \
        802-11-wireless-security.key-mgmt wpa-eap       \
        802-11-wireless-security.group ccmp,tkip        \
        802-11-wireless-security.pairwise ccmp          \
        802-11-wireless-security.proto rsn              \
        802-1x.ca-cert "$CACERT"                        \
        802-1x.altsubject-matches DNS:wifi.tuni.fi      \
        802-1x.anonymous-identity anonymous@tuni.fi     \
        802-1x.eap peap                                 \
        802-1x.identity "$USERNAME"                     \
        802-1x.password "$PASSWORD"                     \
        802-1x.phase2-auth mschapv2                     \
        ipv4.method auto                                \
        ipv6.addr-gen-mode stable-privacy               \
        ipv6.method auto
# tkip is listed as a group cipher only for legacy access points; drop it
# when the network is WPA2/CCMP-only.

The values above are specific to Tampere University in Finland. Other institutions differ, especially 802-1x.altsubject-matches DNS:wifi.tuni.fi (the RADIUS server name that must appear in the server certificate) and 802-1x.anonymous-identity anonymous@tuni.fi (the outer identity, which is sent in cleartext before the TLS tunnel is up). Take these, together with the CA certificate, from the institution's CAT profile rather than guessing: the CA certificate and the server name constraint together are what stop a rogue access point with a self-signed certificate from harvesting credentials.

IWD

Tip
Some institutions use alternative EAP methods, such as Tunneled TLS (TTLS). These need their own configuration keys (EAP-TTLS-CACert, EAP-TTLS-ServerDomainMask, EAP-TTLS-Phase2-Method, and so on), which are documented in the iwd.network(5) man page.

Create the following file and fill in the values from the CAT script or NetworkManager profile. Keep it root-owned with mode 0600, since it contains the password. EAP-PEAP-CACert and EAP-PEAP-ServerDomainMask are not optional from a security standpoint: without them iwd accepts any RADIUS server certificate.

FILE /var/lib/iwd/eduroam.8021x
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@[domain]
EAP-PEAP-CACert=/etc/ca-certificates/trust-source/anchors/[CACert].crt
EAP-PEAP-ServerDomainMask=radius.[domain]
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=[username]@[domain]
EAP-PEAP-Phase2-Password=[password]

[Settings]
AutoConnect=true
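
Both the nmcli profile and the iwd profile above fail safely only if the CA certificate and the server name constraint are present. As an added example, not code from the Gentoo wiki, NetworkManager or iwd, the following Python script audits either profile format for those settings. Both formats are INI-style, so configparser reads them. The two embedded profiles are constructed for the example: the first is what the nmcli script in the NetworkManager section writes to its keyfile when no CA certificate is given, the second is the iwd template filled with hypothetical example.edu values.

```python
"""Audit an eduroam 802.1X profile (NetworkManager keyfile or iwd .8021x)
for server-validation weaknesses. Added example, not wiki/NM/iwd code."""
import configparser
from typing import Dict, List

# Constructed sample: the nmcli script's result as a keyfile, no ca-cert.
NM_KEYFILE_WEAK = """\
[wifi-security]
key-mgmt=wpa-eap
group=ccmp;tkip;
pairwise=ccmp;
proto=rsn;

[802-1x]
eap=peap;
identity=firstname.surname@tuni.fi
anonymous-identity=anonymous@tuni.fi
altsubject-matches=DNS:wifi.tuni.fi;
phase2-auth=mschapv2
"""

# Constructed sample: iwd profile with a pinned CA and server name
# (example.edu, its CA path and user are hypothetical).
IWD_PROFILE_OK = """\
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@example.edu
EAP-PEAP-CACert=/etc/ssl/certs/example-edu-radius-ca.pem
EAP-PEAP-ServerDomainMask=radius.example.edu
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=jdoe@example.edu
EAP-PEAP-Phase2-Password=correct-horse

[Settings]
AutoConnect=true
"""


def _parse(text: str) -> configparser.ConfigParser:
    # '=' is the only delimiter in both formats and iwd keys are case-sensitive.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _section(cp: configparser.ConfigParser, name: str) -> Dict[str, str]:
    return dict(cp[name]) if cp.has_section(name) else {}


def audit_nm(keyfile: str) -> List[str]:
    """Findings for a NetworkManager wpa-eap keyfile."""
    cp = _parse(keyfile)
    x, ws = _section(cp, "802-1x"), _section(cp, "wifi-security")
    findings = []
    if not any(k in x for k in ("ca-cert", "ca-path", "system-ca-certs")):
        findings.append("802-1x: no ca-cert/ca-path, server chain unverified; "
                        "a rogue AP can harvest the MSCHAPv2 exchange")
    if not any(k in x for k in ("altsubject-matches", "domain-suffix-match", "domain-match")):
        findings.append("802-1x: no server name constraint, any cert from the CA is accepted")
    if "anonymous-identity" not in x:
        findings.append("802-1x: no anonymous-identity, real username sent in cleartext")
    if "password" in x and x.get("password-flags", "0") == "0":
        findings.append("802-1x: password stored system-wide (password-flags=0)")
    if "tkip" in ws.get("group", "").lower():
        findings.append("wifi-security: TKIP allowed as group cipher")
    return findings


def audit_iwd(profile: str) -> List[str]:
    """Findings for an iwd .8021x profile using a tunnelled method."""
    sec = _section(_parse(profile), "Security")
    method = sec.get("EAP-Method", "")
    if method not in ("PEAP", "TTLS"):
        return [f"Security: EAP-Method={method!r} not covered by this audit"]
    findings = []
    if f"EAP-{method}-CACert" not in sec:
        findings.append(f"Security: no EAP-{method}-CACert, server chain unverified")
    if f"EAP-{method}-ServerDomainMask" not in sec:
        findings.append(f"Security: no EAP-{method}-ServerDomainMask, any cert from the CA is accepted")
    outer = sec.get("EAP-Identity")
    if outer and outer == sec.get(f"EAP-{method}-Phase2-Identity"):
        findings.append("Security: outer EAP-Identity equals Phase2 identity, username sent in cleartext")
    return findings


def audit_mode(mode: int) -> List[str]:
    """Both profile kinds hold secrets: flag any group/other permission bit."""
    return ["file readable by group/other; chmod 600"] if mode & 0o077 else []


if __name__ == "__main__":
    for label, result in (("NetworkManager keyfile", audit_nm(NM_KEYFILE_WEAK)),
                          ("iwd profile", audit_iwd(IWD_PROFILE_OK)),
                          ("mode 0644", audit_mode(0o644))):
        print(label + ":", "OK" if not result else "\n  - " + "\n  - ".join(result))
```

To audit a real profile, read the file and pass its text to audit_nm or audit_iwd, and pass stat.S_IMODE(os.stat(path).st_mode) to audit_mode. The nmcli sample is flagged for the missing CA certificate and for TKIP, which is exactly the gap the 802-1x.ca-cert line in the script closes.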

Troubleshooting

On systemd profiles, NetworkManager and systemd-networkd may both try to manage the wireless interface. The symptom is an eduroam connection that drops shortly after coming up and then reconnects, over and over. To leave the interface to NetworkManager alone, stop and disable systemd-networkd:

root #systemctl stop systemd-networkd.service

and

root #systemctl disable systemd-networkd.service

If systemd-networkd is needed for other interfaces, keep it running and instead exclude the wireless interface from it with a .network unit that matches the interface name and sets Unmanaged=yes in its [Link] section (see systemd.network(5)).

Roam.fi

roam.fi (https://www.roam.fi/) is a Finnish roaming network similar to eduroam. The script above also works for roam.fi; only the SSID differs, so set CONNAME="roam.fi".

KDE Plasma settings

Below are screenshots of the eduroam Wi-Fi configuration in the KDE Plasma System Settings.

Site-specific tips

For institution-specific guidance, contact the institution's support team. Some tips are collected here; they may help individual users.

University of Bristol

The University of Bristol has pages on configuring eduroam using NetworkManager, wpa_supplicant, netctl and more.

Technical University of Łódź

The Technical University of Łódź (Politechnika Łódzka) does not provide any official guidance on how to configure eduroam.[5]

Below is a guide that allowed at least one student to use NetworkManager to connect to eduroam.

Note
If NetworkManager is built without iwd support (the iwd USE flag), it will not even see the network.
  1. Download the tuLodzPem.pem file from the University CA's site.
  2. Start with the IWD configuration from the IWD section above.
  3. Try to connect to eduroam with nmtui so that NetworkManager saves the configuration.
  4. Replace the configuration with the file below.
FILE /var/lib/iwd/eduroam.8021x
[Security]
EAP-Method=PEAP
EAP-Identity=[student_index_nr]@edu.p.lodz.pl
EAP-PEAP-CACert=/path/to/tuLodzRoot.pem
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=[student_index_nr]@edu.p.lodz.pl
EAP-PEAP-Phase2-Password=[password]

Adding EAP-PEAP-ServerDomainMask=*.p.lodz.pl restricts which server certificates are accepted; without it, any certificate issued by the configured CA passes. Note also that the outer EAP-Identity above is the real username, which is sent in cleartext before the TLS tunnel is established; if the university's RADIUS server accepts it, an outer identity such as anonymous@edu.p.lodz.pl keeps the username out of the clear.
