eduroam

From Gentoo Wiki
This article is a stub. Please help out by expanding it - how to get started.

eduroam (education roaming) is an international Wi-Fi roaming service based on IEEE 802.1X (WPA2-Enterprise) for users at participating educational and research institutions.[1] This article describes how to configure Gentoo to connect to eduroam.

A map of the locations where eduroam is available is provided.[2]

Configuration

Configuration assistant tool

Note
IWD needs additional configuration that the CAT does not generate; see the IWD section below.

The eduroam Configuration Assistant Tool (CAT) collects information about the institutions' RADIUS/EAP deployments and generates installers for a range of PC and smartphone platforms.[3] The installer can be downloaded at cat.eduroam.org. On Linux, it supports PEAP-MSCHAPv2, TLS, TTLS-MSCHAPv2, TTLS-PAP, and Managed IdP.[4] Not all organizations have a profile on CAT. The generated profile carries the institution's CA certificate and the expected RADIUS server name; these two values are what let the client reject a rogue access point, so when a connection is configured by hand (as in the sections below) the same two values should be taken from the CAT profile or from the institution's IT support.

NetworkManager (nmcli)

Important
Be careful about storing passwords in configuration files, especially on multi-user systems. NetworkManager writes 802-1x.password into the connection's keyfile under /etc/NetworkManager/system-connections/ (readable only by root) unless 802-1x.password-flags is set to 1 (agent-owned), in which case the user's secret agent, for example a desktop keyring, stores it instead. A password passed on the nmcli command line is also visible to other local users in the process list for as long as nmcli runs. Follow standard best practices and don't reuse passwords.

nmcli can be used to manually establish eduroam connections with NetworkManager. The connection-specific configuration files are stored in /etc/NetworkManager/system-connections/.

FILE eduroam-setup.sh
#!/bin/bash
set -euo pipefail

CONNAME="eduroam"
USERNAME="firstname.surname@tuni.fi"
# CA certificate (PEM) that signs the institution's RADIUS server certificate,
# as shipped in its CAT profile. The path is a placeholder: replace it with the
# real location of the certificate on this system.
CACERT="/etc/ssl/certs/eduroam-ca.pem"

# Prompt for the password instead of keeping it in this file. All expansions
# below are quoted: with an empty, unquoted $PASSWORD nmcli would silently take
# the next argument (802-1x.phase2-auth) as the password and then fail.
read -rsp "eduroam password for ${USERNAME}: " PASSWORD; echo

nmcli connection add type wifi con-name "$CONNAME"      \
        connection.permissions "$LOGNAME"               \
        802-11-wireless.ssid "$CONNAME"                 \
        802-11-wireless-security.key-mgmt wpa-eap       \
        802-11-wireless-security.group ccmp             \
        802-11-wireless-security.pairwise ccmp          \
        802-11-wireless-security.proto rsn              \
        802-1x.ca-cert "$CACERT"                        \
        802-1x.altsubject-matches DNS:wifi.tuni.fi      \
        802-1x.anonymous-identity anonymous@tuni.fi     \
        802-1x.eap peap                                 \
        802-1x.identity "$USERNAME"                     \
        802-1x.password "$PASSWORD"                     \
        802-1x.phase2-auth mschapv2                     \
        ipv4.method auto                                \
        ipv6.addr-gen-mode stable-privacy               \
        ipv6.method auto

The above is specific to Tampere University in Finland. Configuration differs across institutions, especially parameters like 802-1x.altsubject-matches DNS:wifi.tuni.fi and 802-1x.anonymous-identity anonymous@tuni.fi. Whatever the institution, also set 802-1x.ca-cert to the CA certificate that signs its RADIUS server certificate: a name constraint alone (802-1x.altsubject-matches or 802-1x.domain-suffix-match) is checked against a server certificate that is never chained to a trusted CA, so a rogue access point presenting a self-signed certificate carrying the expected name can terminate the TLS tunnel and capture the MSCHAPv2 exchange. The CA certificate and the expected server names are part of the institution's CAT profile. TKIP is deprecated and eduroam access points use CCMP (AES), so there is no need to list tkip among the group ciphers.

IWD

Tip
Some institutions use other EAP methods, such as Tunneled TLS (TTLS). These need their own configuration keys (EAP-TTLS-* instead of EAP-PEAP-*), which are documented in the iwd.network(5) man page.

Create the following file and fill in the values from the CAT script or the NetworkManager profile. EAP-PEAP-CACert and EAP-PEAP-ServerDomainMask together make iwd validate the RADIUS server: the first chains the server certificate to the institution's CA, the second restricts which server names are accepted. Without the CA certificate the chain is not validated, and without the domain mask any certificate issued by that CA is accepted; either gap lets a rogue access point terminate the TLS tunnel and capture the MSCHAPv2 exchange. The file contains the password in clear text, so keep it owned by root with mode 0600.

FILE /var/lib/iwd/eduroam.8021x
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@[domain]
EAP-PEAP-CACert=/etc/ca-certificates/trust-source/anchors/[CACert].crt
EAP-PEAP-ServerDomainMask=radius.[domain]
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=[username]@[domain]
EAP-PEAP-Phase2-Password=[password]

[Settings]
AutoConnect=true
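The NetworkManager and IWD sections above both depend on the same two settings (a CA certificate plus a server-name constraint) to keep a rogue access point from harvesting credentials. The script below is an added example, not code from the Gentoo wiki or from either project: it audits a NetworkManager keyfile or an iwd .8021x file for those settings and flags the deprecated TKIP group cipher. The sample profiles it writes are constructed for the example, and the CA certificate path in them is a placeholder; the key names are the ones NetworkManager keyfiles ([802-1x], [wifi-security]) and iwd ([Security]) actually use.

```shell
#!/bin/sh
# Added example, not part of the Gentoo wiki page: audit an eduroam profile
# (NetworkManager keyfile or iwd .8021x file) for settings that leave the
# RADIUS server certificate unverified. Sample profiles are constructed here;
# the CA certificate path inside them is a placeholder.

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION], or nothing.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# audit_nm_keyfile FILE: return 0 if the [802-1x] section pins the server
# certificate (CA cert plus a server-name constraint) and no TKIP is enabled.
audit_nm_keyfile() {
    rc=0
    if [ -z "$(ini_get "$1" 802-1x ca-cert)" ]; then
        echo "$1: no 802-1x.ca-cert, server certificate chain is not validated"; rc=1
    fi
    if [ -z "$(ini_get "$1" 802-1x domain-suffix-match)" ] &&
       [ -z "$(ini_get "$1" 802-1x altsubject-matches)" ]; then
        echo "$1: no domain-suffix-match/altsubject-matches, any certificate from the CA is accepted"; rc=1
    fi
    case "$(ini_get "$1" wifi-security group)" in
        *tkip*) echo "$1: deprecated TKIP group cipher enabled"; rc=1 ;;
    esac
    return $rc
}

# audit_iwd_profile FILE: same check for an iwd [Security] section. The key
# names depend on the outer method (EAP-PEAP-*, EAP-TTLS-*, EAP-TLS-*).
audit_iwd_profile() {
    rc=0
    m="$(ini_get "$1" Security EAP-Method)"
    if [ -z "$(ini_get "$1" Security "EAP-$m-CACert")" ]; then
        echo "$1: no EAP-$m-CACert, server certificate chain is not validated"; rc=1
    fi
    if [ -z "$(ini_get "$1" Security "EAP-$m-ServerDomainMask")" ]; then
        echo "$1: no EAP-$m-ServerDomainMask, any certificate from the CA is accepted"; rc=1
    fi
    return $rc
}

# make_samples: write four constructed profiles (weak and fixed, for each
# format) into a temporary directory and print its path.
make_samples() {
    d="$(mktemp -d)"
    cat > "$d/nm-weak" <<'EOF'
[connection]
id=eduroam
type=wifi

[wifi-security]
key-mgmt=wpa-eap
group=ccmp;tkip;

[802-1x]
eap=peap;
identity=firstname.surname@example.org
altsubject-matches=DNS:wifi.example.org;
phase2-auth=mschapv2
EOF
    # Fixed variant: TKIP dropped, CA certificate pinned ([802-1x] is the last
    # section, so the appended key lands in it).
    sed 's/^group=.*/group=ccmp;/' "$d/nm-weak" > "$d/nm-ok"
    echo 'ca-cert=/etc/ssl/certs/example-eduroam-ca.pem' >> "$d/nm-ok"
    cat > "$d/iwd-weak" <<'EOF'
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@example.org
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=user@example.org
EAP-PEAP-Phase2-Password=hunter2
EOF
    { cat "$d/iwd-weak"
      echo 'EAP-PEAP-CACert=/etc/ssl/certs/example-eduroam-ca.pem'
      echo 'EAP-PEAP-ServerDomainMask=radius.example.org'; } > "$d/iwd-ok"
    echo "$d"
}

# Demo: audit the constructed samples; the weak ones are reported, the fixed
# ones print "ok". Set EDUROAM_AUDIT_DEMO=0 to skip when sourcing this file.
if [ "${EDUROAM_AUDIT_DEMO:-1}" = 1 ]; then
    dir="$(make_samples)"
    for p in nm-weak nm-ok; do
        if audit_nm_keyfile "$dir/$p"; then echo "$dir/$p: ok"; fi
    done
    for p in iwd-weak iwd-ok; do
        if audit_iwd_profile "$dir/$p"; then echo "$dir/$p: ok"; fi
    done
    rm -rf "$dir"
fi
```

To audit a real profile, run `audit_nm_keyfile /etc/NetworkManager/system-connections/eduroam.nmconnection` or `audit_iwd_profile /var/lib/iwd/eduroam.8021x` as root after sourcing the file with EDUROAM_AUDIT_DEMO=0; a non-zero exit status means at least one finding was printed.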

Troubleshooting

On systemd profiles, NetworkManager and systemd-networkd.service can both try to manage the wireless interface, which shows up as the eduroam connection dropping shortly after it comes up and then reconnecting, over and over. To make sure that only NetworkManager manages the interface, run

root #systemctl stop systemd-networkd.service

and

root #systemctl disable systemd-networkd.service

unless this service is needed for something else, for example for wired interfaces. In that case leave networkd running and instead tell it to leave the wireless interface alone with Unmanaged=yes in the [Link] section of a .network file matching that interface.

Roam.fi

https://www.roam.fi/ is a similar roaming network in Finland. The script above also works for roam.fi; only the SSID differs, so set the variable CONNAME="roam.fi".

KDE Plasma settings

Below are screenshots from KDE Plasma desktop environment system settings for eduroam wi-fi configuration.

Site-specific tips

For institution-specific guidance, contact the institution's support team. Some tips are collected here and may be useful for individual users.

University of Bristol

The University of Bristol has pages on configuring eduroam using NetworkManager, wpa_supplicant, netctl and more.

Technical University of Łódź

The Technical University of Łódź (Politechnika Łódzka) does not provide any official guidance on how to configure eduroam.[5]

Note
If NetworkManager isn't compiled with iwd support, it won't even see the network.

Below is a config that allowed at least one student to use NetworkManager to connect to eduroam.

  1. Download the CA certificate file (tuLodzPem.pem) from the University CA's site and save it to /etc/ca-certificates/trust-source/. The configuration below refers to it as tuLodzRoot.pem; point EAP-PEAP-CACert at whatever name the file was saved under.
  2. Copy the following into /var/lib/iwd/eduroam.8021x and replace the values [in brackets]
FILE /var/lib/iwd/eduroam.8021x
[Security]
EAP-Method=PEAP
EAP-Identity=[student_id]@edu.p.lodz.pl
EAP-PEAP-CACert=/etc/ca-certificates/trust-source/tuLodzRoot.pem
EAP-PEAP-ServerDomainMask=*.p.lodz.pl
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=[student_id]@edu.p.lodz.pl
EAP-PEAP-Phase2-Password=[password]

This should already work. To be safe, open nmtui and check the eduroam connection; once it is saved there, the file above should begin with # Auto-generated from NetworkManager connection "eduroam".
