This guide covers connecting to the eduroam Wi-Fi SSID on a Linux computer.
Connecting to the eduroam network shares some similarities with connecting to UVA's VPN on Linux. See VPN Setup for details there.
Step-by-step guide
Info: This guide has been updated as of . You may view previous versions of this guide by looking at the "Page History" information. If something in this guide does not work for you, please comment on the page (with your system version) or suggest an edit to the guide.
For this tutorial, our example computing ID will be "jjruv4".
To start, you will need to download your personal/user certificate file. This is a .p12 bundle that contains both your user certificate and your private key. (An older approach, kept below as an optional step, used three separate files instead: a usher/CA certificate file, a personal/user certificate file, and a private key file.)
- Download your combined certificate (.p12 file)
  - Head to https://in.virginia.edu/limited (alternative link: https://cloud.securew2.com/public/82116/limited/?device=Unknown) and log in with Netbadge (if not logged in already).
  - The "Operating System" field should be "Unknown". Give a short description of where this certificate will be used.
  - (Optional) Enter the MAC/hardware address of the wireless network card for your device. If you don't know your MAC address, you can find it by opening a terminal and running the "ip a" command, then finding the interface that corresponds to your Wi-Fi card (its name may begin with "wlp"). The hexadecimal string following "link/ether" is your MAC address.
  - Enter a passphrase for your private key.
    Info: This is not your Netbadge login password, or any other UVA password. It is a unique passphrase used only for this certificate file.
    Warning: Make sure to record this passphrase and put it somewhere safe! It is required to use your certificate, and no one can recover it after the fact, not even UVA ITS.
  - You should now be able to download a file with the suffix ".p12".
This is your certificate file, but it has the user certificate and the private key merged into one file. The configuration step below uses the .p12 file directly; the following optional step shows how to split it into its two components if you need the user certificate and the private key as separate files.
- (Optional) Split the .p12 file into a user certificate (.crt) and a private key (.key)
  - Extract your user certificate (.crt file). Enter a terminal and navigate to the directory that has your .p12 file. Use the openssl command as described in https://serverfault.com/a/413836. Assuming your file name is jjruv4.p12:
    openssl pkcs12 -in jjruv4.p12 -clcerts -nokeys -out jjruv4_user_cert.crt
  - Extract your private key (.key file). Similar to the previous step, enter your terminal and navigate to the directory with your .p12 file (if you haven't already). Use openssl with a different set of parameters to extract your private key file:
    openssl pkcs12 -in jjruv4.p12 -nocerts -out jjruv4.key
    This will ask for your import password, which is the passphrase you created to download your .p12 file from UVA. It will then ask for a PEM passphrase. This is a passphrase that you set now that will encrypt the contents of your .key file. This is the first time you are setting this passphrase, so it is not your import passphrase, your UVA Netbadge login password, or any other password.
    Warning: Make sure to record and store your PEM passphrase in a safe location! You cannot connect to the network without it. If you lose your PEM passphrase, there is no way to recover it, and you will have to extract the .key file again.
  - (Optional, and not recommended; you can, and should, skip this step.) You can create your .key file without a PEM passphrase and therefore without any encryption, but this is very insecure! To do so, add the -nodes flag to the previous openssl command:
    openssl pkcs12 -in jjruv4.p12 -nocerts -nodes -out jjruv4.key
    See https://stackoverflow.com/a/54719547 for more details.
- Configure your network connection
  - Finally, you have everything you need to configure your eduroam connection. Open your network connection configuration menu. This will look different for every flavor of Linux/GUI framework, but it should generally be found under "System Settings" or on the task bar. You are in the correct menu when you see a list of Wi-Fi networks that you can connect to.
  - Enter the configuration menu for the eduroam network, and navigate to the "Security" tab (it may also be named "Wi-Fi Security").
  - Set your configuration as follows. Please note that the exact option names may differ on your OS. If a configuration option is not listed here, it should (most likely) stay on its default setting:
    Security: WPA/WPA2 Enterprise
    Authentication: TLS
    Identity: <Your computing ID email address in all lower-case letters. Example: "jjruv4@virginia.edu">
    User Certificate: <The full path to your .p12 file. Use the file selection menu if possible. Otherwise, you may need to prefix the file path with the "file://" URI. Example: "file:///home/jjruv4/.certs/jjruv4.p12">
    CA Certificate: <Leave empty>
    Private Key: <The full path to your .p12 file. Use the file selection menu if possible. Otherwise, you may need to prefix the file path with the "file://" URI. Example: "file:///home/jjruv4/.certs/jjruv4.p12">
    Private Key Password: <The password you chose when you created and downloaded the .p12 file from UVA in the download step above. This is not your UVA Netbadge password, nor is it your PEM passphrase.>
    If you split the .p12 file in the optional step above and want to use the separate files instead, set User Certificate to your .crt file (example: "file:///home/jjruv4/.certs/jjruv4.crt"), CA Certificate to your usher certificate (example: "file:///home/jjruv4/.certs/usher.cer"), Private Key to your .key file (example: "file:///home/jjruv4/.certs/jjruv4.key"), and Private Key Password to the PEM passphrase you set when extracting the key; Network Manager needs that passphrase to decrypt and use your private key file.
  - Make sure to uncheck the "All users may connect to this network" option in the "General" tab. This may also be named "Available to all users", or similar.
- Connect to the network. You should now be able to click on the eduroam network and connect! See below for troubleshooting suggestions.
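As an added example (not the UVA guide's own code), the two openssl commands from the optional split step can be wrapped in a small POSIX shell script that also restricts file permissions and verifies that the extracted certificate and key belong together. It assumes openssl is installed and that the .p12 import password and the new PEM passphrase are exported as the environment variables P12_PASS and KEY_PASS (names chosen for this example).

```shell
#!/bin/sh
# Added example, not the UVA guide's own code: wrap the two openssl commands
# from the split step in functions that also restrict file permissions and
# verify that the extracted certificate and private key belong together.
# Assumes: openssl is installed; the .p12 import password is exported as
# P12_PASS and the new PEM passphrase as KEY_PASS (names chosen here).
set -eu

# split_p12 <bundle.p12> <out_dir>
# Writes <out_dir>/user_cert.crt and <out_dir>/user.key (PEM, encrypted).
split_p12() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    chmod 700 "$outdir"                      # keep the key out of other users' reach
    # Same two commands as the guide, with passwords supplied non-interactively.
    openssl pkcs12 -in "$bundle" -clcerts -nokeys \
        -passin env:P12_PASS -out "$outdir/user_cert.crt"
    openssl pkcs12 -in "$bundle" -nocerts \
        -passin env:P12_PASS -passout env:KEY_PASS -out "$outdir/user.key"
    chmod 600 "$outdir/user.key"             # private key: owner read/write only
}

# cert_matches_key <cert.crt> <user.key>
# Succeeds only if both files carry the same public key, i.e. the key really
# is the one the certificate was issued for.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# cert_valid_for_days <cert.crt> <days>
# Succeeds if the user certificate will still be valid <days> from now, so an
# expired certificate can be ruled out when troubleshooting.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}
```

If OpenSSL 3 rejects an older .p12 with an unsupported-algorithm error, add the -legacy flag to the two pkcs12 commands.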
Troubleshooting
Eduroam uses deprecated security protocols
Eduroam networks sometimes rely on deprecated security configurations which may force your system to block connections. This is a pervasive issue with many eduroam networks (not just UVA) that depends on the network configuration, your OS and package versions, network device configuration, and network connection configuration. Here are some suggestions that have worked for others:
- Remove CA certificate requirements for WPA2 connections
  - This requires that you use Network Manager as your network connection manager (the default in Ubuntu, Debian, and most Linux systems), and that Network Manager is managing your Wi-Fi card. You can check this by typing "nmcli device" and looking at the "STATE" column for your wireless device; if it says "unmanaged", then you must set up Network Manager to manage that device.
  - As root, edit the file /etc/NetworkManager/system-connections/eduroam.nmconnection (or something similar) using your favorite text editor (nano, vim, gedit, etc.). Remove the line "system-ca-cert=true". If that line is not present, you may add this field and set it to false by adding the line "system-ca-cert=false". Note that this stops Network Manager from using the system CA store for this connection; if the CA Certificate field is also left empty, the authentication server's certificate is not verified at all.
  - Taken from (and described) here: https://askubuntu.com/a/295600
- Enable deprecated security renegotiation protocols in wpa_supplicant
  - Basically, some eduroam setups may still be using SHA-1 cryptography, which is blocked by default on many newer systems (like Ubuntu 22.04). There are a couple of methods for unblocking this:
    - Edit your wpa_supplicant (the program that handles WPA/WPA2 networks) configuration. There are several steps; see https://askubuntu.com/a/1405397 for details.
    - Downgrade the wpasupplicant and libssl packages (not recommended). This basically requires downloading older versions of these two packages and installing them onto your system. More details can be found at http://galileo.phys.virginia.edu/compfac/faq/linux-eduroam.html under "Option 2: Manual Setup."
      Note that this is very unsafe and, in my opinion, more likely to end up with package conflicts in the long term. Your machine would almost certainly be vulnerable to a number of attacks, as libssl is a core library used by many other security programs on Linux (not just your network connections). Also, many other programs will require newer versions of these packages, which could block you from installing critical updates in the future. Preventing future updates makes all of this even worse.
For more information on the WPA2/CA certificate problems, see:
- https://ubuntuforums.org/showthread.php?t=2474436&p=14094091
- https://askubuntu.com/questions/279762/how-to-connect-to-wpa2-peap-mschapv2-enterprise-wifi-networks-that-dont-use-a-c
- https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1104476
Example eduroam.nmconnection file
Below I have posted an example eduroam connection config file that does work, as of . This is not guaranteed to work on your setup, but it provides a point of reference. If you are using Network Manager, you should be able to find your connection configuration in /etc/NetworkManager/system-connections/eduroam.nmconnection. Modify fields as necessary for your system.
```ini
[connection]
id=eduroam
# uuid: your connection UUID
uuid=
type=wifi
autoconnect-priority=1
permissions=user:jjruv4:;

[wifi]
# mac-address: your wireless network card's MAC address
mac-address=
mode=infrastructure
ssid=eduroam

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
# client-cert and private-key: path to your .p12 file
client-cert=
eap=tls;
identity=jjruv4@virginia.edu
private-key=
# private-key-password: REDACTED. It should be encrypted anyway!
private-key-password=

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]
```
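As an added example (not from the UVA guide), the keyfile above can be generated by a small POSIX shell function that fills in the identity, the .p12 path and the .p12 password, and creates the file with mode 0600 from the start, since private-key-password is stored in clear text and Network Manager expects such keyfiles to be readable by root only. The mac-address line is left out, the UUID is generated on the fly, and the function and parameter names are this example's own.

```shell
#!/bin/sh
# Added example, not from the UVA guide: generate the eduroam keyfile shown
# above with identity, .p12 path and .p12 password filled in, created with
# mode 0600 because private-key-password is stored in clear text.
# Assumes Linux (/proc or uuidgen for the UUID, GNU/busybox stat).
set -eu

# write_eduroam_nmconnection <identity> <p12_path> <p12_password> <out_file>
write_eduroam_nmconnection() {
    identity="$1"; p12="$2"; p12_pass="$3"; out="$4"
    user="${identity%%@*}"                 # "jjruv4" from "jjruv4@virginia.edu"
    uuid=$(cat /proc/sys/kernel/random/uuid 2>/dev/null || uuidgen)
    [ -r "$p12" ] || { echo "cannot read bundle: $p12" >&2; return 1; }
    ( umask 077; rm -f "$out"; cat > "$out" ) <<EOF
[connection]
id=eduroam
uuid=$uuid
type=wifi
autoconnect-priority=1
permissions=user:$user:;

[wifi]
mode=infrastructure
ssid=eduroam

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=tls;
identity=$identity
client-cert=$p12
private-key=$p12
private-key-password=$p12_pass

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto
EOF
}

# nmconnection_is_private <file>: succeeds only for mode 0600, which is what
# Network Manager expects for a keyfile that holds a password.
nmconnection_is_private() {
    [ "$(stat -c %a "$1")" = "600" ]
}
```

Run it as root so the resulting file under /etc/NetworkManager/system-connections/ is root-owned as well.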
Information for this how-to was taken from the UVA Physics site.