This repository is hereby deprecated, and will be taken down shortly after August 22, 2018 AOE. That is, the provided configuration will become unavailable in the interest of not spreading security malpractice further.
The eduroam Configuration Assistant Tool (CAT) does the task that this repository was meant to do, but better. For Linux, they offer shell-script installers that will generate a wpa_supplicant configuration for you if they fail to find Network Manager installed.
CAT does a better job because it also provisions you with a certificate which you can use to verify the RADIUS server of your home institution before talking to it. The configuration provided here did not do that, and this is bad practice—you may have exposed your password to unintended parties.
Using CAT, rather than this configuration, also means that you should from now on keep an eye on when the configuration or certificate at your home institution is subject to change, and upgrade your configuration accordingly.
It is recommended that you change your password if you used this configuration.
See also issues #23, #24, and #25.
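A check for the gap described above, as an added example (not part of this repository or of CAT): it scans a wpa_supplicant configuration for 802.1X network blocks that lack a trusted CA (ca_cert or ca_path) or a server-name constraint such as domain_suffix_match. The sample configuration, including its hash, CA path and server name, is constructed with placeholder values.

```python
import re

# wpa_supplicant fields that constrain the name in the RADIUS server's certificate.
NAME_CHECKS = {"domain_suffix_match", "domain_match", "altsubject_match", "subject_match"}

# Constructed sample: block 1 has no server validation, block 2 pins a CA and a
# server name. The hash, CA path and server name are placeholders.
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="abc123@ku.dk"
    password=hash:00000000000000000000000000000000
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/EXAMPLE-home-ca.pem"
    domain_suffix_match="radius.example.org"
}
'''

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\s*\}", text, flags=re.S):
        pairs = (line.strip().partition("=") for line in body.splitlines())
        networks.append({k: v.strip('"') for k, _, v in pairs
                         if v and not k.startswith("#")})
    return networks

def audit(text):
    """Return (ssid, missing server checks) for every 802.1X network block."""
    results = []
    for net in parse_networks(text):
        if "eap" not in net and "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/open networks have no RADIUS server to verify
        missing = []
        if not net.keys() & {"ca_cert", "ca_path"}:
            missing.append("ca_cert")  # without a CA, any server certificate is accepted
        if not net.keys() & NAME_CHECKS:
            missing.append("server name match")  # any cert from that CA would pass
        results.append((net.get("ssid", "?"), missing))
    return results

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

An empty list next to a network means both checks are configured; it does not confirm that the CA file or server name is the right one for your home institution.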
TLDR; This wpa_supplicant configuration for eduroam seems to be rather robust.
Eduroam is a secure, wireless access service made available to the education and research community by many educational institutions around the world. It was designed so that you as a student or researcher have to exert minimal effort to connect to a secure wireless network, no matter which educational institution you happen to be at today. This encourages educational exchange and scientific collaboration around the world. (This video explains eduroam using cartoons!)
wpa_supplicant is a generic "IEEE 802.1X supplicant" (i.e., the tool that can make sure your wireless connection is secure). Most Linux-based networking managers use wpa_supplicant behind the scenes. Of course, wpa_supplicant has a command-line interface, and it is fairly straight-forward to exert grand control over your configuration. (There are no cartoons about wpa_supplicant ☹.)
To this end, it is a shame that the generic eduroam web-site seemingly (i.e., correct me if I'm wrong) offers no documentation on how to set up your wpa_supplicant. Instead, they offer installers to end-users, including a shell-script for Linux users (which could be regarded as primitive, but honest documentation). Some institutions do offer raw wpa_supplicant documentation, but do so in an ad-hoc fashion — without any guarantee that the configuration will work at any other institution, defeating the purpose of Eduroam.
This is an attempt to establish a unified wpa_supplicant configuration, that works across the board. For now however, this is just an undocumented wpa_supplicant configuration that seems to work rather well across a number of institutions. Lend a hand, and document it, or just let me know if this configuration also works for you.
Set identity to abc123@ku.dk, if your username is abc123, and your home university domain is ku.dk.
Set anonymous_identity to either [email protected] or simply @ku.dk. Using an anonymous identity does not reveal your identity to anyone but the home university — eduroam calls home to verify your identity and password every time you log in from another location.
The password hash needs to be an MD4 hash of the little-endian UTF-16 encoding of your password. For instance, if your password is hamster, you can hash it as follows:
$ echo -n 'hamster' | iconv -t utf16le | openssl md4
(Note the use of single-quotes to avoid escaping in the shell.)
(See also the HISTCONTROL bash variable for keeping commands out of your ~/.bash_history.)
If you are using pass, or another password-manager with a command-line interface, you might consider a pipeline like this instead:
$ pass eduroam | tr -d '\n' | iconv -t utf16le | openssl md4
Once you have the MD4 hash, write it into your configuration as follows:
password=hash:2fd23a...456cef
NB! MD4 is an obsolete hashing algorithm and should not be considered secure.
If you prefer to roll without a network manager, here is the quick and dirty way to run wpa_supplicant with this config:
$ sudo wpa_supplicant -Dnl80211 -iwlp3s0 -c supplicant.conf -B
Where nl80211 is the kernel driver to use. nl80211 is the new default 802.11 netlink interface, intended to replace the older wext (Wireless-Extensions). If you do not have nl80211 lying around, you may try wext, but wext can fail with the error ioctl[SIOCGIWSCAN]: Argument list too long in the face of too many access points. If you have an Intel card, another alternative is iwlwifi.
One way to find the driver you need is using lspci:
$ lspci -k
wlp3s0 is the network interface name for your wireless card. You can find this using ip link:
$ ip link
Optionally, use the -B option to move the wpa_supplicant process to background. Leaving it out, however, provides you with useful insights if you otherwise cannot connect.
Additionally, start up dhcpcd if it doesn't start automatically.
On Raspbian Stretch you would also have to add the following lines (courtesy of @patrick-nits):
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=root
country=<2-letter country code>
ctrl_interface is needed because Raspbian Stretch uses wpa_cli by default. ctrl_interface is needed whenever you use wpa_cli.
country is needed "for regulatory purposes". In particular, this alters the frequency bands that wpa_supplicant will use. The country code must be an ISO 3166-1 Alpha-2 Code.