Connecting to the eduroam Wireless Network

Connecting to the eduroam network shares some similarities with connecting to UVA's VPN on linux. See VPN Setup for details there.

Step-by-step guide

This guide has been updated as of . You may view previous versions of this guide by looking at the "Page History" information.

If something in this guide does not work for you, please comment on the page (with your system version) or suggest an edit to the guide.

For this tutorial, our example compute ID will be "jjruv4".

2. The "Operating System" field should be "Unknown", give a short description of this where this certificate will be used.
3. (Optional) Enter the MAC/hardware address of the wireless network card for your device. If you don't know your MAC address, you can find it by opening a terminal and using the ip a command, then finding the interface that corresponds to your wifi network card. It may begin with "wlp" in the ID. Then, the hexadecimal string following "link/ether" will be your MAC address.

4. Enter a passphrase for your private key.

Make sure to record this passphrase and put it somewhere safe! This passphrase is required to use your certificate, and no one can recover it after the fact, not even UVA ITS.

5. You should now be able to download a file with the suffix ".p12".
1. Open your network connection configuration menu. This will look different for every flavor of Linux/GUI framework, but this should generally be found under "System Settings" or on the task bar. You should be in the correct menu when you see a list of Wi-Fi networks that you can connect to.
2. Enter the configuration menu for the eduroam network, and navigate to the "Security" tab (may also be named "Wi-Fi Security"
3. Set your configuration as follows. Please note that the exact option names may be different on your OS. If a configuration option is not listed here, then it should (most likely) be on its default setting:

 Security WPA/WPA2 Enterprise Authentication TLS Identity User Certificate CA Certificate Private Key Private Key Password
4. Make sure to uncheck the "All users may connect to this network" option in the "General" tab. This may also be named as "Available to all users", or similar.

3. Connect to the network. You should now be able to click on the eduroam network and connect! See below for troubleshooting suggestions.

Troubleshooting

Eduroam uses deprecated security protocols

Eduroam networks sometimes rely on deprecated security configurations which may force your system to block connections.This is a pervasive issue with many eduroam networks (not just UVA) that depends on the network configuration, your OS and package versions, network device configuration, and network connection configuration. Here are some suggestions that have worked for others:

1. Remove CA certificate requirements for WPA2 connections
1. This requires that you use Network Manager as a network connection manager (the default in Ubuntu, Debian, and most Linux systems), and that Network Manager is managing your Wi-Fi card. You can check on this by typing nmcli device and looking at the "STATE" column for your wireless device; if it says "unmanaged", then you must set up Network Manager to manage that device.
2. As root, edit the file /etc/NetworkManager/system-connections/eduroam.nmconnection (or something similar) using your favorite text editor (nano, vim, gedit, etc.). Remove the line system-ca-cert=true. If that line is not present, you may add this field and set it to false by adding the line system-ca-cert=false.
3. Taken from (and described) here https://askubuntu.com/a/295600
2. Enable deprecated security renegotiation protocols in wpa_supplicant. Basically, some eduroam setups may still be using SHA-1 cryptography, which is blocked by default on many newer systems (like Ubuntu 22.04). There are a couple of methods for unblocking this:
1. Edit your wpa_supplicant (the program that handles WPA/WPA2 networks) configuration. There are several steps, see https://askubuntu.com/a/1405397 for details.
2. Downgrade wpasupplicant  and libssl  packages (not recommended)
1. Basically requires downloading older versions of these two packages and installing them onto your system. More details can be found at http://galileo.phys.virginia.edu/compfac/faq/linux-eduroam.html under "Option 2: Manual Setup."
2. Note that this is very unsafe and, in my opinion, more likely to end up with package conflicts in the long term. Your machine would almost certainly be vulnerable to a number of attacks, as libssl  is a core library used in many other security programs in Linux (not just your network connections). Also, many other programs will require newer versions of these packages, which could block you from installing critical updates in the future. Preventing future updates makes all of this even worse.

Example eduroam.nmconnection file

Below I have posted an example eduroam connection config file that does work, as of . This is not guaranteed to work on your setup, but it provides a point of reference. If you are using Network Manager, you should be able to find your connection configuration in /etc/NetworkManager/system-connections/eduroam.nmconnection. Modify fields as necessary for your system.

eduroam.nmconnection
[connection]
id=eduroam
type=wifi
autoconnect-priority=1
permissions=user:jjruv4:;

[wifi]
mode=infrastructure
ssid=eduroam

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=tls;
identity=jjruv4@virginia.edu
private-key-password=#REDACTED. It should be encrypted anyway!

[ipv4]
method=auto

[ipv6]
method=auto

[proxy]

Information for this how-to was taken from the UVA Physics site:

http://galileo.phys.virginia.edu/compfac/faq/linux-eduroam.html

Some of their steps did not work for my setup, and were edited accordingly in this write-up. Their configuration may work for you if you are having trouble with this one.

• Page:
• Page:
• Page: