Connecting to the eduroam network shares some similarities with connecting to UVA's VPN on Linux. See VPN Setup for details there.
This guide has been updated as of . You may view previous versions of this guide by looking at the "Page History" information.
If something in this guide does not work for you, please comment on the page (with your system version) or suggest an edit to the guide.
For this tutorial, our example compute ID will be "jjruv4".
To start, you will need to download your personal/user certificate file.
(Optional) Enter the MAC/hardware address of the wireless network card for your device. If you don't know your MAC address, you can find it by opening a terminal and using the "ip a" command, then finding the interface that corresponds to your wifi network card. It may begin with "wlp" in the ID. Then, the hexadecimal string following "link/ether" will be your MAC address.
Enter a passphrase for your private key.
Make sure to record this passphrase and put it somewhere safe! This passphrase is required to use your certificate, and no one can recover it after the fact, not even UVA ITS.
.p12".
Set your configuration as follows. Please note that the exact option names may be different on your OS. If a configuration option is not listed here, then it should (most likely) be on its default setting:
Security | WPA/WPA2 Enterprise |
Authentication | TLS |
Identity | <Your compute ID email address in all lower-case letters. Example: "jjruv4@virginia.edu"> |
User Certificate | <The full path to your .p12 file. Use the file selection menu if possible. Otherwise, you may need to prefix the file path with the "file://" URI. Example: "file:///home/jjruv4/.certs/jjruv4.p12"> |
CA Certificate | <Leave Empty> |
Private Key | <The full file path to your private .p12 file. Use the file selection menu if possible. Otherwise, you may need to prefix the file path with the "file://" URI. Example: "file:///home/jjruv4/.certs/jjruv4.p12"> |
Private Key Password | <The password given when you created and downloaded the .p12 file from UVA in Step 2. This is not your UVA netbadge password, nor is it your PEM passphrase.> |
Make sure to uncheck the "All users may connect to this network" option in the "General" tab. This may also be named as "Available to all users", or similar.
Connect to the network. You should now be able to click on the eduroam network and connect! See below for troubleshooting suggestions.
Eduroam networks sometimes rely on deprecated security configurations which may force your system to block connections. This is a pervasive issue with many eduroam networks (not just UVA) that depends on the network configuration, your OS and package versions, network device configuration, and network connection configuration. Here are some suggestions that have worked for others:
/etc/NetworkManager/system-connections/eduroam.nmconnection (or something similar) using your favorite text editor (nano, vim, gedit, etc.). Remove the line system-ca-cert=true. If that line is not present, you may add this field and set it to false by adding the line system-ca-cert=false.
wpa_supplicant. Basically, some eduroam setups may still be using SHA-1 cryptography, which is blocked by default on many newer systems (like Ubuntu 22.04). There are a couple of methods for unblocking this:
wpa_supplicant (the program that handles WPA/WPA2 networks) configuration. There are several steps, see https://askubuntu.com/a/1405397 for details.
wpasupplicant and libssl packages (not recommended)
libssl is a core library used in many other security programs in Linux (not just your network connections). Also, many other programs will require newer versions of these packages, which could block you from installing critical updates in the future. Preventing future updates makes all of this even worse.
For more information on the WPA2/CA Certificate problems, see:
eduroam.nmconnection file
Below I have posted an example eduroam connection config file that does work, as of
[connection]
id=eduroam
# your connection UUID
uuid=
type=wifi
autoconnect-priority=1
permissions=user:jjruv4:;

[wifi]
# your wireless network card's MAC address
mac-address=
mode=infrastructure
ssid=eduroam

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
# path to your .p12 file
client-cert=
eap=tls;
identity=jjruv4@virginia.edu
# path to your .p12 file
private-key=
# REDACTED. It should be encrypted anyway!
private-key-password=

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]
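A quick review of a profile like the example file above against the settings this guide calls for (per-user permissions, EAP-TLS, lower-case identity) and the trust-related fields it touches. This is an added example, not part of the original guide; the finding names, the sample paths and the placeholder password are assumptions made for illustration.

```python
import configparser

# Constructed profile modelled on the guide's example file; the paths and the
# password are placeholders, not real values.
AS_IN_GUIDE = """\
[connection]
id=eduroam
type=wifi
permissions=user:jjruv4:;

[wifi]
ssid=eduroam

[802-1x]
eap=tls;
identity=jjruv4@virginia.edu
client-cert=/home/jjruv4/.certs/jjruv4.p12
private-key=/home/jjruv4/.certs/jjruv4.p12
private-key-password=placeholder
"""

def review(text):
    """Return a sorted list of finding codes for a keyfile given as text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    conn = dict(cp["connection"]) if cp.has_section("connection") else {}
    dot1x = dict(cp["802-1x"]) if cp.has_section("802-1x") else {}
    found = set()
    # Empty or missing "permissions" means every local user may use the profile.
    if not conn.get("permissions", "").strip(";"):
        found.add("profile-open-to-all-users")
    if "tls" not in dot1x.get("eap", "").strip(";").split(";"):
        found.add("eap-is-not-tls")
    ident = dot1x.get("identity", "")
    if ident != ident.lower() or "@" not in ident:
        found.add("identity-not-lowercase-email")
    # The guide writes the key as system-ca-cert; NetworkManager documents the
    # 802-1x property as system-ca-certs, so accept either spelling.
    system_ca = "true" in (dot1x.get("system-ca-cert"), dot1x.get("system-ca-certs"))
    # With no CA file and no system CA store, there is no trust anchor for
    # the authentication server's certificate.
    if not dot1x.get("ca-cert") and not system_ca:
        found.add("no-ca-for-server-certificate")
    if dot1x.get("private-key-password"):
        found.add("key-password-stored-in-file")
    return sorted(found)

if __name__ == "__main__":
    print(review(AS_IN_GUIDE))
```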
Information for this how-to was taken from the UVA Physics site:
http://galileo.phys.virginia.edu/compfac/faq/linux-eduroam.html
Some of their steps did not work for my setup, and were edited accordingly in this write-up. Their configuration may work for you if you are having trouble with this one.