Versions Compared

Old Version 2

changes.mady.by.user Tyler Spears

Saved on

compared with

New Version 3

changes.mady.by.user Tyler Spears

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Previous method no longer worked, updated to a new method that worked (for me, at least). Was able to remove .key/.crt file splitting step and usher CA certificate step. Added troubleshooting & instructions for dealing with eduroam deprecated protocols.

When connecting to the eduroam wifi SSID on a Linux computer.

Connecting to the eduroam network is very similar to shares some similarities with connecting to UVA's VPN on linux. See VPN Setup for details there.

Step-by-step guide

Info

This guide has been updated as of . You may view previous versions of this guide by looking at the "Page History" information.

Change History
limit3

If something in this guide does not work for you, please comment on the page (with your system version) or suggest an edit to the guide.


For this tutorial, our example compute ID will be "jjruv4".

To start, you 'll will need three different files to connect to the eduroam network: an usher/CA certificate file, a to download your personal/user certificate file, and a private key file

...

.

...



  1. Download your combined certificate (.p12 file)
    1. Head to https://in.virginia.edu/limited (alternative link: https://cloud.securew2.com/public/82116/limited/?device=Unknown) and log in with Netbadge (if not logged in already)
    2. The "Operating System" field should be "Unknown", give a short description of this where this certificate will be used.

    3. (Optional) Enter the MAC/hardware address of the wireless network card for your device. If you don't know your MAC address, you can find it by opening a terminal and using the ip a command, then finding the interface that corresponds to your wifi network card. It may begin with "wlp" in the ID. Then, the hexadecimal string following "link/ether" will be your MAC address.

    4. Enter a passphrase for your private key.

      Info
      This is not your netbadge login password, or any other UVA password. This is a unique passphrase used only for this certificate file.


      Warning

      Make sure to record this passphrase and put it somewhere safe! This passphrase is required to use your certificate, and no one can recover it after the fact, not even UVA ITITS.


    5. You should now be able to download a file with the suffix ".p12".
      This is your certificate file, but it has the user certificate and the private key merged into one file. So, we need to split the it into two components.
    Extract your personal/user certificate (.crt file)
  2. Enter a terminal and navigate to the directory that has your .p12 file.
    3. Use the openssl command as described in https://serverfault.com/a/413836. Assuming your file name is jjruv4.p12:
    openssl pkcs12 -in jjruv4.p12 -clcerts -nokeys -out jjruv4_user_cert.crt
    Extract your private key (.key file)
    1. Similar to the previous step, enter your terminal and navigate to the directory with your .p12 file (if you haven't already).
      2. Use openssl with a different set of parameters to extract your private key file:
      openssl pkcs12 -in jjruv4.p12 -nocerts -out jjruv4.key
    2. This will ask for your import password, which is the passphrase you created to download your .p12 file from UVA.

    3. It will then ask for a PEM passphrase. This is a passphrase that you set now that will encrypt the contents of your .key file. This the first time you are setting this passphrase, so it is not your import passphrase, your UVA netbadge login password, or any other password.

      Warning

      Make sure to record and store your PEM passphrase in a safe location! You cannot connect to the network without it. If you lose your PEM passphrase, there is no way to recover it, and you will have to extract the .key file again.

      (Optional) This step is not recommended. You can, and should, skip this step. Alternatively, you can create your .key file without a PEM passphrase and, therefore without any encryption, but this is very insecure! You can add the -nodes flag to the previous openssl command:
      openssl pkcs12 -in jjruv4.p12 -nocerts -nodes -out jjruv4.key
      See https://stackoverflow.com/a/54719547 for more details.
  3. Configure your network connection
    1. Finally, you have everything you need to configure your eduroam connection. Open your network connection configuration menu. This will look different for every flavor of Linux/GUI framework, but this should generally be found under "System Settings" or on the task bar. You should be in the correct menu when you see a list of Wi-Fi networks that you can connect to.
    2. Enter the configuration menu for the eduroam network, and navigate to the "Security" tab (may also be named "Wi-Fi Security"

    3. Set your configuration as follows. Please note that the exact option names may be different on your OS. If a configuration option is not listed here, then it should (most likely) be on its default setting:

      SecurityWPA/WPA2 Enterprise
      AuthenticationTLS
      Identity<Your compute ID email address in all lower-case letters. Example: "jjruv4@virginia.edu">
      User Certificate<The full path to your .crt p12 file. Use the file selection menu if possible. Otherwise, you may need to prefix the file path with the "file://" URI. Example: "file:///home/jjruv4/.certs/jjruv4.crtp12">
      CA Certificate<The full file path to your usher certificate (usher.cer). Use the file selection menu if possible. Otherwise, you may need to prefix the file path with the "file://" URI. Example: "file:///home/jjruv4/.certs/usher.cer"><Leave Empty>
      Private Key<The full file path to your private key ( .key) p12 file. Use the file selection menu if possible. Otherwise, you may need to prefix the file path with the "file://" URI. Example: "file:///home/jjruv4/.certs/jjruv4.keyp12">
      Private Key Password<The password given when you created and downloaded the .p12 file from UVA in Step 2. This is not your UVA netbadge password, nor is it your PEM passphrase.>


    4. Make sure to uncheck the "All users may connect to this network" option in the "General" tab. This may also be named as "Available to all users", or similar.

  4. Connect to the network. You should now be able to click on the eduroam network and connect! See below for troubleshooting suggestions.

Troubleshooting

Eduroam uses deprecated security protocols

Eduroam networks sometimes rely on deprecated security configurations which may force your system to block connections.This is a pervasive issue with many eduroam networks (not just UVA) that depends on the network configuration, your OS and package versions, network device configuration, and network connection configuration. Here are some suggestions that have worked for others:

  1. Remove CA certificate requirements for WPA2 connections
    1. This requires that you use Network Manager as a network connection manager (the default in Ubuntu, Debian, and most Linux systems), and that Network Manager is managing your Wi-Fi card. You can check on this by typing nmcli device and looking at the "STATE" column for your wireless device; if it says "unmanaged", then you must set up Network Manager to manage that device.
    2. As root, edit the file /etc/NetworkManager/system-connections/eduroam.nmconnection (or something similar) using your favorite text editor (nano, vim, gedit, etc.). Remove the line system-ca-cert=true. If that line is not present, you may add this field and set a PEM passphrase, the network manager software will need this to de-crypt and use your private key file, so enter the passphrase whenit to false by adding the line system-ca-cert=false.
    3. Taken from (and described) here https://askubuntu.com/a/295600
  2. Enable deprecated security renegotiation protocols in wpa_supplicant
    1. Basically, some eduroam setups may still be using SHA-1 cryptography, which is blocked by default on many newer systems (like Ubuntu 22.04). There are a couple of methods for unblocking this:
      1. Edit your wpa_supplicant (the program that handles WPA/WPA2 networks) configuration. There are several steps, see https://askubuntu.com/a/1405397 for details.
      2. Downgrade wpasupplicant  and libssl  packages (not recommended)
        1. Basically requires downloading older versions of these two packages and installing them onto your system. More details can be found at http://galileo.phys.virginia.edu/compfac/faq/linux-eduroam.html under "Option 2: Manual Setup."
        2. Note that this is very unsafe and, in my opinion, more likely to end up with package conflicts in the long term. Your machine would almost certainly be vulnerable to a number of attacks, as libssl  is a core library used in many other security programs in Linux (not just your network connections). Also, many other programs will require newer versions of these packages, which could block you from installing critical updates in the future. Preventing future updates makes all of this even worse.

For more information on the WPA2/CA Certificate problems, see:

Example eduroam.nmconnection file

Below I have posted an example eduroam connection config file that does work, as of . This is not guaranteed to work on your setup, but it provides a point of reference. If you are using Network Manager, you should be able to find your connection configuration in /etc/NetworkManager/system-connections/eduroam.nmconnection. Modify fields as necessary for your system.

Code Block
titleeduroam.nmconnection
[connection]
id=eduroam
uuid= # your connection UUID
type=wifi
autoconnect-priority=1
permissions=user:jjruv4:;

[wifi]
mac-address= #your wireless network card's MAC address
mode=infrastructure
ssid=eduroam

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
client-cert=#path to your .p12 file
eap=tls;
identity=jjruv4@virginia.edu
private-key=#path to your .p12 file
private-key-password=#REDACTED. It should be encrypted anyway!

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]


...

Information for this how-to was taken from the UVA Physics site:

...