TLDR; This wpa_supplicant configuration for eduroam seems to be rather robust.
Eduroam is a secure, wireless access service made available to the education and research community by many educational institutions around the world. It was designed so that you as a student or researcher have to exert minimal effort to connect to a secure wireless network, no matter which educational institution you happen to be visiting. This encourages educational exchange and scientific collaboration around the world. (This video explains eduroam using cartoons!)
wpa_supplicant is a generic "IEEE 802.1X supplicant" (i.e., the tool that can make sure your wireless connection is secure). Most Linux-based networking managers use wpa_supplicant behind the scenes. Of course, wpa_supplicant has a command-line interface, and it is fairly straight-forward to exert grand control over your configuration. (There are no cartoons about wpa_supplicant ☹.)
To this end, it is a shame that the generic eduroam web-site seemingly (i.e., correct me if I'm wrong) offers no documentation on how to set up your wpa_supplicant. Instead, they offer installers to end-users, including a shell-script for Linux users (which could be regarded as primitive, but honest documentation). Some institutions do offer raw wpa_supplicant documentation, but do so in an ad-hoc fashion (i.e., without any guarantee that the configuration will work at another institution).
This is an attempt to establish a unified wpa_supplicant configuration that works across the board. For now however, this is just an undocumented wpa_supplicant configuration that seems to work rather well across a number of institutions. Lend a hand, and document it, or just let me know if this configuration also works for you.
- University of Cambridge, United Kingdom: February 2018 (@rspencer01)
- University of Sheffield, United Kingdom: January 2018 (@ewnh)
- INSA Lyon, France: January 2018 (@sfrenot)
- University of Oslo, Norway: January 2018 (@oleks)
- University of Copenhagen, Denmark: January 2018 (@oleks)
- California State University, Sacramento, USA: December 2017 (@leaptthroughtime)
- University of California, Berkeley, USA: August 2017 (@wizh)
- Malmö Airport, Sweden: July 2017 (@oleks)
- University of Budapest, Hungary: May 2017 (@oleks)
- Oslo Airport, Norway: April 2017 (@oleks)
- Sapienza, University of Rome, Italy: November 2016 (@Enrico204)
- RISC Institute, Pond Building, Hagenberg, Austria: September 2016 (@oleks)
- Den Sorte Diamant, Copenhagen, Denmark: September 2016 (@oleks)
- DTU, Lyngby, Denmark: August 2016 (@oleks)
- Stanford University, Palo Alto, USA: June 2016 (@oleks)
- University of Oregon, Eugene, USA: June 2016 (@oleks)
- Oxford, United Kingdom: July 2015 (@oleks)
- ITU, Copenhagen, Denmark: May 2015 (@oleks)
- See supplicant.conf.
- Set identity to abc123@ku.dk, if your username is abc123, and your home university domain is ku.dk.
- Similarly, set the anonymous_identity to either anonymous@ku.dk or simply @ku.dk. Using an anonymous identity does not reveal your identity to anyone but the home university; eduroam calls home to verify your identity and password every time you log in from another location.
- Set the password hash to match your university password (see below).
The password hash needs to be an MD4 hash of the little-endian UTF16 encoding of your password. For instance, if your password is hamster, you can hash it as follows:
$ echo -n 'hamster' | iconv -t utf16le | openssl md4
(Note the use of single-quotes to avoid escaping in the shell.)
(See also the HISTCONTROL bash variable for keeping commands out of your ~/.bash_history.)
If you are using pass, or another password-manager with a command-line interface, you might consider a pipeline like this instead:
$ pass eduroam | tr -d '\n' | iconv -t utf16le | openssl md4
Once you have the MD4 hash, write it into your configuration as follows:
password=hash:2fd23a...456cef
NB! MD4 is an obsolete hashing algorithm and should not be considered secure.
If you prefer to roll without a network manager, here is the quick and dirty way to run wpa_supplicant with this config:
$ sudo wpa_supplicant -Diwlwifi -iwlp3s0 -c supplicant.conf -B
Where iwlwifi is the kernel driver stated for your wireless card. (wext is a deprecated driver that often works as well.) You can find your standard driver using lspci:
$ lspci -k
wlp3s0 is the network interface name for your wireless card. You can find this using ip link:
$ ip link
Optionally, use the -B option to move the wpa_supplicant process to background. Leaving it out, however, provides you with useful insights if you otherwise cannot connect.
Additionally, start up dhcpcd if it doesn't start automatically.