Has anybody managed to successfully connect to “eduroam” (international WiFi for educational institutions) using SFOS 4.2?
A long time ago, I was successful when using SFOS 3.0 and an application called “roamer”. Now I am using a “new” XA2 with SFOS 4.2 and was delighted to see that WPA2 enterprise has been implemented into the GUI. Alas, I have not been successful in actually connecting to “eduroam” at my university in Germany.
They use TTLS/PAP with a certificate from Telekom.
If you have successfully connected to eduroam, what are your settings? Which certificate did you choose? Was it a built-in one (i.e. one provided by SFOS)? How did you type in your username, just the name or did you add username@university.tld?
Encryption: WPA-EAP(TTLS)
EAP method: TTLS
Inner authentication: PAP
CA Certificate: No verification
Identity: your email address
Password: your password
I have successfully connected to eduroam. (almost) same settings as @atalochowski
WPA-EAP (PEAP)
PEAP
PEAP-version: auto
Inner auth: MSCHAPv2
CA Cert: no verification
anonymous identity: none
But mind: eduroam allows each University / Organization to use different authentication methods and different rules for usernames / pwds.
Also: it may happen that you are able to use eduroam at your local university, but have problems abroad, as the whole radius stuff may fail.
You can also do it from the terminal, for example, if you want:
devel-su
vi /home/nemo/.local/share/system/privileged/connman/wifi_eduroam.config
paste this:
[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
# path to your CA certificate (if you really need a certificate)
CACertFile=/etc/ssl/certs/exampleCA.crt
Phase2=PAP
Identity=your email address
Passphrase=your password
Save the file.
For newer OS versions it will be vi /home/defaultuser/.local/share/system/privileged/connman/wifi_eduroam.config
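As an added example (not from the post above, and not connman's or Sailfish's own tooling), the same provisioning file can be produced by a small POSIX sh helper for either of the two password-based methods reported in this thread, TTLS/PAP and PEAP/MSCHAPv2. It refuses to write a profile without a CA certificate, because with `CACertFile` unset the supplicant cannot tell a rogue access point broadcasting the "eduroam" SSID from the real one and will hand it the password. The keys `Type`, `Name`, `EAP`, `Phase2`, `CACertFile`, `Identity` and `Passphrase` are the ones shown in the post; `AnonymousIdentity` is the connman provisioning key for the outer identity (documented in connman's config-format.txt; assumed to be honoured by the device's connman build). The output path and the realm in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: write a connman provisioning file for a password-based eduroam
# profile. Not part of the forum post; AnonymousIdentity is assumed to be
# supported by the device's connman build.

# write_eduroam_config OUTFILE EAP PHASE2 CA_FILE IDENTITY PASSWORD [REALM]
#   EAP is "ttls" or "peap"; PHASE2 is "PAP" or "MSCHAPV2" (connman spelling).
#   Returns 1 and writes nothing if CA_FILE is empty or missing: without a CA
#   to verify the RADIUS server's certificate, the password goes to whoever
#   answers to the SSID "eduroam".
write_eduroam_config() {
    out=$1; eap=$2; phase2=$3; ca=$4; identity=$5; password=$6; realm=$7
    case "$eap" in
        ttls|peap) ;;
        *) echo "unsupported EAP method: $eap" >&2; return 1 ;;
    esac
    if [ -z "$ca" ] || [ ! -f "$ca" ]; then
        echo "refusing to write $out: CA certificate file missing ($ca)" >&2
        return 1
    fi
    # Outer identity: an anonymous user at the home realm, so the real
    # username only travels inside the TLS tunnel. Default realm: the part
    # of the identity after '@'.
    [ -n "$realm" ] || realm=${identity#*@}
    (
        umask 077   # the file holds the password: owner-readable only
        cat >"$out" <<EOF
[service_eduroam]
Type=wifi
Name=eduroam
EAP=$eap
Phase2=$phase2
CACertFile=$ca
AnonymousIdentity=anonymous@$realm
Identity=$identity
Passphrase=$password
EOF
    )
}

# check_eduroam_config FILE: 0 if the file pins a CA certificate that exists
# on disk, 1 otherwise (this is the file-level equivalent of the GUI's
# "No verification" setting).
check_eduroam_config() {
    ca=$(sed -n 's/^CACertFile=//p' "$1" | head -n 1)
    if [ -z "$ca" ]; then
        echo "$1: no CACertFile, the server certificate is not verified" >&2
        return 1
    fi
    [ -f "$ca" ] || { echo "$1: CACertFile $ca does not exist" >&2; return 1; }
    return 0
}

# Usage on the phone (directory from the post; /home/defaultuser on newer releases;
# CA path, identity and realm are placeholders):
#   write_eduroam_config /home/nemo/.local/share/system/privileged/connman/wifi_eduroam.config \
#       ttls PAP /etc/ssl/certs/exampleCA.crt user@university.tld 'your password'
#   check_eduroam_config /home/nemo/.local/share/system/privileged/connman/wifi_eduroam.config
```

connman only reads files in that directory as root, so run the helper under `devel-su` as the post does; the `umask 077` keeps the password out of reach of other local users if the file is first written somewhere else.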
atlochowski and gaelic, thank you both so much for your help! It took me a while, but eventually I got it up and running. I really appreciate your assistance!
According to the information provided by the university’s data centre, it was supposed to be TTLS and PAP only (which actually works on my laptop - Manjaro/NetworkManager). In fact, there was a stern warning not to try anything else because it would fail. So, TTLS/PAP is what I kept trying. When I didn’t provide a certificate, the connection would invariably fail with a “wrong password” error (the password was correct, of course). Though, when providing the same certificate as on the laptop, the connection would just hit a timeout.
At some point I more or less accidentally chose PEAP/MSCHAPv2, and lo and behold, it finally connected. Yay!
This may be a stupid question. Roamer is still around. Doesn’t it work anymore?
Since I do not work at the University anymore I didn’t use Eduroam for a year or so.
Hello Forum,
our university recently changed the whole process for Eduroam. I need to use a user-specific certificate, which has to be renewed every 3 months. The certificate is distributed by Easyroam. Has anybody managed to connect to eduroam since Easyroam became mandatory? There are instructions for Linux, but I can’t apply them on my Sailfish phone. The user-specific certificate is a *.p12 file.
I slightly changed the script I used to use for NetworkManager to also work with Connman.
Save the script somewhere
Download the Easyroam certificate
Run the script with the path to the certificate as argument
Repeat steps 2 and 3 once the certificate needs renewal.
(The connman D-Bus interface needs elevated permissions, so there is a devel-su in the script and therefore the requirement to have Developer mode active and a password set.)
You can also do this manually. Run the openssl commands in the script to convert the *.p12 into a bunch of .pem files and configure the network manually. (Add network → set “EAP method” to “TLS”, add the certificate and key files generated previously; “Identity” is the common name in the certificate.)
Script
#!/bin/sh
# easyroam.sh cert - install pkcs12 certificate as Easyroam NetworkManager Profile
helpString="Usage $0 <certificate>"
if [ $# -lt 1 ]; then
echo "$helpString" >&2
exit 1
fi
case "$1" in
-h|--help)
echo "$helpString"
exit;;
esac
ClientCertificate="$1"
connection="Easyroam"
[ -f /etc/os-release ] && source /etc/os-release
check_nmcli() {
# check for nmcli
if ! type nmcli >/dev/null 2>&1; then
echo "ERROR: nmcli not found!" >&2
echo "This wizard assumes that your network connections are managed by NetworkManager." >&2
exit 1
fi
}
check_gdbus() {
if !type gdbus >/dev/nulll 2>&1; then
echo "ERROR: gdbus not found!" >&2
echo "This wizard assumes that your network connections are managed by NetworkManager." >&2
exit 1
fi
}
cleanup_networkmanager() {
# Remove existing connections
for conn in $connection eduroam; do
for uuid in $(nmcli connection show | awk '$1==c{ print $2 }' c="$conn"); do
nmcli connection delete uuid "$uuid"
done
done
}
add_networkmanager() {
# Create new connection
nmcli connection add \
type wifi \
con-name "$connection" \
ssid "$SSID" \
-- \
wifi-sec.key-mgmt wpa-eap \
802-1x.eap tls \
802-1x.identity "$OuterIdentity" \
802-1x.ca-cert "$root_ca_file" \
802-1x.client-cert "$client_cert_file" \
802-1x.private-key-password "$Passphrase" \
802-1x.private-key "$client_key_file"
}
add_connman() {
ssid_hx=$(echo $SSID | xxd -p)
service="wifi_3c01ef794697_${ssid_hx}_managed_ieee8021x"
ca_cert=""
devel-su gdbus call --system --dest net.connman --object-path / --method net.connman.Manager.CreateService \
"" \
"" \
"" \
"[('AutoConnect', 'true'), ('CACert', '(cat $root_ca_file)'),('ClientCertFile', '$client_cert_file'),
('PrivateKeyFile', '$client_key_file'), ('PrivateKeyPassphrase', '$Passphrase'),
('EAP', 'tls'), ('Hidden', 'false'), ('Identity', '$OuterIdentity'), ('Name', 'eduroam'),
('Phase2', 'PAP'), ('Security', 'ieee8021x')]"
}
if [ $ID == "sailfishos" ]; then
check_connmanctl
else
check_gdbus
fi
# check prerequisites
for d in openssl awk; do
type "$d" >/dev/null 2>&1 && continue
echo "ERROR: $d not found!" >&2
echo >&2
echo "You may fix this using:" >&2
type apt >/dev/null 2>&1 && echo "sudo apt install -y $d" >&2
type dnf >/dev/null 2>&1 && echo "sudo dnf install -y $d" >&2
type zypper >/dev/null 2>&1 && echo "sudo zypper install $d" >&2
type pacman >/dev/null 2>&1 && echo "sudo pacman -Syu $d" >&2
type pkcon >/dev/null 2>&1 && echo "devel-su pkconf install $d" >&2
type xbps-install >/dev/null 2>&1 && echo "sudo xbps-install -Su $d" >&2
echo >&2
exit 2
done
conf_dir="$HOME/.easyroam"
client_cert_file="$conf_dir/easyroam_client_cert.pem"
client_key_file="$conf_dir/easyroam_client_key.pem"
root_ca_file="$conf_dir/easyroam_root_ca.pem"
[ -d "$conf_dir" ] || mkdir -p "$conf_dir"
openssl_extra=
version=$(openssl version | awk -F "[ .]" '{print $2}')
[ "${version:-2}" -ge 3 ] && openssl_extra="-legacy"
SSID=eduroam
OuterIdentity="$(openssl pkcs12 $openssl_extra -info -passin "pass:" -in "$ClientCertificate" -nodes 2>/dev/null | awk '/subject=CN/{print $3}' | sed -e 's/,$//g')"
Passphrase=$(openssl rand -base64 24)
printf "Extracting client cert ... "
openssl pkcs12 $openssl_extra -in "$ClientCertificate" -passin "pass:" -nokeys -out "$client_cert_file"
printf "success\n"
printf "Extracting client key ... "
openssl pkcs12 $openssl_extra -in "$ClientCertificate" -passin "pass:" -passout "pass:$Passphrase" -nodes -nocerts | \
openssl rsa -passout "pass:$Passphrase" -aes128 -out "$client_key_file"
printf "Extracting CA cert ... "
openssl pkcs12 $openssl_extra -passin "pass:" -passout "pass:" -nokeys -in "$ClientCertificate" -cacerts -out "$root_ca_file"
printf "success\n"
if [ $ID == "sailfishos" ]; then
add_connman
else
cleanup_networkmanager
add_networkmanager
fi
I fat-fingered some bugs into the script (especially one crucial missing $-sign that resulted in the CA cert not being written into the config).
Updated script here. (And I actually got close to an eduroam wifi to test it, works for me :))
Script
#!/bin/sh
# easyroam.sh cert - install pkcs12 certificate as Easyroam NetworkManager Profile
# (on Sailfish OS the profile is created through connman's D-Bus API instead)
helpString="Usage $0 <certificate>"
if [ $# -lt 1 ]; then
    echo "$helpString" >&2
    exit 1
fi
case "$1" in
    -h|--help)
        echo "$helpString" >&2
        exit 0;;
esac
ClientCertificate="$1"
connection="Easyroam"
# /etc/os-release sets $ID, used below to tell Sailfish OS (connman) from NetworkManager systems
[ -f /etc/os-release ] && . /etc/os-release
check_nmcli() {
    # check for nmcli
    if ! type nmcli >/dev/null 2>&1; then
        echo "ERROR: nmcli not found!" >&2
        echo "This wizard assumes that your network connections are managed by NetworkManager." >&2
        exit 1
    fi
}
check_gdbus() {
    # check for gdbus (used to talk to connman on Sailfish OS)
    if ! type gdbus >/dev/null 2>&1; then
        echo "ERROR: gdbus not found!" >&2
        echo "This wizard assumes that your network connections are managed by connman (Sailfish OS)." >&2
        exit 1
    fi
}
cleanup_networkmanager() {
    # Remove existing connections
    for conn in $connection eduroam; do
        for uuid in $(nmcli connection show | awk '$1==c{ print $2 }' c="$conn"); do
            nmcli connection delete uuid "$uuid"
        done
    done
}
add_networkmanager() {
    # Create new connection
    nmcli connection add \
        type wifi \
        con-name "$connection" \
        ssid "$SSID" \
        -- \
        wifi-sec.key-mgmt wpa-eap \
        802-1x.eap tls \
        802-1x.identity "$OuterIdentity" \
        802-1x.ca-cert "$root_ca_file" \
        802-1x.client-cert "$client_cert_file" \
        802-1x.private-key-password "$Passphrase" \
        802-1x.private-key "$client_key_file"
}
add_connman() {
    # Create the service via connman's Manager.CreateService. The CA certificate is
    # passed inline as PEM text, the client certificate and key as file paths.
    # devel-su is needed because the connman D-Bus interface requires elevated permissions.
    devel-su gdbus call --system --dest net.connman --object-path / --method net.connman.Manager.CreateService \
        "" \
        "" \
        "" \
"[('AutoConnect', 'true'), ('CACert', '$(cat "$root_ca_file")'),('ClientCertFile', '$client_cert_file'),
('PrivateKeyFile', '$client_key_file'), ('PrivateKeyPassphrase', '$Passphrase'),
('EAP', 'tls'), ('Hidden', 'false'), ('Identity', '$OuterIdentity'), ('Name', 'eduroam'),
('Phase2', 'PAP'), ('Security', 'ieee8021x')]"
}
if [ "$ID" = "sailfishos" ]; then
    check_gdbus
else
    check_nmcli
fi
# check prerequisites
for d in openssl awk; do
    type "$d" >/dev/null 2>&1 && continue
    echo "ERROR: $d not found!" >&2
    echo >&2
    echo "You may fix this using:" >&2
    type apt >/dev/null 2>&1 && echo "sudo apt install -y $d" >&2
    type dnf >/dev/null 2>&1 && echo "sudo dnf install -y $d" >&2
    type zypper >/dev/null 2>&1 && echo "sudo zypper install $d" >&2
    type pacman >/dev/null 2>&1 && echo "sudo pacman -Syu $d" >&2
    type pkcon >/dev/null 2>&1 && echo "devel-su pkcon install $d" >&2
    type xbps-install >/dev/null 2>&1 && echo "sudo xbps-install -Su $d" >&2
    echo >&2
    exit 2
done
conf_dir="$HOME/.easyroam"
client_cert_file="$conf_dir/easyroam_client_cert.pem"
client_key_file="$conf_dir/easyroam_client_key.pem"
root_ca_file="$conf_dir/easyroam_root_ca.pem"
[ -d "$conf_dir" ] || mkdir -p "$conf_dir"
# OpenSSL 3 needs -legacy to read PKCS#12 files that use legacy encryption algorithms
openssl_extra=
version=$(openssl version | awk -F "[ .]" '{print $2}')
[ "${version:-2}" -ge 3 ] && openssl_extra="-legacy"
SSID=eduroam
# The outer identity must be the common name (CN) of the client certificate
OuterIdentity="$(openssl pkcs12 $openssl_extra -info -passin "pass:" -in "$ClientCertificate" -nodes 2>/dev/null | awk '/subject=CN/{print $3}' | sed -e 's/,$//g')"
# Random passphrase used to encrypt the extracted private key on disk
Passphrase=$(openssl rand -base64 24)
printf "Extracting client cert ... "
openssl pkcs12 $openssl_extra -in "$ClientCertificate" -passin "pass:" -nokeys -out "$client_cert_file" || exit 3
printf "success\n"
printf "Extracting client key ... "
openssl pkcs12 $openssl_extra -in "$ClientCertificate" -passin "pass:" -passout "pass:$Passphrase" -nodes -nocerts | \
    openssl rsa -passout "pass:$Passphrase" -aes128 -out "$client_key_file" || exit 3
printf "success\n"
printf "Extracting CA cert ... "
openssl pkcs12 $openssl_extra -passin "pass:" -passout "pass:" -nokeys -in "$ClientCertificate" -cacerts -out "$root_ca_file" || exit 3
printf "success\n"
if [ "$ID" = "sailfishos" ]; then
    add_connman
else
    cleanup_networkmanager
    add_networkmanager
fi
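Two fragile spots in the script above, addressed in an added example that is not part of the post: the outer identity is taken from the certificate subject with `awk '{print $3}'`, which only works while the common name contains no spaces, and nothing tells you when the three-monthly Easyroam certificate is about to expire. The helpers below parse the CN from either subject format OpenSSL prints and use `openssl x509 -checkend` (a standard OpenSSL option) to report whether the extracted client certificate is still valid a given number of days ahead. The sample subject lines in the comments are constructed; the default certificate path follows the script's `~/.easyroam` layout.

```shell
#!/bin/sh
# Added example, not from the forum script: identity extraction and renewal
# check for the certificate the script writes to ~/.easyroam.

# subject_cn: read an OpenSSL subject line on stdin and print the CN value.
# Handles both formats OpenSSL prints (constructed samples):
#   subject=CN = john.doe@uni.example, O = Example University, C = DE   (1.1 / 3.x)
#   subject=/C=DE/O=Example University/CN=Jane Doe                     (1.0)
# A CN containing spaces survives; a CN containing an escaped comma does not.
subject_cn() {
    sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/ *$//'
}

# outer_identity CERT_PEM: the identity the supplicant must present, i.e. the
# CN of the client certificate (what the script stores in OuterIdentity).
# openssl x509 reads the first PEM block and ignores the "Bag Attributes"
# text that pkcs12 -nokeys writes in front of it.
outer_identity() {
    openssl x509 -noout -subject -in "$1" | subject_cn
}

# cert_valid_for CERT_PEM DAYS: exit 0 if the certificate is still valid DAYS
# days from now, 1 if it expires before then (or has already expired).
cert_valid_for() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# renewal_check [CERT_PEM]: report identity and validity of the extracted
# client certificate, warning 14 days ahead so a new .p12 can be fetched and
# the script re-run before the old certificate stops working.
renewal_check() {
    cert="${1:-$HOME/.easyroam/easyroam_client_cert.pem}"
    [ -f "$cert" ] || { echo "no client certificate at $cert" >&2; return 2; }
    echo "identity: $(outer_identity "$cert")"
    if cert_valid_for "$cert" 14; then
        echo "certificate valid for at least 14 more days"
        return 0
    fi
    echo "certificate expires within 14 days (or has expired): download a new .p12 and re-run the script" >&2
    return 1
}

# Usage: renewal_check            (checks ~/.easyroam/easyroam_client_cert.pem)
#        renewal_check /path/to/other_cert.pem
```

`renewal_check` is cheap enough to run from a login script or a periodic timer; its exit status (0 fine, 1 renew soon, 2 no certificate) makes it usable from other scripts without parsing the output.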
Hey, unfortunately I am unable to run through the script successfully. I have to enter a passphrase, but auth fails. I tried “pkcs12”, “” and my user password; none of them worked.
Ok, thank you very much for bothering with my problem. I tried my root password too.
These are the steps:
# Save the script to Documents
# make it executable (chmod +x eduroam_script.sh)
# Download and save the easyroam certificate (*.p12 file) to the same folder
devel-su
./eduroam_script.sh easyroam_certificate.p12
I executed the script with root permissions, otherwise there are lots of errors like “Can't open easyroam_certificate.p12”.
Dear John,
last month, I went to a conference at a different university. My eduroam connection did not work. We were advised to enter different credentials (username & password… which didn’t work). Since then I am not able to connect to eduroam via easyroam anymore. I did already try to “forget eduroam” and re-run the script. The script runs smoothly. However, afterwards I can’t connect to eduroam.
I would really appreciate it if you could again offer some help.