Eduroam (WPA2 enterprise)

Has anybody managed to successfully connect to “eduroam” (international WiFi for educational institutions) using SFOS 4.2?

A long time ago, I was successful when using SFOS 3.0 and an application called “roamer”. Now I am using a “new” XA2 with SFOS 4.2 and was delighted to see that WPA2 enterprise has been implemented into the GUI. Alas, I have not been successful in actually connecting to “eduroam” at my university in Germany.

They use TTLS/PAP with a certificate from Telekom.

If you have successfully connected to eduroam, what are your settings? Which certificate did you choose? Was it a built-in one (i.e. one provided by SFOS)? How did you type in your username, just the name or did you add username@university.tld?

Any help would be highly appreciated!

Encryption: WPA-EAP(TTLS)
EAP method: TTLS
Inner authentication: PAP
CA Certificate: No verification
Identity: your email address
Password: your password

I have successfully connected to eduroam. (almost) same settings as @atlochowski

WPA-EAP (PEAP)
PEAP
PEAP-version: auto
Inner auth: MSCHAPv2
CA Cert: no verification

anonymous identity: none

But mind: eduroam allows each University / Organization to use different authentication methods and different rules for usernames / pwds.
Also: it may happen that you are able to use eduroam at your local university, but have problems abroad, as the whole radius stuff may fail.

You can do it from the terminal, for example, if you want

devel-su
vi /home/nemo/.local/share/system/privileged/connman/wifi_eduroam.config
paste it
[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
# Path to your CA certificate (if you really need a certificate); a comment must sit on its own line, the config parser does not strip trailing comments
CACertFile=/etc/ssl/certs/exampleCA.crt
Phase2=PAP
Identity=your email address
Passphrase=your password

Save file

for newer OS versions it will be
vi /home/defaultuser/.local/share/system/privileged/connman/wifi_eduroam.config

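The same terminal method as the post above, but generating a TTLS/PAP profile that always verifies the RADIUS server certificate, as an added example that is not code from the thread or from Sailfish OS. It assumes this ConnMan build accepts the upstream `AnonymousIdentity` and `DomainSuffixMatch` keys, and the realm and RADIUS host names in the test are placeholders.

```shell
#!/bin/sh
# make_eduroam_config.sh - emit a ConnMan service file for eduroam TTLS/PAP that
# always verifies the RADIUS server certificate. Added example, not a command
# from the thread. Assumes this ConnMan build understands the upstream
# AnonymousIdentity and DomainSuffixMatch keys.

# eduroam_config <identity> <password> <ca-file> <radius-domain>
# Prints the profile to stdout. Without a CA file the supplicant accepts any
# server certificate, and TTLS/PAP then sends the plaintext password inside
# that tunnel, so the function refuses instead of emitting such a profile.
eduroam_config() {
    identity="$1"; password="$2"; ca_file="$3"; domain="$4"
    if [ ! -r "$ca_file" ]; then
        echo "refusing to write an eduroam profile without a readable CA file" >&2
        return 1
    fi
    # The outer identity is sent in the clear before the tunnel exists; keep
    # the realm so roaming RADIUS can route it, but hide the real username.
    case "$identity" in
    *@*) anon="anonymous@${identity#*@}" ;;
    *)   anon="anonymous" ;;
    esac
    cat <<EOF
[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
Phase2=PAP
CACertFile=$ca_file
DomainSuffixMatch=$domain
AnonymousIdentity=$anon
Identity=$identity
Passphrase=$password
EOF
}

# install_eduroam_config <dest> <identity> <password> <ca-file> <radius-domain>
# Writes the profile owner-readable only (it contains the password) and leaves
# nothing behind if the profile could not be generated.
install_eduroam_config() {
    dest="$1"; shift
    profile=$(eduroam_config "$@") || return 1
    ( umask 077; printf '%s\n' "$profile" > "$dest" )
}
```

Point `install_eduroam_config` at the `wifi_eduroam.config` path from the post above (nemo or defaultuser, depending on the release).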

atlochowski and gaelic, thank you both so much for your help! It took me a while, but eventually I got it up and running. I really appreciate your assistance! :pray:

According to the information provided by the university’s data centre, it was supposed to be TTLS and PAP only (which actually works on my laptop - Manjaro/NetworkManager). In fact, there was a stern warning not to try anything else because it would fail. So, TTLS/PAP is what I kept trying. When I didn’t provide a certificate, the connection would invariably fail with a “wrong password” error (the password was correct, of course). Though, when providing the same certificate as on the laptop, the connection would just hit a timeout.

At some point I more or less accidentally chose PEAP/MSCHAPv2, and lo and behold, it finally connected. Yay! :partying_face:

This may be a stupid question. Roamer is still around. Doesn’t it work anymore?
Since I do not work at the University anymore I didn’t use Eduroam for a year or so.

Good to hear. Often the ZID guys are just [censored] :wink:

I think the main reason to create Roamer was the inability to connect to Eduroam through the SailfishOS GUI.
Now it is possible in SailfishOS GUI.


Hello Forum,
our university recently changed the whole process for Eduroam. I need to use a user-specific certificate, which has to be renewed every 3 months. The certificate is distributed by Easyroam. Has anybody managed to connect to eduroam since Easyroam is mandatory? There are instructions for linux, but I can’t apply them on my sailfish phone. The user-specific certificate is a *.p12 file.

I would appreciate a solution.

I slightly changed the script I used to use for NetworkManager to also work with Connman.

  1. Save the script somewhere
  2. Download Easyroam Certificate
  3. Run the script with the path to the Certificate as argument

Repeat steps 2 and 3 once the Certificate needs renewal.
(The connman dbus interface needs elevated permissions, so there is a devel-su in the script and therefore the requirement to have Developer mode active and a password set)

You can also do this manually. Run the openssl commands in the script to convert the *.p12 into a bunch of .pem files and configure the network manually. (Add network → Set “EAP method” to “TLS”, add the Certificate and key files generated previously, “Identity” is the common name in the certificate)

Script
#!/bin/sh
# easyroam.sh cert - install pkcs12 certificate as Easyroam NetworkManager Profile
helpString="Usage $0 <certificate>"
if [ $# -lt 1 ]; then
	echo "$helpString" >&2
	exit 1
fi

case "$1" in
-h|--help)
	echo "$helpString"
	exit;;
esac

ClientCertificate="$1"
connection="Easyroam"

[ -f /etc/os-release ] && source /etc/os-release

check_nmcli() {
	# check for nmcli
	if ! type nmcli >/dev/null 2>&1; then
		echo "ERROR: nmcli not found!" >&2
		echo "This wizard assumes that your network connections are managed by NetworkManager." >&2
		exit 1
	fi
}

check_gdbus() {
	if !type gdbus >/dev/nulll 2>&1; then
		echo "ERROR: gdbus not found!" >&2
		echo "This wizard assumes that your network connections are managed by NetworkManager." >&2
		exit 1
	fi
}

cleanup_networkmanager() {
	# Remove existing connections
	for conn in $connection eduroam; do
		for uuid in $(nmcli connection show | awk '$1==c{ print $2 }' c="$conn"); do
			nmcli connection delete uuid "$uuid"
		done
	done
}

add_networkmanager() {
	# Create new connection
	nmcli connection add \
		type wifi \
		con-name "$connection" \
		ssid "$SSID" \
		-- \
		wifi-sec.key-mgmt wpa-eap \
		802-1x.eap tls \
		802-1x.identity "$OuterIdentity" \
		802-1x.ca-cert "$root_ca_file" \
		802-1x.client-cert "$client_cert_file" \
		802-1x.private-key-password "$Passphrase" \
		802-1x.private-key "$client_key_file"
}

add_connman() {
	ssid_hx=$(echo $SSID | xxd -p)
	service="wifi_3c01ef794697_${ssid_hx}_managed_ieee8021x"
	ca_cert=""
	devel-su gdbus call --system --dest net.connman  --object-path / --method net.connman.Manager.CreateService \
	"" \
	"" \
	"" \
	"[('AutoConnect', 'true'), ('CACert', '(cat $root_ca_file)'),('ClientCertFile', '$client_cert_file'),
	('PrivateKeyFile', '$client_key_file'), ('PrivateKeyPassphrase', '$Passphrase'),
	('EAP', 'tls'), ('Hidden', 'false'), ('Identity', '$OuterIdentity'), ('Name', 'eduroam'),
	('Phase2', 'PAP'), ('Security', 'ieee8021x')]"

}

if [ $ID == "sailfishos" ]; then
	check_connmanctl
else
	check_gdbus
fi

# check prerequisites
for d in openssl awk; do
	type "$d" >/dev/null 2>&1 && continue
	echo "ERROR: $d not found!" >&2
	echo >&2
	echo "You may fix this using:" >&2
	type apt          >/dev/null 2>&1 && echo "sudo apt install -y $d" >&2
	type dnf          >/dev/null 2>&1 && echo "sudo dnf install -y $d" >&2
	type zypper       >/dev/null 2>&1 && echo "sudo zypper install $d" >&2
	type pacman       >/dev/null 2>&1 && echo "sudo pacman -Syu $d" >&2
	type pkcon        >/dev/null 2>&1 && echo "devel-su pkcon install $d" >&2
	type xbps-install >/dev/null 2>&1 && echo "sudo xbps-install -Su $d" >&2
	echo >&2
	exit 2
done

conf_dir="$HOME/.easyroam"
client_cert_file="$conf_dir/easyroam_client_cert.pem"
client_key_file="$conf_dir/easyroam_client_key.pem"
root_ca_file="$conf_dir/easyroam_root_ca.pem"

[ -d "$conf_dir" ] || mkdir -p "$conf_dir"

openssl_extra=
version=$(openssl version | awk -F "[ .]" '{print $2}')
[ "${version:-2}" -ge 3 ] && openssl_extra="-legacy"

SSID=eduroam
OuterIdentity="$(openssl pkcs12 $openssl_extra -info -passin "pass:" -in "$ClientCertificate" -nodes 2>/dev/null | awk '/subject=CN/{print $3}' | sed -e 's/,$//g')"
Passphrase=$(openssl rand -base64 24)

printf "Extracting client cert ... "
openssl pkcs12 $openssl_extra -in "$ClientCertificate" -passin "pass:" -nokeys -out "$client_cert_file"
printf "success\n"

printf "Extracting client key ... "
openssl pkcs12 $openssl_extra -in "$ClientCertificate" -passin "pass:" -passout "pass:$Passphrase" -nodes -nocerts | \
	openssl rsa -passout "pass:$Passphrase" -aes128 -out "$client_key_file"

printf "Extracting CA cert ... "
openssl pkcs12 $openssl_extra -passin "pass:" -passout "pass:" -nokeys -in "$ClientCertificate" -cacerts -out "$root_ca_file"
printf "success\n"

if [ $ID == "sailfishos" ]; then
	add_connman
else
	cleanup_networkmanager
	add_networkmanager
fi

Hey John,
that is really great. Thank you for sharing the script. I will try the script as soon as possible.

I fat fingered some bugs into the script (especially one crucial missing $-sign that resulted in the ca cert not being written into the config).
Updated script here. (And I actually got close to an eduroam wifi to test it, works for me :))

Script
#!/bin/sh
# easyroam.sh cert - install pkcs12 certificate as Easyroam NetworkManager Profile
helpString="Usage $0 <certificate>"
if [ $# -lt 1 ]; then
        echo "$helpString" >&2
        exit 1
fi

case "$1" in
-h|--help)
        echo "$helpString" >&2
        exit;;
esac

ClientCertificate="$1"
connection="Easyroam"

[ -f /etc/os-release ] &&  . /etc/os-release

check_nmcli() {
        # check for nmcli
        if ! type nmcli >/dev/null 2>&1; then
                echo "ERROR: nmcli not found!" >&2
                echo "This wizard assumes that your network connections are managed by NetworkManager." >&2
                exit 1
        fi
}

check_gdbus() {
        if ! type gdbus >/dev/null 2>&1; then
                echo "ERROR: gdbus not found!" >&2
                echo "This wizard assumes that your network connections are managed by NetworkManager." >&2
                exit 1
        fi
}

cleanup_networkmanager() {
        # Remove existing connections
        for conn in $connection eduroam; do
                for uuid in $(nmcli connection show | awk '$1==c{ print $2 }' c="$conn"); do
                        nmcli connection delete uuid "$uuid"
                done
        done
}

add_networkmanager() {
        # Create new connection
        nmcli connection add \
                type wifi \
                con-name "$connection" \
                ssid "$SSID" \
                -- \
                wifi-sec.key-mgmt wpa-eap \
                802-1x.eap tls \
                802-1x.identity "$OuterIdentity" \
                802-1x.ca-cert "$root_ca_file" \
                802-1x.client-cert "$client_cert_file" \
                802-1x.private-key-password "$Passphrase" \
                802-1x.private-key "$client_key_file"
}

add_connman() {
        devel-su gdbus call --system --dest net.connman  --object-path / --method net.connman.Manager.CreateService \
        "" \
        "" \
        "" \
        "[('AutoConnect', 'true'), ('CACert', '$(cat "$root_ca_file")'),('ClientCertFile', '$client_cert_file'),
        ('PrivateKeyFile', '$client_key_file'), ('PrivateKeyPassphrase', '$Passphrase'),
        ('EAP', 'tls'), ('Hidden', 'false'), ('Identity', '$OuterIdentity'), ('Name', 'eduroam'),
        ('Phase2', 'PAP'), ('Security', 'ieee8021x')]"

}

if [ "$ID" = "sailfishos" ]; then
        check_gdbus
else
        check_nmcli
fi

# check prerequisites
for d in openssl awk; do
        type "$d" >/dev/null 2>&1 && continue
        echo "ERROR: $d not found!" >&2
        echo >&2
        echo "You may fix this using:" >&2
        type apt          >/dev/null 2>&1 && echo "sudo apt install -y $d" >&2
        type dnf          >/dev/null 2>&1 && echo "sudo dnf install -y $d" >&2
        type zypper       >/dev/null 2>&1 && echo "sudo zypper install $d" >&2
        type pacman       >/dev/null 2>&1 && echo "sudo pacman -Syu $d" >&2
        type pkcon        >/dev/null 2>&1 && echo "devel-su pkcon install $d" >&2
        type xbps-install >/dev/null 2>&1 && echo "sudo xbps-install -Su $d" >&2
        echo >&2
        exit 2
done

conf_dir="$HOME/.easyroam"
client_cert_file="$conf_dir/easyroam_client_cert.pem"
client_key_file="$conf_dir/easyroam_client_key.pem"
root_ca_file="$conf_dir/easyroam_root_ca.pem"

[ -d "$conf_dir" ] || mkdir -p "$conf_dir"

openssl_extra=
version=$(openssl version | awk -F "[ .]" '{print $2}')
[ "${version:-2}" -ge 3 ] && openssl_extra="-legacy"

SSID=eduroam
OuterIdentity="$(openssl pkcs12 $openssl_extra -info -passin "pass:" -in "$ClientCertificate" -nodes 2>/dev/null | awk '/subject=CN/{print $3}' | sed -e 's/,$//g')"
Passphrase=$(openssl rand -base64 24)

printf "Extracting client cert ... "
openssl pkcs12 $openssl_extra -in "$ClientCertificate" -passin "pass:" -nokeys -out "$client_cert_file"
printf "success\n"

printf "Extracting client key ... "
openssl pkcs12 $openssl_extra -in "$ClientCertificate" -passin "pass:" -passout "pass:$Passphrase" -nodes -nocerts | \
        openssl rsa -passout "pass:$Passphrase" -aes128 -out "$client_key_file"

printf "Extracting CA cert ... "
openssl pkcs12 $openssl_extra -passin "pass:" -passout "pass:" -nokeys -in "$ClientCertificate" -cacerts -out "$root_ca_file"
printf "success\n"

if [ "$ID" = "sailfishos" ]; then
        add_connman
else
        cleanup_networkmanager
        add_networkmanager
fi
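Since the Easyroam certificate only lasts a few months, a quick way to tell whether the extracted client certificate is still good before blaming the network. This is an added example, not part of the script above; it assumes openssl is installed and uses the file layout the script writes to (~/.easyroam/easyroam_client_cert.pem).

```shell
#!/bin/sh
# easyroam_check.sh - report identity and expiry of the client certificate
# that easyroam.sh extracts to ~/.easyroam. Added example, not part of the
# script posted above; assumes openssl is available.

# CN of a PEM certificate. easyroam.sh writes this value into "Identity",
# so it is the name the RADIUS server expects.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# notAfter date of a PEM certificate, as openssl prints it.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# cert_valid_for_days <pem> <days>: 0 if the certificate is still valid in
# <days> days, 1 if it expires sooner or already has. openssl's -checkend
# does the date arithmetic, so no GNU date is needed on the phone.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# check_easyroam_cert [pem] [warn-days]: one status line, exit status
# 0 = fine, 1 = renew now (easyroam certificates last only a few months),
# 2 = no certificate extracted yet.
check_easyroam_cert() {
    cert="${1:-$HOME/.easyroam/easyroam_client_cert.pem}"
    warn_days="${2:-14}"
    if [ ! -r "$cert" ]; then
        echo "no client certificate at $cert, run easyroam.sh first" >&2
        return 2
    fi
    cn=$(cert_cn "$cert")
    not_after=$(cert_not_after "$cert")
    if cert_valid_for_days "$cert" "$warn_days"; then
        echo "identity '$cn' valid until $not_after"
        return 0
    fi
    echo "identity '$cn' expires $not_after: download a new .p12 and re-run easyroam.sh" >&2
    return 1
}

# Run the check only when executed as a script, not when sourced.
case "$0" in
*easyroam_check.sh) check_easyroam_cert "$@" ;;
esac
```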

Hey, unfortunately I am unable to run through the script successfully. I have to enter a passphrase, but auth fails. I tried “pkcs12” & “” & my user password neither of them worked.

- Extracting client cert ...success
- Extracting client key ... writing rsa key
- Extracting CA Cert ... success
- Password:
- Auth failed

That password prompt is the devel-su in the script, so it is the root password set in “Developer tools” in the Sailfish OS Settings

Ok, thank you very much for bothering with my problem. I tried my root password too.

These are the steps:

  1. Save the script to Documents
  2. Make it executable (chmod +x eduroam_script.sh)
  3. Download and save the easyroam certificate (*.p12 file) to the same folder
  4. devel-su
  5. ./eduroam_script.sh easyroam_certificate.p12

I executed the script with root permissions, otherwise there are lots of errors like “Can't open easyroam_certificate.p12”.

Remove the devel-su inside the script if you run the whole script already with devel-su


Wow. Immediately a stream of new messages was sent to my phone! It works. Thank you so much!

Dear John,
last month, I went to a conference at a different university. My Eduroam Connection did not work. We were advised to enter different credentials (username & password… which didn’t work). Since then I am not able to connect to eduroam via easyroam anymore. I did already try to “forget eduroam” && re-run the script. The script runs smoothly. However afterwards I can’t connect with eduroam.

I would really appreciate it if you could again offer some help.