Eduroam (WPA2 enterprise)

linguist · 2 November 2021 07:57

Has anybody managed to successfully connect to “eduroam” (international WiFi for educational institutions) using SFOS 4.2?

A long time ago, I was successful when using SFOS 3.0 and an application called “roamer”. Now I am using a “new” XA2 with SFOS 4.2 and was delighted to see that WPA2 enterprise has been implemented into the GUI. Alas, I have not been successful in actually connecting to “eduroam” at my university in Germany.

They use TTLS/PAP with a certificate from Telekom.

If you have successfully connected to eduroam, what are your settings? Which certificate did you choose? Was it a built-in one (i.e. one provided by SFOS)? How did you type in your username, just the name or did you add username@university.tld?

Any help would be highly appreciated!

atlochowski · 2 November 2021 08:20

Encryption: WPA-EAP(TTLS)
EAP method: TTLS
Inne authentication: PAP
CA Certificate: No verfication
Identity: your email address
Password: your password

gaelic · 2 November 2021 08:26

I have successfully connected to eduroam. (almost) same settings as @atalochowski

WPA-EAP (PEAP)
PEAP
PEAP-version: auto
Inner auth: MSCHAPv2
CA Cert: no verification

anonymous identity: none

But mind: eduroam allows each University / Organization to use different authentication methods and different rules for usernames / pwds.
Also: it may happen that you are able to use eduroam at your local university, but have problems abroad, as the whole radius stuff may fail.

atlochowski · 2 November 2021 11:14

You can do it from terminal for exaple if you want

devel-su
vi /home/nemo/.local/share/system/privileged/connman/wifi_eduroam.config
paste it
[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/exampleCA.crt #path to your CA certificate (if you really need certificate)
Phase2=PAP
Identity=your email address
Passphrase=your password

Save file

for newer OS will be
vi /home/defaultuser/.local/share/system/privileged/connman/wifi_eduroam.config

linguist · 5 November 2021 12:33

atlochowski and gaelic, thank you both so much for your help! It took me a while, but eventually I got it up and running. I really appreciate your assistance!

According to the information provided by the university’s data centre, it was supposed to be TTLS and PAP only (which actually works on my laptop - Manjaro/NetworkManager). In fact, there was a stern warning not to try anything else because it would fail. So, TTLS/PAP is what I kept trying. When I didn’t provide a certificate, the connection would invariably fail with a “wrong password” error (the password was correct, of course). Though, when providing the same certificate as on the laptop, the connection would just hit a timeout.

At some point I more or less accidentally chose PEAP/MSCHAPv2, and lo and behold, it finally connected. Yay!

WT.Sane · 9 November 2021 09:48

This may be a stupid question. Roamer is still around. Doesn’t it work anymore?
Since I do not work at the University anymore I didn’t use Eduroam for a year or so.

gaelic · 9 November 2021 10:06

Good to hear. Often the ZID guys are just [censored]

atlochowski · 9 November 2021 10:44

I think main reason to create Roamer was innability to connect to Eduroam through SailfishOS GUI.
Now it is possible in SailfishOS GUI.

FelixWilke · 19 January 2024 07:24

Hello Forum,
our university recently changed the whole process for Eduroam. I need to use a user-specific certificate, which has to be renewed every 3 month. The certificate is distributed by Easyroam. Has anybody managed to connect to eduroam since Easyroam is mandatory? There are instructions for linux, but I can’t apply them on my sailfish phone. The user-specific certificate is a *.p12 file.

I would appreciate an solution.

John · 25 January 2024 14:08

I slightly changed the script I used to use for NetworkManager to also work with Connman.

Save the script somewhere
Download Easyroam Certificate
Run the script with the path to the Certiifacte as argument

Repeat step 2 and 3 once Certificate needs renewal.
(The connman dbus interface needs elevated permissions, so there is a devel-su in the script and therefore the requirement to have Developer mode active and a password set)

You can also do this manually. Run the openssl commands in the script to convert the *.p12 into a bunch of .pem's and Configure the network manually. (Add network → Set “EAP method” to “TLS”, add the Certificate and key files generated previously, “Identity” is the common name in the certificate)

Script

#!/bin/sh
# easyroam.sh cert - install pkcs12 certificate as Easyroam NetworkManager Profile
helpString="Usage $0 <certificate>"
if [ $# -lt 1 ]; then
	echo "$helpString" >&2
	exit 1
fi

case "$1" in
-h|--help)
	echo "$helpString"
	exit;;
esac

ClientCertificate="$1"
connection="Easyroam"

[ -f /etc/os-release ] && source /etc/os-release

check_nmcli() {
	# check for nmcli
	if ! type nmcli >/dev/null 2>&1; then
		echo "ERROR: nmcli not found!" >&2
		echo "This wizard assumes that your network connections are managed by NetworkManager." >&2
		exit 1
	fi
}

check_gdbus() {
	if !type gdbus >/dev/nulll 2>&1; then
		echo "ERROR: gdbus not found!" >&2
		echo "This wizard assumes that your network connections are managed by NetworkManager." >&2
		exit 1
	fi
}

cleanup_networkmanager() {
	# Remove existing connections
	for conn in $connection eduroam; do
		for uuid in $(nmcli connection show | awk '$1==c{ print $2 }' c="$conn"); do
			nmcli connection delete uuid "$uuid"
		done
	done
}

add_networkmanager() {
	# Create new connection
	nmcli connection add \
		type wifi \
		con-name "$connection" \
		ssid "$SSID" \
		-- \
		wifi-sec.key-mgmt wpa-eap \
		802-1x.eap tls \
		802-1x.identity "$OuterIdentity" \
		802-1x.ca-cert "$root_ca_file" \
		802-1x.client-cert "$client_cert_file" \
		802-1x.private-key-password "$Passphrase" \
		802-1x.private-key "$client_key_file"
}

add_connman() {
	ssid_hx=$(echo $SSID | xxd -p)
	service="wifi_3c01ef794697_${ssid_hx}_managed_ieee8021x"
	ca_cert=""
	devel-su gdbus call --system --dest net.connman  --object-path / --method net.connman.Manager.CreateService \
	"" \
	"" \
	"" \
	"[('AutoConnect', 'true'), ('CACert', '(cat $root_ca_file)'),('ClientCertFile', '$client_cert_file'),
	('PrivateKeyFile', '$client_key_file'), ('PrivateKeyPassphrase', '$Passphrase'),
	('EAP', 'tls'), ('Hidden', 'false'), ('Identity', '$OuterIdentity'), ('Name', 'eduroam'),
	('Phase2', 'PAP'), ('Security', 'ieee8021x')]"

}

if [ $ID == "sailfishos" ]; then
	check_connmanctl
else
	check_gdbus
fi

# check prerequisites
for d in openssl awk; do
	type "$d" >/dev/null 2>&1 && continue
	echo "ERROR: $d not found!" >&2
	echo >&2
	echo "You may fix this using:" >&2
	type apt          >/dev/null 2>&1 && echo "sudo apt install -y $d" >&2
	type dnf          >/dev/null 2>&1 && echo "sudo dnf install -y $d" >&2
	type zypper       >/dev/null 2>&1 && echo "sudo zypper install $d" >&2
	type pacman       >/dev/null 2>&1 && echo "sudo pacman -Syu $d" >&2
	type pkcon        >/dev/null 2>&1 && echo "devel-su pkconf install $d" >&2
	type xbps-install >/dev/null 2>&1 && echo "sudo xbps-install -Su $d" >&2
	echo >&2
	exit 2
done

conf_dir="$HOME/.easyroam"
client_cert_file="$conf_dir/easyroam_client_cert.pem"
client_key_file="$conf_dir/easyroam_client_key.pem"
root_ca_file="$conf_dir/easyroam_root_ca.pem"

[ -d "$conf_dir" ] || mkdir -p "$conf_dir"

openssl_extra=
version=$(openssl version | awk -F "[ .]" '{print $2}')
[ "${version:-2}" -ge 3 ] && openssl_extra="-legacy"

SSID=eduroam
OuterIdentity="$(openssl pkcs12 $openssl_extra -info -passin "pass:" -in "$ClientCertificate" -nodes 2>/dev/null | awk '/subject=CN/{print $3}' | sed -e 's/,$//g')"
Passphrase=$(openssl rand -base64 24)

printf "Extracting client cert ... "
openssl pkcs12 $openssl_extra -in "$ClientCertificate" -passin "pass:" -nokeys -out "$client_cert_file"
printf "success\n"

printf "Extracting client key ... "
openssl pkcs12 $openssl_extra -in "$ClientCertificate" -passin "pass:" -passout "pass:$Passphrase" -nodes -nocerts | \
	openssl rsa -passout "pass:$Passphrase" -aes128 -out "$client_key_file"

printf "Extracting CA cert ... "
openssl pkcs12 $openssl_extra -passin "pass:" -passout "pass:" -nokeys -in "$ClientCertificate" -cacerts -out "$root_ca_file"
printf "success\n"

if [ $ID == "sailfishos" ]; then
	add_connman
else
	cleanup_networkmanager
	add_networkmanager
fi

FelixWilke · 26 January 2024 10:44

Hey John,
that is really great. Thank you for sharing the script. I will try the script as soon as possible.

John · 26 January 2024 16:38

I fat fingered some bugs into the script (especially one crucial missing $-sign that resulted in the ca cert not being written into the config).
Updated script here. (And I actually got close to a eduroam wifi to test it, works for me :))

Script

#!/bin/sh
# easyroam.sh cert - install pkcs12 certificate as Easyroam NetworkManager Profile
helpString="Usage $0 <certificate>"
if [ $# -lt 1 ]; then
        echo "$helpString" >&2
        exit 1
fi

case "$1" in
-h|--help)
        echo "$helpString" >&2
        exit;;
esac

ClientCertificate="$1"
connection="Easyroam"

[ -f /etc/os-release ] &&  . /etc/os-release

check_nmcli() {
        # check for nmcli
        if ! type nmcli >/dev/null 2>&1; then
                echo "ERROR: nmcli not found!" >&2
                echo "This wizard assumes that your network connections are managed by NetworkManager." >&2
                exit 1
        fi
}

check_gdbus() {
        if ! type gdbus >/dev/null 2>&1; then
                echo "ERROR: gdbus not found!" >&2
                echo "This wizard assumes that your network connections are managed by NetworkManager." >&2
                exit 1
        fi
}

cleanup_networkmanager() {
        # Remove existing connections
        for conn in $connection eduroam; do
                for uuid in $(nmcli connection show | awk '$1==c{ print $2 }' c="$conn"); do
                        nmcli connection delete uuid "$uuid"
                done
        done
}

add_networkmanager() {
        # Create new connection
        nmcli connection add \
                type wifi \
                con-name "$connection" \
                ssid "$SSID" \
                -- \
                wifi-sec.key-mgmt wpa-eap \
                802-1x.eap tls \
                802-1x.identity "$OuterIdentity" \
                802-1x.ca-cert "$root_ca_file" \
                802-1x.client-cert "$client_cert_file" \
                802-1x.private-key-password "$Passphrase" \
                802-1x.private-key "$client_key_file"
}

add_connman() {
        devel-su gdbus call --system --dest net.connman  --object-path / --method net.connman.Manager.CreateService \
        "" \
        "" \
        "" \
        "[('AutoConnect', 'true'), ('CACert', '$(cat "$root_ca_file")'),('ClientCertFile', '$client_cert_file'),
        ('PrivateKeyFile', '$client_key_file'), ('PrivateKeyPassphrase', '$Passphrase'),
        ('EAP', 'tls'), ('Hidden', 'false'), ('Identity', '$OuterIdentity'), ('Name', 'eduroam'),
        ('Phase2', 'PAP'), ('Security', 'ieee8021x')]"

}

if [ "$ID" = "sailfishos" ]; then
        check_gdbus
else
        check_nmcli
fi

# check prerequisites
for d in openssl awk; do
        type "$d" >/dev/null 2>&1 && continue
        echo "ERROR: $d not found!" >&2
        echo >&2
        echo "You may fix this using:" >&2
        type apt          >/dev/null 2>&1 && echo "sudo apt install -y $d" >&2
        type dnf          >/dev/null 2>&1 && echo "sudo dnf install -y $d" >&2
        type zypper       >/dev/null 2>&1 && echo "sudo zypper install $d" >&2
        type pacman       >/dev/null 2>&1 && echo "sudo pacman -Syu $d" >&2
        type pkcon        >/dev/null 2>&1 && echo "devel-su pkconf install $d" >&2
        type xbps-install >/dev/null 2>&1 && echo "sudo xbps-install -Su $d" >&2
        echo >&2
        exit 2
done

conf_dir="$HOME/.easyroam"
client_cert_file="$conf_dir/easyroam_client_cert.pem"
client_key_file="$conf_dir/easyroam_client_key.pem"
root_ca_file="$conf_dir/easyroam_root_ca.pem"

[ -d "$conf_dir" ] || mkdir -p "$conf_dir"

openssl_extra=
version=$(openssl version | awk -F "[ .]" '{print $2}')
[ "${version:-2}" -ge 3 ] && openssl_extra="-legacy"

SSID=eduroam
OuterIdentity="$(openssl pkcs12 $openssl_extra -info -passin "pass:" -in "$ClientCertificate" -nodes 2>/dev/null | awk '/subject=CN/{print $3}' | sed -e 's/,$//g')"
Passphrase=$(openssl rand -base64 24)

printf "Extracting client cert ... "
openssl pkcs12 $openssl_extra -in "$ClientCertificate" -passin "pass:" -nokeys -out "$client_cert_file"
printf "success\n"

printf "Extracting client key ... "
openssl pkcs12 $openssl_extra -in "$ClientCertificate" -passin "pass:" -passout "pass:$Passphrase" -nodes -nocerts | \
        openssl rsa -passout "pass:$Passphrase" -aes128 -out "$client_key_file"

printf "Extracting CA cert ... "
openssl pkcs12 $openssl_extra -passin "pass:" -passout "pass:" -nokeys -in "$ClientCertificate" -cacerts -out "$root_ca_file"
printf "success\n"

if [ "$ID" = "sailfishos" ]; then
        add_connman
else
        cleanup_networkmanager
        add_networkmanager
fi

FelixWilke · 30 January 2024 14:42

Hey, unfortunately I am unable to run through the script successfully. I have to enter a passphrase, but auth fails. I tried “pkcs12” & “” & my user password neither of them worked.

- Extracting client cert ...success
- Extracting client key ... writing rsa key
- Extracting CA Cert ... success
- Password:
- Auth failed

John · 30 January 2024 14:57

That password prompt is the devel-su in the script, so it is the root password set in “Developer tools” in the Sailfish OS Settings

FelixWilke · 30 January 2024 15:07

Ok, thank you very much for bothering with my problem. I tried my root password too.

These are the steps:

#   Save the script to Documents
 # make it executable (chmod +x eduroam_sript.sh)
#    Download and save easyroam certificate  //*.p12 file // to the same folder
	devel-su  
 	./eduroam_script.sh easyroam_certificate.p12

I executed the script with root permissions otherwise there are lots of errors like “Cant open easyroam_certificate.p12”.

John · 30 January 2024 15:34

Remove the devel-su inside the script if you run the whole script already with devel-su

FelixWilke · 30 January 2024 15:53

Wow. Immediately a stream of new messages was send to my phone! It works. Thank you so much!

FelixWilke · 12 March 2024 12:33

Dear John,
last month, I went to a conference at a different university. My Eduroam Connection did not work. We were advised to enter different credentials (username & password… which didn’t work). Since then I am not able to connect to eduroam via easyroam anymore. I did already try to “forget eduroam” && re-run the script. The script runs smoothly. However afterwards I can’t connect with eduroam.

I would really appreciate if you could again offer some help.