wpa_supplicant 2: Eduroam Networks

Apr 10, 2021

 

The previous guide on wpa_supplicant walks through the steps necessary to connect to WPA-encrypted wireless networks. Eduroam connections require additional authentication information.


In the previous guide, we configured a single wireless network connection and appended the information to the /etc/wpa_supplicant/wpa_supplicant.conf configuration file using wpa_passphrase. The file, with multiple configurations added for different wireless networks, might look something like this:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
update_config=1
network={
    ssid="Home_Network"
    psk="..."
}
network={
    ssid="Office_Network"
    psk="..."
}
network={
    ssid="Other_Network"
    psk="..."
}

Note: It is also possible to provide passwords in plain text using a psk="..." entry, instead of a WPA PSK that was generated by wpa_passphrase.

Now, we need to provide the necessary authentication information. We can do this by editing the configuration file manually.

[root@void: ~]# cd /etc/wpa_supplicant/
[root@void: ~]# vim wpa_supplicant.conf

Note: The exact configuration in this guide might not work for every institution, depending on how the network is implemented. University websites usually provide information on the authentication methods and protocols used. PEAP or TTLS (or both) may be supported as an authentication framework. For the inner authentication (phase 2), you might need to use MSCHAPv2 or PAP depending on the network. These websites might not include a separate guide for wpa_supplicant, but the information they give should still be useful.

We add the following network configuration to the file:

network={
    ssid="eduroam" # Eduroam network SSID
    key_mgmt=WPA-EAP # Use EAP
    eap=TTLS # Use tunneled TLS for authentication
    phase2="auth=PAP" # Use PAP for phase 2 authentication
    identity="user@mail" # University username/e-mail address
    anonymous_identity="anonymous@mail" # Outer identity sent unencrypted in phase 1, so the real username stays inside the tunnel
    password="..." # The actual password, in plain text
}

The password is now in the configuration file. It is a good idea to make sure that the file can only be read by the root user.

[root@void: ~]# chmod 600 wpa_supplicant.conf

We should now be able to connect to the Eduroam network after restarting the wpa_supplicant service (the command to do so will be different on systems other than Void Linux).

[root@void: ~]# sv restart wpa_supplicant
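
An added example, not part of the original guide: a small check over wpa_supplicant.conf that confirms the chmod 600 step took effect and reports WPA-EAP blocks that set neither ca_cert nor a server name match. wpa_supplicant's sample configuration documents that the server certificate is not verified without ca_cert or ca_path, which matters here because PAP hands the password to whichever server terminates the TTLS tunnel. The sample text, CA path and server domain are constructed placeholders.

```python
import re
# Constructed sample: this guide's eduroam block, then a variant that pins the
# RADIUS server. The CA path and server domain are placeholders (assumptions).
SAMPLE_CONF = '''\
network={
    ssid="eduroam" # Eduroam network SSID
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
}
network={
    ssid="eduroam-pinned"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.edu"
}
'''
# Any of these ties the accepted certificate to the expected server name.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"^network=\{(.*?)^\s*\}", text, re.S | re.M):
        net = {}
        for line in body.splitlines():
            # '#' starts a comment unless it sits inside a quoted value
            cut = line.find("#", line.rfind('"') + 1)
            line = (line if cut == -1 else line[:cut]).strip()
            if "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks

def audit(text, mode=0o600):
    """List findings for the file mode and for every WPA-EAP network block."""
    findings = []
    if mode & 0o077:
        findings.append("file: readable beyond owner, expected mode 600")
    for net in parse_networks(text):
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK networks have no server certificate to validate
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append(f"{net.get('ssid')}: no ca_cert, server certificate is not verified")
        if not any(key in net for key in NAME_CHECKS):
            findings.append(f"{net.get('ssid')}: no server name check such as domain_suffix_match")
    return findings
```

To audit the live file, pass its contents as `text` and `stat.S_IMODE(os.stat(path).st_mode)` as `mode`.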