I tried to follow an eduroam guide on a university site. That you can download the public installer from http://www.eduroam.org/, choose the university, and that is all. For Linux, this was a Python file which I had to start with python eduroam-linux-xyz.py, and it installs to ~/.config/cat_installer, but this did not get eduroam to work.

Network Manager configuration failed, but we may generate a WPA_supplicant configuration file if you wish:

I entered my user id, or was the mail needed here?

"Installation successful", but I still had to enter the same network settings as below, and the internet did not work:

The WPA-EAP configuration (more precisely WPA/EAP-TTLS-PAP) requires the following items:

SSID: eduroam  
Encryption: WPA Enterprise | WPA2 Enterprise (recommended)
EAP method: TTLS
Key: TKIP | AES (recommended)
Authentication: PAP
Anonymous identity: [email protected]
Identity: [email protected]

If you enter these settings, you are asked for a CA (certificate authority) certificate, which is not listed in that guide (why not???).

This CA certificate can be found at /etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem, no need to download, something I had to fish from SSL Certificate Location on UNIX/Linux and Eduroam requires installation of a CA Certificate - can they decrypt TLS traffic?.

If I then entered the rest of the settings, it still did not work, and I also tried the class_3 certificate like here, since class_2 might be outdated:

How do you "eduroam" so that it just works?

I have Linux Mint, but this should be the same on all Linux OS.

  • 1
    I don't think serverfault is the correct place for this Q&A. It's far more suited at unix.SE or SuperUser SE.
    – vidarlo
    Commented Nov 13, 2022 at 18:07
  • @vidarlo Right, now that you say it. I chose Server Fault only since two links that helped were from Security and Server Fault Stack Exchange. I have flagged this to be moved to Super User since it is not a purely Linux question either (you will have the same thing to fix if you are on Windows, only the screenshots will not be the same). Commented Nov 13, 2022 at 18:38
  • Yes, I agree that SuperUser is probably the best place for it :)
    – vidarlo
    Commented Nov 13, 2022 at 19:14

2 Answers

The Q/A was not about what changes from network setup to network setup, but about the world-wide default eduroam network settings of:

There cannot be a world-wide default for the CA certificate, as it isn't used for connecting to the eduroam network itself – it is for connecting to your institution's EAP server specifically. (In other words, the CA certificate setting belongs to the specific "outer authentication" method such as PEAP or EAP-TTLS that your institution uses. The TLS handshake happens inside PEAP/TTLS.)

The only global requirement is that the "anonymous identity" field (aka "outer identity") must be in user@domain format, and the domain must match your home organization's domain – that's how eduroam routes the EAP requests towards the home organization.

(The eduroam network does not validate the outer username, however, so it's typical to specify [email protected] or even just @the.domain as the outer identity – hence "anonymous identity".)

The inner identity field, on the other hand, is completely invisible to the visited organization or to eduroam as a whole – it is sent encrypted within the EAP TLS tunnel to your home organization and validated there. Because of that, it cannot have a "world-wide default" format either; it's up to each organization to decide what it accepts.

There is a mistake in the entries of the settings above. As a Username, you have to enter your full email, not just the username. This was also in the guide, but can be misunderstood in the settings.

Some organizations accept usernames without a @domain suffix (typically if they use the same RADIUS servers for other purposes besides eduroam), while other organizations deliberately reject such usernames, as it almost always indicates that the user forgot to enter a @domain at all (i.e. their "outer/anon. identity" field is missing one as well, and such a configuration would stop working as soon as the user visited another organization). Generally you should always include the domain.

It is possible that either a) the guide was written by someone whose organization did not have a @domain requirement (at the time), or b) the guide was written with Eduroam CAT in mind, which adds the domain automatically.

If you enter these settings, you are asked for a CA (certificate authority) certificate, which is not listed in that guide (why not???).

Because many such guides date back to when WPA-EAP clients would default to no verification at all – i.e. it would still work without a CA specified; the UI wouldn't indicate anything about it being insecure; so specifying the correct CA was effort that most students wouldn't go through anyway.

Additionally, your home organization is using a public CA, so it's not very useful to specify it here anyway (as there's nothing that would prevent any other customer of that CA from using literally any random HTTPS certificate to perform a MITM attack).

What the tutorial should have suggested is using system CAs but specifying a domain to match against the EAP server's "leaf" certificate (similar to how the URL is matched against an HTTPS certificate). Unfortunately, the NetworkManager GUI in your screenshot is also old and doesn't offer this as an option – you would need to specify the domain through CLI. Eduroam CAT does this automatically though.

  • Your answer sheds light on quite a few blind spots, the blindest might be that you always have to fear the worst: that you might deal with outdated guides and old graphical user interfaces although you just click on the latest links and use the latest Linux Mint and check an official eduroam page. What is more, I would still not know how to set this up with the Eduroam CAT, but that was not the question, and I am glad that someone cares to check this Q/A on such a level. The only question left: "Why me?" :) Commented Nov 18, 2022 at 21:48
There is a mistake in the entries of the settings above. As a Username, you have to enter your full email, not just the username. This was also in the guide, but can be misunderstood in the settings.

Do not take T-TeleSec_GlobalRoot_Class_3.pem as I tried above. With that, my internet worked only for some 10m. I needed to take the Class_2 certificate again to get it to work.

Mind that the login can be just the student number 123456, and not the full mail [email protected] that you enter as the username of the settings.

Mind that this is just one eduroam network setup of one university. Others can have other entries at:

  • Security,
  • Authentication, or
  • Inner authentication.

The Q/A was not about what changes from network setup to network setup, but about the world-wide default eduroam network settings of:

  • Anonymous identity
  • CA certificate
  • Username (pattern)
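As an added example (not code from the page, from the university guide, or from eduroam CAT), the Python script below turns the three "world-wide default" settings listed here, plus the certificate advice from the first answer, into a wpa_supplicant network block: the outer (anonymous) identity must be user@domain or just @domain with the home organisation's domain, the inner identity should carry the same @domain, and instead of naming one vendor root the block uses the system CA bundle together with domain_suffix_match on the EAP server's certificate name (the setting the first answer says older NetworkManager GUIs only expose via the CLI). An audit function flags the weaknesses of a legacy "no CA, bare username" block. The domain example-university.edu, the password, the student number and the bundle path /etc/ssl/certs/ca-certificates.crt are assumptions, and the check that the inner identity uses the same domain as the realm is a simplification.

```python
"""Build and audit a wpa_supplicant network block for an eduroam-style
WPA2-Enterprise (EAP-TTLS/PAP) profile, applying the identity and
certificate rules discussed in the answers above."""
import re

# Constructed sample values: a hypothetical institution, not a real one.
HOME_DOMAIN = "example-university.edu"
# Assumed location of the system CA bundle on Debian/Ubuntu/Mint.
SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# user@domain, where the user part may be empty ("@domain" is a valid outer identity).
_IDENTITY_RE = re.compile(r"^([^@\s]*)@([^@\s]+)$")


def check_identities(anonymous_identity, identity, home_domain=HOME_DOMAIN):
    """Outer identity: user@domain or just @domain, and the domain must be the
    home organisation's (eduroam routes the EAP request on it).  Inner identity:
    a non-empty user plus the same @domain (assumption; some realms differ)."""
    m = _IDENTITY_RE.match(anonymous_identity)
    if not m or m.group(2).lower() != home_domain.lower():
        raise ValueError(f"outer identity must end in @{home_domain}: {anonymous_identity!r}")
    m = _IDENTITY_RE.match(identity)
    if not m or not m.group(1) or m.group(2).lower() != home_domain.lower():
        raise ValueError(f"inner identity must be <user>@{home_domain}: {identity!r}")
    return True


def wpa_supplicant_network(anonymous_identity, identity, password, *,
                           ssid="eduroam", home_domain=HOME_DOMAIN,
                           ca_cert=SYSTEM_CA_BUNDLE, domain_suffix_match=None):
    """Return a hardened network={...} block.  Server verification uses the
    system CA bundle plus domain_suffix_match on the EAP server's certificate
    name; the server name is assumed to end in the institution's domain."""
    check_identities(anonymous_identity, identity, home_domain)
    if domain_suffix_match is None:
        domain_suffix_match = home_domain
    lines = [
        "network={",
        f'    ssid="{ssid}"',
        "    key_mgmt=WPA-EAP",
        "    proto=RSN",                     # WPA2
        "    pairwise=CCMP",                 # AES
        "    eap=TTLS",
        '    phase2="auth=PAP"',
        f'    anonymous_identity="{anonymous_identity}"',
        f'    identity="{identity}"',
        f'    password="{password}"',
        f'    ca_cert="{ca_cert}"',
        f'    domain_suffix_match="{domain_suffix_match}"',
        "}",
    ]
    return "\n".join(lines)


def audit_network_block(block):
    """Return the findings a defender would raise against an existing block."""
    def value(key):
        m = re.search(rf'^\s*{key}="?([^"\n]*)"?\s*$', block, re.M)
        return m.group(1) if m else None

    findings = []
    if value("ca_cert") is None:
        findings.append("no ca_cert: the EAP server's certificate is not verified at all")
    elif not any(value(k) for k in ("domain_suffix_match", "domain_match",
                                    "altsubject_match", "subject_match")):
        findings.append("ca_cert without a domain/subject match: any certificate "
                        "from that CA (typically a public one) would be accepted")
    anon = value("anonymous_identity")
    if anon is None or not _IDENTITY_RE.match(anon):
        findings.append("anonymous_identity missing or not user@domain: eduroam "
                        "cannot route the request to the home organisation")
    ident = value("identity")
    if ident is None or not _IDENTITY_RE.match(ident):
        findings.append("identity lacks @domain: many home RADIUS servers reject it")
    return findings


# Constructed "old guide" block: no CA, no name match, bare usernames.
LEGACY_BLOCK = """network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous"
    identity="123456"
    password="example-password"
}"""

if __name__ == "__main__":
    print("Legacy block findings:")
    for finding in audit_network_block(LEGACY_BLOCK):
        print("  -", finding)
    hardened = wpa_supplicant_network("@" + HOME_DOMAIN, "123456@" + HOME_DOMAIN,
                                      "example-password")
    print("\nHardened block (findings: %r):\n%s" % (audit_network_block(hardened), hardened))
```

With NetworkManager the same fields map onto the 802-1x connection properties in nmcli (802-1x.eap, 802-1x.phase2-auth, 802-1x.anonymous-identity, 802-1x.identity, 802-1x.ca-cert and 802-1x.domain-suffix-match), which is how the domain match can be set on a system whose GUI does not offer it.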
  • This answer seems like it would be very specific to the network configuration.
    – Ramhound
    Commented Nov 13, 2022 at 19:41
  • @Ramhound Made a remark on that, split into eduroam world-wide default and what is set by the university. Commented Nov 13, 2022 at 21:08