Eduroam: Difference between revisions

From Official NixOS Wiki
Add note on certificate location restrictions
Arnecc
No edit summary
 
(One intermediate revision by the same user not shown)
Line 13: Line 13:
openssl pkcs12 -in eduroam.p12 -nokeys -out cert.pem</syntaxhighlight>
openssl pkcs12 -in eduroam.p12 -nokeys -out cert.pem</syntaxhighlight>


It may be advisable to move them to <code>/etc/ssl/certs/eduroam</code> and adjust permissions.
It may be advisable to move them to <code>/etc/ssl/certs/eduroam</code> / <code>/etc/wpa_supplicant</code> and adjust permissions.


<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
sudo mkdir -p /etc/ssl/certs/eduroam
sudo mkdir -p /etc/ssl/certs/eduroam
sudo mv private.key cert.pem /etc/ssl/certs/eduroam/
sudo mkdir -p /etc/wpa_supplicant
sudo chmod 600 /etc/ssl/certs/eduroam/private.key
sudo mv cert.pem /etc/ssl/certs/eduroam/
sudo mv private.key /etc/wpa_supplicant/private.key
sudo chmod 644 /etc/ssl/certs/eduroam/cert.pem
sudo chmod 644 /etc/ssl/certs/eduroam/cert.pem
sudo chown root:root /etc/ssl/certs/eduroam/*</syntaxhighlight>
sudo chown root:root /etc/ssl/certs/eduroam/*
sudo chown wpa_supplicant:wpa_supplicant /etc/wpa_supplicant/private.key
sudo chmod 400 /etc/wpa_supplicant/private.key
 
</syntaxhighlight>


Note that some universities just require a certificate some .crt or .pem certificate and authenticate via password, eliminating the need for a .key-file. Stick to your universities instructions for this.
Note that some universities just require a certificate some .crt or .pem certificate and authenticate via password, eliminating the need for a .key-file. Stick to your universities instructions for this.
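Review bot: the new prose line only says "/etc/ssl/certs/eduroam / /etc/wpa_supplicant" without stating which file goes where or why the split exists; the commands below move only private.key under /etc/wpa_supplicant, so say so explicitly, e.g. "move the certificate to /etc/ssl/certs/eduroam and the private key to /etc/wpa_supplicant (wpa_supplicant restricts where it reads certificates from, see Setup)". Two smaller points in the same hunk: `sudo chown wpa_supplicant:wpa_supplicant /etc/wpa_supplicant/private.key` assumes that user and group exist on the system, which the text should say, and `/etc/wpa_supplicant` itself gets no explicit owner or mode after `mkdir -p`, so a `chmod 700` or a note that the default is intended would make the intent clear.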
Line 47: Line 52:
       identity = "likely-youremail@youruniversity.edu";
       identity = "likely-youremail@youruniversity.edu";
       client-cert = "/etc/ssl/certs/eduroam/cert.pem";
       client-cert = "/etc/ssl/certs/eduroam/cert.pem";
       private-key = "/etc/ssl/certs/eduroam/private.key";
       private-key = "/etc/wpa_supplicant/private.key";
       private-key-password = "p@ssw0rd-of-your-.key-file"; ## warning, this should only be done for testing purposes, as it makes the password world-readable. You should replace this with some form of secrets-management using sops-nix or agenix.  
       private-key-password = "p@ssw0rd-of-your-.key-file"; ## warning, this should only be done for testing purposes, as it makes the password world-readable. You should replace this with some form of secrets-management using sops-nix or agenix.  
       ca-cert = "/etc/ssl/certs/certs.pem";
       ca-cert = "/etc/ssl/certs/certs.pem";
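Review bot: the `private-key` path now matches the file chowned to wpa_supplicant with mode 400 in the previous hunk, which is consistent, but the untouched `private-key-password` line deserves a sentence on when it applies, since the key extraction command earlier on the page uses `-nodes` and therefore writes an unencrypted key; as written a reader cannot tell whether the password refers to the .p12 bundle or to an encrypted .key file. Both copies of that line also carry trailing whitespace.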

Latest revision as of 09:06, 1 June 2026

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.[1]

Setup

For a manual setup using wpa_supplicant, iwd, NetworkManager et al., you can follow the instructions in the Arch Linux Wiki. Note that wpa_supplicant places additional restrictions on where certificates can be located. Also note that the eduroam configuration depends heavily on how your institution implemented it, so consult their guidelines first and adapt accordingly.

Declarative setup on Nix is possible for wpa_supplicant#eduroam, iwd#eduroam (example in the respective articles) and NetworkManager. For the latter, an exemplary setup is described below.

First, download the necessary certificate and key files (if applicable) from your university. If they are provided as a PKCS#12 bundle (.p12 file), you can unpack the individual components using openssl. The bundle password may be supplied with the -passin pass: flag or entered interactively.

# -nocerts -nodes writes only the private key, unencrypted
openssl pkcs12 -in eduroam.p12 -nocerts -nodes -out private.key
# -nokeys writes only the certificate(s)
openssl pkcs12 -in eduroam.p12 -nokeys -out cert.pem

It may be advisable to move the certificate to /etc/ssl/certs/eduroam and the private key to /etc/wpa_supplicant, and to adjust permissions so that only the intended user can read the key.

sudo mkdir -p /etc/ssl/certs/eduroam
sudo mkdir -p /etc/wpa_supplicant
sudo mv cert.pem /etc/ssl/certs/eduroam/
sudo mv private.key /etc/wpa_supplicant/private.key
sudo chmod 644 /etc/ssl/certs/eduroam/cert.pem
sudo chown root:root /etc/ssl/certs/eduroam/*
sudo chown wpa_supplicant:wpa_supplicant /etc/wpa_supplicant/private.key
sudo chmod 400 /etc/wpa_supplicant/private.key

Note that some universities only require a certificate (a .crt or .pem file) and authenticate via password, eliminating the need for a .key file. Stick to your university's instructions for this.
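As an added check that is not part of the wiki page: a small POSIX shell pre-flight that verifies the key and certificate layout set up above before you rebuild (key mode and owner, certificate/key match, expiry). Function and argument names are this example's own; the defaults assume the page's paths and the wpa_supplicant owner, and the openssl checks need openssl in PATH.

```shell
#!/bin/sh
# Added pre-flight check for the file layout above; it is not from the wiki page.
# Defaults are the page's paths and the wpa_supplicant owner it chowns the key to.
# The openssl checks expect an unencrypted key unless a password is passed as the
# third argument of cert_key_match.

# key_mode_ok FILE [OWNER]: the key must be readable by its owner only
# (mode 400 or 600) and, if OWNER is given, owned by that user.
key_mode_ok() {
    f=$1; want_owner=${2:-}
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        400|600) ;;
        *) echo "key $f is mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
    if [ -n "$want_owner" ] && [ "$(stat -c '%U' "$f")" != "$want_owner" ]; then
        echo "key $f is not owned by $want_owner" >&2; return 1
    fi
    return 0
}

# cert_key_match CERT KEY [PASSWORD]: the public key in the certificate must be
# the one derived from the private key, otherwise EAP-TLS cannot succeed.
cert_key_match() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout -passin "pass:${3:-}" 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_valid_days CERT DAYS: fail if the certificate expires within DAYS days.
cert_valid_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# eduroam_preflight [CERT] [KEY] [OWNER]: run all checks; returns 0 when it is
# safe to rebuild. Run as root so that the mode-400 key is readable.
eduroam_preflight() {
    cert=${1:-/etc/ssl/certs/eduroam/cert.pem}
    key=${2:-/etc/wpa_supplicant/private.key}
    key_mode_ok "$key" "${3:-wpa_supplicant}" \
        && cert_key_match "$cert" "$key" \
        && cert_valid_days "$cert" 30
}
```

Run `sudo sh -c '. ./preflight.sh && eduroam_preflight'` after placing the files; a non-zero exit and a message on stderr tell you which of the three checks failed.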

Next, you can set up NetworkManager declaratively.

❄︎ /etc/nixos/configuration.nix
## should be enabled already if you're using NetworkManager
networking.networkmanager.enable = true;

networking.networkmanager.ensureProfiles.profiles = {
  eduroam = {
    connection = {
      id = "eduroam";
      type = "wifi";
      interface-name = "wlp192s0"; ## replace with your interface name as displayed by "ip a"
    };
    wifi = {
      mode = "infrastructure";
      ssid = "eduroam";
    };
    wifi-security = {
      key-mgmt = "wpa-eap"; ## adapt according to your university's setup
    };
    "802-1x" = { ## not all of these values may be needed, and additional ones may be required, depending on your institution
      eap = "tls"; ## adapt according to your university's setup
      identity = "likely-youremail@youruniversity.edu";
      client-cert = "/etc/ssl/certs/eduroam/cert.pem";
      private-key = "/etc/wpa_supplicant/private.key";
      private-key-password = "p@ssw0rd-of-your-.key-file"; ## warning: only for testing, as the password ends up in the world-readable Nix store. Replace this with some form of secrets management such as sops-nix or agenix.
      ca-cert = "/etc/ssl/certs/certs.pem";
    };
    ipv4 = {
      method = "auto";
    };
    ipv6 = {
      method = "auto";
    };
  };
};

After rebuilding and switching, you can verify that the newly generated eduroam.nmconnection is present and check the NetworkManager log for issues:

ls /run/NetworkManager/system-connections/
nmcli -f NAME,TYPE,ACTIVE c s | grep eduroam
sudo journalctl -u NetworkManager -f
