Eduroam: Difference between revisions

(2 intermediate revisions by one other user not shown)

Line 1:

'''[https://eduroam.org/ {{lcfirst:{{PAGENAMEE}}}}]''' (for ''edu''cation ''roam''ing) ([[wikipedia:en:{{lcfirst:{{PAGENAMEE}}}}]]) is the secure, world-wide roaming access service developed for the international research and education community.<ref>https://eduroam.org/what-is-eduroam/</ref>

== Setup ==

For manual setup using wpa_supplicant, iwd, NetworkManager et. al. you can follow the instructions in the [https://wiki.archlinux.org/title/Network_configuration/Wireless#eduroam Arch Linux Wiki]. Note that configuration of eduroam highly depends on the way your institution implemented it. That's why you should consult their guidelines first and adapt accordingly.

Declarative setup on Nix is possible for [[wpa_supplicant#eduroam]], [[iwd#eduroam]] (example in the respective articles) and [[NetworkManager]]. For the latter, an exemplary setup is described below.

First, you should download the necessary certificates and key files (if applicable) from your university.

If provided as a PKCS#12 certificate bundle (.p12-file), you may unpack the individual components using openssl. A password may be provided using the <code>-passin pass:</code> flag or entered interactively.

<syntaxhighlight lang="console">openssl pkcs12 -in eduroam.p12 -nocerts -nodes -out private.key

openssl pkcs12 -in eduroam.p12 -nokeys -out cert.pem</syntaxhighlight>

It may be advisable to move them to <code>/etc/ssl/certs/eduroam</code> and adjust permissions.

sudo mkdir -p /etc/ssl/certs/eduroam

sudo mv private.key cert.pm /etc/ssl/certs/eduroam/

sudo chmod 600 /etc/ssl/certs/eduroam/private.key

sudo chmod 644 /etc/ssl/certs/eduroam/cert.pem

sudo chown root:root /etc/ssl/certs/eduroam/*</syntaxhighlight>

Note that some universities just require a certificate some .crt or .pem certificate and authenticate via password, eliminating the need for a .key-file. Stick to your universities instructions for this.

Next, you may setup NetworkManager.

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

## should be enabled already if you're using NetworkManager

networking.networkmanager.enable = true;

networking.networkmanager.ensureProfiles.profiles = {

eduroam = {

connection = {

id = "eduroam";

type = "wifi";

interface-name = "wlp192s0"; ## replace with your interface-name as displayed by "ip a"

};

wifi = {

mode = "infrastructure";

ssid = "eduroam";

};

wifi-security = {

key-mgmt = "wpa-eap"; ## adapt according to your universities setup

};

"802-1x" = { ## not all or even some additional values may be needed here according to your institution

eap = "tls"; ## adapt according to your universities setup

identity = "likely-youremail@youruniversity.edu";

client-cert = "/etc/ssl/certs/eduroam/cert.pem";

private-key = "/etc/ssl/certs/eduroam/private.key";

private-key-password = "p@ssw0rd-of-your-.key-file"; ## warning, this should only be done for testing purposes, as it makes the password world-readable. You should replace this with some form of secrets-management using sops-nix or agenix.

ca-cert = "/etc/ssl/certs/certs.pem";

};

ipv4 = {

method = "auto";

};

ipv6 = {

method = "auto";

};

</nowiki>}}

After rebuilding and switching, you can verify the presence of your newly configured eduroam.nmconnection and check for issues:

ls /run/NetworkManager/system-connections/

nmcli -f NAME,TYPE,ACTIVE c s | grep eduroam

sudo journalctl -u NetworkManager -f

</syntaxhighlight>

== See also ==

Line 16:

Line 82:

== References ==

[[Category:Networking]]

@@ Line 1: / Line 1: @@
 {{lowercase title}}
 '''[https://eduroam.org/ {{lcfirst:{{PAGENAMEE}}}}]''' (for ''edu''cation ''roam''ing) ([[wikipedia:en:{{lcfirst:{{PAGENAMEE}}}}]]) is the secure, world-wide roaming access service developed for the international research and education community.<ref>https://eduroam.org/what-is-eduroam/</ref>
+== Setup ==
+For manual setup using wpa_supplicant, iwd, NetworkManager et. al. you can follow the instructions in the [https://wiki.archlinux.org/title/Network_configuration/Wireless#eduroam Arch Linux Wiki]. Note that configuration of eduroam highly depends on the way your institution implemented it. That's why you should consult their guidelines first and adapt accordingly.
+Declarative setup on Nix is possible for [[wpa_supplicant#eduroam]], [[iwd#eduroam]] (example in the respective articles) and [[NetworkManager]]. For the latter, an exemplary setup is described below.
+First, you should download the necessary certificates and key files (if applicable) from your university.
+If provided as a PKCS#12 certificate bundle (.p12-file), you may unpack the individual components using openssl. A password may be provided using the <code>-passin pass:</code> flag or entered interactively.
+<syntaxhighlight lang="console">openssl pkcs12 -in eduroam.p12 -nocerts -nodes -out private.key
+openssl pkcs12 -in eduroam.p12 -nokeys -out cert.pem</syntaxhighlight>
+It may be advisable to move them to <code>/etc/ssl/certs/eduroam</code> and adjust permissions.
+<syntaxhighlight lang="console">
+sudo mkdir -p /etc/ssl/certs/eduroam
+sudo mv private.key cert.pm /etc/ssl/certs/eduroam/
+sudo chmod 600 /etc/ssl/certs/eduroam/private.key
+sudo chmod 644 /etc/ssl/certs/eduroam/cert.pem
+sudo chown root:root /etc/ssl/certs/eduroam/*</syntaxhighlight>
+Note that some universities just require a certificate some .crt or .pem certificate and authenticate via password, eliminating the need for a .key-file. Stick to your universities instructions for this.
+Next, you may setup NetworkManager.
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+## should be enabled already if you're using NetworkManager
+networking.networkmanager.enable = true;
+networking.networkmanager.ensureProfiles.profiles = {
+  eduroam = {
+    connection = {
+      id = "eduroam";
+      type = "wifi";
+      interface-name = "wlp192s0"; ## replace with your interface-name as displayed by "ip a"
+    };
+    wifi = {
+      mode = "infrastructure";
+      ssid = "eduroam";
+    };
+    wifi-security = {
+      key-mgmt = "wpa-eap"; ## adapt according to your universities setup
+    };
+    "802-1x" = { ## not all or even some additional values may be needed here according to your institution
+      eap = "tls"; ## adapt according to your universities setup
+      identity = "likely-youremail@youruniversity.edu";
+      client-cert = "/etc/ssl/certs/eduroam/cert.pem";
+      private-key = "/etc/ssl/certs/eduroam/private.key";
+      private-key-password = "p@ssw0rd-of-your-.key-file"; ## warning, this should only be done for testing purposes, as it makes the password world-readable. You should replace this with some form of secrets-management using sops-nix or agenix.
+      ca-cert = "/etc/ssl/certs/certs.pem";
+    };
+    ipv4 = {
+      method = "auto";
+    };
+    ipv6 = {
+      method = "auto";
+    };
+  };
+};
+</nowiki>}}
+After rebuilding and switching, you can verify the presence of your newly configured eduroam.nmconnection and check for issues:
+<syntaxhighlight lang="console">
+ls /run/NetworkManager/system-connections/
+nmcli -f NAME,TYPE,ACTIVE c s | grep eduroam
+sudo journalctl -u NetworkManager -f
+</syntaxhighlight>
 == See also ==
@@ Line 16: / Line 82: @@
 == References ==
 <references />
+[[Category:Networking]]