Eduroam: Difference between revisions
No edit summary Tags: Mobile edit Mobile web edit |
No edit summary |
||
| Line 1: | Line 1: | ||
{{lowercase title}} | {{lowercase title}} | ||
'''[https://eduroam.org/ {{lcfirst:{{PAGENAMEE}}}}]''' (for ''edu''cation ''roam''ing) ([[wikipedia:en:{{lcfirst:{{PAGENAMEE}}}}]]) is the secure, world-wide roaming access service developed for the international research and education community.<ref>https://eduroam.org/what-is-eduroam/</ref> | '''[https://eduroam.org/ {{lcfirst:{{PAGENAMEE}}}}]''' (for ''edu''cation ''roam''ing) ([[wikipedia:en:{{lcfirst:{{PAGENAMEE}}}}]]) is the secure, world-wide roaming access service developed for the international research and education community.<ref>https://eduroam.org/what-is-eduroam/</ref> | ||
== Setup == | |||
For manual setup using wpa_supplicant, iwd, NetworkManager et. al. you can follow the instructions in the [https://wiki.archlinux.org/title/Network_configuration/Wireless#eduroam Arch Linux Wiki]. Note that configuration of eduroam highly depends on the way your institution implemented it. That's why you should consult their guidelines first and adapt accordingly. | |||
Declarative setup on Nix is possible for both [[wpa_supplicant#eduroam]] (example in the article) and [[NetworkManager]]. For the latter, an examplary setup is described below. | |||
First, you should download the necessary certificates and key files (if applicable) from your university. | |||
If provided as a PKCS#12 certificate bundle (.p12-file), you may unpack the individual components using openssl. A password may be provided using the <code>-passin pass:</code> flag or entered interactively. | |||
<syntaxhighlight lang="console">openssl pkcs12 -in eduroam.p12 -nocerts -nodes -out private.key | |||
openssl pkcs12 -in eduroam.p12 -nokeys -out cert.pem</syntaxhighlight> | |||
It may be advisable to move them to <code>/etc/ssl/certs/eduroam</code> and adjust permissions. | |||
<syntaxhighlight lang="console"> | |||
sudo mkdir -p /etc/ssl/certs/eduroam | |||
sudo mv private.key cert.pm /etc/ssl/certs/eduroam/ | |||
sudo chmod 600 /etc/ssl/certs/eduroam/private.key | |||
sudo chmod 644 /etc/ssl/certs/eduroam/cert.pem | |||
sudo chown root:root /etc/ssl/certs/eduroam/*</syntaxhighlight> | |||
Note that some universities just require a certificate some .crt or .pem certificate and authenticate via password, eliminating the need for a .key-file. Stick to your universities instructions for this. | |||
Next, you may setup NetworkManager. | |||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | |||
## should be enabled already if you're using NetworkManager | |||
networking.networkmanager.enable = true; | |||
networking.networkmanager.ensureProfiles.profiles = { | |||
eduroam = { | |||
connection = { | |||
id = "eduroam"; | |||
type = "wifi"; | |||
interface-name = "wlp192s0"; ## replace with your interface-name as displayed by "ip a" | |||
}; | |||
wifi = { | |||
mode = "infrastructure"; | |||
ssid = "eduroam"; | |||
}; | |||
wifi-security = { | |||
key-mgmt = "wpa-eap"; ## adapt according to your universities setup | |||
}; | |||
"802-1x" = { ## not all or even some additional values may be needed here according to your institution | |||
eap = "tls"; ## adapt according to your universities setup | |||
identity = "likely-youremail@youruniversity.edu"; | |||
client-cert = "/etc/ssl/certs/eduroam/cert.pem"; | |||
private-key = "/etc/ssl/certs/eduroam/private.key"; | |||
private-key-password = "p@ssw0rd-of-your-.key-file"; ## warning, this should only be done for testing purposes, as it makes the password world-readable. You should replace this with some form of secrets-management using sops-nix or agenix. | |||
ca-cert = "/etc/ssl/certs/certs.pem"; | |||
}; | |||
ipv4 = { | |||
method = "auto"; | |||
}; | |||
ipv6 = { | |||
method = "auto"; | |||
}; | |||
}; | |||
}; | |||
</nowiki>}} | |||
After rebuilding and switching, you can verify the presence of your newly configured eduroam.nmconnection and check for issues: | |||
<syntaxhighlight lang="console"> | |||
ls /run/NetworkManager/system-connections/ | |||
nmcli -f NAME,TYPE,ACTIVE c s | grep eduroam | |||
sudo journalctl -u NetworkManager -f | |||
</syntaxhighlight> | |||
== See also == | == See also == | ||
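Review bot: the added `sudo mv private.key cert.pm /etc/ssl/certs/eduroam/` line names `cert.pm`, but the preceding openssl step writes `cert.pem` and the following `chmod 644` targets `cert.pem`, so the sequence fails as written; change the argument to `cert.pem`. Two further points in the same addition: the key is extracted with `-nodes`, which writes it unencrypted, while the profile still sets `private-key-password`, so the text should say which case applies; and `ca-cert` points at `/etc/ssl/certs/certs.pem`, a file none of the earlier steps create, so it should state where that CA certificate comes from.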
Revision as of 11:02, 16 December 2025
eduroam (for education roaming) (wikipedia:en:eduroam) is the secure, world-wide roaming access service developed for the international research and education community.[1]
Setup
For manual setup using wpa_supplicant, iwd, NetworkManager et al., you can follow the instructions in the Arch Linux Wiki. Note that the configuration of eduroam depends heavily on how your institution implemented it, so you should consult their guidelines first and adapt accordingly.
Declarative setup on Nix is possible for both wpa_supplicant#eduroam (example in the article) and NetworkManager. For the latter, an example setup is described below.
First, you should download the necessary certificates and key files (if applicable) from your university.
If provided as a PKCS#12 certificate bundle (.p12-file), you may unpack the individual components using openssl. A password may be provided using the -passin pass: flag or entered interactively.
openssl pkcs12 -in eduroam.p12 -nocerts -nodes -out private.key
openssl pkcs12 -in eduroam.p12 -nokeys -out cert.pem
It may be advisable to move them to /etc/ssl/certs/eduroam and adjust permissions.
sudo mkdir -p /etc/ssl/certs/eduroam
sudo mv private.key cert.pem /etc/ssl/certs/eduroam/
sudo chmod 600 /etc/ssl/certs/eduroam/private.key
sudo chmod 644 /etc/ssl/certs/eduroam/cert.pem
sudo chown root:root /etc/ssl/certs/eduroam/*
Note that some universities only require a .crt or .pem certificate and authenticate via password, eliminating the need for a .key file. Stick to your university's instructions for this.
Next, you may set up NetworkManager.
## should be enabled already if you're using NetworkManager
networking.networkmanager.enable = true;
networking.networkmanager.ensureProfiles.profiles = {
  eduroam = {
    connection = {
      id = "eduroam";
      type = "wifi";
      interface-name = "wlp192s0"; ## replace with your interface name as displayed by "ip a"
    };
    wifi = {
      mode = "infrastructure";
      ssid = "eduroam";
    };
    wifi-security = {
      key-mgmt = "wpa-eap"; ## adapt according to your university's setup
    };
    "802-1x" = { ## depending on your institution, not all of these values may be needed, or additional ones may be required
      eap = "tls"; ## adapt according to your university's setup
      identity = "likely-youremail@youruniversity.edu";
      client-cert = "/etc/ssl/certs/eduroam/cert.pem";
      private-key = "/etc/ssl/certs/eduroam/private.key";
      private-key-password = "p@ssw0rd-of-your-.key-file"; ## warning: this should only be done for testing purposes, as it makes the password world-readable. You should replace this with some form of secrets management using sops-nix or agenix.
      ca-cert = "/etc/ssl/certs/certs.pem";
    };
    ipv4 = {
      method = "auto";
    };
    ipv6 = {
      method = "auto";
    };
  };
};
After rebuilding and switching, you can verify the presence of your newly configured eduroam.nmconnection and check for issues:
ls /run/NetworkManager/system-connections/
nmcli -f NAME,TYPE,ACTIVE c s | grep eduroam
sudo journalctl -u NetworkManager -f
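One way to act on the warning attached to private-key-password in the profile above, shown as an added example that is not part of the original wiki page: the password is read from a sops-nix secret through the ensureProfiles.environmentFiles option, so only a placeholder ends up in the Nix store. Assumptions: the sops-nix module is already imported and sops.defaultSopsFile is set; the secret name eduroam-env and the variable name EDUROAM_KEY_PASSWORD are hypothetical.

```nix
{ config, ... }:
{
  # Assumption: the encrypted sops file contains a key "eduroam-env" whose
  # decrypted value is one line of the form
  #   EDUROAM_KEY_PASSWORD=<password of your .key file>
  sops.secrets."eduroam-env" = {
    owner = "root";
    mode = "0400"; # readable by root only
  };

  networking.networkmanager.ensureProfiles = {
    # Variables from these files are substituted into the generated
    # .nmconnection file with envsubst when the profile is written.
    environmentFiles = [ config.sops.secrets."eduroam-env".path ];

    profiles.eduroam = {
      connection = {
        id = "eduroam";
        type = "wifi";
      };
      wifi = {
        mode = "infrastructure";
        ssid = "eduroam";
      };
      wifi-security.key-mgmt = "wpa-eap";
      "802-1x" = {
        eap = "tls";
        identity = "likely-youremail@youruniversity.edu";
        client-cert = "/etc/ssl/certs/eduroam/cert.pem";
        private-key = "/etc/ssl/certs/eduroam/private.key";
        # Placeholder only; the real value never appears in configuration.nix.
        private-key-password = "$EDUROAM_KEY_PASSWORD";
        ca-cert = "/etc/ssl/certs/certs.pem";
      };
      ipv4.method = "auto";
      ipv6.method = "auto";
    };
  };
}
```

With agenix the same pattern applies, using the path of the decrypted age secret in environmentFiles instead.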
See also
External links
- (German) article eduroam meets NixOS (with configuration) (instance: University of Applied Sciences Dresden; the eduroam installer for GNU/Linux works, for example, for Ubuntu but not NixOS)