eduroam

From Official NixOS Wiki

eduroam (short for education roaming; see wikipedia:en:eduroam) is the secure, world-wide roaming access service developed for the international research and education community.[1]

Setup

For manual setup using wpa_supplicant, iwd, NetworkManager et al., you can follow the instructions in the Arch Linux Wiki. Note that the configuration of eduroam depends heavily on how your institution has implemented it, so you should consult their guidelines first and adapt accordingly.

Declarative setup on Nix is possible for wpa_supplicant and iwd (examples in the eduroam sections of the respective articles) and for NetworkManager. For the latter, an exemplary setup is described below.

First, you should download the necessary certificates and key files (if applicable) from your university. If provided as a PKCS#12 certificate bundle (.p12-file), you may unpack the individual components using openssl. A password may be provided using the -passin pass: flag or entered interactively.

openssl pkcs12 -in eduroam.p12 -nocerts -nodes -out private.key
openssl pkcs12 -in eduroam.p12 -nokeys -out cert.pem

It may be advisable to move them to /etc/ssl/certs/eduroam and adjust permissions.

sudo mkdir -p /etc/ssl/certs/eduroam
sudo mv private.key cert.pem /etc/ssl/certs/eduroam/
sudo chmod 600 /etc/ssl/certs/eduroam/private.key
sudo chmod 644 /etc/ssl/certs/eduroam/cert.pem
sudo chown root:root /etc/ssl/certs/eduroam/*

Note that some universities just require a .crt or .pem certificate and authenticate via password, eliminating the need for a .key file. Stick to your university's instructions for this.

Next, you may set up NetworkManager.

❄︎ /etc/nixos/configuration.nix
## should be enabled already if you're using NetworkManager
networking.networkmanager.enable = true;

networking.networkmanager.ensureProfiles.profiles = {
  eduroam = {
    connection = {
      id = "eduroam";
      type = "wifi";
      interface-name = "wlp192s0"; ## replace with your interface-name as displayed by "ip a" 
    };
    wifi = {
      mode = "infrastructure";
      ssid = "eduroam";
    };
    wifi-security = {
      key-mgmt = "wpa-eap"; ## adapt according to your university's setup
    };
    "802-1x" = { ## depending on your institution, not all of these values may be needed, and additional ones may be required
      eap = "tls"; ## adapt according to your university's setup
      identity = "likely-youremail@youruniversity.edu";
      client-cert = "/etc/ssl/certs/eduroam/cert.pem";
      private-key = "/etc/ssl/certs/eduroam/private.key";
      private-key-password = "p@ssw0rd-of-your-.key-file"; ## warning: only do this for testing purposes, as it makes the password world-readable. Replace it with some form of secrets management, such as sops-nix or agenix.
      ca-cert = "/etc/ssl/certs/certs.pem";
    };
    ipv4 = {
      method = "auto";
    };
    ipv6 = {
      method = "auto";
    };
  };
};
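
One way to keep the key password out of the world-readable Nix store, as an added example that is not part of the original wiki page: the profile references an environment variable, and NetworkManager's ensureProfiles substitutes it from a secret file when the profile is written. It assumes sops-nix is already imported and configured; the secret name eduroam.env and the variable EDUROAM_KEY_PASSWORD are made-up names.

```nix
{ config, ... }:
{
  ## Assumption: sops-nix is set up (sops.defaultSopsFile, age/GPG key).
  ## The decrypted secret is a plain environment file with one line:
  ##   EDUROAM_KEY_PASSWORD=<password of your .key file>
  ## sops-nix places it outside the Nix store, owned by root, mode 0400.
  sops.secrets."eduroam.env" = { };

  networking.networkmanager.ensureProfiles = {
    ## Loaded when the profiles are generated; "$VAR" references in the
    ## profile values are substituted from these files.
    environmentFiles = [ config.sops.secrets."eduroam.env".path ];

    profiles.eduroam = {
      connection = {
        id = "eduroam";
        type = "wifi";
      };
      wifi = {
        mode = "infrastructure";
        ssid = "eduroam";
      };
      wifi-security.key-mgmt = "wpa-eap";
      "802-1x" = {
        eap = "tls";
        identity = "likely-youremail@youruniversity.edu";
        client-cert = "/etc/ssl/certs/eduroam/cert.pem";
        private-key = "/etc/ssl/certs/eduroam/private.key";
        ## Only the variable name ends up in the Nix store, not the password.
        private-key-password = "$EDUROAM_KEY_PASSWORD";
        ca-cert = "/etc/ssl/certs/certs.pem";
      };
      ipv4.method = "auto";
      ipv6.method = "auto";
    };
  };
}
```

With agenix, the same pattern applies: point environmentFiles at the path of the decrypted secret instead.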

After rebuilding and switching, you can verify the presence of your newly configured eduroam.nmconnection and check for issues:

ls /run/NetworkManager/system-connections/
nmcli -f NAME,TYPE,ACTIVE c s | grep eduroam
sudo journalctl -u NetworkManager -f

References