Manual eduroam connection

This article is based somewhat on a similar text written by Anders Damsgaard, but has been generalized to fit various universities that use the eduroam roaming service. Although eduroam provides a solution for connecting from Linux, it is written only for Linux and not for *nix systems in general, and it relies on certain prerequisites that not all *nix users may have. The solution I will discuss relies only on wpa_supplicant.

Provided that you have wpa_supplicant installed, you need to extract the certificate that your university uses to authorize connectivity to the roaming service. Start by browsing https://cat.eduroam.org/ using your favorite web browser. I would recommend using adji. Once there, click the button that says something like "Click here to download your eduroam installer". You should then be asked to select your university. Select the university you are affiliated with. Depending on your browser’s user agent, an operating system will be suggested to you. If Linux is not suggested, click the link that says "Choose another installer to download" and click "Linux." An installer script will be downloaded to your client. Within this script, there exists a configuration section that contains one or multiple PEM certificates.

You can extract the PEM certificate either manually or by using sed, for example like so (replacing installer.py with the name of the installer script you’ve downloaded):

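# sed skips the Config.CA = """ line, which also carries the first BEGIN marker, so echo restores it.
echo -----BEGIN CERTIFICATE-----; \
sed -n '/^Config.CA = """/,/"""/{/^Config.CA = """/!{/"""/!p;};}' installer.py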

The extracted PEM certificates should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

Now, save the extracted PEM certificate to a location that wpa_supplicant can read. Such a place could be /etc/ssl/certs/my_eduroam_cert.pem. What you name the file is up to you, but in this example, I will use the name my_eduroam_cert.pem.

Depending on your current wpa_supplicant configuration, the file /etc/wpa_supplicant/wpa_supplicant.conf may be empty or populated with known networks. In either case, append the following lines to that file:

network={ 
    ssid="eduroam" 
    key_mgmt=WPA-EAP 
    eap=TTLS PEAP 
    identity="<your eduroam username>" 
    password="<your eduroam password>" 
    ca_cert="/etc/ssl/certs/my_eduroam_cert.pem" 
    phase2="auth=MSCHAPV2" 
    mesh_fwding=1 
    frequency=5200 
} 

You will, of course, have to change the strings <your eduroam ...> to match your eduroam identity that is registered with your university. That’s it. The next time you use wpa_supplicant to connect to the wireless network at your university, you should be connected to the eduroam roaming service.
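
An added check for the network block above (example code, not from the original article or the wpa_supplicant project): it reports whether a block constrains the RADIUS server beyond the pinned CA and whether the outer identity is hidden. `domain_suffix_match`, `domain_match`, `altsubject_match` and `anonymous_identity` are existing wpa_supplicant options that the article's block does not set; the function names, `radius.example.edu` and the credentials are placeholders chosen for this example.

```sh
# Added example: audit one network block of a wpa_supplicant.conf for gaps in
# EAP server validation. One finding per line; exit status = number of findings.
audit_eap_block() {   # usage: audit_eap_block CONF SSID
    awk -v ssid="$2" '
        function report(   n) {
            if (!("ca_cert" in kv)) {
                print "HIGH: no ca_cert, server certificate is not validated"; n++
            } else if (!("domain_suffix_match" in kv) && !("domain_match" in kv) &&
                       !("altsubject_match" in kv)) {
                print "MEDIUM: CA pinned but server name is not checked"; n++
            }
            if (!("anonymous_identity" in kv)) {
                print "LOW: no anonymous_identity, outer identity reveals the username"; n++
            }
            return n + 0
        }
        /^[ \t]*network=\{/ { inside = 1; split("", kv); next }
        inside && /^[ \t]*\}/ {
            inside = 0
            if (kv["ssid"] == "\"" ssid "\"") { seen = 1; findings += report() }
            next
        }
        inside {   # store key=value pairs, ignoring comments
            line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
            eq = index(line, "=")
            if (eq > 1 && line !~ /^#/) kv[substr(line, 1, eq - 1)] = substr(line, eq + 1)
        }
        END { if (!seen) { print "no network block for ssid " ssid; exit 255 }; exit findings + 0 }
    ' "$1"
}

# Constructed inputs: the article's EAP settings with placeholder credentials, plus a hardened copy.
make_samples() {   # usage: make_samples DIR
    cat > "$1/article.conf" <<'EOF'
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS PEAP
    identity="user@example.edu"
    password="placeholder"
    ca_cert="/etc/ssl/certs/my_eduroam_cert.pem"
    phase2="auth=MSCHAPV2"
}
EOF
    sed 's/^}/    domain_suffix_match="radius.example.edu"\
    anonymous_identity="anonymous@example.edu"\
}/' "$1/article.conf" > "$1/hardened.conf"
}
if [ "$#" -eq 2 ]; then audit_eap_block "$1" "$2"; fi
```

The value for `domain_suffix_match` is the RADIUS server name your own institution publishes; with only `ca_cert` set, wpa_supplicant accepts any server certificate issued under that CA.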

Keep in mind that you should always treat public networks as insecure and consider any data you transmit through them as potentially collected by unauthorized parties, including the network owner. This can compromise your privacy and safety. To protect your data, consider using Tor or, even better, a personally owned and controlled proxy instead of consumerized VPNs, which pose the same trust issues as a public network.