
How do I connect to eduroam on Linux?

For other systems go to: Eduroam Landing Page

Answer

You may need to change your password
MIT users who have not changed their MIT password since June 2010 will need to change their password prior to connecting to the eduroam wifi network. Changing your password ensures that it is synchronized with the network's authentication servers.

Ubuntu 10.04 (Lucid) and higher can connect to the eduroam wireless network using NetworkManager.

  1. From the network manager icon in the top panel, select the "eduroam" wireless network.

  2. In the Authentication required by wireless network window, ensure that the following settings are used:
    • Wireless security: WPA & WPA2 Enterprise
    • Authentication: Protected EAP (PEAP)
    • Anonymous identity: (leave blank)
    • PEAP version: Automatic
    • Inner Authentication: MSCHAPv2
    • Username: (Enter your full school email address)
    • Password: (Enter your school password)

      For the username box, MIT users should enter their Kerberos username with "@mit.edu" on the end: username@mit.edu

  3. Click on CA certificate. Navigate to /usr/share/ca-certificates/mozilla and select the file "AddTrust_External_Root.crt". Click Open. Alternatively, if this file is missing from your Firefox installation, you can always download AddTrust's public key file from their website.

  4. Returning to the Authentication required window, click Connect. If all goes well, you should be connected to the network.
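An added example, not part of the original IS&T documentation: a Python check of a saved NetworkManager keyfile for the settings from steps 2 and 3, plus the server-name match that the comments on this page raise. The sample keyfile, its placeholder password and the function name `audit_keyfile` are constructed for illustration; the keys are NetworkManager's 802-1x setting properties.

```python
import configparser

# Constructed sample keyfile mirroring the settings in the steps above.
# The identity and password values are placeholders, not real credentials.
SAMPLE_KEYFILE = """\
[connection]
id=eduroam
type=wifi

[wifi]
ssid=eduroam

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=username@mit.edu
phase2-auth=mschapv2
ca-cert=/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
password=PLACEHOLDER
"""

def audit_keyfile(text):
    """Return a list of findings for the [802-1x] section of a keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("802-1x"):
        return ["no [802-1x] section: not a WPA-Enterprise profile"]
    x = cp["802-1x"]
    findings = []
    eap = [m for m in x.get("eap", "").lower().split(";") if m]
    if eap != ["peap"]:
        findings.append(f"eap is {eap}, expected ['peap']")
    if x.get("phase2-auth", "").lower() != "mschapv2":
        findings.append("phase2-auth is not mschapv2")
    # Without a CA, the client accepts any server certificate.
    if not x.get("ca-cert", "") and x.get("system-ca-certs", "false").lower() != "true":
        findings.append("no ca-cert: server certificate is not validated")
    # A public CA signs for many hosts, so the RADIUS server name must be pinned too.
    name_keys = ("domain-suffix-match", "altsubject-matches", "subject-match")
    if not any(x.get(k, "") for k in name_keys):
        findings.append("no server-name match: any certificate from the CA is accepted")
    if "@" not in x.get("identity", ""):
        findings.append("identity has no @realm part")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_keyfile(SAMPLE_KEYFILE)) or "ok")
```

Saved profiles normally live under /etc/NetworkManager/system-connections/ and are readable only by root.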

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

September 28, 2016

  1. May 11, 2015

    MSCHAPv2 is insecure, see e.g. https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ and http://www.brambonne.com/docs/robyns14wpa2enterprise.pdf.

    See e.g. an Arch Linux wiki article: https://wiki.archlinux.org/index.php/WPA2_Enterprise#connman for a good solution. In short, it recommends use of EAP-TTLS + PAP as the authentication mechanism, since it is more secure than the broken MSCHAPv2. I can confirm that EAP-TTLS + PAP works on my laptop.

    Note that https://en.wikipedia.org/wiki/EAP-TTLS shows that this mechanism is supported only on Windows 8 onwards (no XP, Vista, or 7). However, this article is specifically for Linux, so this should not apply here.

    1. Jul 08, 2017

      I don't believe this analysis is correct. AIUI, using either PEAP or EAP-TTLS, the client makes a TLS connection to the MIT eduroam RADIUS server, and the inner authentication protocol (such as PAP or MSCHAPv2) runs inside that TLS connection. Assuming the client authenticates the server properly by verifying its certificate, a MITM cannot intercept this TLS connection, so it does not matter whether the inner protocol resists MITM attacks.

      Additional note: IIUC, when the anonymous identity is left blank as in the instructions above, it defaults to the same as the username, and the access point uses the domain part of the anonymous identity to decide which RADIUS server to proxy the client to. Once an eduroam access point decides to proxy a user to the MIT eduroam RADIUS server, the security model is identical to that of MIT SECURE, except that presumably the MIT eduroam RADIUS server (*-eduroam-radius-*.mit.edu) is configured to return the negotiated session key to any eduroam access point, while the main MIT RADIUS server (*-wireless-radius-*.mit.edu) returns it only to MIT access points. Thus, as always, verifying the RADIUS server name (not the SSID) is what provides a guarantee on what access points might be at the other end of your WPA connection.

      (None of this information is inherently specific to MIT, but I haven't run across a good explanation elsewhere. Hopefully this is useful to at least some MIT users.)

  2. Jul 08, 2017

    Just as with MIT SECURE, the documentation is missing the step of verifying the RADIUS server name. See my comment there for details. Based on this page, the example commands to specify the server name for eduroam would be:
