How do I connect to eduroam on Linux?
For other systems go to: Eduroam Landing Page
Answer
You may need to change your password: MIT users who have not changed their MIT password since June 2010 will need to change it before connecting to the eduroam wifi network. Changing your password ensures that it is synchronized with the network's authentication servers.
Ubuntu 10.04 (Lucid) and higher can connect to the eduroam wireless network using NetworkManager.
- From the network manager icon in the top panel, select the "eduroam" wireless network.
- In the "Authentication required by wireless network" window, make sure the following settings are used:
- Wireless security: WPA & WPA2 Enterprise
- Authentication: Protected EAP (PEAP)
- Anonymous identity: (leave blank)
- PEAP version: Automatic
- Inner Authentication: MSCHAPv2
- Username: (Enter your full school email address)
- Password: (Enter your school password)
For the username box, MIT users should enter their Kerberos username with "@mit.edu" on the end: username@mit.edu
- Click on CA certificate. Navigate to /usr/share/ca-certificates/mozilla and select the file "USERTrust_RSA_Certification_Authority.crt". Click Open. Alternatively, if this file is missing from your Firefox installation, you can download AddTrust's public key file from their website.
- Returning to the Authentication required window, click Connect. If all goes well, you should be connected to the network.
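Added example, not part of MIT's instructions: the comments below note that the steps above never bind the TLS tunnel to a RADIUS server name, so this POSIX shell script audits a NetworkManager keyfile profile for a pinned CA certificate plus a server-name match, and prints the nmcli command that creates a profile with the settings above and that check. The property names are NetworkManager's 802-1x keys; the sample profiles and `radius.example.edu` are constructed placeholders, since this page does not state MIT's RADIUS server name.

```shell
# Audit a NetworkManager keyfile profile (the format stored under
# /etc/NetworkManager/system-connections/) for the two settings that bind the
# eduroam TLS tunnel to the institution's RADIUS server. Keys are NetworkManager's own.

# CA file from the steps above; adjust if your distribution stores it elsewhere.
CA_CERT=/usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt

# Print only the key=value lines of the [802-1x] section of a keyfile profile.
section_8021x() {
    awk '/^\[/ { insec = ($0 == "[802-1x]"); next } insec' "$1"
}

# Return 0 when the profile pins a CA certificate AND a server-name match,
# 1 otherwise; each missing item is reported on stderr.
check_8021x_profile() {
    sec=$(section_8021x "$1")
    rc=0
    if ! printf '%s\n' "$sec" | grep -q '^ca-cert=.'; then
        echo "$1: no ca-cert, so the RADIUS server certificate is not verified" >&2
        rc=1
    fi
    if ! printf '%s\n' "$sec" | grep -Eq '^(domain-suffix-match|domain-match)=.'; then
        echo "$1: no domain-suffix-match, so any certificate from that CA is accepted" >&2
        rc=1
    fi
    return $rc
}

# Print the nmcli command that creates a profile with the settings above (PEAP,
# MSCHAPv2, USERTrust CA) plus the server-name check. $3 is the RADIUS name
# suffix published by your institution, which this page does not state (placeholder).
eduroam_nmcli_cmd() {
    printf 'nmcli connection add type wifi con-name eduroam ssid eduroam '
    printf 'wifi-sec.key-mgmt wpa-eap 802-1x.eap peap 802-1x.phase2-auth mschapv2 '
    printf '802-1x.identity %s 802-1x.ca-cert %s 802-1x.domain-suffix-match %s\n' "$1" "$2" "$3"
}

# Write a constructed sample profile to $1; a non-empty $2 adds the two pinning keys.
write_sample_profile() {
    { printf '[connection]\nid=eduroam\ntype=wifi\n\n[802-1x]\neap=peap;\n'
      printf 'identity=username@mit.edu\nphase2-auth=mschapv2\n'
      [ -z "$2" ] || printf 'ca-cert=%s\ndomain-suffix-match=%s\n' "$CA_CERT" "$2"
    } > "$1"
}

# Demo on constructed samples: one with no pinning at all, one with both checks.
WEAK=$(mktemp); HARD=$(mktemp)
write_sample_profile "$WEAK" ""; write_sample_profile "$HARD" radius.example.edu
check_8021x_profile "$WEAK" || echo "weak profile flagged"
check_8021x_profile "$HARD" && eduroam_nmcli_cmd username@mit.edu "$CA_CERT" radius.example.edu
```

To audit the profiles already on a machine, run check_8021x_profile as root over /etc/NetworkManager/system-connections/*.nmconnection.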
4 Comments
May 11, 2015
Ganesh Ajjanagadde
MSCHAPv2 is insecure, see e.g. https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ and http://www.brambonne.com/docs/robyns14wpa2enterprise.pdf.
See e.g. an Arch Linux wiki article: https://wiki.archlinux.org/index.php/WPA2_Enterprise#connman for a good solution. In short, it recommends use of EAP-TTLS + PAP as the authentication mechanism, since it is more secure than the broken MSCHAPv2. I can confirm that EAP-TTLS + PAP works on my laptop.
Note that https://en.wikipedia.org/wiki/EAP-TTLS shows that this mechanism is supported only on Windows 8 onwards (no XP, Vista, or 7). However, this article is specifically for Linux, so this should not apply here.
Jul 08, 2017
Richard Matthew McCutchen
I don't believe this analysis is correct. AIUI, using either PEAP or EAP-TTLS, the client makes a TLS connection to the MIT eduroam RADIUS server, and the inner authentication protocol (such as PAP or MSCHAPv2) runs inside that TLS connection. Assuming the client authenticates the server properly by verifying its certificate, a MITM cannot intercept this TLS connection, so it does not matter whether the inner protocol resists MITM attacks.
Additional note: IIUC, when the anonymous identity is left blank as in the instructions above, it defaults to the same as the username, and the access point uses the domain part of the anonymous identity to decide which RADIUS server to proxy the client to. Once an eduroam access point decides to proxy a user to the MIT eduroam RADIUS server, the security model is identical to that of MIT SECURE, except that presumably the MIT eduroam RADIUS server (*-eduroam-radius-*.mit.edu) is configured to return the negotiated session key to any eduroam access point, while the main MIT RADIUS server (*-wireless-radius-*.mit.edu) returns it only to MIT access points. Thus, as always, verifying the RADIUS server name (not the SSID) is what provides a guarantee on what access points might be at the other end of your WPA connection.
(None of this information is inherently specific to MIT, but I haven't run across a good explanation elsewhere. Hopefully this is useful to at least some MIT users.)
Jul 08, 2017
Richard Matthew McCutchen
Just as with MIT SECURE, the documentation is missing the step of verifying the RADIUS server name. See my comment there for details. Based on this page, the example commands to specify the server name for eduroam would be:
Sep 11, 2022
Matin Ghavamizadeh
The link given for certificates is incorrect as of May 30th, 2020. See here for more details. If you don't have the certificate on your device download the USERTrust RSA Certification Authority under Root certificates at https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates.