
eduroam-wpa_supplicant's Issues

Deprecation and take-down notice; change your password

This repository is hereby deprecated, and will be taken down shortly after August 22, 2018 AOE. That is, the provided configuration will become unavailable in the interest of not spreading security malpractice further.

The eduroam Configuration Assistant Tool (CAT) does the task that this repository was meant to do, but better. For Linux, they offer shell script installers that will generate a wpa_supplicant configuration for you, if they fail to find Network Manager installed.

CAT does a better job because it also provisions you with a certificate which you can use to verify the RADIUS server of your home institution before talking to it. The configuration provided here did not do that, and this is bad practice—you may have exposed your password to unintended parties.

Using CAT, rather than this configuration, also means that you should from now on keep an eye on when the configuration or certificate at your home institution is subject to change, and upgrade your configuration accordingly.

It is recommended that you change your password if you used this configuration.

See also issues #23 and #24.

Works at Utena University of Applied Sciences (Utenos kolegija), LT

Confirming that this configuration (EAP-PEAP with MSCHAPv2) will work with @ukolegija.lt and @utenos-kolegija.lt accounts.

(Not that I want to encourage using a configuration that broadcasts your easily-crackable password hash literally everywhere you go, but if it does the job for you...)

Misinformation in README

Some institutions do offer raw wpa_supplicant documentation, but do so in an ad-hoc fashion — without any guarantee that the configuration will work at any other institution, defeating the purpose of Eduroam.

This part does not make sense; the reality is practically the opposite.

  • The purpose of Eduroam is that someone could get an account from one institution (the "home" institution), and use that account anywhere else in their travels (the "visited" institutions).

    This is implemented by forwarding all authentication requests (based on your identity's …@realm suffix) to the corresponding "home" institution. No matter where you are, your wpa_supplicant still ends up talking to your "home" institution's RADIUS server. Your "visited" institution always sees the exact same thing: just your anonymous_identity followed by opaque EAP packets.

  • Different home institutions configure their RADIUS servers differently. One home institution may use password hashes via EAP-PEAP/MSCHAPv2, another may use plain passwords via EAP-TTLS/GTC, yet another may use client certificates via EAP-TLS.

  • This means that the diverging settings, which are practically always related to authentication (EAP and subprotocols), depend only on the home institution and not on the visited institution.

    (The link layer settings, which do depend on the visited institution, are identical everywhere: eduroam is always provided over WPA2-AES-Enterprise.)

The conclusion is that whether a config works or not depends mainly on your home institution, not on your physical location. If you got an account at foo.edu, you can use the configuration from foo.edu and it will work everywhere.

On the other hand, if you attempt to use "generic" instructions, those are not guaranteed to work (depending on how much of a BOFH the home institution's sysadmin is). Fortunately, most home institutions implement PEAP/MSCHAPv2 because that's what generic Windows systems want, but that does not mean that all of them will.

Use anonymous_identity

I'm wondering whether anonymous_identity should be added so that when roaming the personal identity is only revealed to the home university?

Works at University Koblenz-Landau

The config works at the University Koblenz-Landau (March 13 2018).

However, for Raspbian Stretch you need to add the following line(s)

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=root
country=<2 Letter Country Code>

Works at the University of Waterloo, CA

Confirming that this configuration (EAP-PEAP with MSCHAPv2) will work on the @uwaterloo.ca accounts, with the Anonymous Identity deleted.

Thanks for putting this together, and although I would like to encourage security, I would still love to see this available with a huge warning instead of just being taken down...
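The following wpa_supplicant network block is added here as an illustration; it is not the configuration this repository shipped, nor anything from the issue authors. It puts the points raised in the threads above into one file: the deprecation notice's missing check (pinning the home institution's RADIUS CA so the password exchange is only ever tunnelled to a server you trust), the anonymous_identity question (an outer identity carrying only the realm, so visited sites see nothing personal), and the two global lines the Raspbian Stretch report needed. The realm example.edu, the user name, the certificate path and the RADIUS host name are placeholders; take the real CA certificate and server name from your home institution or from its CAT profile, because they differ per institution and they are exactly what the original config did not include.

```conf
# Global settings. The Raspbian Stretch report above needed these two lines;
# GROUP=netdev is Raspbian's default, the report used GROUP=root.
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
# Placeholder: replace with your two-letter ISO country code.
country=DE

network={
    # Link layer: identical at every visited institution (WPA2-AES-Enterprise).
    ssid="eduroam"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    group=CCMP

    # Authentication: depends only on the home institution. PEAP/MSCHAPv2 is
    # what the deprecated config used and what most homes accept.
    eap=PEAP
    phase2="auth=MSCHAPV2"

    # Outer identity: realm only. Visited RADIUS proxies route on the @realm
    # suffix and never see the real user name.
    anonymous_identity="anonymous@example.edu"

    # Inner identity and password: sent only inside the TLS tunnel to the
    # home institution's RADIUS server.
    identity="jdoe@example.edu"
    password="replace-me"

    # Server verification. The deprecated config had no ca_cert line, so any
    # access point could present any certificate, terminate the tunnel itself
    # and collect the MSCHAPv2 exchange. With ca_cert set, the tunnel is only
    # completed when the server certificate chains to this CA.
    # Placeholder path: install the CA your home institution publishes.
    ca_cert="/etc/ssl/certs/eduroam-example-edu-ca.pem"

    # Also bind the name: a certificate from the same public CA issued to a
    # different host must not be accepted. Use the server name your home
    # institution documents (placeholder below).
    domain_suffix_match="radius.example.edu"
}
```

With both ca_cert and domain_suffix_match set, a rogue access point that cannot present a certificate chaining to that CA for that name causes the EAP exchange to fail before the inner MSCHAPv2 step, rather than exposing a password hash. Whether the file parses and which step fails can be seen by running wpa_supplicant in the foreground with debugging, for example wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf -d. Institutions using EAP-TTLS or EAP-TLS need different eap and phase2 lines, which is the reason a single "generic" file is not guaranteed to work everywhere.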

Argument list too long

Sometimes, seemingly in the presence of too many access points, this configuration fails.

This bug has been experienced at:

  • Mathematics Library at the University of Copenhagen
  • EMU Center at the University of Oregon.
  • Nasjonalbiblioteket, Oslo, Norway
