@varqox
Last active October 15, 2025 23:36
How to set up a *secure* eduroam connection for University of Warsaw students on Linux

Introduction

This tutorial covers using NetworkManager with either the wpa_supplicant or the IWD backend. If you have not heard of IWD, it is probable that your NetworkManager uses wpa_supplicant.

The UW authorization server uses the DSK-NET CA certificate, which is self-signed, so we need to specify it manually.

wpa_supplicant

  1. Download the DSK-NET CA certificate:
curl https://it.uw.edu.pl/pl/uslugi/UslugiInternetWiFiEduroam/dsk_net_ca.crt | sudo tee /etc/dsk_net_ca.crt
  2. Edit the connection and set:
  • Authentication to Protected EAP (PEAP)
  • Anonymous identity to anonymous@uw.edu.pl
  • Domain to eduroam.uw.edu.pl
  • Download
  • CA certificate to file located at /etc/dsk_net_ca.crt
  • Uncheck No CA certificate is required
  • PEAP version to Automatic
  • Inner authentication to MSCHAPv2
  • Username to your PESEL@uw.edu.pl
  • Password to your CAS password

Image contains an old certificate - use the one in the instructions above!

  3. Connect to eduroam.

IWD

  1. Create file /var/lib/iwd/eduroam.8021x with contents:
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@uw.edu.pl
EAP-PEAP-CACert=embed:dsk_net_ca_cert
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=XXXXXXXXXXX@uw.edu.pl
EAP-PEAP-Phase2-Password=
EAP-PEAP-ServerDomainMask=eduroam.uw.edu.pl

[Settings]
Autoconnect=true

# Downloaded from: https://it.uw.edu.pl/pl/uslugi/UslugiInternetWiFiEduroam/dsk_net_ca.crt (see https://it.uw.edu.pl/pl/uslugi/UslugiInternetWiFiEduroam/)
[@pem@dsk_net_ca_cert]
-----BEGIN CERTIFICATE-----
<base64 body of dsk_net_ca.crt>
-----END CERTIFICATE-----

Remember to change XXXXXXXXXXX to your PESEL and type your password in plain text after EAP-PEAP-Phase2-Password=, e.g. EAP-PEAP-Phase2-Password=tajnehaslo

  2. Connect to eduroam.
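As an added example (not part of the original gist), here is a small Python check for an IWD profile like the one above. It flags a missing CA pin, an `embed:` reference with no matching `[@pem@...]` section, a missing server domain mask, and an outer identity that repeats the real username. The function names and sample profiles are constructed for illustration.

```python
import re

def parse_iwd_profile(text):
    """Parse an IWD network file into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def audit_iwd_profile(text):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_iwd_profile(text)
    sec = sections.get("Security", {})
    findings = []
    cacert = sec.get("EAP-PEAP-CACert", "")
    if not cacert:
        findings.append("no EAP-PEAP-CACert: no CA is pinned for the server")
    elif cacert.startswith("embed:") and "@pem@" + cacert[6:] not in sections:
        findings.append(f"missing section [@pem@{cacert[6:]}] for embedded CA")
    if not sec.get("EAP-PEAP-ServerDomainMask"):
        findings.append("no EAP-PEAP-ServerDomainMask: server name is unchecked")
    # The outer EAP identity travels outside the TLS tunnel, so keep it anonymous.
    inner = sec.get("EAP-PEAP-Phase2-Identity")
    if inner and sec.get("EAP-Identity") == inner:
        findings.append("EAP-Identity repeats the inner identity in the clear")
    return findings

# Constructed samples: GOOD mirrors the profile above (PEM body omitted),
# BAD drops the CA pin and domain mask and reuses the real identity outside.
GOOD = """[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@uw.edu.pl
EAP-PEAP-CACert=embed:dsk_net_ca_cert
EAP-PEAP-Phase2-Identity=00000000000@uw.edu.pl
EAP-PEAP-Phase2-Password=constructed-password
EAP-PEAP-ServerDomainMask=eduroam.uw.edu.pl
[@pem@dsk_net_ca_cert]
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
"""
BAD = re.sub(r"EAP-PEAP-(CACert|ServerDomainMask)=.*\n", "", GOOD)
BAD = BAD.replace("anonymous@", "00000000000@")
print("\n".join(audit_iwd_profile(BAD)))
```

To audit a real profile, pass the contents of /var/lib/iwd/eduroam.8021x (readable by root) to `audit_iwd_profile`.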

FAQ

Why DSK-NET CA certificate?

Because it is the certificate of the root CA in UW's certificate chain, and wpa_supplicant accepts only a root CA's certificate, i.e. with any other certificate it fails with a "self-signed certificate" error. IWD works with UW's certificate as well.

@Kwasow

Kwasow commented Oct 2, 2025

Since the Comodo_AAA_Services_root certificate has expired, you'll need a different one. You can download the current certificate (valid until 2030) signed by DSK-NET from here (direct link).

GUI

Same as before, but download the certificate, place it under .config/certs/dsk_net_ca_eduroam_uw.crt and select it in the configuration window under CA Certificate.

IWD

For me the configuration works best if the certificate is embedded in the configuration, but feel free to replace the embed with a file path.

[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@uw.edu.pl
EAP-PEAP-CACert=embed:eduroam_cert
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=XXXXXXXXXXX@uw.edu.pl
EAP-PEAP-Phase2-Password=
EAP-PEAP-ServerDomainMask=eduroam.uw.edu.pl

[Settings]
Autoconnect=true

[@pem@eduroam_cert]
-----BEGIN CERTIFICATE-----
<base64 body of the downloaded certificate>
-----END CERTIFICATE-----

@varqox
Author

varqox commented Oct 15, 2025

Thanks for the update!
I adjusted the instructions accordingly.
