Establishing an Eduroam Connection under Linux (Ubuntu)

The easiest way to configure Eduroam properly is to use the shell script available at www.lrz.de/services/netz/wlan_en/eduroam_en.

Since the guide below is no longer updated and therefore not secure, please use the link above!

Version 8.10 (Intrepid Ibex) onwards contains Network Manager version 0.7, which greatly simplifies configuration. For older versions of Ubuntu, you have to install Network Manager yourself. These instructions also work for most other Linux distributions.

There are two ways of establishing the connection. These differ only in terms of the username. For further information, go to the following FAQ: Which username do I have to enter for eduroam connections?

Warning: To effectively prevent password phishing, you must edit the file /etc/NetworkManager/system-connections/eduroam (the file is created by Network Manager, so editing is only possible after the configuration described below). In the [802-1x] section, add the following lines:
- "subject-match=radius.lrz.de"
- from Ubuntu 16.04: "domain-suffix-match=radius.lrz.de" (applies to LRZ IDs, for other IDs please contact the operator of the authentication server)
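A small check for the edit described above, as an added example (not part of the original guide and not an LRZ tool): it parses a NetworkManager keyfile and reports whether the [802-1x] section pins the server name. The sample profile, the identity and the certificate path are constructed, and the ca-cert check goes slightly beyond what the warning lists.

```python
import configparser
import sys

EXPECTED = "radius.lrz.de"  # server name this page gives for LRZ IDs

def audit_eduroam_keyfile(text, expected=EXPECTED):
    """Return findings for a NetworkManager keyfile; an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    if not cp.has_section("802-1x"):
        return ["no [802-1x] section: not a WPA-Enterprise profile"]
    sec = cp["802-1x"]
    findings = []
    if not sec.get("ca-cert", "").strip():
        findings.append("ca-cert is not set: the server certificate is not validated")
    names = {k: sec.get(k, "").strip()
             for k in ("subject-match", "domain-suffix-match")}
    if not any(names.values()):
        findings.append("neither subject-match nor domain-suffix-match is set: "
                        "any server with a certificate from the CA is accepted")
    for key, value in names.items():
        if value and value != expected:
            findings.append(f"{key}={value} does not name {expected}")
    return findings

# Constructed sample: profile as left by the GUI steps, before the manual edit.
WEAK = """\
[connection]
id=eduroam
type=wifi

[wifi]
ssid=eduroam

[802-1x]
eap=peap;
identity=user@eduroam.mwn.de
ca-cert=/path/to/T-TeleSec_GlobalRoot_Class_2.pem
phase2-auth=mschapv2
"""
# Same profile with the two lines from the warning appended to [802-1x].
HARDENED = WEAK + f"subject-match={EXPECTED}\ndomain-suffix-match={EXPECTED}\n"

if __name__ == "__main__":
    # With a path argument, audit that file (reading it needs root); else the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK
    for finding in audit_eduroam_keyfile(text) or ["OK"]:
        print(finding)
```
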

Method 1: PEAP/MSCHAPv2

The following window appears the first time you try to connect to WLAN eduroam:

[Screenshot: ubuntu-eduroam-peap-legitimation]

The certificate is the root certificate “T-TeleSec_GlobalRoot_Class_2.pem”, which is available, for example, from https://www.pki.dfn.de/wurzelzertifikate/globalroot2/#c18447. As username, enter your LRZ username followed by @eduroam.mwn.de.

If you are not within range of the WLAN with the SSID eduroam, you can also configure the profile manually:

Manual Configuration:

In the network menu, select the item Edit connections …. Then, under Wireless, choose Add.

In the Wireless tab, go to SSID and enter eduroam. Leave Mode at Infrastructure.

[Screenshot: ubuntu-eduroam-peap-01]

In the Security tab, enter the following: Security: WPA & WPA2 Enterprise, Authentication: Protected EAP (PEAP). The CA certificate is the one mentioned above, PEAP version remains at Automatic, and the Inner authentication is MSCHAPv2. As Username, enter your LRZ username followed by @eduroam.mwn.de.

[Screenshot: ubuntu-eduroam-peap-02]

Method 2: TTLS/PAP

In the network menu, call up the item Edit connections. Then, under Wireless, choose Add.

The following dialog window appears. Under Wireless network, you only have to enter the SSID eduroam.

In the Wireless security tab, enter the following connection data: Security: WPA & WPA2 Enterprise, Authentication: Tunneled TLS (TTLS), Anonymous identity: anonymous@mwn.de. As CA certificate, select the root certificate of Deutsche Telekom (T-TeleSec_GlobalRoot_Class_2.pem). If it is not already available under /etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem, you can download it from https://www.pki.dfn.de/wurzelzertifikate/globalroot2/#c18447. The Inner authentication is PAP.