Over the years, setting up a Linux notebook to access Eduroam Wi-Fi networks around the world has become quite easy. While there is a generic installer script that institutions can customize to help their users set up a Linux notebook, it has in the meantime become easy enough to configure the connection in the standard NetworkManager dialog when connecting to ‘Eduroam’ for the first time. As I recently migrated from Ubuntu 16.04 to 20.04, I had a look at whether anything had changed in the setup.
Fortunately it has not, and the screenshot shows which parameters are important to set.
An Eduroam ID looks pretty much like an email address, and the ‘Anonymous Identity’ should not contain the full ID but only the ‘@’ and the part after it, i.e. the realm. The realm is required for roaming: it tells the eduroam infrastructure which home institution’s authentication server the request has to be forwarded to. The full ID could be put in here as well, but it should not be, because this outer identity is sent over the air unencrypted, before the encrypted tunnel to the home server is established.
In the past, many Eduroam institutions used their own certificate authorities for the certificates their authentication servers present to the client, and the CA certificate had to be downloaded from the institution’s website and installed by hand. Fortunately, many institutions now use certificates issued under well-known root CAs that ship with the operating system and are stored in /etc/ssl/certs. In my case above, DigiCert’s root certificate is used.
The inner authentication method also differs between institutions; in my case, MSCHAPv2 is used. Finally, the full Eduroam username and the password have to be entered. And that’s pretty much it for the basic setup.
For added security, the domain suffix of the certificate presented by the home institution’s authentication server should be checked as well. This is not done by default, and an attacker can exploit that: a rogue access point announcing ‘Eduroam’ only has to present some certificate signed by the trusted root (DigiCert in the example above), the client will set up the tunnel to it and run the inner MSCHAPv2 exchange against the attacker, and the captured challenge/response can then be cracked offline to recover the password. Unfortunately, there is no input field for this, so the check (the domain-suffix-match key in the [802-1x] section) has to be added manually to the configuration file that NetworkManager creates under /etc/NetworkManager/system-connections/. It also has to be put back into the configuration file manually whenever something is changed in the graphical network manager. Have a look at this post for the details.
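Because the hand-added line can silently disappear after a GUI edit, a small audit script is handy. The following is an added example, not code from the original post or from NetworkManager: it reads the keyfile NetworkManager writes, checks that a CA is pinned, that domain-suffix-match is present and has the expected value, and that the anonymous identity does not leak the full ID. The profile path /etc/NetworkManager/system-connections/eduroam.nmconnection, the connection name ‘eduroam’, the server name radius.example.edu, the realm example.edu and the two sample profiles it writes for the demo are all assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a NetworkManager keyfile
# for an eduroam profile. The paths, connection name, realm and server suffix
# used below are placeholders, not values from the post.

# Print the value of KEY ($2) from the [802-1x] section of FILE ($1);
# prints nothing if the section or key is absent.
nm_8021x_get() {
    sed -n '/^\[802-1x\]/,/^\[/p' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_eduroam_profile FILE EXPECTED_SUFFIX
# Return 0 if FILE pins a CA, restricts the server certificate to the
# expected domain suffix and keeps the full ID out of the cleartext outer
# identity. Otherwise print each finding and return 1.
check_eduroam_profile() {
    file=$1 expected=$2 rc=0
    ca=$(nm_8021x_get "$file" ca-cert)
    sys=$(nm_8021x_get "$file" system-ca-certs)
    suffix=$(nm_8021x_get "$file" domain-suffix-match)
    ident=$(nm_8021x_get "$file" identity)
    anon=$(nm_8021x_get "$file" anonymous-identity)

    if [ -z "$ca" ] && [ "$sys" != "true" ]; then
        echo "FAIL $file: no CA configured, any server certificate is accepted"
        rc=1
    fi
    if [ -z "$suffix" ]; then
        echo "FAIL $file: no domain-suffix-match, any certificate from the trusted CA is accepted"
        rc=1
    elif [ "$suffix" != "$expected" ]; then
        echo "FAIL $file: domain-suffix-match=$suffix, expected $expected"
        rc=1
    fi
    if [ -z "$anon" ] || [ "$anon" = "$ident" ]; then
        echo "FAIL $file: anonymous-identity missing or equal to identity, full ID sent in the clear"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $file"
    return "$rc"
}

# harden_eduroam_profile CONNECTION_NAME EXPECTED_SUFFIX
# Set the check on the live profile via nmcli (needs NetworkManager; not
# used by the offline demo below).
harden_eduroam_profile() {
    nmcli connection modify "$1" 802-1x.domain-suffix-match "$2"
}

# write_samples DIR: write two constructed sample profiles, one as the GUI
# leaves it (no domain-suffix-match) and one with the line added by hand.
write_samples() {
    cat > "$1/weak.nmconnection" <<'EOF'
[connection]
id=eduroam
type=wifi

[wifi]
ssid=eduroam

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
phase2-auth=mschapv2
identity=user@example.edu
anonymous-identity=@example.edu
ca-cert=/etc/ssl/certs/DigiCert_Global_Root_CA.pem
EOF
    { cat "$1/weak.nmconnection"; echo "domain-suffix-match=radius.example.edu"; } \
        > "$1/hardened.nmconnection"
}

# Usage: sh eduroam-check.sh /etc/NetworkManager/system-connections/eduroam.nmconnection radius.example.edu
# Without arguments, run the check against the two constructed samples.
if [ $# -ge 2 ]; then
    check_eduroam_profile "$1" "$2"
else
    dir=$(mktemp -d)
    write_samples "$dir"
    check_eduroam_profile "$dir/weak.nmconnection" radius.example.edu
    check_eduroam_profile "$dir/hardened.nmconnection" radius.example.edu
    rm -r "$dir"
fi
```

Run it against the real profile (as root, since the keyfile holds the password) after every GUI edit; if it reports the missing domain-suffix-match, re-add the line or apply it with the nmcli helper, which writes the same key into the keyfile.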