#1 2013-12-16 13:36:26

saiga
Member
Registered: 2013-12-13
Posts: 4

netctl: connect to eduroam

Hi,

I managed to connect to my home network now. However, now I struggle to connect to my university eduroam network.
The error I get is:

WPA association/authentication failed for interface '<interface>'

The same error I got when I tried to connect to my home network. However, the solution posted in my other thread (adding WPADriver=wext, see https://bbs.archlinux.org/viewtopic.php?id=174221) did not work.


Maybe this is related to my problem:

dhcpcd <interface>
...
dhcpc: timed out

Regards

Offline

#2 2013-12-16 14:58:37

progandy
Member
Registered: 2012-05-17
Posts: 5,280

Re: netctl: connect to eduroam

The wiki specifically mentions steps to connect to eduroam.
https://wiki.archlinux.org/index.php/Netctl#Eduroam

This is a sanitized version of the eduroam configuration for my university:

Description='MYUNI Wifi (Eduroam)'
Interface=wlp2s0
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID={EDUROAM_ESSID}
WPAConfigSection=(
       'ssid="{EDUROAM_ESSID}"'
       'key_mgmt=WPA-EAP'
       'pairwise=CCMP TKIP'
       'group=CCMP TKIP'
       'eap=TTLS'
       'phase2="auth=PAP"'
       'anonymous_identity="{anonymous@MYUNI.EDU}"'
       'identity="{USERID}"'
       'password="{PASSWORD}"'
       'ca_cert="/etc/ssl/certs/{SOME_ROOT_CA}.pem"'
)

| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#3 2013-12-16 16:36:16

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: netctl: connect to eduroam

progandy wrote:
       'ca_cert="/etc/ssl/certs/{SOME_ROOT_CA}.pem"'

Don't. Instead, use

ca_path="/etc/ssl/certs/"
ca_path2="/etc/ssl/certs/"

This will allow all trusted certificates, but will allow you to connect when roaming to other universities.

Last edited by brain0 (2013-12-16 16:36:25)

Offline

#4 2013-12-16 17:02:48

progandy
Member
Registered: 2012-05-17
Posts: 5,280

Re: netctl: connect to eduroam

brain0 wrote:
ca_path="/etc/ssl/certs/"
ca_path2="/etc/ssl/certs/"

This will allow all trusted certificates, but will allow you to connect when roaming to other universities.

Thanks. I just followed the instructions of my university and copy/pasted the published wpa_supplicant configuration.
PS: If ca_path works, why does the wiki rely on ca_cert, too?
Edit: But this reduces security, someone might issue a fake certificate with another root-ca. If you directly specify the necessary ca, then you have a stricter verification.

Last edited by progandy (2013-12-16 17:11:58)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#5 2013-12-16 18:12:29

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: netctl: connect to eduroam

progandy wrote:

PS: If ca_path works, why does the wiki rely on ca_cert, too?
Edit: But this reduces security, someone might issue a fake certificate with another root-ca. If you directly specify the necessary ca, then you have a stricter verification.

Unless there is a rogue certificate authority, this won't happen. The certificate owner has to prove ownership of @your-university.edu in order to get a valid certificate.

You could do this for ca_cert2= - the only place where your (non-anonymous) identity name and password are transferred is through the phase2 channel, which is not affected by ca_cert. Setting the ca_cert= to a specific certificate will limit where your profile will function (note that eduroam works globally, not just for your university).

Offline
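
As an added example (not part of the thread, netctl or wpa_supplicant), this Python sketch reads WPAConfigSection-style entries and reports what the outer server-certificate check covers for the ca_cert and ca_path variants discussed above. The name-match options it looks for are wpa_supplicant settings the thread does not mention; the sample values and finding labels are constructed.

```python
# wpa_supplicant options that restrict which server name a certificate may carry
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_section(lines):
    """Turn WPAConfigSection entries ('key=value' strings) into a dict."""
    opts = {}
    for line in lines:
        key, sep, value = line.strip().strip("'").partition("=")
        if sep:
            opts[key.strip()] = value.strip().strip('"')
    return opts

def audit(opts):
    """Return findings on how the phase 1 (outer tunnel) server certificate is checked."""
    findings = []
    has_file = "ca_cert" in opts
    has_dir = "ca_path" in opts
    named = [k for k in NAME_CHECKS if k in opts]
    if not has_file and not has_dir:
        findings.append("no-ca: server certificate is not validated at all")
    elif has_dir and not has_file and not named:
        findings.append("any-ca: a certificate from any CA in ca_path is accepted, whatever its name")
    elif has_file and not named:
        findings.append("no-name: CA is pinned, but any certificate it issued is accepted")
    # With a tunnelled method the outer identity is sent before the tunnel exists.
    if opts.get("eap", "").upper() in ("TTLS", "PEAP") and "anonymous_identity" not in opts:
        findings.append("identity: real identity is sent unencrypted in phase 1")
    return findings

# Constructed samples: the two variants from the thread, plus one with a name check.
BASE = ["'key_mgmt=WPA-EAP'", "'eap=TTLS'", "'phase2=\"auth=PAP\"'",
        "'anonymous_identity=\"anonymous@example.edu\"'", "'identity=\"user\"'"]
PINNED = BASE + ["'ca_cert=\"/etc/ssl/certs/EXAMPLE_ROOT_CA.pem\"'"]
STORE = BASE + ["'ca_path=\"/etc/ssl/certs/\"'"]
STORE_NAMED = STORE + ["'domain_suffix_match=\"radius.example.edu\"'"]

if __name__ == "__main__":
    for label, section in [("ca_cert", PINNED), ("ca_path", STORE),
                           ("ca_path + name check", STORE_NAMED)]:
        print(label, audit(parse_section(section)) or ["ok"])
```
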
