EDUROAM explanation

eduroam (the cross-institution wifi system) moved from a login-based authentication system to a certificate-based one in early 2022. For anyone using manual wpa_supplicant configurations, it is not obvious how to interface with this new system.

Getting certs and keys

You will first need to get a valid certificate and private key from UW. Go to UW IT's eduroam-tls page, and select "User-Defined" so that it will just generate a cert, rather than a binary. Randomly generate a high-quality password for the private key, and store it somewhere for later. Save the certificate as Client_cert.p12.

Once at the final page, also download the CA cert (save as CA_cert.pem).

p12 (pkcs12) is not a helpful format, since wpa_supplicant cannot parse it, so we need to extract the key and cert.

openssl pkcs12 -in Client_cert.p12 -out tmp_cert -clcerts
This will ask for a password; use the one you entered on UW IT's page. Now manually extract the cert and key from tmp_cert and save them to separate files (Client_cert.pem and Client_key.key). You only need the blocks delineated by "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" and similar for the key. Discard the rest.
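As an added example (not part of the original write-up), the script below does the same extraction non-interactively and then checks that the cert, key and CA cert actually belong together before they go into the config. It assumes the openssl CLI is installed; since UW's real bundle cannot be included here, it builds a throwaway CA and client cert as a constructed fixture.

```shell
#!/bin/sh
# Added example, not from the original page: splits the PKCS#12 bundle from
# UW IT into the separate files the wpa_supplicant config expects, then checks
# that cert, key and CA cert really belong together before you edit the config.
# Assumes the openssl CLI (1.1.1 or 3.x) is installed; file names follow the page.
set -eu

# split_p12 BUNDLE.p12 IMPORT_PW CERT_OUT KEY_OUT
# Same result as hand-copying the BEGIN/END blocks, minus the Bag Attributes
# text. The key is re-encrypted with the same password, so private_key_passwd
# in the config stays the one chosen on the UW IT page. If OpenSSL 3 rejects
# an older bundle as unsupported, add -legacy to both pkcs12 commands.
split_p12() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" |
    openssl x509 -out "$3"
  openssl pkcs12 -in "$1" -nocerts -passin "pass:$2" -passout "pass:$2" |
    openssl pkey -passin "pass:$2" -aes256 -passout "pass:$2" -out "$4"
  chmod 600 "$4"   # the key file is the credential; owner-readable only
}

# check_pair CERT KEY KEY_PW CA_CERT
# Fails if the key does not belong to the cert, if the cert does not chain to
# the downloaded CA cert, or if the cert expires within a day.
check_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "key does not match cert" >&2; return 1; }
  openssl verify -CAfile "$4" "$1" >/dev/null || return 1
  openssl x509 -in "$1" -noout -checkend 86400 >/dev/null ||
    { echo "cert expires within a day" >&2; return 1; }
}

# Constructed fixture: a throwaway CA and client cert (not UW's) bundled into a
# .p12 so the script runs offline. With a real bundle skip this and call
# split_p12 / check_pair directly.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Fixture CA" \
    -keyout ca.key -out CA_cert.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=anonymous@uw.edu" \
    -keyout c.key -out c.csr 2>/dev/null
  openssl x509 -req -in c.csr -CA CA_cert.pem -CAkey ca.key -CAcreateserial \
    -days 2 -out c.crt 2>/dev/null
  openssl pkcs12 -export -in c.crt -inkey c.key -passout "pass:$1" -out Client_cert.p12
}

# Demo run in a scratch directory; the real files go wherever FULL_PATH_TO is.
work=$(mktemp -d)
(cd "$work" && make_fixture hunter2 &&
  split_p12 Client_cert.p12 hunter2 Client_cert.pem Client_key.key &&
  check_pair Client_cert.pem Client_key.key hunter2 CA_cert.pem &&
  echo "consistent: point ca_cert, client_cert and private_key at $work")
```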

Writing a wpa_supplicant config

My config is then as follows; modify only the lines marked with a *:

network={
  ssid="eduroam"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=TLS
  phase2="auth=PAP"
  identity="anonymous@uw.edu"
*  ca_cert="FULL_PATH_TO/CA_cert.pem"
*  client_cert="FULL_PATH_TO/Client_cert.pem"
*  private_key="FULL_PATH_TO/Client_key.key"
*  private_key_passwd="PASSWORD_YOU_CHOSE_EARLIER"
}
Good luck!

Android

You can do this on Android as well. Choose TLS for the EAP method, choose the institution CA cert, and set the domain to e.g. uw.edu. Choose your personal cert and set the username to anonymous@uw.edu.