EDUROAM explanation

eduroam (the cross-institution wifi system) moved from a login-based authentication system to a certificate-based one (EAP-TLS) in early 2022. For anyone using a manual wpa_supplicant configuration, it is not obvious how to interface with this new system.

Getting certs and keys

You will first need to get a valid certificate and private key from UW. Go to UW IT's eduroam-tls page and select "User-Defined" so that it generates just a certificate, rather than a binary installer. Randomly generate a high-quality password for the private key and store it somewhere for later. Save the certificate as Client_cert.p12.

Once at the final page, also download the CA cert (save as CA_cert.pem).

The .p12 (PKCS#12) bundle is not a helpful format, since wpa_supplicant cannot parse it, so we need to extract the key and the certificate from it.

openssl pkcs12 -in Client_cert.p12 -out tmp_cert -clcerts
This will ask for a password; use the one you entered on UW IT's page. Now manually extract the cert and key from tmp_cert and save them to separate files (Client_cert.pem and Client_key.key). You only need the blocks delineated by "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" and similarly for the key. Discard the rest.
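The same split can be done entirely with openssl, and it is worth checking that the extracted key really belongs to the extracted certificate and that the certificate chains to the downloaded CA before trusting the config to work. The script below is an added example, not from the original page; it assumes openssl is on PATH and uses the page's file names (Client_cert.p12, CA_cert.pem, Client_cert.pem, Client_key.key). The make_demo_bundle function builds a throwaway CA and client certificate so the flow can be exercised without a real UW bundle.

```shell
#!/bin/sh
# Added example, not from the original page: split a PKCS#12 bundle into the
# separate certificate and key files wpa_supplicant wants, then verify the
# pieces belong together before writing them into the config.
# Assumes: openssl is on PATH; file names follow the page.
set -eu

# Split the bundle with openssl instead of hand-editing tmp_cert:
#   -clcerts -nokeys  -> only the client certificate
#   -nocerts          -> only the private key, re-encrypted under the same password
extract_p12() {
  p12="$1"; pass="$2"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out Client_cert.pem
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -passout "pass:$pass" -out Client_key.key
  chmod 600 Client_key.key   # the key file is as sensitive as the password
}

# Returns 0 if the private key's public half equals the certificate's public key.
key_matches_cert() {
  cert="$1"; key="$2"; pass="$3"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if the client certificate verifies against the given CA file.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test data: a throwaway CA and client cert packaged as a .p12,
# so the flow can be exercised without a real UW bundle.
make_demo_bundle() {
  pass="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout demo_ca.key -out CA_cert.pem \
    -subj "/CN=Demo CA" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout demo_client.key -out demo_client.csr \
    -subj "/CN=demo@example.edu" 2>/dev/null
  openssl x509 -req -in demo_client.csr -CA CA_cert.pem -CAkey demo_ca.key \
    -CAcreateserial -out demo_client.crt -days 2 2>/dev/null
  openssl pkcs12 -export -inkey demo_client.key -in demo_client.crt \
    -out Client_cert.p12 -passout "pass:$pass"
}

# Full run in a scratch directory:  sh extract_eduroam.sh demo
if [ "${1:-}" = "demo" ]; then
  pass="demo-pass"
  cd "$(mktemp -d)"
  make_demo_bundle "$pass"
  extract_p12 Client_cert.p12 "$pass"
  key_matches_cert Client_cert.pem Client_key.key "$pass" && echo "key matches cert"
  cert_chains_to_ca CA_cert.pem Client_cert.pem && echo "cert chains to CA"
fi
```

For a real bundle, call extract_p12 Client_cert.p12 with the password chosen on UW IT's page, then run the two checks against CA_cert.pem. The extracted files still carry the "Bag Attributes" header lines the page tells you to discard; OpenSSL's PEM reader skips anything before the BEGIN line, but removing them as the page describes is harmless. If openssl 3.x refuses to open an older bundle with an "unsupported" algorithm error, add -legacy to the openssl pkcs12 commands. Because the wpa_supplicant config will hold private_key_passwd in clear text, restrict it to the root user (chmod 600) just like the key file.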

Writing a wpa_supplicant config

My config is then as follows; modify only the lines marked with a *:

network={
  ssid="eduroam"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=TLS
  phase2="auth=PAP"
  identity="anonymous@uw.edu"
*  ca_cert="FULL_PATH_TO/CA_cert.pem"
*  client_cert="FULL_PATH_TO/Client_cert.pem"
*  private_key="FULL_PATH_TO/Client_key.key"
*  private_key_passwd="PASSWORD_YOU_CHOSE_EARLIER"
}
Good luck!