Info-beamer OS and eduroam

Hello,

We are currently trying to run the info-beamer OS on Raspberry PI Zeros in eduroam.
We have a working wpa.conf for eduroam; however, it seems to have issues connecting to eduroam on the info-beamer OS.
The API Packet shows me the following result:

I’d be glad to have any kind of help with this issue.

Doesn’t eduroam require some certificate to set up/verify a connection? Is that referenced from the wpa.conf? If not, place that file into the /config directory on the SD card. You can then reference it as /config/ from within the wpa.conf file.

It’s in the info-beamer OS

Might make sense to explicitly copy the required cert to the /config directory and then reference it from wpa.conf using a ca_cert="/config/xxxx" line? I’m really no expert in all the details of using wpa_supplicant outside of the bare preshared key methods. I found this regarding wpa_supplicant in combination with eduroam: LRZ: eduroam unter Linux (wpa_supplicant).

Good Day to you all,

I tried that today, but sadly it didn’t solve the issue.
I also talked with the network administrator of the university.
He sees no error in the configuration, but from the behavior he sees for the device on the Radius server: It apparently looks like the wpa_supplicant package is broken, because it uses the outer identity when it should use the inner identity. He encountered that error with some Samsung smart boards.

Maybe a test .iso with another/fixed wpa_supplicant package?

I don’t really know what inner vs outer identity is and if that’s something that was an issue with wpa_supplicant itself rather than a configuration error. I found this wiki: wpa supplicant › WLAN › Wiki › ubuntuusers.de. Does this help?

network={
  ssid="Netzwerkname" 
  key_mgmt=IEEE8021X
  eap=TTLS                                       #Encryption during authentication
  anonymous_identity="anonymous"                 #Outer identity
  identity="Benutzer@Authentifizierungs-Server"  #Inner identity
  password="Passwort"                            #Password
  phase2="auth=PAP"
  #ca_cert="PFAD_ZUM_STAMMZERTIZIKAT/ZERTIFIKAT" #optional: the root certificate to use
}

Hello, currently, I’m using this:

 network={
   ssid="eduroam"
   proto=RSN
   key_mgmt=WPA-EAP
   ca_cert="/config/T-TeleSec_GlobalRoot_Class_2.pem" 
   eap=PEAP
   identity="account@university.tld"
   domain_suffix_match="university.tld" 
   subject_match="eduroam.university.tld"
   anonymous_identity="eduroam@university.tld" 
   password="something"
   phase1="peaplabel=0"
   phase2="auth=MSCHAPV2"
}

TTLS is not really recommended, but it usually works too, except in this case it didn’t.
I’m not quite sure about the IEEE8021X; I’m no network expert, but if it works I’ll ask our network administrator about it.
However, your example wpa configuration also includes the anonymous_identity and the regular identity,
which will probably lead to the same problem: that the anonymous_identity is used in places where the regular identity should be used (radius server). But I can test it next time I’m in range of eduroam.

Thanks for all your help

Nope, doesn’t work, sorry. We are trying something else now as a temporary workaround.
However, it’s probably a good idea to fix the eduroam issues since it’s not just one university.

Hi,

I want to push this again: I cannot connect to eduroam, too. These are my settings:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
country=DE
network={
   ssid="eduroam"
   key_mgmt=WPA-EAP
   proto=RSN
   pairwise=CCMP
   group=CCMP
   eap=PEAP
   phase2="auth=MSCHAPV2"
   anonymous_identity="eduroam@uni-hannover.de"
   identity="XXXX@uni-hannover.de"
   password="XXX"
   ca_cert="/config/T-TeleSec_GlobalRoot_Class_2.pem"
}

I am at Uni Hannover and tried to adapt their tutorial for wpasupplicant on Raspberry PIs, but it doesn’t work:

https://www.luis.uni-hannover.de/de/services/kommunikation/netz/angebote-im-service-netz/wlan/wlan-einrichtung/linux/

I’d like to join Ulf’s opinion: It’s a good idea to fix the eduroam issues since it’s not just one university.

Best,
Christian

The problem is that there’s no way for me to test these setups. The only WiFi environment around here is plain old SSID/Passphrase WPA2. Just to be sure: /config/T-TeleSec_GlobalRoot_Class_2.pem actually exists on the SD’s /config directory? Both the ctrl_interface and the country line shouldn’t be included in the config, as those are already added by hosted.

Is there a way for you to set up a device connected to Ethernet in range of eduroam? I might then try to debug this issue remotely and at least try to figure out if there’s a trivial problem somewhere. Maybe the cert file’s permissions are not accepted by wpa_supplicant?

Hi, I have set up a device connected to Ethernet in range of eduroam. Maybe you can debug this issue remotely?

I have tested this device with wpa_supplicant at home and it worked perfectly. But no chance to get it connected to eduroam.

Thank you very much for your help.

Thanks for the device. Quick update: I was indeed able to get some insight on why it fails. And now I’m pretty confused. The reason seems to be:

Jan 1 00:00:36 info-beamer-xxxxxxxxxx daemon.notice wpa_supplicant[342]: OpenSSL: openssl_handshake - SSL_connect error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

So the certificate could not be verified. Problem is: certificate is not yet valid. Which makes sense as the Pi, without RTC, is still in January of 1970 after a reboot as no correct system time has been set yet. That of course usually requires a network connection, which cannot be set up. I’m really confused on how that’s supposed to work.

Found a way to make it work. Whether that’s acceptable in your environment is up to you. Add the following line in the network block for eduroam:

phase1="tls_disable_time_checks=1"

From the manual:

# tls_disable_time_checks=1 - ignore certificate validity time (this requests
#	the TLS library to accept certificates even if they are not currently
#	valid, i.e., have expired or have not yet become valid; this should be
#	used only for testing purposes)

Clearly not optimal, but I’m not sure how to avoid this without an RTC. And even then it would fail to bootstrap for a new device without correct RTC.
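
An added example, not part of the thread and not info-beamer code: a small audit of a wpa.conf that reports which server-certificate checks are left once tls_disable_time_checks=1 is set, and flags the global lines the thread says hosted already adds. The sample config is constructed in the shape of the blocks posted above; the function names parse and audit are this example's own.

```python
# Constructed sample in the shape of the configs posted in the thread.
SAMPLE = '''
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
country=DE
network={
   ssid="eduroam"
   key_mgmt=WPA-EAP
   eap=PEAP
   phase1="tls_disable_time_checks=1"
   identity="account@university.tld"
   ca_cert="/config/T-TeleSec_GlobalRoot_Class_2.pem"
}
'''

def parse(text):
    """Split a wpa.conf into (global settings, list of network blocks)."""
    settings, networks, current = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            # Quoted value: keep what is inside the quotes; else cut a trailing comment.
            value = value[1:value.rfind('"')] if value.startswith('"') else value.split("#")[0].strip()
            (settings if current is None else current)[key] = value
    return settings, networks

def audit(text):
    """Return findings (strings) about server-certificate checks in EAP blocks."""
    settings, networks = parse(text)
    findings = [f"global {key}: already added by hosted, remove"
                for key in ("ctrl_interface", "country") if key in settings]
    for net in networks:
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # this example only audits key_mgmt=WPA-EAP blocks
        ssid = net.get("ssid", "?")
        if "ca_cert" not in net:
            findings.append(f"{ssid}: no ca_cert, server certificate is not verified")
        if not {"domain_suffix_match", "subject_match"} & net.keys():
            findings.append(f"{ssid}: no name match, any server under the CA is accepted")
        if "tls_disable_time_checks=1" in net.get("phase1", ""):
            findings.append(f"{ssid}: validity dates ignored, expired certificates pass")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

With the time check disabled, the ca_cert pin and a domain_suffix_match or subject_match line are what still tie the connection to the university's RADIUS server, so the audit treats a missing one as a finding.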

Hi Florian,

thank you very much for your help. It’s working in my Raspi 2. I try to reproduce the steps on a Raspi 4 on our EDV-Account but it doesn’t work. Do I miss something?

I’ve copied your changed “wpa.conf” to the new SD card for the Raspi 4:

network={
        ssid="eduroam"
        proto=RSN
        key_mgmt=WPA-EAP
        pairwise=CCMP
        group=CCMP
        eap=PEAP
        phase1="tls_disable_time_checks=1"
        phase2="auth=MSCHAPV2"
        anonymous_identity="eduroam@uni-hannover.de"
        identity="xxx@uni-hannover.de"
        password="xxx"
        ca_cert="/config/T-TeleSec_GlobalRoot_Class_2.pem"
}

I checked the Wifi connection on the new device and it works:

info-beamer-123/space/root # iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Frequency:2.437 GHz  Access Point: Not-Associated
          Tx-Power=31 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on

info-beamer-123/space/root # wpa_supplicant -i wlan0 -D wext -c /sd/config/wpa.conf -B
Successfully initialized wpa_supplicant
ioctl[SIOCSIWENCODEEXT]: Invalid argument
ioctl[SIOCSIWENCODEEXT]: Invalid argument
info-beamer-123/space/root # iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:"eduroam"
          Mode:Managed  Frequency:2.437 GHz  Access Point: xx:xx:xx:xx:57:D1
          Bit Rate=12 Mb/s   Tx-Power=31 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on
          Link Quality=56/70  Signal level=-54 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
          
info-beamer-123/space/root # ifconfig
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:DD:12
          inet addr:19x.9x.1xx.74  Bcast:19x.9x.1xx.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9265 errors:0 dropped:455 overruns:0 frame:0
          TX packets:2279 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5569403 (5.3 MiB)  TX bytes:1110682 (1.0 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:3982 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3982 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:259213 (253.1 KiB)  TX bytes:259213 (253.1 KiB)

wlan0     Link encap:Ethernet  HWaddr xx:xx:xx:xx:DD:13
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1233 errors:0 dropped:0 overruns:0 frame:0
          TX packets:117 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:73034 (71.3 KiB)  TX bytes:10416 (10.1 KiB)

But after reboot wifi is not connecting. What did I miss?

Thank you very much.

Can you boot the device with Ethernet and then assign the wpa.conf through the device config editor? The device will try to reboot into the new WiFi setting and try it out. It also creates a /space/log/rollback.gz file if that fails and it rolled back to Ethernet. That can then be inspected and might provide more insight on what the device was doing while trying to establish a WiFi connection.

Okay, thank you Florian. This works! :)

I have edited the wpa.conf in the web based editor via “Edit Configuration…” → Networking → “Additional wpa_supplicant.conf settings”. After that I clicked on “Apply Configuration and reboot device”. Before that I have unchecked “Use WiFi, but prefer Ethernet, if a cable is connected”.

After reboot Wifi is working with Eduroam.