CAT Eduroam Linux installer bugs and quirks (as of 3 March 2018)
The eduroam community provides installers for various operating systems, including Linux. But the Linux installer, which targets NetworkManager, has many deficiencies:
- It removes, without warning, all connections using the SSID eduroam. I have 3 different eduroam accounts from 3 different universities and research institutes. All have some quirks or deficiencies that evolve over time, so I want to keep all of them.
- It asks for your password and writes it to a file in plain text. The file is readable by root only but, again, the password is in plain text.
- It does not force an anonymous outer identity, thus exposing the user's identity on the internet. (Note: some routers do not allow an anonymous identity, like some in my own university.)
- All certificates are stored in the same directory (.cat_installer/) under the same name (ca.pem).
My best advice: get the data from the installer, and do it yourself!
Extract the certificates and other information from the CAT installer and enter them in your NetworkManager connection editor (or your favorite connection editor).
It is quite easy, and you will not harm your own configuration.
nmcli can do a better, simpler job than the CAT script
On a modern Linux, it would be possible to achieve a better result with a one-liner using nmcli and the EAP XML file from the CAT eduroam installer pages:
- ask user for connection name (argument of nmcli)
- the user will provide the password when connecting (only the first time if they want to save it in their keyring)
- insert the DER CERT directly in the configuration
My one-liner uses nmcli, openssl to convert PEM to DER, and perl6 to read the certificate from the EAP XML (I leave the translation to sed to the reader, if needed).
It may not work directly for your university. Check your EAP XML configuration first.
.h2 for UGA, GINP and Inria (PEAP)
mkdir -p ~/.cat_installer && printf '%s\n' "THE LONG CERTIFICATE CONTENT" > ~/.cat_installer/ca.pem && nmcli con add type wifi con-name YOUR_CONNEXION_NAME ssid eduroam ifname wlan0 -- 802-1x.eap peap 802-1x.anonymous-identity anonymous@EXTRACTED_DOMAIN 802-1x.identity LOGIN 802-1x.ca-cert "file://$HOME/.cat_installer/ca.pem" 802-1x.phase2-auth mschapv2 802-1x.password-flags 0x2 802-11-wireless-security.key-mgmt wpa-eap
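An added example, not part of the CAT installer or of the original page: a shell function that checks NetworkManager keyfiles for the deficiencies listed at the top (password saved in plain text, login used as outer identity, one CA file shared by several profiles). The function names, sample profiles, logins and paths are constructed for illustration.

```shell
# Added example (not CAT or NetworkManager code). Function names are hypothetical.
# Report, for each keyfile given, the problems listed at the top of this page.
audit_eduroam_keyfiles() {
    awk -F= '
        FNR == 1 { section = "" }                 # new file: reset section tracking
        /^\[/    { section = $0; next }           # remember the current [section]
        section != "[802-1x]" || /^#/ || !/=/ { next }
        { cfg[FILENAME, $1] = substr($0, length($1) + 2); seen[FILENAME] = 1 }
        END {
            for (f in seen) {
                # password-flags absent or 0: the secret is saved in the keyfile
                if (((f, "password") in cfg) && cfg[f, "password-flags"] + 0 == 0)
                    print f ": password stored in plain text"
                anon = cfg[f, "anonymous-identity"]
                if (anon == "" || anon == cfg[f, "identity"])
                    print f ": outer identity reveals the login"
                ca = cfg[f, "ca-cert"]
                if (ca != "") { users[ca] = users[ca] " " f; count[ca]++ }
            }
            for (ca in count)                     # same ca.pem used by several profiles
                if (count[ca] > 1)
                    print ca ": CA file shared by" users[ca]
        }
    ' "$@"
}

# Constructed sample profiles: one with the problems above, one set up by hand.
write_samples() {
    cat > "$1/uni-a.nmconnection" <<'EOF'
[connection]
id=eduroam-uni-a
[802-1x]
eap=peap;
identity=alice@uni-a.example
password=constructed-secret
ca-cert=/home/alice/.cat_installer/ca.pem
EOF
    cat > "$1/uni-b.nmconnection" <<'EOF'
[connection]
id=eduroam-uni-b
[802-1x]
eap=peap;
identity=alice@uni-b.example
anonymous-identity=anonymous@uni-b.example
password-flags=2
ca-cert=/home/alice/.cat_installer/ca.pem
EOF
}
```

On a real system the keyfiles are under /etc/NetworkManager/system-connections/ and readable by root only, so run `audit_eduroam_keyfiles /etc/NetworkManager/system-connections/*` as root.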
</section>