Eduroam support in Network Manager

Bug #138405 reported by Matej Kovacic on 2007-09-09
This bug affects 1 person
Affects Status Importance Assigned to Milestone
network-manager (Ubuntu)

Bug Description

Binary package hint: network-manager

Eduroam is wide-european academic wireless network used by students and researchers. The idea of a network is quite simple - student or researcher register himself by his/her dometic organization. When user goes to some other academic institution, which is part of Eduroam network, he can register (authenticate) himself with his username and password and gets the access to the internet (this is done trough LDAP servers). I am from Slovenia and almost all bigger faculties are now part of Eduroam network, and network "roaming" works very well. Some of my friends also ent abroad (for instance in Sweden), and were able to use Eduroam network there with no problem. Eduroam network is being developed, but the goal is to be accessible to all european students and researchers. So Eduroam support is quite important by my opinion.

Basically all tools someone needs are already included in Ubuntu (i. e. wpa supplicant). User needs username and password and certificate of his domestic organisation. Unfortunately some organisations know only Windows operating system and gave users certificates in .cer form, while WPA supplicant needs certificate in .pem form. But this is no big problem, since one form of certificate can easily be transformed into other.

However, Eduroam uses WPA2, but in Ubuntu is not working, because it uses WPA2 with LDAP support and some other modifications.

My proposal is to add new feature of Network Manager. Network Manager:
- should be able to configure Eduroam support. It can be done even automatically, since Eduroam has his own unique SSID "eduroam".
- support diferent profiles (for different users on the same machine). The problem here is that there should be mechanisms to hide someone password from other users (profiles). This can be done with some form of encryption (like Firefox's password manager) - user would be able to protect his profile with his own password. The other option is to give the usser possibility not to save his password to his profile.
- automatically support for conversion of .cer to .pem certificates (by running a command "openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem"

Basically configuration file looks like that:

    proto=WPA WPA2
    group=CCMP TKIP
    <email address hidden>"
    <email address hidden>"

Network Manager should be able to prompt user for:
- <email address hidden>" (needs to enter just "")
- ca_cert="/etc/ssl/cacert.pem" (ask user to "load" certificate (and possibly convert it into .pem) and save certificate into /etc/ssl)
- <email address hidden>" (need to enter "<email address hidden>")
- password="PASSWORD" (unfortunately password is in plaintext, but this file is accesible only through root privileges)

In order to connect user, Network Manager should run this two commands:

sudo wpa_supplicant -B -i wlan0 -c /path/to/config/file.conf -D wext
sudo dhclient wlan0

So in configuration there should also be information about the wireless interface (eth1, wlan0,...) and WPA supplicant driver ("-D wext" - wext is the most commond, or some else - they are listed in man wpa_supplicant).

This feature will enable students and researchers accross the Europe to use Eduroam easily with Ubuntu.

unggnu (unggnu) wrote :

This should work fine since Network-Manager 0.6.5 has support for phase 2 authentication. You can test it easily with Gutsy Tribe 5 Desktop CD.


I have a more serious problem for which I cannot find a solution. I
hope that you don't mind that I ask it here.
While I can connect in Windows XP, following your steps I receive:
The signal is week but anyhow?

Thanks and regards

Uwe Brauer

Jorge Juan (jjchico) wrote :

The eduroam link at the University of Sevilla (Spain) works with newer Network Manager in Gutsy. I attach the window with configuration parameters (in Spanish). Note that eduroam access points in other places may need a different configuration.

I think that the bug no longer applies unless there are still eduroam access points not supported by current NM configuration parameters.

Good luck.

I can also connect at the University of Murcia (Spain) with Gutsy beta, although I wasn't able before with Feisty. I suppose this bug can be closed.

unggnu (unggnu) on 2007-10-11
Changed in network-manager:
status: New → Fix Released
Matej Kovacic (matej-kovacic) wrote :

Unfortunately it cannot be closed. I tried to connect to Eduroam and on one computer worked fine (but only once). However, on other computers it is not working (I tried three of them). It is working if I connect manually, but not from Network Manager.

mwm (mwm) wrote :

The problem that persists is different. Now, in network-manager, you have the option to insert a WPA2 Enterprise connection with CA certificate and MSCHAPv2 authentication but in my case, I have like 10 visible access points (APs) and each AP is in its frequency channel. When it loses signal strength, it should try to jump to another one (as m$ windows does) but it simply disconnects and tries to reconnect to the old one.

Any help on this?

Thank you.

virgos (afonsodasilva) wrote :

Same problem as mwm here.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments