Connecting to UW Eduroam with OpenBSD and wpa_supplicant
OpenBSD uses wpa_supplicant to handle WPA-Enterprise authentication like that used for Eduroam. Older Eduroam guides for wpa_supplicant use the password-based authentication scheme. That method was deprecated in 2022, and certificate authentication is now required.
Obtaining Eduroam Certificates
- Log into the UW eduroam onboarding site
- Under “Select your device:” select “User-Defined”
- Sign In and complete the enrollment to generate P12 certificates. You’ll be asked to supply a device alias as well as the wifi interface’s MAC address. Create a secure passphrase when prompted.
- Download the P12 certificate and the CA Certificate from the last page of the setup wizard.
Extract the certificate and key files
openssl pkcs12 -in <netid>@uw.edu.p12 -nocerts -nodes -out eduroam_key.key
openssl pkcs12 -in <netid>@uw.edu.p12 -clcerts -nokeys -out eduroam_cert.pem
You will be prompted for the passphrase you created when generating the P12 certificate. Move eduroam_key.key and eduroam_cert.pem to /etc/ssl, and move the CA cert to /etc/ssl/eduroam_ca.cer
Configure wpa_supplicant
/etc/wpa_supplicant.conf:
network={
ssid="eduroam"
scan_ssid=1
key_mgmt=WPA-EAP
eap=TLS
phase2="auth=PAP"
identity="anonymous@uw.edu"
ca_cert="/etc/ssl/eduroam_ca.cer"
client_cert="/etc/ssl/eduroam_cert.pem"
private_key="/etc/ssl/eduroam_key.key"
private_key_passwd=""
}
/etc/hostname.iwm0 (replace iwm0 with the interface name of your wifi card):
join "eduroam" wpa wpaakms 802.1x
Enable wpa_supplicant:
doas rcctl enable wpa_supplicant
Note: if you run into trouble, you can stop the wpa_supplicant service and run wpa_supplicant manually with debugging output to troubleshoot issues:
# as root
rcctl stop wpa_supplicant
wpa_supplicant -d -D openbsd -i iwm0 -c /etc/wpa_supplicant.conf
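A pre-flight check for the files set up above, added here as an example and not part of the original guide: it reads the paths from the config, confirms the CA certificate is present, that the unencrypted key is not readable by group or other, and that the client certificate matches the key. The function names are hypothetical, and it assumes the quoted key="value" config layout shown above and an openssl binary in PATH.

```sh
#!/bin/sh
# Added example (function names are hypothetical, not from the guide).

# Print the value of a quoted key="value" setting from a wpa_supplicant config.
conf_value() {  # usage: conf_value <conf> <key>
    sed -n "s/^[[:space:]]*$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Succeed only if group and other have no permission bits on the key file.
# The key was exported with -nodes, so the file mode is its only protection.
key_perms_ok() {  # usage: key_perms_ok <keyfile>
    [ -f "$1" ] || return 2
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Succeed if the certificate and the private key carry the same public key.
# -passin pass: makes an encrypted key fail instead of prompting.
cert_matches_key() {  # usage: cert_matches_key <cert.pem> <keyfile>
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run every check against a config; the exit status is the number of failures.
audit_conf() {  # usage: audit_conf <conf>
    fails=0
    key=$(conf_value "$1" private_key)
    cert=$(conf_value "$1" client_cert)
    ca=$(conf_value "$1" ca_cert)
    [ -n "$ca" ] && [ -f "$ca" ] ||
        { echo "FAIL: ca_cert missing, server certificate is not verified"; fails=$((fails + 1)); }
    key_perms_ok "$key" ||
        { echo "FAIL: $key is missing or readable by group/other"; fails=$((fails + 1)); }
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: $cert does not match $key"; fails=$((fails + 1)); }
    return "$fails"
}

# Typical use, as root:  audit_conf /etc/wpa_supplicant.conf && echo "all checks passed"
```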