Friday, November 5, 2021

Eduroam on Raspberry Pi

I bought a Raspberry Pi Zero 2 W last week and worked out how to do something I've been wanting to do for a while - get a Raspberry Pi to connect to Eduroam. These instructions will be specific to the University of Leicester but hopefully helpful to others.

1. Eduroam

On the Pi, either go to cat.eduroam.org and then go through the process to find the appropriate Eduroam installer, or download the Linux script from wireless.le.ac.uk/setup/linux.  The link says it's to download the certificate, but that isn't what's downloaded - what you get is a Python script.

2. Generating the certificate and wpa-supplicant file

Run the script (chmod +x first) and it asks for your username and password.  You end up with a directory .cat_installer in your home directory, and this contains ca.pem and cat_installer.conf. The latter file contains your password in plain text, which is not a good thing.

3. Hash your password

echo -n your-actual-password | iconv -t utf16le | openssl md4 > pw.txt

4. Edit wpa_supplicant.conf

Edit /etc/wpa_supplicant/wpa_supplicant.conf and add the contents of ~/.cat_installer/cat_installer.conf.  Replace the line 
password="your-actual-password"
with the line
password=hash:1234567
Where 1234567 is the contents of the pw.txt file you created in step 3 (which will be a considerably longer hex number).  No quotes.  Now delete that file in ~/.cat_installer which has your plaintext password in it!
I moved the ca.pem file from step 2 to /etc/ssl/certs/leicester.pem, and edited the ca_cert line to reflect the new location and name of the certificate.  I also made some other changes based on this site, and a bit of experimentation to see what worked.  See below for the final version of the file.

5. Reboot

I now found that I was automatically connected to Eduroam, but DNS lookup wasn't working so I couldn't see websites.  I checked the Eduroam settings on my phone, found the IP addresses of the DHCP servers it was using, and entered them on the Pi through the network settings (click on the wifi symbol, change the settings for the Eduroam SSID).  The result was an /etc/resolv.conf file that looked like this:
# Generated by resolvconf
domain le.ac.uk
nameserver 143.210.12.158
nameserver 143.210.12.159

I also had to set priorities for the two networks in wpa_supplicant.conf, because the Pi was sometimes connecting to the Cloud (free wifi) rather than Eduroam.  I use the Cloud sometimes, but it's no good in headless mode because you have to finish the login process using a browser (and lynx has stopped working for that).  The final file looks like this, and the Pi is now reliably connecting to Eduroam without any further intervention (I often use a Pi Zero in serial gadget mode so a web browser is out of the question).

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=GB

network={
        ssid="_The Cloud"
        key_mgmt=NONE
        priority=10
}

network={
        ssid="eduroam"
        key_mgmt=WPA-EAP
        pairwise=CCMP
        eap=PEAP
        ca_cert="/etc/ssl/certs/leicester.pem"
        identity="nja@leicester.ac.uk"
        anonymous_identity="anonymous@le.ac.uk"
        password=hash:9911066b9816dc8dd0e82209ecc138a4
        altsubject_match="DNS:radius.le.ac.uk;DNS:radius.le.ac.uk"
        phase2="auth=MSCHAPV2"
        priority=20
}
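
An added example (not part of the original post or the CAT installer): a Python check that a wpa_supplicant.conf has ended up in the state steps 3 and 4 aim for, with the eduroam password stored as hash: rather than plaintext, the CA pinned with ca_cert, and the RADIUS server named. The function names and the sample block are constructed for illustration; wpa_supplicant authenticates with the hash: value directly, so the last function also checks that other users cannot read the file.

```python
import os
import re
import stat

# Constructed sample: an eduroam block with a plaintext password and no server checks.
SAMPLE_BEFORE = '''
network={
        ssid="eduroam"
        key_mgmt=WPA-EAP
        identity="user@example.ac.uk"
        password="your-actual-password"
}
'''
# Any one of these ties the RADIUS server's certificate to an expected name.
SERVER_CHECKS = ("altsubject_match", "domain_suffix_match", "domain_match", "subject_match")

def parse_networks(text):
    """Return one dict of key -> raw value per network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip()
        nets.append(net)
    return nets

def audit(text):
    """Return (ssid, finding) pairs for every WPA-EAP network in the config text."""
    findings = []
    for net in parse_networks(text):
        if "WPA-EAP" not in net.get("key_mgmt", ""):
            continue  # open networks such as "_The Cloud" carry no credentials
        ssid = net.get("ssid", "?").strip('"')
        pw = net.get("password", "")
        if pw and not re.fullmatch(r"hash:[0-9a-fA-F]{32}", pw):
            findings.append((ssid, "password is not stored as hash:<32 hex digits>"))
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append((ssid, "no ca_cert or ca_path, so the server certificate is not verified"))
        if not any(key in net for key in SERVER_CHECKS):
            findings.append((ssid, "no server name match on the certificate"))
    return findings

def readable_by_others(path):
    """True if group or other can read the file that holds the credentials."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))
```

Call audit() on the text of /etc/wpa_supplicant/wpa_supplicant.conf and readable_by_others() on its path; an empty list and False are the results to aim for.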
