Skip to content

Instantly share code, notes, and snippets.

@varqox

varqox/secure_eduroam.md

Last active October 15, 2025 23:36
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save varqox/6e03a96e4eab10fc98feee5c05dc02a7 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save varqox/6e03a96e4eab10fc98feee5c05dc02a7 to your computer and use it in GitHub Desktop.
Download ZIP
How to setup a *secure* eduroam connection for University of Warsaw students on Linux
Raw
secure_eduroam.md

Introduction

This tutorial covers using NetworkManager with either wpa_supplicant or IWD backend. If you did not heard of IWD, it is propbable your NetworkManager uses wpa_supplicant.

UW authorization server uses DSK-NET CA certificate that is self-signed, so we need to specify it manually.

wpa_supplicant

  1. Download the DSK-NET CA certificate:
curl https://it.uw.edu.pl/pl/uslugi/UslugiInternetWiFiEduroam/dsk_net_ca.crt | sudo tee /etc/dsk_net_ca.crt
  1. Edit connection and set:
  • Authentication to Protected EAP (PEAP)
  • Anonymous identity to [email protected]
  • Domain to eduroam.uw.edu.pl
  • Download
  • CA certificate to file located at /etc/dsk_net_ca.crt
  • Uncheck No CA certifcate is required
  • PEAP version to Automatic
  • Inner authentication to MSCHAPv2
  • Username to your [email protected]
  • Password to your CAS password

Image contains an old certificate - use the one in the instructions above! image

  1. Connect to eduroam.

IWD

  1. Create file /var/lib/iwd/eduroam.8021x with contents:
[Security]
EAP-Method=PEAP
[email protected]
EAP-PEAP-CACert=embed:dsk_net_ca_cert
EAP-PEAP-Phase2-Method=MSCHAPV2
[email protected]
EAP-PEAP-Phase2-Password=
EAP-PEAP-ServerDomainMask=eduroam.uw.edu.pl

[Settings]
Autoconnect=true

# Downloaded from: https://it.uw.edu.pl/pl/uslugi/UslugiInternetWiFiEduroam/dsk_net_ca.crt (see https://it.uw.edu.pl/pl/uslugi/UslugiInternetWiFiEduroam/)
[@pem@dsk_net_ca_cert]
-----BEGIN CERTIFICATE-----
MIIB+DCCAX+gAwIBAgIULH0vIbhkVlJymFI5gQwyx22jPqQwCgYIKoZIzj0EAwIw
FTETMBEGA1UEAwwKRFNLLU5FVCBDQTAeFw0yMDEyMjExNDU1NTNaFw0zMDEyMTkx
NDU1NTNaMBUxEzARBgNVBAMMCkRTSy1ORVQgQ0EwdjAQBgcqhkjOPQIBBgUrgQQA
IgNiAAT+RPtHx8RfnjccidientUmbOuTJP99c5fC+pih03TcsQC3OovULeeqkf9t
q5S+Fd7GMlZ9SMOChd8WxR5CkdwqML2eCuJPqZhsGpys6dwT4Enlro6teg8VMtGI
rpWurr+jgY8wgYwwHQYDVR0OBBYEFLvJqgJvT3Wjoh/eC8/cjY1VjczIMFAGA1Ud
IwRJMEeAFLvJqgJvT3Wjoh/eC8/cjY1VjczIoRmkFzAVMRMwEQYDVQQDDApEU0st
TkVUIENBghQsfS8huGRWUnKYUjmBDDLHbaM+pDAMBgNVHRMEBTADAQH/MAsGA1Ud
DwQEAwIBBjAKBggqhkjOPQQDAgNnADBkAjBscKs+RH/zZGBZZwK5DCWeB1W2hzYJ
Tk0I1HGRhvq8+Abd8D5oFGFqpqaYxsTaiGQCMBiop9yMMYz5NdmsZrx1nS6PMmkF
0CM6rBO3zNfQk6p3L4JyN3eyHogsJLKaDCc1bw==
-----END CERTIFICATE-----

Remember to change XXXXXXXXXXX to your PESEL and type your password in plain text after EAP-PEAP-Phase2-Password= e.g. EAP-PEAP-Phase2-Password=tajnehaslo

  1. Connect to eduroam.

FAQ

Why DSK-NET CA certificate?

Because it is the certificate of the root CA in the UW's certificate chain. And wpa_supplicant accepts only a root CA's certificate i.e. fails with "self-signed certificate" error. IWD works with UW's certificate as well.

@varqox
Copy link
Author

varqox commented Oct 15, 2025

Thanks for the update!
I adjusted the instructions accordingly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment