How to connect a Linux device to eduroam

Summary

To connect to eduroam, your device must authenticate against the University's authentication servers. There are a few different ways to achieve this:

Preferred
  • EAP-TLS. We issue your device a certificate, which your device then uses to authenticate itself.
Optional
  • PEAPv0 with EAP-MSCHAPv2. PEAP provides an encrypted tunnel inside which different authentication mechanisms can be used. The most common is MSCHAPv2 which is a challenge using your University username and password. Or:
  • EAP-TTLS with EAP-MSCHAPv2. Similar to PEAP however the encrypted outer tunnel is TTLS.


Additionally, to ensure your device is communicating with genuine Loughborough University authentication servers, and not a rogue server, your device should be configured to verify the server. This is achieved by using the Loughborough University Authority certificate to verify the server certificate presented by the authentication server and checking the CN is equal to radius.lboro.ac.uk.

Finally, as eduroam is a global system used at most Universities worldwide, you need to configure your device so that your authentication is routed to Loughborough University's authentication servers. This is achieved by the outer identity (sometimes called anonymous identity) ending with @lboro.ac.uk or (if you don't configure an outer identity) the username ending with @lboro.ac.uk.

Step 1 - Obtain a certificate from cloudpath to authenticate your device

  • In a web browser go to https://cloudpath.lboro.ac.uk/ and login using your University Credentials.
  • On the final page click 'Show all operating systems'.
  • Click on 'Other Operating Systems'.
  • For Step 1, click on 'PEM' to download the Loughborough University Certificate Authority certificate move the CA certificate to the CA store on Ubuntu locate at '/etc/ssl/certs/'.

Screenshot of 'PEM' code required to download the Loughborough University Authority certificate

  • Ignore Step 2.
  • For Step 3, Click 'PEM' to download your device certificate, then click 'PVK' to download the private key for the certificate REMEMBER - keep the private key safe and do not share it.

Optional - change the password on the private key. Your private key will be unlocked using your University password. If you don't want this in clear text in the config file you can change the password to unlock the private key using openssl.e.g. 

Screenshot of the code to change the password on the private key

Step 2 - Configuring Ubuntu 24.04 LTS using GUI to connect to eduroam (using EAP-TLS)

Screenshot of wifi-network configuration required

  1. Authentication type should be set to TLS.
  2. Identity is your university username with @lboro.ac.uk e.g. user@lboro.ac.uk
  3. Domain is radius.lboro.ac.uk
  4. CA Certificate is the Loughborough University Certificate Authority certificate downloaded from cloudpath in Step 1. In the example, the file has been renamed to lboro-ca.pem.
  5. User Certificate is your device certificate downloaded from cloudpath.
  6. User private key is the private key for your device certificate downloaded from cloudpath.
  7. User key password is your university password used to unlock the private key. If you have replaced the password for the key (see above) enter the new password.

Alternative step

Step 2 - Configuring Ubuntu 24.04 LTS using the command line to connect to eduroam (using EAP-TLS)

Configure eduroam using netplan

1. Get the name for your wireless adapter e.g. wlp0s20f3.

Screenshot of the name for your wireless adapter

2. Edit the netplan configuration file called 50-cloud-init.yaml (using your preferred file editor).

Screenshot of code to edit the netplan configuration file called 50-cloud-init.yaml

Modify the 'wifis:' section of the file to add the eduroam configuration. In the example below the client certificate has been stored in /home/user/eduroam-certs. The CA cert downloaded from cloudpath has been renamed to lboro-ca.pem and moved to '/etc/ssl/certs/'.

The identity field should contain your Loughborough University username followed by @lboro.ac.uk Screenshot of what the identity field should look likeNOTE: You only need to edit the wifis: section of the configuration file. Do not change any other values.

3. Apply the config using netplan

Screenshot of the code to apply the config using netplan code

After applying your configuration should be visible in the saved wireless networks.

Screenshot of your saved wireless networks

Linux users using wpa_supplicant

Many versions of Linux use wpa_supplicant with a config file. If your version requires you to edit wpa_supplicant.conf add the following section to your config file: 

Screenshot of the section code to edit wpa_supplicant.conf if required