Eduroam unter Linux/en: Difference between revisions

ZIM HilfeWiki - the wiki

(12 intermediate revisions by 3 users not shown)
Line 4: Line 4:
 
|translated title=eduroam on Linux
 
|translated title=eduroam on Linux
 
}}
 
}}
This tutorial describes how to set up the Wi-Fi eduroam on Linux. In this example a Ubuntu 14.04 LTS system with Gnome Desktop is used. Other distributions may look different.
+
<br>
 +
<bootstrap_card color=info header="Fingerprint certificate radius server" collapsible>
  
== What needs to be done? ==
+
The certificate for the radius server will be changed on January 14, 2025. If your device asks you to check a certificate for Eduroam or to trust a new certificate, you should check the certificate’s fingerprint. Most devices should still automatically connect to Eduroam.
* Create and download a user certificate.
 
** <optional> Download the '''USERTrust RSA Certification Authority certificate''' if needed.
 
* Configure the eduroam network.
 
* Delete the webauth network if used.
 
  
== Step-by-step instructions ==
 
===Download certificates ===
 
* Visit the [http://sp.upb.de ServicePortal] with your Browser.
 
* Log in with your university account.
 
* Visit  '''Benutzerverwaltung''' and click on '''Netzwerk Einstellungen'''.
 
* Click on '''Neues Zertifikat erstellen'''.
 
* Give the certificate an identifier like "Laptop".
 
* Click on '''Neues Zertifikat zusenden'''
 
 
<br>
 
<br>
  
[[Datei:Netzwerkzertifikat passwort generierung.PNG|links|mini|ohne|350px]]
+
<pre>sha1 Fingerprint=22:8B:F4:7C:AC:00:BD:F6:77:F9:39:78:B5:AF:BF:66:C0:5C:84:D6</pre>
 +
 
 +
<pre>sha256 Fingerprint=98:A9:22:F8:DC:C9:92:EA:19:B1:97:5A:44:D7:CA:01:30:4E:CB:2F:14:69:79:18:5F:69:8A:25:03:E1:05:88</pre>
 +
 
 +
<pre>sha512 Fingerprint=3D:FA:3B:AA:D4:41:B0:4F:AA:C6:F1:58:CA:D3:A2:B6:1A:23:52:B2:9E:92:6D:C0:2B:B5:ED:50:8D:1D:FF:34:29:FC:D3:B5:6F:4C:8D:7F:A0:85:8B:38:B0:46:C5:17:98:2A:72:25:41:42:5D:39:BA:40:1D:9C:F3:14:24:64</pre>
 +
 
 +
[[Datei:Radius-certificate-warning-macos.png|links|mini|ohne|350px|macOS: Klicken Sie auf Zertifikat einblenden.]]
 +
 
 +
<br clear=all>
 +
 
 +
[[Datei:Radius-certificate-warning-ios.png|links|mini|ohne|350px|iPhone und iPad: Klicken Sie auf Zertifikat anzeigen]]
 +
 
 +
</bootstrap_card>
 
<br>
 
<br>
* Copy the import password.
+
These instructions for setting up the eduroam WLAN at the University of Paderborn apply to devices with Linux via the user interface (GUI). As an example, the network is set up here under Ubuntu 14.04 LTS with Gnome Desktop. Depending on the Linux version, the settings may vary slightly. Please note that the Notebook Café does not offer immediate Linux support.
* Click on '''Netzwerkzertifikat herunterladen'''.
+
 
* Click on '''CA-Zertifikat herunterladen'''.
+
== What to do? ==
<br clear=all>
+
* Create your personal university network certificate
 +
** <optional> Download the root certificate. This is a standard root certificate, so it should already exist.
 +
* Set up the eduroam network.
 +
* Delete any existing webauth profile so that the device automatically connects to eduroam.
 +
* '''Special case:''' Depending on the Linux version, ''uni-paderborn.de'' must be entered under '''Domain/domain'''.
  
* Save the certificates on your computer. Choose your folder wisely. Don't move or delete the certificates afterwards.
+
== Step-by-step instructions ==
* Open the certificates and import them.
+
===Provide certificates ===
 +
Access using a browser such as B. Firefox or Internet Explorer, open the [http://sp.upb.de service portal], log in with your user name and password and apply for a new certificate under "WLAN". Enter the name of the device on which the certificate is to be installed. <br/>
 +
A password will then be automatically generated for the certificate and displayed on the following page. It is best if the password is copied for further installation.
  
===Configure eduroam ===
+
[[Datei:Eduroam-unter-android-4.png|left|mini|without|350px]]
[[Datei:Eduroam unter Linux_01.png|links|mini|ohne|350px]]
 
 
<br>
 
<br>
* Open your '''Networkmanager''' or your prefered tool to configure your Wi-Fi connections:
+
* Click '''"Neues Zertifikat erstellen"'''.
 
<br clear=all>
 
<br clear=all>
  
[[Datei:Eduroam unter Linux_02.png|links|mini|ohne|350px]]
+
[[Datei:Netzwerkzertifikat-container-v2.png|links|mini|without|350px]]
 
<br>
 
<br>
* Create a new connection:
+
* Give the certificate a unique name (Ex: Laptop xy)
 +
* Select '''Version 2''' as the file format.
 +
* Then click on '''"Neues Zertifikat zusenden"'''.
 
<br clear=all>
 
<br clear=all>
  
Choose the following settings:
+
[[Datei:Netzwerkzertifikat-download.png|links|mini|without|350px]]
[[Datei:Eduroam unter Linux_03.png|links|mini|ohne|350px]]
 
 
<br>
 
<br>
* '''Name:''' Free to choose
+
* A new network certificate has been created for you.
 +
* First copy the '''Import Password''' to the clipboard.
 +
* Now click on '''"Netzwerkzertifikat herunterladen"'''.
 +
* Then click '''"CA-Zertifikat herunterladen"'''.
 +
<br clear=all>
 +
 
 +
Save both certificates e.g. B. in your user folder or another safe location. Do not delete/move this folder!
 +
 
 +
===Set up Eduroam===
 +
[[Datei:Eduroam unter Linux_01.png|left|mini|without|350px|status menu]]
 +
<br clear=all>
 +
* Open the status menu.
 +
* Select '''"WLAN-Netzwerke auswählen"'''.
 +
<br clear=all>
 +
 
 +
[[Datei:Eduroam unter Linux_02.png|left|mini|without|350px|WLAN settings]]
 +
<br clear=all>
 +
* Choose eduroam.
 +
<br clear=all>
 +
 
 +
Set up eduroam as follows:
 +
[[Datei:Eduroam unter Linux_03.png|links|mini|without|350px|eduroam setup]]
 +
<br clear=all>
 +
* '''Security:''' WPA & WPA2 Enterprise
 +
* '''Legitimation:''' TLS
 +
* '''Identity:''' <username>@uni-paderborn.de (replace <username> with your university account
 +
* '''Domain (if available):''' radius.uni-paderborn.de
 +
* '''CA Certificate:''' Select the '''USERTrust RSA Certification Authority'' certificate (''USERTrustRSACertificationAuthority.crt'').
 +
* '''Password CA certificate:''' Remains blank.
 +
* '''User certificate:''' Select your personal network certificate (the file that ends in .p12 and contains your university account username).
 +
* '''User certificate password:''' Remains blank.
 +
* '''Secret user key:''' Is usually automatically filled with "User certificate" - otherwise insert it yourself
 +
* '''User key password:''' Import password for your personal network certificate.
 +
<br clear=all>
 +
 
 +
* ''<variable> domain:''
 +
*# ''uni-paderborn.de (Some Linux versions require this entry)''
 +
*# ''radius.uni-paderborn.de (or this one)''
 +
*# ''<leave blank> (or something like that, if it shows at all)''
 +
 
 +
==Troubleshooting==
 +
===Add manually===
 +
You may also be able to add the eduroam network manually:
 +
* '''Connection name:''' Can be freely selected
 
* '''SSID:''' eduroam
 
* '''SSID:''' eduroam
* '''Security:''' WPA & WPA2 Enterprise
+
* See above for remaining settings.
* '''Legitimacy:''' TLS
+
 
* '''Usercertificate:''' None
+
===Ubuntu===
* '''CA-Certificate''' Choose the "T-Telesec Globalroot Class 2".
+
Some customers report problems setting up eduroam on Ubuntu 22.04 and newer. The problem is described here:
* '''Secret Key''' Choose your usercertificate.
+
<br>
* '''Password for the secret key''' The import password for the user certificate - We copied that one in the ServicePortal.
+
* https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267
 +
<br>
 +
 
 +
{| width="70%" style="background-color:yellow; border-style:dashed; border-width:3px; border-color:red; padding: 5px; "
 +
| '''Attention:''' <br>
 +
The following solution suggestion comes from a customer. Use at your own risk. There was no examination by the ZIM.
 +
|}
 
<br clear=all>
 
<br clear=all>
  
=== Troubleshooting ===
+
<pre>
In some network manager the field '''Usercertificate''' is not allowed to be empty. You can insert a random file like a 0-byte-file or the telekom cert. Now you should be able to click on '''connect'''.
+
1) Find wpa_supplicant service file with `systemctl status wpa_supplicant`.
 +
    For me, the path is "/lib/systemd/system/wpa_supplicant.service"
 +
2) In that file, (with superuser rights), add the line
 +
    `Environment="OPENSSL_CONF=/usr/lib/ssl/openssl.cnf"`
 +
3) Backup old config:
 +
    `sudo cp /usr/lib/ssl/openssl.cnf /usr/lib/ssl/openssl.cnf.backup`
 +
4) Modify "openssl.cnf" like follows:
 +
    a) Below "[openssl_init]" add the line "ssl_conf = ssl_sect".
 +
    b) At the end of the file, add
 +
      [ssl_sect]
 +
      system_default = system_default_sect
 +
 
 +
      [system_default_sect]
 +
      Options = UnsafeLegacyRenegotiation
 +
      CipherString = DEFAULT:@SECLEVEL=1
 +
5) Restart the service `sudo systemctl restart wpa_supplicant.service`.
 +
    If that doesn't work, reboot.
 +
</pre>
 +
 
 +
<!--
 +
===User certificate ===
 +
* You may be able to leave the User Certificate field blank.
 +
* Some network managers do not save the profile as long as all certificate fields are not filled in, including the '''User Certificate''' field. It is then sufficient to enter any file in the user certificate field (0byte file, or e.g. the telekom-cert). You should then be able to save the profile.
 +
-->
 +
=== Linux Mint ===
 +
On Linux Mint it can happen that the user certificate cannot be selected when selecting it in the network settings. Linux Mint does not recognize the file extension/format .p12 in the selection.
 +
 
 +
==== Solution: ====
 +
Convert user certificate from P12 to PEM format
 +
<pre>openssl pkcs12 -in Network_Certificate_UNIACCOUNTNAME_XXXX.p12 -out Network_Certificate_UNIACCOUNTNAME_XXXX.pem -nodes</pre>
 +
After the conversion you can continue as described.
  
<div style="text-align:right;"><i> Many thanks to Katarina Ebert for the screenshots and Stefan Löwen for the certificate hint!</i></div>
+
==See also==
 +
* [[Netzwerk]]
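Review bot: step 4 of the added Ubuntu workaround edits /usr/lib/ssl/openssl.cnf in place, so `Options = UnsafeLegacyRenegotiation` and `CipherString = DEFAULT:@SECLEVEL=1` take effect for every program that reads that file, although step 2 sets OPENSSL_CONF only for wpa_supplicant. The text should instead have the reader copy the file, apply the change to the copy, and point OPENSSL_CONF at the copy. In the new Linux Mint section, `-nodes` writes the private key to the .pem unencrypted, so the text should say to keep that file readable only by its owner. Two markup slips in the new settings list: `'''USERTrust RSA Certification Authority''` closes with two apostrophes instead of three, and the Identity line is missing its closing parenthesis.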

Current version as of 13 January 2025, 12:41

The German version can be found on the page Eduroam unter Linux



The certificate for the RADIUS server will be changed on January 14, 2025. If your device asks you to check a certificate for eduroam or to trust a new certificate, check the certificate's fingerprint against the values below. Most devices should still connect to eduroam automatically.


sha1 Fingerprint=22:8B:F4:7C:AC:00:BD:F6:77:F9:39:78:B5:AF:BF:66:C0:5C:84:D6
sha256 Fingerprint=98:A9:22:F8:DC:C9:92:EA:19:B1:97:5A:44:D7:CA:01:30:4E:CB:2F:14:69:79:18:5F:69:8A:25:03:E1:05:88
sha512 Fingerprint=3D:FA:3B:AA:D4:41:B0:4F:AA:C6:F1:58:CA:D3:A2:B6:1A:23:52:B2:9E:92:6D:C0:2B:B5:ED:50:8D:1D:FF:34:29:FC:D3:B5:6F:4C:8D:7F:A0:85:8B:38:B0:46:C5:17:98:2A:72:25:41:42:5D:39:BA:40:1D:9C:F3:14:24:64
macOS: Click "Show Certificate" (Zertifikat einblenden).


iPhone and iPad: Click "View Certificate" (Zertifikat anzeigen).



These instructions for setting up the eduroam WLAN at the University of Paderborn apply to Linux devices configured through the graphical user interface (GUI). As an example, the network is set up here under Ubuntu 14.04 LTS with Gnome Desktop. Depending on the Linux version, the settings may vary slightly. Please note that the Notebook Café does not offer immediate Linux support.

What to do?

  • Create your personal university network certificate
    • <optional> Download the root certificate. This is a standard root certificate, so it should already exist.
  • Set up the eduroam network.
  • Delete any existing webauth profile so that the device automatically connects to eduroam.
  • Special case: Depending on the Linux version, uni-paderborn.de must be entered under Domain/domain.

Step-by-step instructions

Provide certificates

Using a browser such as Firefox or Internet Explorer, open the service portal, log in with your user name and password and apply for a new certificate under "WLAN". Enter the name of the device on which the certificate is to be installed.
A password is then generated automatically for the certificate and displayed on the following page. It is best to copy this password, as it is needed later in the installation.


  • Click "Neues Zertifikat erstellen".




  • Give the certificate a unique name (e.g. Laptop xy).
  • Select Version 2 as the file format.
  • Then click on "Neues Zertifikat zusenden".




  • A new network certificate has been created for you.
  • First copy the Import Password to the clipboard.
  • Now click on "Netzwerkzertifikat herunterladen".
  • Then click "CA-Zertifikat herunterladen".


Save both certificates, e.g. in your user folder or another safe location. Do not delete or move this folder!

Set up Eduroam

(Screenshot: status menu)


  • Open the status menu.
  • Select "WLAN-Netzwerke auswählen".


(Screenshot: WLAN settings)


  • Choose eduroam.


Set up eduroam as follows:

(Screenshot: eduroam setup)


  • Security: WPA & WPA2 Enterprise
  • Authentication: TLS
  • Identity: <username>@uni-paderborn.de (replace <username> with your university account)
  • Domain (if available): radius.uni-paderborn.de
  • CA Certificate: Select the USERTrust RSA Certification Authority certificate (USERTrustRSACertificationAuthority.crt).
  • Password CA certificate: Remains blank.
  • User certificate: Select your personal network certificate (the file that ends in .p12 and contains your university account username).
  • User certificate password: Remains blank.
  • Secret user key: Is usually automatically filled with "User certificate" - otherwise insert it yourself
  • User key password: Import password for your personal network certificate.


  • <variable> domain:
    1. uni-paderborn.de (Some Linux versions require this entry)
    2. radius.uni-paderborn.de (or this one)
    3. <leave blank> (or something like that, if it shows at all)

Troubleshooting

Add manually

You may also be able to add the eduroam network manually:

  • Connection name: Can be freely selected
  • SSID: eduroam
  • See above for remaining settings.

Ubuntu

Some customers report problems setting up eduroam on Ubuntu 22.04 and newer. The problem is described here: https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267


Attention:

The following solution suggestion comes from a customer. Use at your own risk. There was no examination by the ZIM.


1) Find wpa_supplicant service file with `systemctl status wpa_supplicant`.
    For me, the path is "/lib/systemd/system/wpa_supplicant.service"
2) In that file, (with superuser rights), add the line
    `Environment="OPENSSL_CONF=/usr/lib/ssl/openssl.cnf"`
3) Backup old config:
    `sudo cp /usr/lib/ssl/openssl.cnf /usr/lib/ssl/openssl.cnf.backup`
4) Modify "openssl.cnf" like follows:
    a) Below "[openssl_init]" add the line "ssl_conf = ssl_sect".
    b) At the end of the file, add
      [ssl_sect]
      system_default = system_default_sect

      [system_default_sect]
      Options = UnsafeLegacyRenegotiation
      CipherString = DEFAULT:@SECLEVEL=1
5) Restart the service `sudo systemctl restart wpa_supplicant.service`.
    If that doesn't work, reboot.
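
A variant of the workaround above that leaves the system-wide openssl.cnf and the packaged unit file unchanged, written as an added example (not from ZIM or from the customer who supplied the workaround). The function names and the path /etc/wpa_supplicant/openssl-eduroam.cnf are assumptions; the settings written are the ones listed in step 4.

```sh
#!/bin/sh
# Added example: confine the relaxed OpenSSL settings to wpa_supplicant.
# Function names and the /etc/wpa_supplicant path below are assumptions.

# make_scoped_conf SRC DST: copy SRC to DST with the workaround applied.
# SRC is never modified. Returns 1 if SRC has no [openssl_init] section and
# 2 if it already sets ssl_conf (merge by hand rather than duplicate keys).
make_scoped_conf() {
    src=$1
    dst=$2
    if ! grep -q '^\[ *openssl_init *]' "$src"; then
        echo "no [openssl_init] section in $src" >&2
        return 1
    fi
    if grep -q '^ *ssl_conf *=' "$src"; then
        echo "$src already sets ssl_conf; merge manually" >&2
        return 2
    fi
    # Insert the ssl_conf line directly below the [openssl_init] header.
    awk '{ print } /^\[ *openssl_init *\]/ { print "ssl_conf = ssl_sect" }' \
        "$src" > "$dst" || return 1
    # Append the two sections from the workaround.
    cat >> "$dst" <<'EOF'

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
CipherString = DEFAULT:@SECLEVEL=1
EOF
}

# make_dropin DIR CONF: write a systemd drop-in so that only this service
# gets OPENSSL_CONF; the packaged unit file stays as shipped.
make_dropin() {
    mkdir -p "$1" || return 1
    printf '[Service]\nEnvironment="OPENSSL_CONF=%s"\n' "$2" \
        > "$1/override.conf"
}

# Use as root:
#   make_scoped_conf /usr/lib/ssl/openssl.cnf /etc/wpa_supplicant/openssl-eduroam.cnf
#   make_dropin /etc/systemd/system/wpa_supplicant.service.d \
#       /etc/wpa_supplicant/openssl-eduroam.cnf
#   systemctl daemon-reload && systemctl restart wpa_supplicant.service
```

Removing the drop-in directory and the copied file and restarting the service undoes the change; other programs keep the distribution's default security level throughout.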

Linux Mint

On Linux Mint, the user certificate sometimes cannot be selected in the network settings, because Linux Mint does not recognize the file extension/format .p12 in the file selection.

Solution:

Convert the user certificate from P12 to PEM format:

openssl pkcs12 -in Network_Certificate_UNIACCOUNTNAME_XXXX.p12 -out Network_Certificate_UNIACCOUNTNAME_XXXX.pem -nodes

After the conversion you can continue as described.

See also

  • Netzwerk

