Raspberry Pi 4B Setup 3 - Connecting Pi to Eduroam, An Enterprise Wi-Fi

This post guides you on how to connect the Raspberry Pi to Eduroam, an Enterprise Wi-Fi.

Posted Nov 30, 2024

Raspberry Pi 4 Model B

By Min Joh

4 min read

Raspberry Pi 4B Setup 3 - Connecting Pi to Eduroam, An Enterprise Wi-Fi

This document is based on:
Raspberry Pi 4 Model B 4GB
Raspberry Pi OS (legacy, 64-bit)
PuTTY v0.81 64-bit x86 Windows

Introduction

Eduroam is one of the enterprise Wi-Fi networks that requires individual credentials (username and password) for authentication. It is a credential-based network that relies on user-specific credentials, typically provided by the home institution. To connect the Raspberry Pi to Wi-Fi in universities or research institutes, some manual configurations of the network settings are needed, unlike home Wi-Fi.

1. Setup before configurations

It is recommended to turn off the wireless network interfaces on the Raspberry Pi before making modifications to the configuration file.

Log in to the Raspberry Pi using SSH.
Type iwlist wlan0 scan to check if Eduroam is detected. The name of the Wi-Fi will be printed as ESSID: "eduroam".
Type sudo su to elevate to superuser mode.
Type ifdown wlan0, then ifdown eth0 to shut down all network interfaces.
What are wlan0 and eth0?
These are network interfaces:
- wlan0 is the Wi-Fi interface.
- eth0 is the Ethernet interface.
Type killall wpa_supplicant to terminate any process associated with wpa_supplicant.conf.

2. Modify Wi-Fi Network Configuration File

Now, it is safe to modify the configuration file wpa_supplicant.conf.

Open /etc/wpa_supplicant/wpa_supplicant.conf using nano:
1 nano /etc/wpa_supplicant/wpa_supplicant.conf

Scroll to the bottom of the file and add the following network information. Replace the identity and password values with your own credentials.

For typical Eduroam (PEAP with MSCHAPv2):

  
 network={
     ssid="eduroam"
     key_mgmt=WPA-EAP
     eap=PEAP
     identity="your_username@institution.edu"
     password="your_password"
     phase2="auth=MSCHAPV2"
     ca_cert="/etc/ssl/certs/ca-certificates.crt" # optional
 }

For Eduroam with certificate validation (EAP-TLS):

  
 network={
     ssid="eduroam"
     key_mgmt=WPA-EAP
     eap=TLS
     identity="your_username@institution.edu"
     client_cert="/path/to/client-cert.pem"
     private_key="/path/to/private-key.pem"
     ca_cert="/path/to/ca-certificate.pem"
     private_key_passwd="your_key_password"
 }

For anonymous identity to enhance privacy:

  
 network={
     ssid="eduroam"
     key_mgmt=WPA-EAP
     eap=PEAP
     identity="your_username@institution.edu"
     anonymous_identity="anonymous@institution.edu"
     password="your_password"
     phase2="auth=MSCHAPV2"
     ca_cert="/etc/ssl/certs/ca-certificates.crt"
 }

What do these values mean?
For more information about common values used in network configurations, refer to Section A.1.

Once finished, save and exit by pressing Ctrl + X, followed by Y to confirm saving.
Restart the wpa_supplicant service to apply the changes:
1 systemctl restart wpa_supplicant

Initialize the wpa_supplicant.conf file:

  
 wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf

3. Check Connectivity

Now that the modifications to the Wi-Fi network configuration file are complete, let’s check the connectivity.

Type ifup wlan0 followed by ifup eth0 to bring the network interfaces back online.
Use iwconfig to verify that the wlan0 network interface is connected to ESSID:"eduroam".
Ping www.google.com to confirm data transmission:
1 ping -c 3 www.google.com

A. Appendix

A.1. Common values in the Wi-Fi network configuration file

ssid is the name of the Wi-Fi network.
key_mgmt specifies the key management protocol used.
- WPA-EAP for WPA2/WPA3 Enterprise
- IEEE8021X for older 802.1X networks
eap specifies the Extensible Authentication Protocol (EAP) type. Common values:
- PEAP: Protected EAP, commonly used with MSCHAPv2 for username/password authentication.
- TLS: EAP-TLS, used for certificate-based authentication (requires client certificates).
- TTLS: EAP-TTLS, similar to PEAP but supports more inner authentication methods.
- PWD: EAP-PWD, password-based without certificates.
- FAST: EAP-FAST, uses a Protected Access Credential (PAC) instead of certificates.
identity is the username or email address used to authenticate.
password is the user’s password
phase1 specifies the outer authentication method used in WPA2/WPA3 Enterprise networks. It is not required for most standard Eduroam setups using PEAP with MSCHAPv2, as default values often work without it.
- Use phase1="peaplabel=1" if your institution uses PEAP with specific requirements for phase 1.
- Use phase1="include_tls_length=1" for EAP-TLS, which is rarely required.
phase2 specifies the inner authentication method for EAP.
- auth=MSCHAPV2 for PEAP, the most common method for Eduroam
- auth=PAP, auth=CHAP, or auth=GTC used less frequently
ca_cert specifies the path to Certificate Authority (CA) certificate file, required for validating the server certificate.
1 ca_cert="/path/to/ca-certificate.pem"
client cert specifies the path to the client certificate file, required for EAP-TLS.
1 client_cert="/path/to/client-cert.pem"
private_key specifies the path to the private key file, used for EAP-TLS.
1 private_key="/path/to/private-key.pem"
private_key_password is the password for the private key.
anonymous_identity specifies an anonymous identity sent in the first EAP request, protecting the actual username from being revealed during the initial authentication phase.
priority determines the priority of this network compared to others when connecting. Higher values mean higher priority to connect.
proto specifies the Wi-Fi protocol.
- RSN for WPA2/WPA3
- WPA for older WPA1

Useful Links

Connecting to eduroam wifi network

Connecting Linux based Raspberry Pi devices to eduroam

HOWTO Connect Raspberry Pi to Eduroam Wi-Fi

Raspberry Pi Zero OTG Mode

Hardware, Raspberry Pi

Hardware Raspberry Pi

This post is licensed under CC BY 4.0 by the author.