Configuring the eduroam WLAN network at
RWTH Aachen
Written by Bernd Jantzen
This document provides
The usage of the eduroam WLAN network at RWTH Aachen and
abroad is explained at
this
web page of the computer centre.
There you also find links to the web sites of the eduroam
network. This WLAN network can be used with the same configuration as in Aachen
at many other locations of universities and research institutions in Germany
and Europe.
If you haven't configured eduroam yet on your laptop, it might be a
good idea to connect first to the mops WLAN network, which is
unencrypted and does not need a special configuration on your computer.
Afterwards try to visit an arbitrary web page with your browser, and you will be
redirected to the web site of the computer centre. There you find links to all
necessary installation instructions concerning eduroam.
The mops network can also be used permanently, but the access to
non-RWTH servers needs additional authentication:
Either use your VPN login over the mops network
(though this does not seem to be supported any more by the RWTH computer centre
and will probably stop working in future).
Or use the web login (see the end of
that web page), which is, however, limited to sessions of 30 minutes.
In order to make the WLAN network available to guests you can configure a
guest account here. (This is quick and easy and should be done e.g. for
seminar speakers).
However, you should use the eduroam WLAN network instead of
mops whenever possible because only this network provides an encrypted
WLAN connection.
In addition, the use of VPN over eduroam is not necessary
unless you want to access RWTH servers which are blocked from the outside
internet by the firewall (internal RWTH web pages or SSH login to office PCs).
For the configuration of the eduroam WLAN network on your laptop the
computer centre has gathered installation instructions with links to
detailed instructions e.g. for Ubuntu Linux, Windows and
Mac OS X, and additionally the
general settings valid for all operating systems.
Unfortunately, there are no detailed instructions for OpenSUSE users,
so I present such instructions in the following.
Important note:
If your WLAN/VPN account already existed on February 1st, 2008 and you
never changed your password since this date, then you probably have to change
or reset your WLAN/VPN password (via the
TIM login manager)
before you can log into the eduroam network.
In contrast to the information from the computer centre, this problem seems to
be relevant for both authentication types TTLS and PEAP
(see below).
Before connections to the eduroam WLAN network can be established,
the RWTH certificate authority (CA) needs to be recognized as a valid
and trusted CA. The RWTH servers use this
RWTH
certificate chain which contains (in PEM format) the certificate of
the RWTH Aachen CA, the intermediate certificate of
the DFN-Verein and the top-level root certificate of
Deutsche Telekom.
This certificate chain allows your computer to identify the server of the WLAN
network before transmitting your password to it.
While it is possible in some Linux operating systems to provide the whole
certificate chain or the top-level root certificate in the context of the
connection settings, this does not seem to work for most of the new Linux
distributions (see the detailed installation
instructions below).
In these cases you have to make sure that your operating system recognizes at
least the top-level root certificate of Deutsche Telekom.
If you are lucky, your operating system (e.g. OpenSUSE 11.2)
already has this root certificate installed. You can find this out by
downloading the root-certificate file
Deutsche_Telekom_Root_CA_2.pem from my web site by choosing
“Save link as ...” in the context menu of the link (this is just
the last part of the RWTH certificate chain in a separate file).
In the directory where you have saved the root certificate, type the command:
openssl verify Deutsche_Telekom_Root_CA_2.pem
In the case of success, the result should simply be:
Deutsche_Telekom_Root_CA_2.pem: OK
If your operating system does not yet recognize this root certificate, the output
contains the following line:
error 18 at 0 depth lookup:self signed certificate
In this case I recommend the installation of the RWTH certificate chain in
the OpenSSL certificate database of your computer. This database is
also used by other programs, so the installation of the certificates will
prevent e.g. command-line tools like (al)pine, wget
and cadaver from complaining about missing certificates when accessing
SSL-secured RWTH servers.
The installation of the RWTH certificates is explained in the following
instructions. They are based on this
guide for the certificate installation with OpenSSL.
- Determine the directory which holds the CA certificates of your OpenSSL
installation: By typing
openssl version -d
you will get an output of the form
OPENSSLDIR: "/etc/ssl"
telling you that the OpenSSL directory is “/etc/ssl”,
as it is for many Linux distributions.
For Redhat Fedora it is “/etc/pki/tls”,
and a list for more distributions can be found
there.
The CA certificates are stored in a subdirectory named
“certs”, so the complete path of the certificate directory
is e.g. “/etc/ssl/certs”.
This “certs” directory contains either certificate files (*.pem)
with a symbolic link pointing to each of them,
or one file (e.g. “ca-bundle.crt”) which encapsulates several
installed certificates.
- Download the archive
ca-rwth-certs.tar,
save it somewhere and unpack it to the “certs” directory
(as root user):
cd /openssl-directory/certs
tar -xf /download-path/ca-rwth-certs.tar
This will install the root certificate
“Deutsche_Telekom_Root_CA_2.pem”, the intermediate certificate
“DFN-Verein_PCA_Global_-_G01.pem” and the RWTH certificate
“RWTH_Aachen_CA.pem”, together with the symbolic links
“4e18c148.0”, “aaa0e946.0” and
“d2e1303a.0” which help OpenSSL find the certificates by
the hash value.
For most situations the root certificate
“Deutsche_Telekom_Root_CA_2.pem” alone (together with the
symbolic link “4e18c148.0” pointing to it) is sufficient, and the
other two certificates are actually not needed.
- You should not trust me, but check that the CA certificates which you have
installed and are going to accept for verification actually correspond to the
ones they pretend to be:
Display the “fingerprint” of each certificate by typing
e.g.
openssl x509 -noout -fingerprint -in Deutsche_Telekom_Root_CA_2.pem
and compare it to the fingerprint indicated on the
certificate web page of the computer centre
(“SHA1=...”).
After this installation OpenSSL recognizes the RWTH certificate chain as a
set of valid and trusted CA certificates.
As an alternative to using the archive “ca-rwth-certs.tar” provided
by me (see step 2 above), you can prepare these files yourself:
These three certificate files and three symbolic links then have to be placed
into the “certs” directory used by OpenSSL (see
step 1 above).
It is also possible to create the symbolic links by calling the command
c_rehash after having installed the three certificate
files in the “certs” directory. This method recreates all symbolic
links for all certificates installed there.
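As an added example (my own script is not on this page, and this one is not from the computer centre either), the following POSIX shell script automates the check with openssl verify and the three installation steps above: it splits the chain file into single PEM files, refuses to install anything unless the root's SHA1 fingerprint matches the value you copied from the certificate web page, copies the files into the “certs” directory and creates the hash symlinks that c_rehash would create. It assumes that openssl is in the PATH; the fingerprint argument is a placeholder you fill in yourself.

```shell
#!/bin/sh
# Added example, not the author's script: automates the OpenSSL certificate
# installation described above (split the RWTH chain into single PEM files,
# check the root fingerprint against the value published by the computer
# centre, copy the files into the "certs" directory and create the hash
# symlinks that c_rehash would create).
# Assumed: openssl in $PATH; run as root for a system-wide certs directory.
set -eu

# split_chain CHAIN OUTDIR: write one file per certificate (cert-1.pem, ...)
# and print how many certificates the chain contained.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# normalize_fp STRING: drop an "SHA1 Fingerprint=" prefix and the colons and
# upper-case the hex digits, so that fingerprints copied from different
# sources can be compared as plain strings.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}

# fingerprint_matches CERT EXPECTED: true if the SHA1 fingerprint of CERT
# equals EXPECTED (in any of the usual notations).
fingerprint_matches() {
    actual=$(openssl x509 -noout -fingerprint -sha1 -in "$1")
    [ "$(normalize_fp "$actual")" = "$(normalize_fp "$2")" ]
}

# install_cert CERT CERTSDIR: copy CERT into CERTSDIR and add the
# <subject hash>.<n> symlink that OpenSSL uses to look the certificate up.
install_cert() {
    name=$(basename "$1")
    cp "$1" "$2/$name"
    hash=$(openssl x509 -noout -hash -in "$1")
    n=0
    while [ -e "$2/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$name" "$2/$hash.$n"
    echo "$2/$hash.$n -> $name"
}

# main CHAIN CERTSDIR EXPECTED_ROOT_SHA1
main() {
    tmp=$(mktemp -d)
    count=$(split_chain "$1" "$tmp")
    echo "chain contains $count certificate(s)"
    root="$tmp/cert-$count.pem"   # the root certificate is the last one in the chain
    if ! fingerprint_matches "$root" "$3"; then
        echo "root fingerprint does not match the published value; aborting" >&2
        rm -rf "$tmp"; exit 1
    fi
    i=1
    while [ "$i" -le "$count" ]; do
        install_cert "$tmp/cert-$i.pem" "$2"
        i=$((i + 1))
    done
    # Same check as in the text: the root must now verify against CERTSDIR.
    openssl verify -CApath "$2" "$root"
    rm -rf "$tmp"
}

# Usage: ./install-rwth-ca.sh ca-rwth.pem /etc/ssl/certs 'SHA1=XX:XX:...'
# (the fingerprint is a placeholder; nothing runs without arguments).
[ "$#" -eq 0 ] || main "$@"
```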
These instructions are mainly directed to users of the Linux
distribution OpenSUSE. But they will also be valid for certain other
Linux distributions because the main differences arise from the various
versions of graphical frontends to the NetworkManager which is
nowadays used in many Linux systems.
The following sections are dedicated to
These instructions rely on using the window manager
KDE 4 with the KDE network manager
KNetworkManager (for connecting to wireless networks)
in the version provided by OpenSUSE 11.2.
They probably also work for other Linux distributions with the same version of
the KNetworkManager.
-
OpenSUSE 11.2 should already have installed the top-level root
certificate of Deutsche Telekom which is necessary for identifying the
WLAN server.
See the instructions above about installing the SSL
certificates of the RWTH certificate authorities for details on how to
check for the existence of the root certificate and on how to install it in the
other case.
This is necessary in OpenSUSE 11.2 because providing one or
several certificates to the configuration of the Network Manager does not seem
to work, so the system certificates have to be used.
-
Click on the icon of the network manager in the system tray of the KDE
control panel. Select the WLAN network “eduroam” from the
list, which makes the following window appear for entering the WLAN security
settings:
Alternatively, you can choose to edit the connections and add
the eduroam network there. Then make sure to enter the
correct “SSID” “eduroam” in the
tab “Wireless” (“Drahtlos”).
-
As shown in the picture above, enter the connection data in the tab
“Wireless Security” (“Drahtlos-Sicherheit”):
- The “Security” type (“Sicherheit”)
is “WPA/WPA2 Enterprise”.
- Choose the “Authentication” type
(“Authentifizierung”) “Tunnelled TLS (TTLS)”
(“Getunneltes TLS (TTLS)”) and, further down,
the “Inner Authentication”
(“Innere Authentifizierung”) “PAP”.
Alternatively the authentication “PEAP” and the
inner authentication “MsCHAPv2” can be used
(see here).
- The “Anonymous Identity” (“Anonyme
Identität”) field should contain
“anonymous@rwth-aachen.de” (where the part before
“@rwth-aachen.de” is arbitrary).
See the “Note on the
anonymous identity” below for details.
- The “CA Certificate”
(“CA-Zertifikat”) entry must be left empty.
As explained above, the system certificates have to be used, so the option
“Use System CA Certs” (“CA-Zertifikate des
Systems verwenden”) must be checked.
- The first part of the “Username”
(“Benutzername”)
is the WLAN/VPN user name which you got from the RWTH computer
centre and which is usually identical to the account name for the
TIM login manager where you can also change the passwords.
This account name normally consists of your initials followed by a 6-digit
number.
Append the realm “@rwth-aachen.de” to this account name
in order to complete the eduroam identity (user name).
- The “Password” (“Passwort”) must be the
one for your WLAN/VPN account.
-
Click on the button “OK”, then the connection should be
established. You can follow the status via the icon of the network manager.
By default the network manager will save the password
in kwallet, the digital wallet of KDE, and kwallet
will prompt you for a master password which is needed every time the network
manager wants to access the WLAN password. In the settings of the network
manager it is possible to change the location where connection passwords are
stored.
-
The saved configuration of your WLAN connection can be accessed and changed
via the icon of the network manager.
The KNetworkManager saves its configuration data (normally with the
exception of the password) in the file
“~/.kde4/share/config/networkmanagementrc” and in
per-connection files in the directory
“~/.kde4/share/apps/networkmanagement/connections/”,
both under the user's home directory,
but usually these files need not be edited by hand.
These instructions rely on using the window manager
KDE 4 with the KDE network manager
KNetworkManager (for connecting to wireless networks)
in the version provided by OpenSUSE 11.1.
They probably also work for other Linux distributions with the same version of
the KNetworkManager.
-
Follow the instructions above for installing the SSL
certificates of the RWTH certificate authorities.
This step is necessary in OpenSUSE 11.1 because
the KNetworkManager seems to ignore whatever CA certificates are
provided to it. The operating system itself (i.e. the
program openssl) has to recognize the CA certificates, otherwise the
connection cannot be established.
-
Click on the icon of the KNetworkManager in the system tray of the KDE
control panel. Choose “Edit Connections” →
“New Connection” → “Wireless”
(“Bearbeite Verbindungen” → “Neue Verbindung”
→ “Drahtlos”)
and select the WLAN network “eduroam” from the list.
Then click on “Next” (“Weiter”) in order to arrive at
the following dialog window for entering the security settings:
-
As shown in the picture above, enter the connection data:
- “Use Wireless Security” (“Benutze
Drahtlos-Sicherheit”) must be checked.
- The “Security” type (“Sicherheit”)
is “WPA Enterprise”.
- Choose the “EAP Method”
(“EAP-Methode”) “TTLS”
and the “Phase 2 Method”
(“Phase 2-Methode”) “PAP”.
Alternatively the EAP method “PEAP” and the
phase 2 method “MsCHAPv2” can be used
(see here).
- The “CA Certificate”
(“CA-Zertifikat”) entry can be left empty. As explained above,
the KNetworkManager seems to ignore what you specify here.
(And when you edit a WLAN connection where you have previously specified
a CA certificate, this field is empty again.)
- The first part of the “Identity”
(“Identität”)
is the WLAN/VPN user name which you got from the RWTH computer
centre and which is usually identical to the account name for the
TIM login manager where you can also change the passwords.
This user name normally consists of your initials followed by a 6-digit
number.
Append the realm “@rwth-aachen.de” to this user name in
order to complete the identity.
- The “Password” (“Passwort”) must be the
one for your WLAN/VPN account.
- The “Anonymous Identity” (“Anonyme
Identität”) field should contain
“anonymous@rwth-aachen.de” (where the part before
“@rwth-aachen.de” is arbitrary).
See the “Note on the
anonymous identity” below for details.
- The other fields are not needed for this type of WLAN authentication and
should be left empty.
-
The subsequent settings reachable through the “Next”
(“Weiter”) button do not have to be changed.
Therefore you can already click on the button “Connect &
Save” (“Verbinden & Speichern”) in this window of
the security settings.
The connection to the eduroam WLAN network and the authentication
should then proceed, and you can watch the status through the appearance of
the KNetworkManager icon in the system tray.
-
The saved configuration of your WLAN connection can be accessed and changed
via “Edit Connections” (“Bearbeite Verbindungen”) from
the KNetworkManager icon.
The KNetworkManager saves its configuration data in the file
“~/.kde/share/config/knetworkmanagerrc” under the user's
home directory.
The password is stored there as well
– in clear text, readable for
everyone with read access to this file!
So make sure that nobody else gets access to
“~/.kde/share/config/knetworkmanagerrc”.
These instructions are dedicated to the window manager GNOME,
using the network manager applet nm-applet for connecting to
wireless networks.
They have been tested successfully with OpenSUSE 11.1 and
Ubuntu 9.04, but they probably also work for other Linux
distributions with the same version of the network manager and
the nm-applet.
-
The GNOME window manager uses the program “nm-applet” as
a frontend to the network manager. This program displays an icon in the system
tray of the GNOME control panel.
You can either left-click on the nm-applet icon and select the WLAN
network “eduroam” from the list, which makes a window appear
for entering the WLAN security settings.
In this case you can skip step 2 concerning the tabs
“Wireless” and “IPv4 Settings”.
Or you can right-click on the nm-applet icon and choose
“Edit Connections” → “Wireless” →
“Add”
(“Verbindungen bearbeiten” → “Funknetzwerk”
→ “Hinzufügen”).
In this second case a configuration window with three tabs as shown below pops
up:
-
In the tab “Wireless” (“Funknetzwerk”),
- enter “eduroam” as the “SSID” of
the WLAN network and
- make sure that the “Mode” (“Modus”) is
set to “Infrastructure” (“Infrastruktur”).
In the tab “IPv4 Settings”
(“IPv4-Einstellungen”), leave the “Method”
(“Methode”) as “Automatic (DHCP)”
(“Automatisch (DHCP)”).
The settings in these two tabs are automatically configured if you have chosen
the eduroam network from the list in step 1.
-
In the tab “Wireless Security” (“Sicherheit des
Funknetzwerks”), enter the following connection data:
- The “Security” type (“Sicherheit”)
is “WPA & WPA2 Enterprise”.
- Choose the “Authentication” type
(“Authentifizierung”) “Tunneled TLS”
(“Getunneltes TLS”)
and the “Inner Authentication”
(“Innere Authentifizierung”) “PAP”.
Alternatively the authentication “PEAP” and the
inner authentication “MsCHAPv2” can be used
(see here).
- The “Anonymous Identity” (“Anonyme
Identität”) field should contain
“anonymous@rwth-aachen.de” (where the part before
“@rwth-aachen.de” is arbitrary).
See the “Note on the
anonymous identity” below for details.
- For the “CA Certificate”
(“CA-Zertifikat”) you cannot specify the RWTH
certificate chain as in the instructions
for OpenSUSE 10.3 above because the network manager
uses only the first of the three certificates contained in this file
(see the discussion in this
bug report).
Thus only the certificate of the RWTH Aachen CA is provided, which is not
sufficient without the CA certificates from which it is derived.
There are two possible solutions:
- Either specify as CA certificate a file containing only the
top-level root certificate of Deutsche Telekom.
You can download it from here:
Deutsche_Telekom_Root_CA_2.pem
(via “Save link as ...”),
which is just the last part of the
RWTH
certificate chain.
It is also available from the
RWTH
computer centre or via extracting it from the archive
ca-rwth-certs.tar
(see above).
This solution corresponds to the one proposed by the RWTH computer
centre for Ubuntu 9.04 (see
here).
- Or leave the CA certificate field empty
(“None” / “keine”) as in the picture
above, but follow the instructions above for
installing the SSL certificates of the RWTH
certificate authorities.
In this case the network manager will use these system-wide installed
certificates to identify the server, and no CA certificate
needs to be specified.
Possibly the nm-applet and maybe also the NetworkManager
have to be restarted before they recognize the newly installed
certificates.
- The first part of the identity (here called “User
Name” / “Benutzername”)
is the WLAN/VPN user name which you got from the RWTH computer
centre and which is usually identical to the account name for the
TIM login manager where you can also change the passwords.
This user name normally consists of your initials followed by a 6-digit
number.
Append the realm “@rwth-aachen.de” to this user name in
order to complete the identity.
- The “Password” (“Passwort”) must be the
one for your WLAN/VPN account.
-
Click on “Apply” (“Anwenden”) to save the
network configuration.
Afterwards left-click on the nm-applet icon and select
the eduroam network in order to connect to it.
If, in step 1 above, you have already chosen the eduroam network from
the list of networks and then entered the security settings in the subsequent
pop-up window, you can directly choose to connect there.
-
The saved configuration of your WLAN connection can be accessed and changed
via “Edit Connections” → “Wireless”
(“Verbindungen bearbeiten” → “Funknetzwerk”)
from the nm-applet icon.
The nm-applet saves its configuration data in subdirectories of
“~/.gconf/system/networking/connection” under the user's
home directory which are also accessible via the graphical frontend
gconf-editor.
The password, however, is stored in an encrypted form by the Gnome Keyring
Manager (under “~/.gnome2/keyrings”).
These instructions rely on using the window manager
KDE 3.5 with the corresponding version of the KDE network
manager KNetworkManager for connecting to wireless networks.
They have been tested successfully with OpenSUSE 10.3 and
with Debian Lenny, but they probably also work for other Linux
distributions as long as you use the KNetworkManager.
-
The RWTH
certificate chain contains the three CA certificates (in PEM format) which
allow your computer to identify the server of the WLAN network before
transmitting your password to it.
Download this certificate chain (e.g. while connected via the mops
network, see above) by choosing “Save link as
...” in the context menu of the link at the beginning of this paragraph
in order to save this file anywhere on the hard disk of your laptop.
(I have placed this file under “/etc/openvpn/ca-rwth.pem” because I
also need it for VPN connections, but you can choose any location
which is readable for the user account you are normally working with.)
-
KDE by default uses the KNetworkManager to establish
the network connections. This program usually displays an icon in the system
tray of the KDE control panel. Click on this icon and choose the WLAN
network “eduroam” to connect to it.
As this network is encrypted, it needs additional data before the connection
can be established, and so the KNetworkManager opens the following
pop-up window:
-
As shown in the picture above, enter the necessary data:
- The “Encryption” (“Verschlüsselung”)
is “WPA Enterprise”,
using “WPA version” (“WPA-Version”)
“WPA 2”.
(Alternatively the version “WPA 1” can be used on
the WLAN network “eduroam-WPAonly”.)
- Choose the authentication type (“EAP Method” /
“EAP-Methode”) “TTLS”
and the authentication protocol (“Phase Two”)
“PAP”.
Alternatively the authentication type “PEAP” and the
authentication protocol “MsCHAPv2” can be used
(see here).
Older versions of the KNetworkManager (e.g. the one
in OpenSUSE 10.2) do not show a field labelled
“Phase Two”; in that case the authentication protocol is
(hopefully) selected automatically.
- The “CA Certificate File”
(“CA-Zertifikatdatei”) entry contains the path and filename
where you have saved the certificate chain
(see step 1; in my case “/etc/openvpn/ca-rwth.pem”).
If you can only connect to the eduroam network when leaving
the CA certificate file empty, see the section on
installing the SSL certificates below.
- The first part of the “Identity”
(“Identität”)
is the WLAN/VPN user name which you got from the RWTH computer
centre and which is usually identical to the account name for the
TIM login manager where you can also change the passwords.
This user name normally consists of your initials followed by a 6-digit
number.
Append the realm “@rwth-aachen.de” to this user name in
order to complete the identity.
- The “Password” (“Passwort”) must be the
one for your WLAN/VPN account.
- The “Anonymous Identity” field should contain
“anonymous@rwth-aachen.de” (where the part before
“@rwth-aachen.de” is arbitrary).
See the “Note on the
anonymous identity” below for details.
- The other fields should be grey (i.e. nothing can be entered there) as
they belong to different encryption or authentication types.
-
Click on the button “Connect” (“Verbinden”).
The connection to the eduroam WLAN network and the authentication
should then proceed, and you can watch the status through the appearance of
the KNetworkManager icon in the system tray.
-
The KNetworkManager should save your eduroam configuration
and use it for connecting whenever it detects this WLAN network around
(see the “Note on the
KNetworkManager configuration file” below).
Depending on your configuration of the KNetworkManager, the password
for the connection to the eduroam network will probably be saved
in kwallet, the digital wallet of KDE, and kwallet
will prompt you for the master password which protects the saved passwords.
In this case the KNetworkManager will contact kwallet for the
password every time it connects to the eduroam network, which results
in kwallet prompting you for the master password.
The
KNetworkManager lists its known wireless networks with the
corresponding access points in the window of its configuration settings.
But the authentication details of the network connections can neither be viewed
nor changed there. They are, however, listed in the
KNetworkManager
configuration file which resides in
“~/.kde/share/config/knetworkmanagerrc” under the user's
home directory. The entry for the
eduroam network in this file looks
like this:
[Network_xxxxxxxxxxxxxxxx]
AnonIdentity=anonymous@rwth-aachen.de
CertCA=/etc/openvpn/ca-rwth.pem
CertClient=
CertPrivate=
Cipher=32
ESSID=eduroam
Encryption=WPA-EAP
Fallback=false
HardwareAddresses=00:11:22:33:44:55,...
Identity=bjxxxxxx@rwth-aachen.de
Method=TTLS
PhaseTwo=PAP
Timestamp=2009,6,18,12,16,55
WPAVersion=WPA2
If necessary, you can look up your configuration settings in this file or even
make changes there.
It seems that the anonymous identity (“Anonyme
Identität”) in the installation
instructions above is used in unencrypted parts of the WLAN
connection, especially before the encrypted connection is established.
If you want to hide your true identity
(WLAN/VPN-account@rwth-aachen.de) from eavesdroppers, you should not
enter it as the anonymous identity.
Instead, for connections at your home institution RWTH Aachen, you can choose
an arbitrary anonymous identity.
When establishing an eduroam WLAN connection at other locations, it
will probably be necessary to specify something of the form
“xxx@rwth-aachen.de” (like the examples above). The correct realm
“@rwth-aachen.de” tells the server of the
access point to forward your login data to the RWTH Aachen for authentication
(see these configuration instructions).
The anonymous identity seems to be identical to the
“Roaming-Identität” mentioned in the
general settings of the RWTH computer centre.
The connection to the eduroam network can also be established if you
leave the anonymous identity field empty. Perhaps the network manager
then uses the true identity for the anonymous identity as
well, spoiling any attempt to keep the true identity secret in
unencrypted parts of the connection. Therefore it would be advisable not
to leave the anonymous identity empty, but to enter
“anonymous@rwth-aachen.de” there.
This help page was written by Bernd Jantzen
in the hope that it might be useful.
Please use it at your own risk.
Comments and suggestions are welcome.
Bernd Jantzen
Contact me: jantzen@physik.rwth-aachen.de