May 29, 2019

OpenBSD: eduroam

A note to myself, because it took me a while to get working: this is my configuration for connecting to eduroam, authenticating against the CSIC server.

As root, I launch the following script:

#!/bin/sh

# Make sure only root can run our script
if [ "$(id -u)" != "0" ]; then
echo ""
echo " This script must be run as root" 1>&2
echo ""
exit 1
fi

# First tear down all network configuration, just in case.

# These bits are from Eric. Will add a link to the original web page when I remember it:
# One thing that might not be obvious on BSD is how to switch from one network to
# another, when switching from wireless to wired for example. First, remove
# any IP addresses and set the interface down.

ifconfig iwm0 -inet down
ifconfig em0 -inet down
ifconfig em0 up
ifconfig iwm0 up
sleep 1

# Removing the IP address from an interface also drops any link-local or
# so-called "connected" routes. It may be helpful to nuke all routes.
# -n prevents route from trying to resolve hostnames.

route -n flush
sleep 1

# Delete the wpa_supplicant control socket for the interface, if a stale one
# was left behind by an earlier run (-e is the portable existence test).

if [ -e "/var/run/wpa_supplicant/iwm0" ]; then
echo ""
echo "Found an existing socket, removing it now."
rm /var/run/wpa_supplicant/iwm0
echo ""
else
echo ""
echo "No sockets found, proceeding."
echo ""
fi

# Go for it: drop any leftover pre-shared key, configure the interface for
# WPA with 802.1X (EAP) key management, hand the EAP exchange to
# wpa_supplicant (-B background, -c config, -D driver, -i interface),
# then wait a few seconds for authentication before asking for an address.

ifconfig iwm0 -wpakey
ifconfig iwm0 nwid eduroam wpa wpaakms 802.1x up
wpa_supplicant -Bc /your/path/to/eduroam.conf -D openbsd -i iwm0
sleep 4
dhclient iwm0

And, of course, the most interesting part: the configuration file (for CSIC in my case; the realm, identity and password are placeholders here):

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

eapol_version=1

network={
ssid="eduroam"
key_mgmt=WPA-EAP
eap=TTLS
ca_cert="/etc/ssl/cert.pem"
anonymous_identity="anonymous@zzzz.zz"
identity="YYYYYYYYYYY"
password="XXXXXXXXXXX"
phase2="auth=PAP"
}
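One caveat on the configuration above. It trusts the whole system CA bundle (ca_cert) but never says which server it expects, and with TTLS/PAP that matters: the password crosses the TLS tunnel in clear text, so a rogue access point presenting a certificate issued by any CA in that bundle, for any name, would receive it. wpa_supplicant's domain_suffix_match (or altsubject_match / subject_match) pins the RADIUS server's name and closes that gap. The script below is an added example, not part of the original post and not CSIC's configuration: it writes a hardened variant of the network block and audits an eduroam.conf for the things worth checking before trusting it with a password (a CA is set, the server name is pinned, an outer anonymous_identity is used, and the file is not group/world readable). radius.example.org, example.org and the identity/password are placeholders; substitute the server name your institution publishes.

```shell
#!/bin/sh
# Added example, not from the original post: audit an eduroam
# wpa_supplicant.conf for the pitfalls that matter with EAP-TTLS/PAP.
# With PAP the password crosses the TLS tunnel in clear text, so the
# client must verify who it is talking to: a CA must be set, the server
# name must be pinned, and the file must be readable only by its owner.

# Write a hardened example configuration to $1. The realm, identity,
# password and "radius.example.org" are placeholders (assumptions).
write_example_conf() {
    cat > "$1" <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
eapol_version=1

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    # Trust the system bundle, but only for a certificate carrying this name
    ca_cert="/etc/ssl/cert.pem"
    domain_suffix_match="radius.example.org"
    # Outer identity: only the realm is exposed to the visited network
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="secret"
    phase2="auth=PAP"
}
EOF
    chmod 0600 "$1"
}

# True if an uncommented "key=" line (optionally indented) exists in file $2.
has_key() {
    grep -Eq "^[[:space:]]*$1=" "$2"
}

# Print each problem found in configuration file $1.
# Returns 0 if the file is clean, 1 if anything needs fixing.
check_eduroam_conf() {
    conf=$1
    problems=0

    if [ ! -f "$conf" ]; then
        echo "$conf: not a regular file"
        return 1
    fi

    if ! has_key ca_cert "$conf"; then
        echo "ca_cert missing: the server certificate is not validated at all"
        problems=$((problems + 1))
    fi

    if ! has_key domain_suffix_match "$conf" \
       && ! has_key altsubject_match "$conf" \
       && ! has_key subject_match "$conf"; then
        echo "server name not pinned: any certificate from any CA in the bundle is accepted"
        problems=$((problems + 1))
    fi

    if has_key password "$conf"; then
        # First field of ls -ld is the mode string; columns 5-10 are the
        # group and other permission bits, which must all be "-".
        case "$(ls -ld "$conf" | cut -c5-10)" in
            ------) ;;
            *) echo "password stored in clear text but file is group/world readable"
               problems=$((problems + 1)) ;;
        esac
    fi

    if ! has_key anonymous_identity "$conf"; then
        echo "anonymous_identity missing: the real username is sent in the clear to the visited network"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Usage when run directly: sh check_eduroam_conf.sh /path/to/eduroam.conf
if [ "$#" -gt 0 ]; then
    check_eduroam_conf "$1"
fi
```

Run against the configuration from the post, the checker reports the missing name pinning; the rest of that file passes once it is chmod 0600. domain_suffix_match is matched against the dNSName entries of the server certificate (eduroam's own configuration tool relies on the same option), so the value must be the name your institution's RADIUS certificate actually carries.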