eduroam   UNINETT

Linux: wpa_supplicant

Make sure you have the latest firmware and driver for your wireless card, and that the firmware supports TKIP encryption (WPA) or better (CCMP/AES, WPA2). Some drivers also have problems connecting to access points that do not broadcast their SSID. Be sure to apply any available patches.

The certificate of your institution's Certificate Authority (CA) must be downloaded and placed somewhere your client can read it locally, for example /etc/ssl/certs/ (the examples below use placeholder paths that you must adjust). This CA certificate is what lets the client verify that it is talking to the real RADIUS server: without a configured ca_cert, wpa_supplicant accepts any server certificate, and a rogue access point announcing "eduroam" can collect your MSCHAPv2 credentials. Obtain the CA certificate over a trusted channel (your institution's web site over HTTPS, or from your IT department), not over the wireless network you are trying to join.

wpa_supplicant can be downloaded from the project's web site.

Be sure to read the README file, as it explains the level of support in the various drivers.

Before wpa_supplicant can be compiled, the following options must be set to 'y' in the .config file (copy defconfig to .config and edit it):

CONFIG_IEEE8021X_EAPOL=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_TLS=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y

Strictly speaking only one of TLS, PEAP or TTLS is necessary (depending on which method your institution uses); MSCHAPv2 is the inner method used with PEAP and TTLS below, and the remaining options may prove useful later. For EAP-TLS you also need a client (user) certificate and its private key.

You also need to select the driver you are using. For example, for the MADWiFi driver:

CONFIG_DRIVER_MADWIFI=y

Then build with

make

and install with

cp wpa_cli wpa_supplicant /usr/local/bin

...or somewhere else you prefer.

With your favourite editor, edit

/etc/wpa_supplicant.conf (or /etc/wpa_supplicant/wpa_supplicant.conf)

so that it contains the following (using TTLS). The file holds your password in cleartext, so make it readable only by root (chmod 600).

        ctrl_interface=/var/run/wpa_supplicant
        ctrl_interface_group=root
        network={
              ssid="eduroam"
              scan_ssid=1
              key_mgmt=WPA-EAP
              eap=TTLS
              # outer (cleartext) identity: only the realm, never the real username
              anonymous_identity="anonymous@uninett.no"
              # CA that issued the RADIUS server certificate; required, see above
              ca_cert="/path/to/certificate/uninett-ca.crt"
              # inner identity and password, sent only inside the TLS tunnel
              identity="brukernavn"
              password="password"
              # (phase1="peaplabel=0" is a PEAP-only option and has no effect for TTLS)
              phase2="auth=MSCHAPV2"
        }

Another configuration, almost identical to the above, only using PEAP:

        ctrl_interface=/var/run/wpa_supplicant
        ctrl_interface_group=localadm
        network={
              ssid="eduroam"
              key_mgmt=WPA-EAP
              eap=PEAP
              anonymous_identity="anonymous@uninett.no"
              ca_cert="/path/to/certificate/uninett-ca.crt"
              identity="brukernavn"
              password="password"
              phase2="auth=MSCHAPV2"
        }

A third alternative configuration uses a client certificate with EAP-TLS, and ca_path pointing to a directory of trusted CAs (/etc/wpa_supplicant/certs) instead of a single CA file. The directory must be in OpenSSL's hashed format (run c_rehash on it) for ca_path to work.

        ctrl_interface=/var/run/wpa_supplicant
        ctrl_interface_group=wheel
        network={
                ssid="eduroam"
                scan_ssid=0
                key_mgmt=WPA-EAP
                eap=TLS
                # directory of trusted CA certificates in OpenSSL hashed format
                ca_path="/etc/wpa_supplicant/certs"
                client_cert="/path/to/client-crt.pem"
                private_key="/path/to/client-key.pem"
                # add private_key_passwd="..." if the key file is encrypted
                identity="brukernavn@uninett.no"
        }
Modify the user name, password and certificate paths to what applies at your institution.
(ctrl_interface_group specifies which user group is allowed to control wpa_supplicant through wpa_cli or wpa_gui; members of that group can read status and change networks, so keep it to administrators.)
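The three configurations above differ in small details that matter for security (whether a CA is configured, whether the outer identity is anonymous, whether a PEAP-only option has crept into a TTLS block). The following is an added example, not part of the original UNINETT page: a small Python linter that parses network={} blocks and flags those pitfalls. Option names are real wpa_supplicant.conf keys; domain_suffix_match and altsubject_match are newer than the 2005 version described here and may be unknown to old releases, so the corresponding finding is informational. The sample configurations embedded in it are constructed (one is the TTLS block from this page).

```python
"""Lint wpa_supplicant network={} blocks for common 802.1X/EAP mistakes.

Added example, not part of the original UNINETT page. Option names are real
wpa_supplicant.conf keys; domain_suffix_match/altsubject_match are newer
than the 2005 page and may be unknown to old wpa_supplicant versions.
"""
import re

TUNNELLED = {"PEAP", "TTLS", "FAST"}  # methods that carry a password inside TLS


def parse_networks(conf_text):
    """Return one dict per network={...} block; quotes stripped, comments skipped."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf_text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            net[key.strip()] = value
        networks.append(net)
    return networks


def lint_network(net):
    """Return (code, message) findings for a single network block."""
    findings = []
    eap = net.get("eap", "").upper()
    key_mgmt = net.get("key_mgmt", "").upper().split()
    if not any(k.startswith("WPA-EAP") or k == "IEEE8021X" for k in key_mgmt):
        return [("NOT_EAP", "key_mgmt does not select 802.1X/EAP")]

    # Without ca_cert/ca_path wpa_supplicant accepts ANY server certificate, so a
    # rogue "eduroam" AP can terminate the TLS tunnel and harvest the MSCHAPv2
    # exchange for offline cracking.
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append(("NO_CA_CERT",
                         "no ca_cert/ca_path: RADIUS server certificate is not validated"))
    elif not any(k in net for k in ("domain_suffix_match", "altsubject_match", "subject_match")):
        findings.append(("NO_SERVER_NAME_MATCH",
                         "CA trusted but server name not pinned; every certificate "
                         "that CA ever issued is accepted"))

    if eap in TUNNELLED:
        pw = net.get("password")
        if pw is None:
            findings.append(("NO_PASSWORD", f"EAP-{eap} needs an inner password"))
        elif not pw.startswith("hash:"):
            # hash:<NT hash> avoids storing the reusable cleartext; the hash is still
            # password-equivalent for MSCHAPv2, so the file must stay mode 0600 anyway.
            findings.append(("PLAINTEXT_PASSWORD",
                             "password stored in cleartext; chmod 600 the file or use hash:<NT hash>"))
        if "anonymous_identity" not in net:
            findings.append(("NO_ANONYMOUS_IDENTITY",
                             "outer identity leaks the real username in cleartext"))
    elif eap == "TLS":
        for key in ("client_cert", "private_key"):
            if key not in net:
                findings.append(("MISSING_" + key.upper(), f"EAP-TLS requires {key}"))

    if "peaplabel" in net.get("phase1", "") and eap != "PEAP":
        findings.append(("PEAPLABEL_IGNORED",
                         f"phase1 peaplabel= is PEAP-only and has no effect for EAP-{eap}"))
    return findings


def lint_conf(conf_text):
    """Lint every network block; returns a list of finding-code lists, in file order."""
    return [[code for code, _ in lint_network(net)] for net in parse_networks(conf_text)]


# Constructed samples: the TTLS block from this page, and a careless variant.
SAMPLE_TTLS = """
ctrl_interface=/var/run/wpa_supplicant
network={
      ssid="eduroam"
      scan_ssid=1
      key_mgmt=WPA-EAP
      eap=TTLS
      anonymous_identity="anonymous@uninett.no"
      ca_cert="/path/to/certificate/uninett-ca.crt"
      identity="brukernavn"
      password="password"
      phase1="peaplabel=0"
      phase2="auth=MSCHAPV2"
}
"""

SAMPLE_NO_CA = """
network={
      ssid="eduroam"
      key_mgmt=WPA-EAP
      eap=PEAP
      identity="brukernavn@uninett.no"
      password="hash:0123456789abcdef0123456789abcdef"
      phase2="auth=MSCHAPV2"
}
"""

if __name__ == "__main__":
    for name, text in (("page TTLS", SAMPLE_TTLS), ("no CA", SAMPLE_NO_CA)):
        for net in parse_networks(text):
            for code, msg in lint_network(net):
                print(f"{name}: {net.get('ssid')}: {code}: {msg}")
```

Run it against your own wpa_supplicant.conf before connecting. NO_CA_CERT is the finding that matters most: it means the password (or its NT hash) is handed to whichever RADIUS server the access point forwards you to. The NT-hash form of the password only protects the reusable cleartext, not the account, so the file permissions still have to be tight.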

Start wpa_supplicant like this: wpa_supplicant -D madwifi -c /etc/wpa_supplicant/wpa_supplicant.conf -d -i ath0

(-d prints debug output, which is useful while getting the authentication to work; once it does, drop -d and add -B to run it in the background. Note that wpa_supplicant supports many drivers; chances are high you can use -D wext if you do not have madwifi.)

iwconfig should then show output like this:

ath0      IEEE 802.11b  ESSID:"eduroam"  Nickname:"mycomputer.uninett.no"
          Mode:Managed  Frequency:2.412GHz  Access Point: 00:07:85:92:22:75  
          Bit Rate:11Mb/s   Tx-Power:50 dBm   Sensitivity=0/3  
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:569A-C02F-A312-A56B-2C1A-75FD-A277-BE1C   Security mode:restricted
          Power Management:off
          Link Quality:25/94  Signal level:-70 dBm  Noise level:-95 dBm
          Rx invalid nwid:7003  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:3

Run dhclient ath0 to obtain an IP address from the DHCP server.

mail@eduroam.no 2005-02-02