September 2019. First day at University, I was a freshman.
After the first hour-long lesson (it was either Algorithms or Digital Systems), I started playing my favorite game: discovering the Wi-Fi networks around me, "just for fun".
It has been my favorite hobby since around 2008, when I used to play with old Nintendo/Sony consoles. At the time Wi-Fi wasn't anywhere near as widespread as it is now: many access points were (still) secured by WEP, some by WPA, and others were… unprotected!
Going back to our story: besides the usual "meme networks" like "Marco is beautiful, let's meet outside", "Not a Wifi Connection", "Crack me" or even "5G Antenna" (for a while they reminded me of the prank messages people exchanged when AirTag became popular), two networks in particular caught my attention:
<local university network> - free wifi
eduroam - secured
According to the official Eduroam website, the project connects universities around the world to create ubiquitous internet access, provided that you are successfully signed in with your own university. There is also an official page showing where Eduroam is available, with the supported countries and locations.
"Cool" - I thought - "I just need to connect to that Wi-Fi network. It asks for my identity, but it doesn't work".
A quick search led to cat.eduroam.org, the configuration assistant tool required to connect to the RADIUS server. It says "available for Windows, Linux and MacOS". There is also an Android app called geteduroam.
On Windows the tool is decent, on Android too. I cannot say for MacOS because I don't own a Mac.
What about Linux? Well, it turns out that CAT is available for Linux too, but… connecting still fails. Why? That's why we're here. Let's break down the entire process.
When we open the Python script, we're greeted by a classic "username, password, repeat password". We should hit save and be able to connect to Wi-Fi after entering our university password.
Troubleshooting
The first thing I ran was dmesg. Here's the output:
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: Associated with xx:xx:xx:xx:xx:xx
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
feb 20 15:45:40 d wpa_supplicant[995]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
feb 20 15:45:40 d wpa_supplicant[995]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-DISCONNECTED bssid=xx:xx:xx:xx:xx:xx reason=23
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=2 duration=38 reason=AUTH_FAILED
feb 20 15:45:40 d wpa_supplicant[995]: BSSID xx:xx:xx:xx:xx:xx ignore list count incremented to 2, ignoring for 10 seconds
The relevant lines are:
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
feb 20 15:45:40 d wpa_supplicant[995]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Newer versions of Ubuntu (and Debian) ship an OpenSSL that requires a newer TLS version by default: TLS 1.0 is deprecated, so the client is forced to use the latest TLS version, while the eduroam authentication server still offers only TLS 1.0. The handshake fails with "unsupported protocol" before EAP-TTLS even starts.
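To make this diagnosis repeatable (for example when a helpdesk gets "eduroam doesn't work on my laptop" reports), here is a small log triage script. It is an added example, not code from the post or from Eduroam CAT; it runs over the wpa_supplicant lines quoted above (embedded as a constructed sample) and separates a TLS minimum-version mismatch from other EAP failures, so a TLS problem on the infrastructure side is not mistaken for a wrong password. The method-number table and the `diagnose` function are my own naming.

```python
import re
import sys

# Constructed sample: the wpa_supplicant journal lines quoted in the post,
# reduced to the ones the triage below needs. Not a live capture.
SAMPLE_LOG = """\
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: Associated with xx:xx:xx:xx:xx:xx
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
feb 20 15:45:40 d wpa_supplicant[995]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
feb 20 15:45:40 d wpa_supplicant[995]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
feb 20 15:45:40 d wpa_supplicant[995]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

# IANA EAP method type numbers (vendor 0) for the methods eduroam commonly uses.
EAP_METHODS = {13: "TLS", 21: "TTLS", 25: "PEAP"}

PROPOSED_RE = re.compile(r"CTRL-EVENT-EAP-PROPOSED-METHOD vendor=(\d+) method=(\d+)")
# OpenSSL 3 reports a minimum-version mismatch as "unsupported protocol";
# the TLS alert wpa_supplicant logs for the same condition is "protocol version".
TLS_VERSION_RE = re.compile(r"unsupported protocol|fatal:protocol version")
EAP_FAILURE_RE = re.compile(r"CTRL-EVENT-EAP-FAILURE")


def diagnose(log_text):
    """Classify one EAP attempt from wpa_supplicant log lines.

    Returns a dict with the negotiated EAP method name, whether EAP failed,
    and a verdict: 'tls-version-mismatch', 'eap-failure-other' or 'ok'.
    A version mismatch takes priority because the EAP failure that follows
    it is only a consequence of the aborted TLS handshake.
    """
    method = None
    tls_version_error = False
    eap_failed = False
    for line in log_text.splitlines():
        m = PROPOSED_RE.search(line)
        if m and m.group(1) == "0":
            method = EAP_METHODS.get(int(m.group(2)), f"type-{m.group(2)}")
        if TLS_VERSION_RE.search(line):
            tls_version_error = True
        if EAP_FAILURE_RE.search(line):
            eap_failed = True
    if tls_version_error:
        verdict = "tls-version-mismatch"
    elif eap_failed:
        verdict = "eap-failure-other"
    else:
        verdict = "ok"
    return {"eap_method": method, "eap_failed": eap_failed, "verdict": verdict}


if __name__ == "__main__":
    # Pass "-" to read a real log from stdin, e.g.
    #   journalctl -u wpa_supplicant --since "10 min ago" | python3 triage.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LOG
    print(diagnose(text))
```

With the sample above the verdict is `tls-version-mismatch` for method TTLS, which tells the helpdesk that no amount of re-typing the password will help and that the fix is on the TLS configuration side.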
Initial solution: update-crypto-policies
On Fedora there is a command called update-crypto-policies that lets you re-enable TLS 1.0 by simply running one command.
However, it is not available on Debian and Ubuntu. There is an old package from 2019, but even if you install it and try to set this policy with it, it won't work. We must use another (dirty) trick.
What to do
The BEST thing to do, since TLS 1.0 has been deprecated, is to update the TLS version of the access point.
We have notified the head of our university's infrastructure to make them aware of this.
Meanwhile we have tried to figure out a fix.
According to the NetworkManager GitLab, we can (temporarily) fix this behavior by allowing TLS 1.0: the 802-1x flag tls-1-0-enable has value 0x20, so we set phase1-auth-flags to 32 (which is 20 in hex).
Practical steps
1. Run Eduroam CAT for Linux. This is mandatory in order to generate the right config file.
2. sudo nano /etc/NetworkManager/system-connections/<your-connection-ssid-here>.nmconnection (in our case, eduroam).
3. Under the [802-1x] section, add phase1-auth-flags=32 as the last line. Save!
4. Restart both NetworkManager and wpa_supplicant.
5. To connect to eduroam from now on, run sudo nmcli --ask connection up eduroam. It will ask for your password: enter it, wait a while and… you're connected!
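Steps 2 and 3 are easy to get wrong by hand (wrong section, duplicate key, an existing flags value overwritten). The following script is an added example, not part of the post or of Eduroam CAT: it edits a NetworkManager keyfile, puts phase1-auth-flags in the [802-1x] section only, ORs the 0x20 bit into any value already there instead of replacing it, and refuses to touch a file that has no [802-1x] section at all (meaning CAT has not been run yet). The sample profile is constructed; the only flag value it uses is the 0x20 (tls-1-0-enable) cited above.

```python
import sys
from pathlib import Path

# NetworkManager 802-1x auth flag cited in the post: tls-1-0-enable = 0x20 (decimal 32).
TLS_1_0_ENABLE = 0x20
SECTION = "[802-1x]"
KEY = "phase1-auth-flags"

# Constructed sample of a CAT-style keyfile (identity and paths are placeholders).
SAMPLE_KEYFILE = """\
[connection]
id=eduroam
type=wifi

[wifi]
ssid=eduroam
mode=infrastructure

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=ttls;
identity=user@example.edu
phase2-auth=mschapv2

[ipv4]
method=auto
"""


def _append_flag(out, value):
    """Append KEY=value, keeping it inside the section (before trailing blank lines)."""
    blanks = []
    while out and out[-1].strip() == "":
        blanks.append(out.pop())
    out.append(f"{KEY}={value}")
    out.extend(blanks)


def enable_tls10(keyfile_text):
    """Return the keyfile text with the tls-1-0-enable bit set in [802-1x]."""
    out, in_section, section_found, written = [], False, False, False
    for line in keyfile_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if in_section and not written:          # leaving [802-1x] without a flag line
                _append_flag(out, TLS_1_0_ENABLE)
                written = True
            in_section = s == SECTION
            section_found = section_found or in_section
        elif in_section and s.startswith(KEY + "="):
            current = int(s.split("=", 1)[1] or 0)   # keep any flags already set
            line = f"{KEY}={current | TLS_1_0_ENABLE}"
            written = True
        out.append(line)
    if not section_found:
        raise ValueError("no [802-1x] section: run Eduroam CAT first so the profile exists")
    if not written:                                  # [802-1x] was the last section
        _append_flag(out, TLS_1_0_ENABLE)
    return "\n".join(out) + "\n"


def phase1_auth_flags(keyfile_text):
    """Return the phase1-auth-flags value in [802-1x], or None if unset."""
    in_section = False
    for line in keyfile_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_section = s == SECTION
        elif in_section and s.startswith(KEY + "="):
            return int(s.split("=", 1)[1])
    return None


def apply_to_file(path):
    """Rewrite the keyfile in place; the file keeps its existing (0600) mode."""
    p = Path(path)
    p.write_text(enable_tls10(p.read_text()))


if __name__ == "__main__":
    # Usage: sudo python3 enable_tls10.py /etc/NetworkManager/system-connections/eduroam.nmconnection
    if len(sys.argv) == 2:
        apply_to_file(sys.argv[1])
    else:
        print(enable_tls10(SAMPLE_KEYFILE))
```

Running it twice is harmless (the second run leaves the file unchanged), and after editing you still need step 4, restarting NetworkManager and wpa_supplicant, before the new flag is read. Remember that this deliberately weakens your client's TLS floor for this one profile; remove the line again once the university updates its TLS version.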
NOTE: if you look at your Wi-Fi network indicator, something's really wrong: it looks like you're connected to every network, and connect/disconnect won't work.
Every time you need to connect to eduroam, you need to perform step 5.
To disconnect, just connect to another network (using nmcli).
NOTE: your NetworkManager will not be usable unless you manually disconnect from eduroam.
NOTE for Fedora users: since the command update-crypto-policies is available there (on Debian it is not, even if you manually install it from an old version), you also need to run sudo update-crypto-policies --set DEFAULT:SHA1.
Unfortunately, right now there's no alternative but to wait (😴) for the TLS update.
That’s all folks!

Let’s hope our university will hear us and update TLS. Security is important, especially on “public” usable Wi-Fi.
Special thanks to "X." for bearing with me through each step. Without them, this article wouldn't have existed.
If this article has been useful for you, consider leaving a small donation (PayPal) or buying me a virtual coffee! Your support is really important, and knowing I have it makes me happy.