Linux

WLAN configuration

Connecting to KIT and eduroam

The following shows how to connect to KIT. The configuration for the SSID eduroam is done analogously.

Install Root CA Certificate

The T-TeleSec GlobalRoot Class 2 certificate is required.
It is included in the debian/ubuntu package ca-certificates.
The installed certificate can be found in the file /etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem.

Manual download for the root CA certificate: T-TeleSec_GlobalRoot_Class_2.crt
or use the alternative Link/Format from here: Telekom_Security_ServerID_OV_Class_2_CA.fullchain.pem

You can either use the Network Manager, a graphical user interface for wpa_supplicant, or wpa_supplicant itself.

Network Manager

Choose the network KIT in the Network Manager [figure 1]. Configure the settings and click on "Connect" [figure 2].

  • Wireless security: WPA & WPA Enterprise
  • Authentication: Tunneled TLS
  • Anonymous identity: anonymous@kit.edu
  • Domain: radius-wlan.scc.kit.edu (option is missing in older versions of Network Manager)
  • CA certificate: /etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem
  • Inner authentication: PAP
  • Username: your KIT account (e.g. ab1234@kit.edu or uxxxx@kit.edu)
  • Password: your password
Figure 1: Network Manager
Figure 1: Network Manager
Figure 2: Configuration
Figure 2: Configuration

 

wpa_suppliant

If you want to use wpa_supplicant without a gui, you can use the following settings in your configuration file.

More information on wpa_supplicant can be found in the archlinux wiki.

WPA2/WPA3-Enterprise (mixed/transition)

network={
ssid="KIT"
key_mgmt=WPA-EAP WPA-EAP-SHA256
pairwise=CCMP TKIP
group=CCMP TKIP
eap=TTLS
phase2="auth=PAP"
anonymous_identity="anonymous@kit.edu"
identity="ab1234@kit.edu"
password="password"
ca_cert="/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem"
altsubject_match="DNS:radius-wlan.scc.kit.edu"
ieee80211w=1
}

WPA3-Enterprise (only/exclusive)

Currently WPA2/WPA3-Enterprise is supported.
A WPA3-only will be provided in the future. Please use the mixed configuration above.

iwd

If you want to use iwd, you must create a configuration file /var/lib/iwd/KIT.8021x that contains the following. ca_cert is configured for Debian/Ubuntu. For other distributions it may differ. See also the information about the CA certificate at the top of this page.

WPA2/WPA3-Enterprise (mixed/transition)

[General]
ManagementFrameProtection=1

[Security]
EAP-Method=TTLS
EAP-Identity=anonymous does-not-exist.kit edu
EAP-TTLS-CACert=/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem
EAP-TTLS-ServerDomainMask=radius-wlan.scc.kit.edu
EAP-TTLS-Phase2-Method=Tunneled-PAP
EAP-TTLS-Phase2-Identity=ab1234 does-not-exist.kit edu
EAP-TTLS-Phase2-Password=password

[Settings]
AutoConnect=true

WPA3-Enterprise (only/exclusive)

Currently WPA2/WPA3-Enterprise is supported.
A WPA3-only will be provided in the future. Please use the mixed configuration above.