Last updated: Wednesday 04 February 2026 @ 07:51:27

Eduroam

[!WARNING]

  • NetworkManager uses wpa_supplicant as the backend for Wi-Fi connections; even if you set a different backend, you cannot connect to eduroam
  • We are going to use purely iwd as our Wi-Fi manager; this replaces wpa_supplicant

1. Enable/Disable the WiFi-backend

  1. Edit the backend configuration with sudo vim /etc/NetworkManager/conf.d/wifi_backend.conf.

    Code

    [device]
    wifi.backend=iwd
    
  2. We need to disable wpa_supplicant so that we can use iwd.

    Terminal

    sudo systemctl stop wpa_supplicant
    sudo systemctl disable wpa_supplicant
    sudo systemctl status wpa_supplicant
    

    Output

    ○ wpa_supplicant.service - WPA supplicant
     Loaded: loaded (/lib/systemd/system/wpa_supplicant.service; disabled; preset: enabled)
     Active: inactive (dead)
    

    Note

    systemctl is the primary command-line interface for controlling systemd, the init system and service manager used by most modern Linux distributions. It allows administrators and users to inspect, start, stop, enable, disable, restart and otherwise manage system services and the overall system state.

  3. Enable iwd

    Terminal

    sudo systemctl enable iwd
    sudo systemctl start iwd
    sudo systemctl status iwd
    

    Output

    ● iwd.service - Wireless service
        Loaded: loaded (/lib/systemd/system/iwd.service; enabled; preset: enabled)
        Active: active (running) since Wed 2026-02-04 06:56:32 GMT; 15min ago
        Docs: man:iwd(8)
                man:iwd.config(5)
                man:iwd.network(5)
                man:iwd.ap(5)
    Main PID: 616 (iwd)
        Tasks: 1 (limit: 9577)
            CPU: 25ms
        CGroup: /system.slice/iwd.service
             └─616 /usr/libexec/iwd
    

    Note

    • iwd (Intel Wireless Daemon) is the intended modern replacement for wpa_supplicant on contemporary Linux systems.

      • really needed for enterprise networks too!
    • wpa_supplicant remains relevant primarily for legacy hardware and specialised enterprise configurations.

2. Configure iwd eduroam.8021x

  1. Create the following configuration file for the enterprise network

    Terminal

    sudo vim /var/lib/iwd/eduroam.8021x
    

    Code

    [Security]
    EAP-Method=PEAP
    EAP-Identity=USERNAME@gre.ac.uk
    EAP-PEAP-Phase2-Method=MSCHAPV2
    EAP-PEAP-Phase2-Identity=USERNAME@gre.ac.uk
    EAP-PEAP-Phase2-Password=UoG_Account_Password
    EAP-PEAP-CACERT=/etc/ssl/certs/Gre_Eduroam_CA.pem
    

    See man 5 iwd.network

    Explanation of eduroam.8021x

    Below is an explanation of each setting. The man page for iwd gives this information.

    • EAP-Identity=

      • What it is:

        • The outer (anonymous-visible) identity presented during the initial EAP exchange.
      • Why it is used:

        • Allows the RADIUS infrastructure to route authentication requests to the correct home institution

        • Often visible to the network before encryption is complete

    • EAP-PEAP-Phase2-Method=MSCHAPV2

      • What it is:

        • Defines the inner authentication protocol used inside the PEAP tunnel.
      • Why it is used:

        • MSCHAPv2 supports username/password authentication

        • Compatible with Active Directory / LDAP-backed RADIUS servers

        • Standard choice for eduroam-style deployments

    • EAP-PEAP-Phase2-Identity=

      • What it is:

        • The inner identity, used during Phase 2 authentication.
      • Why it is used:

        • This identity is sent inside the encrypted tunnel

        • Used by the authentication backend (e.g. AD) to locate the user account

    • EAP-PEAP-Phase2-Password=

      • What it is:

        • The password associated with the Phase 2 identity.
      • Why it is used:

        • Authenticates the user against the institution’s directory service

        • Never transmitted in plaintext due to the PEAP TLS tunnel

    • EAP-PEAP-CACERT=/etc/ssl/certs/

      • What it is:

        • The trusted Certificate Authority (CA) used to validate the RADIUS server’s TLS certificate.
      • Why it is used (critically important):

        • Prevents evil twin / rogue access point attacks

        • Ensures the client only trusts legitimate university authentication servers

        • Required for secure PEAP operation

    Tip

    You may need to restart NetworkManager and iwd before the next step.
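
A lint for the profile above, as an added example that is not part of the original page: it checks the points the explanation makes (a CA is set and readable, the outer identity does not simply repeat the inner one, the file holding the password is private) and also looks for EAP-PEAP-ServerDomainMask, an iwd.network(5) setting this page does not use. The function names, finding codes and the temporary sample profile are constructed for illustration; whether your institution accepts a different outer identity is an assumption to confirm with its IT service.

```shell
#!/bin/sh
# Added example (not from the original page): lint an iwd 802.1X profile.

# get_key FILE KEY: print the value of the first "KEY=value" line, if any.
get_key() {
    sed -n "/^[[:space:]]*$2[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*\$//;p;}" "$1" | head -n 1
}

# audit_8021x FILE: print one finding code per line; return 1 if any were found.
audit_8021x() {
    f=$1; rc=0
    outer=$(get_key "$f" EAP-Identity)
    inner=$(get_key "$f" EAP-PEAP-Phase2-Identity)
    ca=$(get_key "$f" EAP-PEAP-CACERT)
    mask=$(get_key "$f" EAP-PEAP-ServerDomainMask)
    # Without a usable CA the RADIUS server's certificate cannot be validated.
    if [ -z "$ca" ]; then echo "NO_CACERT"; rc=1
    elif [ ! -r "$ca" ]; then echo "CACERT_UNREADABLE $ca"; rc=1; fi
    # A domain mask additionally checks the server name inside the certificate.
    if [ -z "$mask" ]; then echo "NO_SERVER_DOMAIN_MASK"; rc=1; fi
    # The outer identity can be seen before the TLS tunnel is established.
    if [ -n "$outer" ] && [ "$outer" = "$inner" ]; then echo "OUTER_ID_EQUALS_INNER"; rc=1; fi
    # The profile stores the password: group/other permission bits must be empty.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then echo "PROFILE_NOT_PRIVATE"; rc=1; fi
    return $rc
}

# Constructed sample: the page's profile with its placeholder credentials,
# the CA path pointed at a temporary stand-in file, and mode 644.
demo() {
    d=$(mktemp -d); : > "$d/ca.pem"
    cat > "$d/eduroam.8021x" <<EOF
[Security]
EAP-Method=PEAP
EAP-Identity=USERNAME@gre.ac.uk
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=USERNAME@gre.ac.uk
EAP-PEAP-Phase2-Password=UoG_Account_Password
EAP-PEAP-CACERT=$d/ca.pem
EOF
    chmod 644 "$d/eduroam.8021x"
    if audit_8021x "$d/eduroam.8021x"; then rc=0; else rc=1; fi
    rm -rf "$d"; return $rc
}

demo || true
```

On a real system, call audit_8021x /var/lib/iwd/eduroam.8021x as root, since the profile should not be readable by other users.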

3. Connect to Eduroam

  1. Then run the iwctl command; this puts you in a subshell:

    Terminal

    iwctl 
    [iwd]#  station wlan0 connect eduroam
    [iwd]#  station wlan0 show
    

    Output

                                        Station: wlan0
    --------------------------------------------------------------------------------------
        Settable   Property             Value
    --------------------------------------------------------------------------------------
                    Scanning             no
                    State                connected
                    Connected network    eduroam
                    IPv4 address         172.19.105.111
                    ....
    
  2. Confirm by sending a ping to google.com (8.8.8.8)

SUCCESS!