wpa_supplicant.conf configuration for eduroam

This should hopefully work for any OS that uses wpa_supplicant, including Linux and FreeBSD. It's been tested on Raspbian.

network={
     ssid="eduroam"
     scan_ssid=1
     key_mgmt=WPA-EAP
     eap=PEAP
     phase2="MSCHAPV2"
     # Adjust ca_path to wherever your OS keeps its certificates.
     # Quotes around the path are REQUIRED.
     ca_path="/etc/ssl/certs"
     altsubject_match="DNS:eduroam.wireless.ucsb.edu"
     anonymous_identity="anonymous@ucsb.edu"
     identity="user@ucsb.edu"
     password=hash:0123456789abcdef
}

The password hash (the NT hash: MD4 over the UTF-16LE encoding of the password) can be generated as follows. Use only the hex digits of the output, and remember that the plaintext will end up in your shell history:
echo -n 'password_here' | iconv -t utf16le | openssl md4

The hash is a password-equivalent for network purposes, so the wpa_supplicant.conf file should still be protected, but it's more secure than including the plaintext password because it can't be used directly to log in to other services. (It could, however, still potentially be cracked.) If you need to use a plain text password, just put it in quotes, e.g. password="FooBarBiz"

ca_path and altsubject_match are technically optional, but highly recommended: together they make the client verify that the authentication server's certificate chains to a trusted CA and carries the expected name. Without them the client will happily send your password hash to any AP with its SSID set to "eduroam". MSCHAPv2 is cryptographically weak (a captured challenge/response can be cracked offline to recover the NT hash), so this could easily lead to a password compromise.

Troubleshooting

  • While wpa_supplicant's configuration file syntax is obscure, its log messages are verbose and informative. Something like grep wpa_supplicant /var/log/syslog will probably help if you hit trouble.
  • ca_path will depend on your OS, and may not work at all if you don't have a CA bundle installed. It can be temporarily commented out for troubleshooting, but this isn't a recommended configuration, because wpa_supplicant performs no certificate checks at all in that case.
  • wpa_supplicant is very particular about which parameters should and shouldn't be in quotes. If you get parse errors, try adding or removing quotes as needed.