The Pi is a powerful piece of hardware for IoT projects, and once you connect it to eduroam you’ll be able to access the web instantly from all over the world

Connect your Raspberry Pi to eduroam (special instructions for Raspbian Buster)

Connecting your Pi to eduroam is great, coz it means you’ll have net access automatically on more than 600 college campuses worldwide. Getting synced up with eduroam on a Pi is mostly a matter of following the eduroam linux setup instructions, but with a couple caveats:

1. On raspbian buster, there’s a bug in wpa_supplicant which will prevent you from connecting to the web, even though it looks the Pi is talking to eduroam
2. You may have to hack your university’s CA cert on to the pi
3. wpa_supplicant has some strange required fields unique to Raspbian

I’ll walk through dealing with each of these parts one by one. This guide assumes you’re running the latest version of Raspbian Buster, the September 2019 release at the time of writing. These instructions also assume basic knowledge of the command line — I’ve included commands for OS X, so if you’re running a different OS, you’ll have to know the equivalent on your system. If you have any questions, feel free to shoot me a message!

Let’s get started!

1. Downgrade your wpa_supplicant to the version from Raspbian Stretch

For simplicity’s sake, we’re going to run the following script which will automatically uninstall Buster’s wpa_supplicant, downgrade your package sources list to Stretch, reinstall the older wpa_supplicant, freeze the package, and then restore your package sources list. Shout out to AgentRev at the Pi forums for the neat script.

#!/bin/sh
# Downgrade wpa_supplicant on Buster
# Connect Ethernet or another Wifi network before running
sudo apt-get remove wpasupplicant -y
sudo mv -f /etc/apt/sources.list /etc/apt/sources.list.bak
sudo bash -c "echo 'deb http://raspbian.raspberrypi.org/raspbian/ stretch main contrib non-free rpi' > /etc/apt/sources.list"
sudo apt-get update
sudo apt-get install wpasupplicant -y
sudo apt-mark hold wpasupplicant
sudo cp -f /etc/apt/sources.list.bak /etc/apt/sources.list
sudo apt-get update

First, power down your Pi and put the SD card in your computer. If you don’t feel like removing your SD card, feel free to type the instructions one by one in the command line on the Pi, or SSH in, or anything you like. Note that the script requires internet access, so you’ll have to first either wire up via internet, or connect to another hotspot to access the older wpa_supplicant.

To copy the script on my mac from the command line to a file called downgrade_wpa.sh, I did

$ cd /Volumes/boot #boot is the default name for the Raspbian img
$ touch downgrade_wpa.sh
$ nano downgrade_wpa.sh

and then copy and paste the script in to the terminal.

Save the file (on the mac, ctrl-x to quit nano, y to confirm save, enter to write to the same file)

Stick the SD card back in the Pi, and execute the script. This script requires an internet connection, so either connect your Pi up via ethernet, or connect to another wifi network temporarily. On the Pi Zero, I connected to a hotspot on my phone to downgrade, since there’s no ethernet jack.

Run the following lines on the Pi, with the SD card in, to execute the downgrade_wpa.sh script you copied over to the /boot directory.

$ cd /boot
$ ./downgrade_wpa.sh #dot slash (./) runs the script in current dir

If all goes well, you should see the Pi uninstall wpa_supplicant, and then reinstall the old version from Stretch. Part one, done!

2. Get your university’s CA cert (maybe optional)

Apparently, some universities don’t do SSL for eduroam, but mine did, so perhaps check if this is necessary at your eduroam location. If your IT department is really kind, shoot them an email, explain what you’re doing, and ask them for the CA cert.

If you don’t want to bother doing that, then head over to cat.eduroam.org to hack your uni’s CA cert. It’s just a public key file, (i.e. it’s public) so it’s perfectly okay. Click “download eduroam installer,” and choose your university. Ignore the prompt to download for your own system, and click “choose another installer to download”

Download the script for linux.

You should end up with a Python script called eduroam-linux-xxxx.py. Open it in your favourite text editor, and ctrl-f for “BEGIN CERTIFICATE.”

We’re going to need to copy this to a file, so pull out the SD card from the Pi and put it in your computer again. Copy and paste the entire string (there should be two certificates) to a file on the root of your SD card. On the mac, to create an empty file called eduroam.pem, I did:

$ cd /Volumes/boot
$ touch eduroam.pem
$ nano eduroam.pem

And then copy and paste the cert string in to the file in the terminal.

Now, stick the SD card back in the Pi and boot up.

On the Pi, copy the cert file somewhere safe (the standard location for certs is /usr/share/ca-certificates):

$ sudo cp /boot/eduroam.pem /usr/share/ca-certificates/eduroam.pem

Part 2 done! Nearly there.

3. Set up wpa_supplicant.conf

Last, we need to set up our wpa_supplicant.conf to connect to eduroam and tell it to use our cert file. Open your wpa_supplicant.conf file on the Pi:

$ sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

Add the following lines, substituting your username for identity and anonymous identity, and password for password.

network={
         ssid="eduroam"
         scan_ssid=1
         key_mgmt=WPA-EAP
         eap=PEAP
         identity="*****@*****.edu"
         anonymous_identity="*****@*****.edu"
         password="*****"
         ca_cert="/usr/share/ca-certificates/eduroam.pem"
         phase1="peaplabel=auto peapver=auto"
         phase2="auth=MSCHAPV2"
}

And voila! To connect without rebooting, on the Pi:

$ wpa_cli -i wlan0 reconfigure

And then check if you’re connected.

$ iwconfig

If everything went okay, you should see this. Enjoy!