Skip to content
Docs
Networking
eduroam Network Installation

eduroam Network Installation

Getting eduroam to work on Linux is more painful than it should be. Every “official” method I tried failed; the connection would just hang during the TLS handshake and never connect. I eventually figured out a manual setup that works reliably and wrote a script around it. Sharing it here so you hopefully don’t have to go through the same process.

What doesn’t work

cat.eduroam.org installer (official)

The Python installer from cat.eduroam.org provides a graphical interface and creates a connection profile. On some recent Linux distributions, the connection may hang during the TLS handshake due to changes in NetworkManager.

cat.eduroam.org download portal for Saxion

geteduroam Linux app (official)
The geteduroam Linux app (CLI and GUI RPM) may also experience connection issues on some recent distributions.
easyroam-linux (community)
easyroam-linux by jahtz may not work on all distributions.
UvA/HvA Linux eduroam guide
The guide at linux.datanose.nl (UvA/HvA) may not result in a working connection on all recent systems.

What does work

PEAP/MSCHAPv2 with CA validation via the system trust store and domain-suffix-match (the modern replacement for the deprecated altsubject-matches).

Requirements:

  • Python 3.10+
  • NetworkManager 1.8+ (nmcli)

Connection settings

SettingValue
SecurityWPA & WPA2 Enterprise
AuthenticationProtected EAP (PEAP)
PEAP versionAutomatic
Inner authenticationMSCHAPv2
CA certificateSystem CA bundle (/etc/pki/tls/certs/ca-bundle.crt)
Domain validationdomain-suffix-match: ise.infra.saxion.net
Phase2 domain validationphase2-domain-suffix-match: ise.infra.saxion.net
Anonymous identity[email protected]
Identity[email protected]

Automated setup (recommended)

A Python script automates the full nmcli connection setup for Saxion:

# 1. Download
curl -LO https://zephyrus-linux.stensel.nl/scripts/saxion-eduroam.py

# 2. Verify checksum
echo "8dd2f2120ddebdfd9d764e04954322307dccb8c855c691de7600f2a8a71db42b  saxion-eduroam.py" | sha256sum -c

# 3. Run
python3 saxion-eduroam.py

SHA256: 8dd2f2120ddebdfd9d764e04954322307dccb8c855c691de7600f2a8a71db42b

The script removes any existing eduroam profile, prompts for your username via a GUI dialog (zenity, kdialog, or yad) or terminal fallback, and activates the connection. Your password is never asked by the script; it is requested by your GNOME Keyring at connection time and stored securely, never in plaintext.

This script is Saxion-specific and validates against Saxion’s RADIUS server (ise.infra.saxion.net). For other institutions, use the official CAT script from cat.eduroam.org as a starting point.
This is a personal reverse-engineered rewrite based on the official cat.eduroam.org installer, which was outdated and didn’t work on my system. I don’t manage the eduroam network or the Saxion infrastructure. I make no guarantees about this script working, being kept up to date, or remaining correct if Saxion changes their setup. Use it at your own risk.

If everything goes well, you should see something like this:

eduroam installer showing installation successful

Source: saxion-eduroam.py

Manual setup via nmcli

This command stores the password directly in the connection profile. The automated script above uses password-flags 1 instead, which stores the password securely in GNOME Keyring. Both approaches work; the script’s method is more secure.
nmcli connection add \
  type wifi \
  con-name "eduroam" \
  ssid "eduroam" \
  wifi-sec.key-mgmt wpa-eap \
  802-1x.eap peap \
  802-1x.phase2-auth mschapv2 \
  802-1x.identity "[email protected]" \
  802-1x.password "your-password" \
  802-1x.anonymous-identity "[email protected]" \
  802-1x.ca-cert file:///etc/pki/tls/certs/ca-bundle.crt \
  802-1x.domain-suffix-match "ise.infra.saxion.net" \
  802-1x.phase2-domain-suffix-match "ise.infra.saxion.net"

Then connect:

nmcli connection up eduroam

Manual setup via GNOME Settings

  1. Open Settings → Wi-Fi
  2. Select eduroam
  3. Go to the Security tab and fill in the settings from the table above
  4. Enter your institutional credentials
  5. Click Apply

Here’s what the Security tab should look like:

GNOME Settings eduroam Security tab

Removal 

nmcli connection delete eduroam
ApplicationsVirt-Manager / KVM