
geteduroam - Re: eap-config format supported by geteduroam

Subject: An open discussion list for topics related to the geteduroam service

  • From: Paul Dekkers <paul.dekkers AT>
  • To: James Potter <Jim.Potter AT>
  • Cc: "geteduroam AT" <geteduroam AT>
  • Subject: Re: eap-config format supported by geteduroam
  • Date: Thu, 20 Jun 2024 08:34:24 +0000



You could in fact also use Shibboleth in the letswifi-portal, but most of that work is in a non-committed branch. It’s not the best approach; Shibboleth has more limitations than SimpleSAMLphp, in particular if you want to run the service on multiple hosts.

Either way I would advise you to look at the OAUTH path, it really has advantages.

And I’ll get in touch off-list, of course I’m interested to hear more 😊





From: James Potter <Jim.Potter AT>
Date: Thursday, 20 June 2024 at 10:30
To: Paul Dekkers <paul.dekkers AT>
Cc: geteduroam AT <geteduroam AT>
Subject: RE: eap-config format supported by geteduroam

Hi Paul,


Thanks for quick answers!


OK – I’ll give that a go from the xsd file. And base64 PKCS12, spot on.


I’d found the LetsWifi portal after I’d written a chunk of my service… I’ve not used OAuth, I used SAML (we do Shibboleth support, I’ve stuck to what I know here), not sure how well that will integrate with geteduroam, we’ll find out. It works nicely on Windows…


I’ve built my service to be multi-tenant, HSM backed + have an OCSP responder, happy to do a show + tell if you’re interested.







From: Paul Dekkers <paul.dekkers AT>
Sent: Thursday, June 20, 2024 9:15 AM
To: James Potter <Jim.Potter AT>
Cc: geteduroam AT
Subject: Re: eap-config format supported by geteduroam



On 20/06/2024 10:07, James Potter (via geteduroam Mailing List) wrote:

I’ve created a service which creates customised eap-config files, the plan is that users download them, they open in geteduroam + set up the wifi profile, but I’m having issues with getting geteduroam to accept the config (it says “Not a valid eap-config file” at the moment).

So basically you recreated the geteduroam portal? ;-) (I hope you knew about its existence!)

(That's fine, no judgement, but I hope you also do it via OAUTH to mimic the geteduroam native workflow and have it most secure, and then there's an alternative for admins to choose software and it would make sense and integrate well with the Apps and authentication.)

I’ve started with a config from eduroam CAT and added custom ClientSideCredential subelements.


So I’ve taken inspiration from for what I should be including, but have some queries:

I think a better and more current source is in the CAT repo:

  1. The config from CAT contains InnerIdentitySuffix and InnerIdentityHint, these aren’t mentioned in the above doc
  2. I’ve added the following:



     <AnonymousIdentity>jim AT</AnonymousIdentity>
     <UserName>jim AT</UserName>
     <ClientCertificate> SOME BASE64 </ClientCertificate>




Are these the correct subelements? And what form should the ClientCertificate take? I’ve tried cert pem + encrypted private key (crashes) and Base64 encoded pkcs12 (complains, not a valid eap-config file)


I’m having trouble deducing this from the app source code – any hints here would be great.

I think it's easier to test with the .eap-configs that the letswifi-portal produces, or the output from CAT itself. Looking at what letswifi-portal produces, it looks like:

<OuterIdentity>pseudo-id AT realm.tld</OuterIdentity>
<ClientCertificate format="PKCS12" encoding="base64">... (base64 here)...</ClientCertificate>

Hope this helps,



I’ve attached the eap-config I’m working with (cert + passphrase work but are revoked)




Jim Potter
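
An added example, not part of the thread and not geteduroam or letswifi-portal code: a small Python pre-flight check that compares a ClientSideCredential fragment against the letswifi-portal form quoted above (OuterIdentity plus a ClientCertificate carrying format="PKCS12" and encoding="base64") and confirms the body decodes to DER. It assumes un-namespaced elements; the sample identities and the dummy certificate bytes are constructed, and it reports differences from that fragment rather than reproducing the app's own validation.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample bytes, not real key material. 0x30 is the DER SEQUENCE
# tag that every PKCS#12 (PFX) container starts with.
DUMMY_P12 = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 16).decode()

# Constructed fragment in the style of the letswifi-portal output quoted above.
PORTAL_STYLE = f"""<ClientSideCredential>
  <OuterIdentity>pseudo-id@realm.example</OuterIdentity>
  <ClientCertificate format="PKCS12" encoding="base64">{DUMMY_P12}</ClientCertificate>
</ClientSideCredential>"""

# Constructed fragment in the style of the hand-edited config from the question.
THREAD_STYLE = f"""<ClientSideCredential>
  <AnonymousIdentity>jim@realm.example</AnonymousIdentity>
  <UserName>jim@realm.example</UserName>
  <ClientCertificate>{DUMMY_P12}</ClientCertificate>
</ClientSideCredential>"""


def check_client_credential(xml_text):
    """Return the differences from the portal-style fragment (empty list = match)."""
    findings = []
    cred = ET.fromstring(xml_text)
    if cred.find("OuterIdentity") is None:
        findings.append("no OuterIdentity element")
    cert = cred.find("ClientCertificate")
    if cert is None:
        return findings + ["no ClientCertificate element"]
    for attr, want in (("format", "PKCS12"), ("encoding", "base64")):
        if cert.get(attr) != want:
            findings.append(f'ClientCertificate {attr}="{want}" missing')
    try:
        # Strip line wraps, then decode strictly so PEM armour is rejected.
        body = "".join((cert.text or "").split())
        blob = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return findings + ["ClientCertificate body is not valid base64"]
    if blob[:1] != b"\x30":
        findings.append("decoded body does not start with a DER SEQUENCE")
    return findings


if __name__ == "__main__":
    for name, sample in (("portal", PORTAL_STYLE), ("thread", THREAD_STYLE)):
        print(name, check_client_credential(sample) or "matches")
```
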






