Skip to Content.

geteduroam - RE: eap-config format supported by geteduroam

Subject: An open discussion list for topics related to the geteduroam service

List archive

RE: eap-config format supported by geteduroam

Chronological Thread 
  • From: James Potter <Jim.Potter AT>
  • To: Paul Dekkers <paul.dekkers AT>
  • Cc: "geteduroam AT" <geteduroam AT>
  • Subject: RE: eap-config format supported by geteduroam
  • Date: Thu, 20 Jun 2024 12:08:47 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=wuKq68m3MGhYu4dakPi2tZqIjoKdsSTUccpiG7mhPhE=; b=WzJE2wIp2e8lSFklFYgzepkHhmCYLWPQX6Mbcp7m4WPt2xdXCX5BpBCrgcQ21Iyr5xyeQrd9+6VQ6aCFoNrS7yugpJxxuGc9crGyRbpAXJd952F552o4HQoXZ6UKWVxxVqqHX8+lH+7XFFVzCeZFCnvN2jiVlgFejGxxK54vUHZDN4TK4rIkvZBtzfSxF843jatTIwvc5Q3BsTp7LnxSVIQ6zQDaonljkSlRZZuj1UQizC3s5u/l9kKav5wszVuvyie8NnAV/isVAZYVYrnGHmKwPcGNY7hBO3ZQgvL34hMrhzwPFL6XH7YpjqBA4eGPYsFDsncBssMt6kqdkM5bow==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=Yez+gRVl3UjmsG7bSdOjMUZUlqWB/GTb2fbw8usEunRrJ1Bjm8O+sep7KXCtfPY70KKTQ+A/8H72GvhzEM2RvI403Nuvwp5e9zxwX9FpyuL9xIppeBPRxh9v8+560BKD+2lohpiNUFQFcBldTCNbrjb4f41DZo6rVwWSNx9E8zGPOeLwZPpNn9KfD0rU4NT+ObvFGLyV/YKwxmJMboLjoCiY2ha4C4oJD2hZwx3OdXNpajcSxyZGlpwYdgkw1x9t59q+QrwgSojh3gToAuZ9uIG/OemQNeq6gUkFtOXQmLKXlt992soxwck8XzqWTBnFX8qX8ak0eZeQO5nSooS//g==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none;
  • Msip_labels: MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_ActionId=33db4fb5-d460-4380-89e1-c7438bbbbf84;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_ContentBits=0;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_Enabled=true;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_Method=Privileged;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_Name=Confidential - External;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_SetDate=2024-06-20T12:08:46Z;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_SiteId=48f9394d-8a14-4d27-82a6-f35f12361205;

Hi Paul,


OK, that has worked absolutely beautifully – it connects straight away with all the correct settings.


(You don’t have the xsd or similar for the Apple wifi config file do you? That’s next on the list…)


Thanks again for your help,




From: Paul Dekkers <paul.dekkers AT>
Sent: Thursday, June 20, 2024 9:15 AM
To: James Potter <Jim.Potter AT>
Cc: geteduroam AT
Subject: Re: eap-config format supported by geteduroam



On 20/06/2024 10:07, James Potter (via geteduroam Mailing List) wrote:

I’ve created a service which creates customised eap-config files, the plan is that users download them, they open in geteduroam + set up the wifi profile, but I’m having issues with getting geteduroam to accept the config (it says “Not a valid eap-config file” at the moment).

So basically you recreated the geteduroam portal? ;-) (I hope you knew about its existence!)

(That's fine, no judgement, but I hope you also do it via OAUTH to mimic the geteduroam native workflow and have it most secure, and then there's an alternative for admins to choose software and it would make sense and integrate well with the Apps and authentication.)

I’ve started with a config from eduroam CAT and added custom ClientSideCredential subelements.


So I’ve taken inspiration from for what I should be including, but have some queries:

I think a better and more current source is in the CAT repo:

  1. The config from CAT contains InnerIdentitySuffix and InnerIdentityHint, these aren’t mentioned in the above doc
  2. I’ve added the following:



                                <AnonymousIdentity>jim AT</AnonymousIdentity>

                                <UserName>jim AT</UserName>


                                <ClientCertificate> SOME BASE64 </ClientCertificate>




Are these the correct subelements? And what form should the ClientCertificate take? I’ve tried cert pem + encrypted private key (crashes) and Base64 encoded pkcs12 (complains, not a valid eap-config file)


I’m having trouble deducing this from the app source code – any hints here would be great.

I think it's easier to test with the .eap-configs that the letswifi-portal produces, or the output from CAT itself. Looking at what letswifi-portal produces, it looks like:

<OuterIdentity>pseudo-id AT realm.tld</OuterIdentity>
<ClientCertificate format="PKCS12" encoding="base64">... (base64 here)...</ClientCertificate>

Hope this helps,



I’ve attached the eap-config I’m working with (cert + passphrase work but are revoked)




Jim Potter







Archive powered by MHonArc 2.6.24.

Top of Page