Skip to Content.

geteduroam - Re: eap-config format supported by geteduroam

Subject: An open discussion list for topics related to the geteduroam service

List archive

Re: eap-config format supported by geteduroam

Chronological Thread 
  • From: Stefan Paetow <Stefan.Paetow AT>
  • To: James Potter <Jim.Potter AT>, Paul Dekkers <paul.dekkers AT>
  • Cc: "geteduroam AT" <geteduroam AT>
  • Subject: Re: eap-config format supported by geteduroam
  • Date: Thu, 20 Jun 2024 16:21:44 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1b6LMcZZxcxDb+uwSRCarNIPAptQPn4MIO2cIYuf6l4=; b=fwN2loxa0R7W4a8ykR2LBFxa2klJF35gUd+1FQtWLOCrYq7uuln4aTZRVIdQo37A2GHK2Wf2LjnNoz/7y4a2RJajPWyit4H/17DSVbE22osDDmy+YMp4kwlCnS/mGUn7DbqaxkZ0XbBIUKohc5GJYvpVFOrDoJzfPWgRxCBKk+QAQVosDtxdKcE3WYpxjIskAQV2QyBiT1XpoKUqZhNtiaOsIyOHpt2Gjf91fj9qOhaEJjGppfmjDiBDLl72zY19emoPIEYz9ggoutOyTrZjhG49SR2AxM/ab5BiuCbE8v1UVCLqyXu4D5+EfXzt3VHCgdaRDgHW0E9ranzNV6IC4Q==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=Kd6o2ODmvKWkOHYw+e/mWuo2edrU4FDrx3Xi52/I5GdTsGghCj6HrV2nE2V9w2Ab4KD7xV9AYBkrIxPNLYQCUo6Eq6rgyRH97mnVQNqYYBGCIj+o4PDWjp9uqHFb3CdxfdCkr2YY5W8nMyWpCeXq+B5rqyvhymF0TqLzy+Wenj0W+3BTWtFM3XcEJcjskiVbHhpGxT/u8CvrMHonvew2GVQJvYmdRfoZCfzSXCpaYW/Bp1nA3KU/iS4/UvPmUvkUPW4vQ35f6nRR9qQQlCZiP4ndrN4eTSPyQv0p5Na6jo0xssarMnqo5nxTB9Pzx35uZbx9uAWkf09/4Obq5qu4wg==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none;
  • Msip_labels: MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_ActionId=33db4fb5-d460-4380-89e1-c7438bbbbf84;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_ContentBits=0;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_Enabled=true;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_Method=Privileged;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_Name=Confidential - External;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_SetDate=2024-06-20T12:08:46Z;MSIP_Label_23fbfc4d-4f2b-405b-9635-512bd5247bcf_SiteId=48f9394d-8a14-4d27-82a6-f35f12361205;



Just FYI – Paul, if the XSD on GitHub has changes in it that are not part of the eap-metadata-02, then the draft needs to be updated… We'll need to ask Stefan W to do that.




Stefan Paetow

Federated Roaming Technical Specialist

eduroam(UK), Jisc


email/teams: stefan.paetow AT

gpg: 0x3FCE5142


For eduroam support, please contact the eduroam team via help AT and mark it for eduroam’s attention.

On Wednesdays and Fridays, I am not available between 12:00 and 15:00 London time (UTC in winter, UTC+0100 in summer).


Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB Tel: 020 3697 5800.



From: <geteduroam-request AT> on behalf of "geteduroam AT" <geteduroam AT>
Reply to: James Potter <Jim.Potter AT>
Date: Thursday 20 June 2024 at 13:09
To: Paul Dekkers <paul.dekkers AT>
Cc: "geteduroam AT" <geteduroam AT>
Subject: RE: eap-config format supported by geteduroam


Hi Paul,


OK, that has worked absolutely beautifully – it connects straight away with all the correct settings.


(You don’t have the xsd or similar for the Apple wifi config file do you? That’s next on the list…)


Thanks again for your help,




From: Paul Dekkers <paul.dekkers AT>
Sent: Thursday, June 20, 2024 9:15 AM
To: James Potter <Jim.Potter AT>
Cc: geteduroam AT
Subject: Re: eap-config format supported by geteduroam



On 20/06/2024 10:07, James Potter (via geteduroam Mailing List) wrote:

I’ve created a service which creates customised eap-config files, the plan is that users download them, they open in geteduroam + set up the wifi profile, but I’m having issues with getting geteduroam to accept the config (it says “Not a valid eap-config file” at the moment).

So basically you recreated the geteduroam portal? ;-) (I hope you knew about its existence!)

(That's fine, no judgement, but I hope you also do it via OAUTH to mimic the geteduroam native workflow and have it most secure, and then there's an alternative for admins to choose software and it would make sense and integrate well with the Apps and authentication.)

I’ve started with a config from eduroam CAT and added custom ClientSideCredential subelements.


So I’ve taken inspiration from for what I should be including, but have some queries:

I think a better and more current source is in the CAT repo:

  1. The config from CAT contains InnerIdentitySuffix and InnerIdentityHint, these aren’t mentioned in the above doc
  2. I’ve added the following:



                                <AnonymousIdentity>jim AT</AnonymousIdentity>

                                <UserName>jim AT</UserName>


                                <ClientCertificate> SOME BASE64 </ClientCertificate>




Are these the correct subelements? And what form should the ClientCertificate take? I’ve tried cert pem + encrypted private key (crashes) and Base64 encoded pkcs12 (complains, not a valid eap-config file)


I’m having trouble deducing this from the app source code – any hints here would be great.

I think it's easier to test with the .eap-configs that the letswifi-portal produces, or the output from CAT itself. Looking at what letswifi-portal produces, it looks like:

<OuterIdentity>pseudo-id AT realm.tld</OuterIdentity>
<ClientCertificate format="PKCS12" encoding="base64">... (base64 here)...</ClientCertificate>

Hope this helps,



I’ve attached the eap-config I’m working with (cert + passphrase work but are revoked)




Jim Potter







Archive powered by MHonArc 2.6.24.

Top of Page