Set Up Enterprise Wifi on Arch Linux

Most big institutions have guest and employee wifi networks. Guest wifi is usually fine, fast enough for the basics, but far inferior to employee wifi. On a custom-built OS, such as a fairly minimalist Linux distribution, getting the employee wifi to work can be a beast.

This was a little tricky to get working but very worth it, so here’s an outline, mostly for my own later benefit.

This post is specific to VUMC, with the VUMCEmployee network.

Similar steps should be applicable for other enterprise wifi users, though this post will unquestionably be out of date before long, and the intricacies of enterprise wifi are infinite.

VUMCGuest is fine

As with other public networks at large institutions, VUMCGuest is just a little slow and finicky, and it’s annoying to have to re-authenticate repeatedly to use all the HIPAA-compliant things.

VUMCEmployee is better

I’ll probably put a screenshot here at some point comparing speedtest scores. VUMCEmployee gives over 100 Mbps down, and around 100 up.

It’s also more stable, and latency is around 10ms.

Most practical gain, other than faster everything: When I use VUMCGuest, the keyboard shortcut I use to launch and automatically login to Epic only works intermittently. On VUMCEmployee, it works reliably. No more typing! It’s faster and, again, more reliable than tapping the badge-readers at the VUMC workstations.

Backend

The personal networking stack of greatest beauty on Linux at this point is:

systemd-networkd +systemd-resolved + iwd

Disable and delete NetworkManager and other such nonsense, if you are unwise like me and installed conflicting and useless things.

If you’d like a GUI, iwgtk is nice, but the CLI shipped with iwd (iwctl) is intuitive, friendly, and well-documented. I keep the GUI version around for quickly checking on things via a keyboard shortcut, but use the CLI for any heavy lifting, which has thankfully become rare since landing on this setup.

Start with VUMCEmployeeSetup

First, log on to the VUMCEmployeeSetup wifi. Then navigate to one of my favorite websites, http://neverssl.com/. This will force the redirect to the VUMCEmployee enrollment page (I also use this site for connecting to public wifi at airports, libraries, coffee shops, etc.). Agree to the terms and conditions. Then click the “Show all operating systems” link at the bottom, followed by the “Other Operating Systems” tab that pops up at the bottom of the list.

The “Other Operating Systems” tab has three steps listed, which are simply the pieces that the various installers put together for you. The first two are downloads for certificates, and the third is a template.

Finding this tab was the gold mine - initially I repackaged one of the other Linux installers for Arch, because I thought that (since there was an installer) the process must be complicated, and repackaging things from Debian-based systems for Arch-based systems is easy enough. The repackaged version of the installer was decent at first, but it turns out that the manual process is easier and more reliable. I also learned more about enterprise networks in the process, which was an added bonus (I’m honestly not sure about the sarcasm:sincerity ratio in the previous sentence).

Download the PEM files listed under Steps 1 (root certificate) and 2 (client certificate).

Make your own iwd profile

Here’s where it goes: /var/lib/iwd/VUMCEmployee.8021x

Below are the contents, sensitive info redacted, then we’ll go through some of the key parts and one nicety.

[IPv6]
Enabled=true

[Security]
EAP-Method=PEAP
EAP-Identity=username
EAP-PEAP-CACert=embed:root_cert
EAP-PEAP-ServerDomainMask=*.radius.service.vumc.org
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=username
EAP-PEAP-Phase2-Password=password

[Settings]
AutoConnect=true

[@pem@root_cert]
-----BEGIN CERTIFICATE-----
*lots of gobbledigook goes here*
-----END CERTIFICATE-----

Most of these options are outlined in Step 3 from the VUMCEmployeeSetup, cross-referenced against the Arch Wiki page on iwd, subsection Network configuration, and the iwd wiki proper.

An easy-to-miss step: The EAP-PEAP-Phase2-Method requirement for MSCHAPV2 leads to another required install, check the wiki for current instructions.

Put in your own username and password.

My favorite trick in this file is directly embedding the root certificate in the line EAP-PEAP-CACert= with the syntax embed:root_cert (any name is fine, doesn’t have to be root_cert, it’s just a pointer). Then you add a definition of root_cert in a [@pem@root_cert] section. Insert the contents of the root certificate directly via copy-paste or cat, etc.

Easiest method, as root:

cat /home/beau/dl/root_cert.PEM >> /var/lib/iwd/VUMCEmployee.8021x

With the direct embed method, you don’t need to point to the root certificate file or keep it around at all.

Needless to say, VUMCEmployee.8021x is a sensitive file and should be protected appropriately. However, this file or a version of it is what the automated tools would have made anyway, so there’s no special risk here - AND since you did it all yourself you know there was no funny business coming from a black-box installer.

The other certificate (Client)

I can’t remember what I had to do with the client cert, probably added using the Chrome/Firefox certificate managers.

I had to do this before when getting set up for VA remote access, the Arch Wiki comes through again with an article on Common Access Cards that includes instructions on adding certs to browsers.

There’s a chance it’s not even needed? The specification no longer supports adding a client cert field without a key, which I don’t have, and do not, apparently, need (see the section “EAP-PEAP with tunneled EAP-MSCHAPV2”). At any rate, this setup is working now and I won’t futz with it further until something breaks.

-> ~~Profit~~ Prosper