Getting a Raspberry Pi on Worcester Polytechnic Institute (WPI) WiFi (WPA-EAP)

The following is a very specific guide and like all guides of this nature written by me it is mostly for my benefit so I can come back to it later. It is a modification of this guide written by Campus IT.  If you have any suggestions to improve anything, PLEASE shoot me an email or leave me a comment below.


I will be connecting my Raspberry Pi Model B+ running the latest build of Raspbian using the Edimax EW-7811Un WiFi dongle to this kind of network (From Campus IT):

Specifically, WPI requires 802.1x EAP-TLS certificate based authentication. This is sometimes referred to as WPA Enterprise

Having an internet connection will make doing this much much easier. In fact, if all you need to do is share your laptops WiFi with the Pi over the Ethernet port on your laptop that is quite easy (For WPI people please note that this is a violation of the networks’ acceptable use policy). For windows 8.1:

First, we will have to enable sharing our Wi-Fi through the Ethernet ports of our computer.

Open the Network and Sharing center on your computer. It is found under Control Panel->Network and Internet->Network and Sharing Center.
Next, click on “change adapter settings.”
Right click on your Wi-Fi, and select “Properties.” You will most likely need to be an administrator for this step.
Click on the “Sharing” tab.
Check the “Allow other network users to connect through this computer’s Internet connection” checkbox.
Hit OK to close this window.
Next, we will connect to the raspberry Pi over our Ethernet cable.

Open up cmd. Type “ping raspberrypi.mshome.net” into the command line. Do not use any quotes when you type in this command.
Take note of this IP address. You can connect to the Pi through Putty using that IP address.

If you’re using a fresh install, make sure you set the Pi’s internal time to the proper time using raspi-config. It’s under internationalization options.

sudo raspi-config

You will then need to register the MAC address

Next we need to acquire the proper certificates.

Campus IT has already created a good tutorial for doing this found here. You’ll want two get two certificates seen here:

Move those two documents onto the Pi as well. I’m using

/home/pi/certs/

as the location for my certificates for the sake of this tutorial.

From there you’ll have to convert the ‘certificate.p12’ document to a .pem format with OpenSSL. OpenSSL is installed by default in Raspian. Do this with the following command:

openssl pkcs12 -in /home/pi/certs/certificate.p12 -out /home/pi/certs/certificate.pem -nodes

Enter the password for the NETWORK when prompted. We now have 3 certificate files. The CA-.pem, certificate.p12 and certificate.pem all located in the /home/pi/certs directory on the pi.

Next we have to disable all the default wifi settings that come with Raspian. Do this by changing your /etc/network/interfaces file to the following:

auto lo

iface lo inet loopback
iface eth0 inet dhcp

#allow-hotplug wlan0
#iface wlan0 inet manual
#wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
#iface default inet dhcp

Doing this stops the Pi from trying to use the wlan0 device at boot and will allow us to use it directly.

Now we must configure wpa_supplicants. It doesn’t really matter where you put the configuration file, but the raspberry pi places it by default here:

/etc/wpa_supplicant/wpa_supplicant.conf

Edit the file to look like the following. Note that things you WILL have to change are marked with []’s. Also note that this config places all 3 certs in that directory I’ve mentioned a few times.

#ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
#update_config=1

network={
 ssid="WPI-Wireless"
 key_mgmt=WPA-EAP
 proto=WPA2
 pairwise=CCMP
 group=CCMP
 eap=TLS

 identity="[YOUR_WPI_EMAIL]@wpi.edu"

 ca_cert="/home/pi/certs/CA-[A_BUNCH_OF_NUMBERS].pem"
 client_cert="/home/pi/certs/certificate.pem"
 private_key="/home/pi/certs/certificate.p12"
 private_key_passwd="[YOUR_WPI_EMAIL_PASSWORD]"

 priority=1
}

I found that in an example configuration of wpa_supplicant.conf specifically notes the need of a .pem file for the client cert, thus the conversion.

We’re pretty much done, all we need to do is add a few steps to the boot process to start the whole process each time the device boots. We can use crontab or /etc/rc.local (thanks Greg Tighe) to accomplish this.

With Crontab:

crontab -e

Add the two lines to the file:

@reboot sudo wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -i wlan0
@reboot sudo /sbin/dhclient wlan0

or edit /etc/rc.local to contain:

@reboot sudo wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -i wlan0

And reboot your pi! Everything should connect and work.

3 Comments

  1. Got this working on a RasPi 2, huge thanks for the guide. One or two quick notes though, you can just connect to WPI-Wireless-Setup to get the certs instead of sharing the network from another machine (which is a violation of the AUP I think). And instead of putting the last two lines under cron I threw the first under /etc/rc.local and didn’t use the second one and everything worked fine for me.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.