Linux

If you encounter any problems, please also read our Wi-Fi FAQ and follow the checklist for reporting Wi-Fi issues.

Configuring Wi-Fi

Authentication at KIT and eduroam

Below, we’ll walk you through the authentication process for KIT. For eduroam, simply select the SSID “eduroam” in Network Manager. The configuration process is exactly the same. If you’re using wpa_supplicant, you just need to specify the SSID “eduroam” instead of “KIT.”

For a secure connection, the ISRG Root YE CA certificate (or ISRG Root X2 or ISRG Root X1) is required. This certificate is included in the ca-certificates package in all distributions known to us.
If none of the CA certificates are available in your distribution, the certificate for ISRG Root YE is available at the following link: root-ye.pem

However, the installed certificate can be found in different files across various distributions (usually in bundle files, together with other certificates; these are preferred).
Ubuntu/Debian: /etc/ssl/certs/ca-certificates.crt
Fedora: /etc/ssl/certs/ca-bundle.crt
Arch Linux: /etc/ca-certificates/extracted/tls-ca-bundle.pem

To connect to KIT, you can use Network Manager , for example.
This serves as a graphical user interface for administration of wireless connections.
In the background, services such as wpa_supplicant or iwd are used to configure and authenticate wireless connections.
Experienced users can, of course, configure the connection directly without using a graphical interface.

Network Manager

The screenshots were taken using Ubuntu 26.04 with the GNOME desktop environment. The dialogs may look different on other distributions and desktop environments. 

  1. Open the Settings app and select the network you want to connect to from the Wi-Fi menu.

  2. Configure the network settings as described here and click Connect.

    • Wi-Fi security: WPA & WPA2 Enterprise
    • Authentication: Tunneled TLS
    • Anonymous Identity: anonymous@kit.edu
    • Domain: radius-wlan.scc.kit.edu
    • CA Certificate: /etc/ssl/certs/ca-certificates.crt
    • Internal Authentication: PAP
    • Username: Your KIT-account@kit.edu (e.g., ab1234@kit.edu or uxxxx@kit.edu)
    • Password: Your password

     

  3. Your device should now be connected to the configured network.

Direct configuration

wpa_supplicant

If you want to use wpa_supplicant directly, your configuration file should contain the following. ca_cert is configured for Debian/Ubuntu. For other distributions, the entry there may need to be different; see also the information about the CA certificate at the top of this page.

WPA2/WPA3-Enterprise (mixed)

network={
ssid="KIT"
key_mgmt=WPA-EAP WPA-EAP-SHA256
pairwise=CCMP TKIP
group=CCMP TKIP
eap=TTLS
phase2="auth=PAP"
anonymous_identity="anonymous@kit.edu"
identity="ab1234@kit.edu"
password="password"
ca_cert="/etc/ssl/certs/ca-certificates.crt "
altsubject_match="DNS:radius-wlan.scc.kit.edu"
ieee80211w=1
}

 

WPA3-Enterprise (exclusive)

Currently, WPA2/WPA3-Enterprise is supported in mixed mode.
A standalone WPA3 configuration will be made available soon. Please use the mixed configuration.

iwd

If you want to use iwd, you must create a configuration file at /var/lib/iwd/KIT.8021x containing the following. ca_cert is configured for Debian/Ubuntu. For other distributions, the contents may need to be different; see also the information about the CA certificate at the top of this page.

WPA2/WPA3-Enterprise (mixed)

[General]
ManagementFrameProtection=1

[Security]
EAP-Method=TTLS
EAP-Identity=anonymous@kit.edu
EAP-TTLS-CACert=/etc/ssl/certs/ca-certificates.crt
EAP-TTLS-ServerDomainMask=radius-wlan.scc.kit.edu
EAP-TTLS-Phase2-Method=Tunneled-PAP
EAP-TTLS-Phase2-Identity=ab1234@kit.edu
EAP-TTLS-Phase2-Password=password

[Settings]
AutoConnect=true

 

WPA3-Enterprise (exclusive)

Currently, WPA2/WPA3-Enterprise is supported in mixed mode.
A WPA3-only configuration will be made available soon. Please use the mixed configuration for now.