Eduroam WPA3-Enterprise WiFi problem

GGORG

Hi, my university (Wroclaw University of Technology) has an Eduroam network.

It works on my Linux laptop - see https://gist.github.com/GGORG0/0510996de1d9a956f3b5a7b75390e70f
It also worked on GrapheneOS before (about a year ago), but then one day it suddenly failed to connect. It's been like that ever since.

I used the Geteduroam app to configure the profile, and it works for all my friends, both on Android and iOS.

When I set up the profile, it tries to connect but then errors out with "Authentication failure" - see https://i.imgur.com/ruEIgi3.png

I'd really like my phone to be able to connect to the university WiFi, as the Pixel 6 line has really, really poor battery life when on low signal mobile data, and it doesn't even last an entire day (however on WiFi, even in bad cellular signal, I can get well over 1 day of battery life)

n3t_admin

GGORG have you tried to set randomized MAC to "per network" instead of "per connection"? That's the only thing that comes to mind, unless you made an error somewhere else in the configuration. Does your university have any documentation for setting up eduroam?

GGORG

n3t_admin Hi, yes, my MAC is set to per network. My entire network config in this case is managed by geteduroam, so it should be identical to my friends'. There is documentation, available at https://di.pwr.edu.pl/uslugi/siec/eduroam (there are English sections). I know about the cert change, and have reconfigured my profile.

n3t_admin

GGORG yeah I understand Polish well enough to read through the documentation without the English section actually :D

Some things to consider: it seems like your university is using Active Directory as a backend, ughh. Makes things harder to troubleshoot.

Next thing is, are you possibly the only person with a Pixel phone among your friends? Maybe this also applies to you. Assuming the configurator app actually fills out all the fields correctly, I can only assume that something goes wrong during the connection/authentication process.
I assume you also tried filling out all the fields manually instead of using the app?

Sigismund

Have you tried quest network? If so does it work?
Have you tried to configure the connection manually?
Are you using your owner profile to configure everything including the app needed?
You sure your AD account works/can sign-in to other apps and don't have this permissions revoked/cut out?
You say WPA3 yet the docs say WPA2. You sure you're not messing up the settings?

GGORG

the gist i mentioned earlier works on my laptop with my AD credentials just fine, and has worked since forever
the guest network automatically disconnects you if you use it for too long
my friends on Samsung had no issues, don't know about Pixels though
yes i tried to configure it manually with TOFU certs, still didnt work
yeah i confused the WPA versions in the title but then didn't have the ability to edit it
i will try to email the admins about it, although the uni's admins are famous for ghosting too difficult emails
yes i am using my owner profile
the identity system here is very weird and we have like 3 different email systems, but i can say the same credentials work on my laptop so no issues here

spammerofspam

I'm curious what you find out, because this happened to me as well (at a different university), and I never bothered to troubleshoot. It worked and then it didn't.

I never tried the app, instead I was manually installing the certificate.

GGORG

Hey, update: it was my uni's fault. The admins replied that they are aware of the issue specifically with Pixels, and told me that it's because of an old version of TLS used in the handshake. I suppose other manufacturers allow older, less secure, versions of TLS than AOSP.
They upgraded the access points' firmware yesterday and today my Pixel connects to the network without any issues, and I didn't even have to download a new certificate profile! So it was truly on their side.

If anyone else suspects they might have a similar issue (it works everywhere else, except Pixels, and you are sure you configured it correctly and have the correct anonymous identity), let your uni's admins know!

Quoting a (translated) reply from the admins:

Good morning,

we're aware of the issue with Pixel brand phones, and it is caused by an outdated version of the TLS protocol used when connecting to the Eduroam network. We're currently working on updating the Wi-Fi network, and the initial rollout of the new protocol is planned for September 8th. Once the network is stable and Pixels can connect to the Eduroam network, we'll send you a confirmation email.

Best regards,
redacted

I think, judging by the reply, someone in the admin team (or close to them) has a Pixel and has the same issues!