I live in a dorm and only have access to eduroam. In my case this requires using WPA2-EAP and MSCHAPv2 for authentication, which many devices don’t support. Regular WDS bridging would be very convenient, but it doesn’t work here, since it’s meant for personal networks.
Instead, I got an OpenWRT-compatible router and connected to eduroam in client mode. It’s by no means an original idea, but documentation is somewhat sparse. Having had to do it multiple times, I thought I’d do myself the favor of writing it down for once. So here we go.
The main requirement here is that it supports OpenWRT. Make sure it’s modern enough to have a reasonable amount of flash – over 8 MiB seems to be good. At the very least you’ll need to upgrade wpad to the full version, which uses about 1 MiB extra.
It should also ideally have two radios; usually one is 5 GHz and the other 2.4 GHz. If your clients will connect via Ethernet, this is not necessary. As far as I can tell, it should also be possible to use a single radio both ways, but it would halve the speed.
Once you have OpenWRT working, you’ll need internet in order to upgrade wpad. You can do it through the WAN port, which requires no extra configuration, or you can connect to a regular PSK network in client mode. Even a mobile hotspot would work here.
If you want to do the latter, first make sure the router’s IP address is in a different subnet from your host network. OpenWRT’s default is 192.168.1.0/24, so if there is a conflict you need to change it. Log into LuCI, the default web interface, which is at http://192.168.1.1 by default. Go to Network→Interfaces and edit the LAN interface, then change its IP address to a different subnet – for example, 192.168.22.1. Save and apply.
After that, you can go to Network→Wireless and select “scan” on one of the radios. Choose the desired network and fill in all the details, making sure the “network” property is set only to “wwan”. Your router should now be connected to the internet.
By default, OpenWRT comes with wpad-basic-mbedtls installed. This works fine for the most common use-cases, but it doesn’t support the required authentication methods. To get it to work, you need to upgrade to the “full” version of wpad.
Use SSH to connect to the router. If you’re using a new OpenWRT release, the package manager should be apk, in which case the following commands will work:
$ apk del wpad-basic-mbedtls
$ apk add wpad-mbedtls
Then reboot. If apk is not installed, you are using an older version of OpenWRT. Simply replace apk del with opkg remove, and apk add with opkg install.
If you have enough storage, you could use openssl instead of mbedtls. I’m not sure what the benefits are, but I have seen a couple of people report that it fixed some of their issues. I’m just leaving this note here in case it ends up being helpful in the future.
The basic process is the same as for the temporary connection. Make sure to remove the old connection, then scan the radio and select the desired network. Fill in all the details as before, and make sure to set “network” to “wwan”.
Afterwards, edit the network and go to the wireless security tab. Make sure all the settings are correct, then save, and save and apply on the main screen. You should now have internet.
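One way to check the wireless security settings from the command line, as an added example that is not part of the original post: the function reads an OpenWrt wireless config and reports WPA-Enterprise client sections that do not validate the RADIUS server certificate, do not check its name, or send the real username as the outer identity. The function names, the sample config and its credentials are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: flag WPA-Enterprise client
# (sta) sections of an OpenWrt wireless config that skip RADIUS server checks.
audit_eap_sta() {   # usage: audit_eap_sta /etc/config/wireless
    awk '
    function flush(   names) {
        if (insec && o["mode"] == "sta" && o["encryption"] ~ /^wpa/) {
            if (o["ca_cert"] == "" && o["ca_cert_usesystem"] != "1")
                print o["ssid"] ": no-ca-validation"
            names = o["domain_match"] o["domain_suffix_match"]
            names = names o["subject_match"] o["altsubject_match"]
            if (names == "")
                print o["ssid"] ": no-server-name-check"
            if (o["anonymous_identity"] == "")
                print o["ssid"] ": outer-identity-exposed"
        }
        split("", o)    # reset options before the next section
    }
    /^[ \t]*config[ \t]/ { flush(); insec = ($2 == "wifi-iface"); next }
    insec && ($1 == "option" || $1 == "list") {
        v = $0
        sub(/^[ \t]*[a-z]+[ \t]+[^ \t]+[ \t]+/, "", v)  # drop keyword and key
        gsub(/["\047]/, "", v)                          # drop UCI quoting
        o[$2] = o[$2] v
    }
    END { flush() }
    ' "$1"
}

sample_config() {   # constructed sample; identity and password are placeholders
    cat <<'EOF'
config wifi-iface 'wifinet1'
    option mode 'sta'
    option network 'wwan'
    option ssid 'eduroam'
    option encryption 'wpa2'
    option eap_type 'peap'
    option auth 'EAP-MSCHAPV2'
    option identity 'user@example.edu'
    option password 'PLACEHOLDER'

config wifi-iface 'default_radio1'
    option mode 'ap'
    option ssid 'dorm-ap'
    option encryption 'psk2'
EOF
}

tmp=$(mktemp) && sample_config > "$tmp" && audit_eap_sta "$tmp"; rm -f "$tmp"
```

On the router itself, run `audit_eap_sta /etc/config/wireless`; the CA and server name to configure come from your institution's eduroam setup instructions.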
The next thing you might want to do is to configure an access point for your new network, but I won’t go through this since it’s very well-documented and simple to set up.
Very possible. If you’ve checked your authentication details and are sure it’s all good, it could be the same bug I ran into. There is a temporary solution I came up with at the bottom of that thread, but it’s worth checking the logs like brada4 suggested, to make sure that this is indeed the problem.