Connecting to eduroam using wired 802.1x authentication

My kid has a tiny NAS in her dorm for backup and replication. The dorm’s ethernet participates in eduroam and requires 802.1x authentication.

We found many instructions on how to connect to campus ethernet, using various installers and techniques. Details differ for each school, and within each school over time. Most now lean heavily on opaque installers for phones, tablets, Windows, and macOS.

What follows is the solution that worked for us.

Reminder: iXsystems does not recommend or support connecting TrueNAS SCALE directly to any public network. You alone are responsible for preventing unauthorized access, through access rules and firewall settings.

Surveying the options

Different sites will have different back-end implementation details and requirements. We happened to be working with umaryland.edu. We chased a variety of instructions and techniques spanning many years and many sources, down many dead ends.

False start: SecureW2 installer

Your school may use the SecureW2 service to provide downloadable, native apps to generate and rotate client certificates. This is the most modern, secure, and foolproof approach for Windows, macOS, phones, tablets, and desktop Linux.

But the downloadable installer for Linux only works through a GUI with an embedded browser, and thus won’t work for TrueNAS SCALE.

False start: IoT bypass

Your school may provide an online dashboard through which you preregister the MAC of a wired or wireless device, and receive a device-specific WiFi password. This can be a handy fallback for any set-top boxes and game systems which don’t feature enterprise WiFi.

But TrueNAS SCALE doesn’t include the necessary drivers, even for this reduced-security tradeoff.

Abandoned detour: IWD and EAD

I was intrigued by the iwd toolset, which to my eye seems cleaner and more modern than wpa_supplicant. But its wired ead component isn’t well supported in Debian.

Abandoned detour: static custom build

I had installed developer tools inside a Jailmaker sandbox, to tinker and probe and troubleshoot using my own custom static builds of wpa_supplicant.

But in the end, this wasn’t necessary. And to be honest it was kind of a pain, given that the host system was still stuck in a Catch-22 with no upstream internet connection.

Step 1 of 3: install wpa_supplicant

We need a copy of the wpa_supplicant daemon. We could build one ourselves, but Debian already offers one that’s linked with the base system’s libraries. We can grab and extract theirs without entering developer mode or invoking apt.

curl -OL http://http.us.debian.org/debian/pool/main/w/wpa/wpasupplicant_2.10-12+deb12u2_amd64.deb
mkdir -p /tmp/fakeroot
dpkg-deb -X wpasupplicant_2.10-12+deb12u2_amd64.deb /tmp/fakeroot

You may already have a location where you keep your own tools and scripts. I’ll use /root/.local as an example here, but you might prefer somewhere on a data pool which will survive upgrades and reinstallation. That’s a topic for another thread.

sudo mkdir -p /root/.local/sbin
sudo install /tmp/fakeroot/sbin/wpa_supplicant /root/.local/sbin

Step 2 of 3: configure authentication

CAT, eduroam’s own Configuration Assistant Tool, can run without privileges on TrueNAS SCALE and will generate the appropriate configuration files for wpa_supplicant.

Visit cat.eduroam.org and click the Download button. Find and select your university or organization. Download the installer for Linux. If it shows you the installer for macOS or Windows, look for a small link underneath the button to choose Linux instead.

Download the resulting Python script and copy it anywhere on your NAS. Your home directory is fine. Then launch it.

python3 eduroam-linux-UoM.py

You’ll notice that the filename and introductory text are tailored to your organization.

The script will look for a desktop environment first, then fall back to wpa_supplicant.

Continue? (Y/N) [Y]
This NetworkManager version is not supported

-------
NetworkManager configuration failed, but we may generate a wpa_supplicant
configuration file if you wish. Be warned that your connection password
will be saved in this file as clear text.

Continue? (Y/N) [Y]
enter your userid: 
enter your password:

When successful, the installer will have left its output in a ~/.config/cat_installer/ directory. Let’s copy these somewhere safe, readable only by root. Again: I’m using /root/.local/ but you may have a different location for your persistent files.

sudo mkdir -p /root/.local/etc
sudo install -m 600 ~/.config/cat_installer/ca.pem /root/.local/etc/wpa_cert.pem

Edit ~/.config/cat_installer/cat_installer.conf to refer to the ca_cert in its new location (/root/.local/etc/wpa_cert.pem), and then copy the edited version.

sudo install -m 600 ~/.config/cat_installer/cat_installer.conf /root/.local/etc/wpa_supplicant.conf

Optional: you can now test whether the configuration was successful. Start the tool in the foreground, replacing ifname with the name of your ethernet interface.

sudo /root/.local/sbin/wpa_supplicant -D wired -i ifname -c /root/.local/etc/wpa_supplicant.conf

Type control-C to stop. Edit the config file and retry as needed until you successfully authenticate and gain access to the network.

Step 3 of 3: launch the daemon at startup

Use the TrueNAS GUI to add a Pre-Init command. Use the same command as when testing, but remove sudo and add -B to make it a background daemon.

/root/.local/sbin/wpa_supplicant -D wired -i ifname -c /root/.local/etc/wpa_supplicant.conf -B

Now restart, and check your work!

Troubleshooting

I can’t help you with any configuration or authentication issues; that’s between you and your IT department.

But you can bring them a copy of this document. That might help them look beyond this quirky nonstandard process of installing the well-known standard wpa_supplicant daemon on TrueNAS SCALE. Good luck!

Cleaning up

Important: be sure to get rid of the ~/.config/cat_installer directory which still contains a world-readable, plaintext password.

You can also get rid of the Python script, and the .deb package. The /tmp/fakeroot directory will have already disappeared as a result of restarting.


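As an added example that is not part of the post above, here is a small POSIX shell script covering the Step 2 edit and the checks worth running before Step 3: it rewrites the ca_cert line of the CAT-generated config to the new certificate location, and then verifies that the resulting config and certificate are mode 600, that the certificate path actually resolves, and that an identity/password pair is present. The layout of cat_installer.conf (a network={} block with a quoted ca_cert line) and the file names in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: relocate the ca_cert reference in
# a CAT-generated config (the manual edit in Step 2) and sanity-check the result
# before wpa_supplicant is pointed at it. The exact layout of cat_installer.conf
# (a network={} block with a ca_cert="..." line) is an assumption.

# rewrite_ca_cert SRC DST NEWPEM: copy SRC to DST, mode 600, with the
# ca_cert= line rewritten to NEWPEM. Everything else is copied verbatim.
rewrite_ca_cert() {
    src=$1; dst=$2; pem=$3
    sed "s|^\([[:space:]]*ca_cert=\).*|\1\"$pem\"|" "$src" > "$dst" || return 1
    chmod 600 "$dst"
}

# file_mode PATH: octal permission bits (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_wpa_conf CONF: returns 0 when CONF is mode 600, the certificate it
# names exists and is mode 600, and it carries an identity/password pair.
# Findings are printed; the return code is what a script should act on.
check_wpa_conf() {
    conf=$1; rc=0
    [ "$(file_mode "$conf")" = "600" ] || { echo "$conf: mode is not 600"; rc=1; }
    pem=$(sed -n 's/^[[:space:]]*ca_cert="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$conf")
    if [ -r "$pem" ]; then
        [ "$(file_mode "$pem")" = "600" ] || { echo "$pem: mode is not 600"; rc=1; }
    else
        echo "ca_cert '$pem' is missing or unreadable"; rc=1
    fi
    grep -q '^[[:space:]]*identity=' "$conf" || { echo "$conf: no identity="; rc=1; }
    grep -q '^[[:space:]]*password=' "$conf" || { echo "$conf: no password="; rc=1; }
    return $rc
}

# demo: constructed sample config and dummy certificate in a temp directory.
demo() {
    d=$(mktemp -d)
    printf 'network={\n\tkey_mgmt=IEEE8021X\n\teap=PEAP\n\tidentity="user@example.edu"\n\tpassword="constructed-example"\n\tca_cert="%s"\n}\n' \
        "$HOME/.config/cat_installer/ca.pem" > "$d/cat_installer.conf"
    touch "$d/wpa_cert.pem" && chmod 600 "$d/wpa_cert.pem"
    rewrite_ca_cert "$d/cat_installer.conf" "$d/wpa_supplicant.conf" "$d/wpa_cert.pem" &&
        check_wpa_conf "$d/wpa_supplicant.conf" && echo "config OK"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the checks pass on the constructed sample; point check_wpa_conf at /root/.local/etc/wpa_supplicant.conf to verify a real install.
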
Neat! I think the important part is ensuring the wpa_supplicant is correct for the base distro, getting the cert (doesn’t actually need to be done directly on the box I think?) and getting a .conf file you can tell it to load.