Wired Ethernet WPA2-Enterprise authentication using iwd (ead)

2025-08-11

My college uses WPA2-Enterprise authentication in order to manage access not only to its wireless network (a.k.a. Eduroam) but also to the wired network. Most guides online do not even mention the possibility of using authentication on a wired interface, and even iwd's documentation is quite lacking in this area.

The configuration of the wired interface is quite similar to the wireless one, with the difference being that the tool we are now using is called ead instead of iwd. Don't worry, you don't have to install anything, since a typical iwd installation already includes ead, even though the ArchWiki does not mention it.

All you have to do is to put the following into /var/lib/ead/default.8021x (for wireless put the same into /var/lib/iwd/eduroam.8021x), obviously replacing the certificate path, username and password:

[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@school.edu
EAP-PEAP-CACert=/etc/ssl/certs/your_certificate.pem
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=azurediamond@school.edu
EAP-PEAP-Phase2-Password=hunter2

and start/enable the ead service, e.g. users of systemd can run

systemctl enable ead.service --now
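The file above stores the account password in clear text, names the CA used to check the server certificate, and sends EAP-Identity outside the encrypted tunnel, so it is worth auditing after editing. The script below is an added example, not part of the original post or of iwd; the function names audit_8021x and get_key are hypothetical, and it only inspects the keys shown above.

```shell
#!/bin/sh
# Added example: audit an ead/iwd .8021x file such as /var/lib/ead/default.8021x.
# Usage: sh audit.sh /var/lib/ead/default.8021x

# Print the value of key $1 from file $2 (first match), empty if absent.
get_key() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# Print one line per finding; the return status is the number of findings.
audit_8021x() {
    f=$1
    findings=0
    report() { echo "$f: $1"; findings=$((findings + 1)); }

    [ -r "$f" ] || { echo "$f: cannot read file"; return 1; }

    # EAP-PEAP-Phase2-Password is stored in clear text, so only the
    # owner should be able to read the file.
    if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ]; then
        report "readable by group or others, run: chmod 600 $f"
    fi

    # Without a CA there is nothing to check the server certificate against.
    ca=$(get_key EAP-PEAP-CACert "$f")
    if [ -z "$ca" ]; then
        report "EAP-PEAP-CACert is not set"
    elif [ ! -r "$ca" ]; then
        report "CA certificate $ca is missing or unreadable"
    fi

    # The outer identity travels unencrypted; it should not be the real login.
    outer=$(get_key EAP-Identity "$f")
    inner=$(get_key EAP-PEAP-Phase2-Identity "$f")
    if [ -n "$inner" ] && [ "$outer" = "$inner" ]; then
        report "EAP-Identity equals the Phase2 identity and is sent in clear"
    fi

    return "$findings"
}

if [ "$#" -gt 0 ]; then
    audit_8021x "$1"
fi
```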

For debugging you can run /usr/lib/iwd/ead -d. Similarly, you can run /usr/lib/iwd/ead -i eth0 to attempt authentication on only one interface. To make this setting permanent, you can override the distribution-provided service file using systemctl edit ead.service and put

[Service]
ExecStart=
ExecStart=/usr/lib/iwd/ead -i eth0

between the comments in the override file (don't forget to change the name of the interface).

One last touch: now you can point your favorite DHCP client at your Ethernet interface and voilà, you have working internet!