Faculty of Information Technology, BUT

User may connect notebook or similar device to wired network on dedicated places only - at present labs M103 and M104 and in the library room C126. Under no circumstances users may disconnect lab computers from network and use these cables for notebooks. Access to network is authenticated using protocol IEEE 802.1X. Authentication mey be done using either PEAP (Protected EAP) with MSCHAPv2 or EAP-TTLS with PAP or EAP-TLS with authentication using client certificate. Since the password is stored in open form on Radius server in the first two methods so users may not authenticate with any standard password, such as Unix, IS FIT or VUTlogin. Special password for Radius server authentication may be generated through IS FIT (Set password for Radius server).

Windows 7/10 Configuration

1. Click on search (start) button, type in services and launch the application.

2. Find Wired Autoconfig in the list and double click.

3. Set startup type to Automatic and click Start if the service is not running.

4. In systray right-click network icon and click Network & Internet Setting.

5. Click on Ethernet and then Change adapter options.

6. Right-click on Ethernet or Local Connection or whatever your ethernet adapter is named, then choose Properties

7. Now choose Authentication tab, select PEAP method and click Settings

8. Either check Brno University of Technology CA or if not present there uncheck Verify the server's identity on top.

9. In Additional setttings choose User authentication and click Save credentials - fill in your Radius username (i.e. login@fit.vutbr.cz) and Radius password.

Now your ethernet connection should authenticate. If you see following alert just click connect.

Note: your radius password must be generated in information system.

Note 2: you may need to install root certificate BUT certification authority if you haven't done it yet - see http://ca.vutbr.cz.


Network Manager

As of Ubuntu 18.04 you can quite easily set the 802.1X connection using Network Manager, see screenshot below. There are two minor drawbacks however. The first, once 802.1X is set you cannot connect to unprotected wired network unless you switch 802.1X off again. And the second, once you switch 802.1X off and on, you have to set it up again.

Note: keep in mind your username consists of your faculty login plus domain of the radius server (i.e. fit.vutbr.cz, for both staff and students); the password is special Radius password which may be obtained in faculty information system.


If the above does not work you may try to use opensource Xsupplicant. Default configuration directory is /usr/local/etc/1x. First we need certificate of BUT certification authority here:
wget http://ca.vutbr.cz/pki/pub/cacert/cacert.pem 
Then create configuration file /etc/xsupplicant.conf:
logfile = /var/log/xsupplicant.log
startup_command = "dhclient %i"

default {
    allow_types = eap_peap

    # login = FIT_LOGIN@fit.vutbr.cz for staff and students
    # @fit.vutbr.cz is Radius server domain (may be used
    # with Radius servers interconnected in EduRoam network)
    # password is Radius server password you can obtain in faculty information system
    identity = "login@fit.vutbr.cz"

    eap-peap {
    	inner_id = "login@fit.vutbr.cz"
	root_cert = /etc/certs/cacert.pem
	chunk_size = 1398
	random_file = /dev/urandom
	cncheck = radius.fit.vutbr.cz
	session_resume = yes
	allow_types = eap_mschapv2
	eap-mschapv2 {
            password = "password"

Back to guides

Send comments to michal@fit.vutbr.cz

Back to top