Works at Utena University of Applied Sciences (Utenos kolegija), LT

[grawity]

Confirming that this configuration (EAP-PEAP with MSCHAPv2) will work with @ukolegija.lt and @utenos-kolegija.lt accounts.

(Not that I want to encourage using a configuration that broadcasts your easily-crackable password hash literally everywhere you go, but if it does the job for you...)

[oleks]

What exactly is the alternative? WPA PSK didn't work for me last time I checked, but maybe my configuration was bad.

[grawity]

The same WPA-EAP/PEAP/MSCHAPv2, but with the server's certificate validation enabled. Same logic as HTTPS (and it's even the same SSL/TLS behind the scenes) – if you verify the cert, you know you're always talking to your home institution's auth server. If you don't, it could be anybody's.

(We use a standard web CA from /etc/ssl/certs, so domain_suffix_match="utenos-kolegija.lt" would be the important part. Unfortunately the path to standard CAs is distro-dependent...)