Connecting to Xfinity Mobile secure hotspots on Linux

So if you are in the monopolized area of Xfinity in the US, you may (or may not) be aware that their hotspot network is pretty strong.

Since most subscribers use the default modem, and the default setting on it enables the hotspot functionality, most of your neighbours are already emitting the hotspot.

This is divided into two networks:

1. xfinitywifi, which is an open network with a captive portal
2. Xfinity Mobile, which is a WPA2 Enterprise network

Traditionally, you can only use the open network on Linux or Windows systems. The annoyance is that

1. it's fully open (which is fine with sites using https or if you have some VPN)
2. but also that it means you need to re sign in every few weeks. annoying if you want it always connected.

Now you might say “why would you make this always connected”?

My primary connection is 5G Home Internet via a Calyx SIM (see my video last year). However, modems can be flakey and so I wanted a redundant link.
Ie, say the T-Mobile network has an outage, or ModemManager crashes, or the USB cable comes loose. Having a failover LAN is incredible useful.

Now, I'm not after a full Xfinity line for that - I am petty enough against Xfinity, that if I must give them money, then it will be as little as possible. Well, a normal Xfinity plan is $50 a month. They offer hotspot access at $10 a month.

So, the reasoning goes, that for only $10 extra a month, I can have a “redundant” network, where I can use OpenWRT's MultiWan support to have two simultaneous uplinks. One via the modem (primary), and a higher weight backup, that is the Xfinity hotspot.

NOTE - the $10 a month plan only gets you the open xfinitywifi, you'll need a full plan to use the “secure” network.
Thankfully, asking a friend is free, and even cheaper than $10

Now to get to my real point, they only offer this “secure” hotspot on mobile, where they just install the cert and it magically works, but that's hard to use.

BUT, they have a website to use it on Mac's, where it downloads a .mobileconfig.

So, the link to go to is https://www.xfinity.com/support/articles/wifi-for-mac

HOWEVER, if you open this on Linux, you'll get an error.

Instead, you need to:

Pick a user agent spoofer plugin on your choice.

Then set it to be MacOS on Safari.

Now you should be able to login and download the profile

If you're with a friend's login, this is all you'll need from them.

So turns out this mobile config is just XML.

And you can get all the details you need!

Its:

• WPA2 Enterprise
• TTLS outer
• PAP inner
• You get the outer ID, and the user/pass of the inner.

Note! Get your username and password from the mobile config. These are NOT your xfinity credentials!!

There are unique username and passwords for your devices on the wifi!

Easy right? Well if you enter these details on the NetworkManager UI in KDE at least, you'll start getting errors.

It took me several attempts of following journalctl -f and dmesg -w to figure out what's happening.

And it comes down to two lines. I thought I had issues with the domain and such, and tried to get the certs, yada yada.

Still would not connect.

Turns out, you need to pay attention to the TLS min and maximum in that mobile config…

But there's no spot for it in the KDE NetworkManager UI.

Instead, you need to pop up nmtui:

Now, you can see the “expert TLS options”.

Set it following the mobile config.

Just make sure you reenable rejoining so when you get deauthed, it rejoins.

The secure network appears to be speed capped at 30 Mbit down, 6 Mbit up, so they allow faster for burst traffic under 1 MB, as measured in Palo Alto on June 18th.

The open network appears to be capped to 60 Mbit down, 6 Mbit up as measured on May 1st in Palo Also, but it's possible it has also been reduced.