With this setup, wpa_supplicant automatically changes network when needed. Moreover, the network can be changed in userspace and new networks can be added. All withouth the bloat of NetworkManager and ModemManager.
/etc/network/interfaces needs for direct use with a wpa_supplicant daemon. This is done by setting the wireless network as follows.
allow-hotplug wlp2s0 iface wlp2s0 inet manual wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
This basically means that a wpa_supplicant will be watching the networks specified in the config and switch when in range. Note that the iface is set to manual and not dhcp. This means that below those lines you can configure your networks from the config manually. So say that you have a network in the wpa_supplicant.conf with id_str="work"" that needs to be configured with dhcp, you add the following lines:
iface work inet dhcp
Setting id_strs for all networks is tedious so to create a default setting you can use the default network name to for example set all wifi networks to dhcp.
iface default inet dhcp
The config file for wpa_supplicant should at least contain the following lines. The interface line defines the control socket and states that all users in the netdev group may control wpa_supplicant. The update_config line states that the config file may be updated, thus having persistent changes. Users you allow changing the config therefore have to be added to netdev.
interface=DIR=/run/wpa_supplicant GROUP=netdev update_config=1
Followed are all the network configurations. For these configuration consult the manpage for wpa_supplicant. E.g. for WPA2 networks you can use the wpa_passphrase tool. For eduroam, don't handcraft configs either, use the configuration assistant. This tool will generate a wpa_supplicant.conf if it fails to talk to networkmanager.
Editing the config file is tedious and error prone. Moreover, it requires a restart of wpa_supplicant to reinistate the config. Luckily there are two tools that allow you to do this in-place using either the command line (wpa_cli is not discussed here) and via a GUI(wpa_gui). If your user is a member of the netdev group you can just start it up. Note that it resides by default in /usr/sbin. wpa_gui is a graphical frontend where you can add, remove, diagnose and change wireless networks with almost as much functionality as wpa_cli.
Eduroam gives a nice configuration assistant tools nowadays that will generate a wpa_supplicant.conf entry for you. Previously you could hash your password using md4 but I haven't tested whether this still works.
The tool worked before™ but not anymore on my debian testing version. Therefore I've pasted my config here for later reference. You get the ca_cert from the assistant tool. I might upload that here as well.
network={
ssid="eduroam"
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
auth_alg=OPEN
eap=PEAP
identity="YOURUSERNAME@ru.nl"
anonymous_identity="anonymous@ru.nl"
password="YOURPASSWORD"
# ca_cert="/home/frobnicator/.cat_installer/ca.pem"
domain_suffix_match="authenticatie.ru.nl"
phase2="auth=MSCHAPV2"
}
The new version of openssl disables everything lower than TLSv1.2. If you see errors in /var/log/syslog about TLS you have to allow lower version TLS versions by changing the last two lines in /etc/ssl/openssl.cnf to:
MinProtocol = TLSv1.0 CipherString = DEFAULT@SECLEVEL=1
When you have an ethernet jack as well in your laptop you might be tempted to put this in your /etc/network/interfaces as well
auto enp0s31f6 iface enp0s31f6 inet dhcp
However, this results in your machine eagerly waiting for a connection at boot because a connected ethernet jack means a connected card, and the card is always connected in a laptop. ifupdown-extra contains scripts to fix this. Just link /etc/network/if-up.d/00check-network-cable to /etc/network/if-pre-up.d/00check-network-cable and be good to go. If your system has predictable network names you might need to apply this patch first