LinuxQuestions.org - Setting up WPA-Supplicant and PEAP,MSCHAPV2

- Linux - Wireless Networking (https://www.linuxquestions.org/questions/linux-wireless-networking-41/)

- - Setting up WPA-Supplicant and PEAP,MSCHAPV2 (https://www.linuxquestions.org/questions/linux-wireless-networking-41/setting-up-wpa-supplicant-and-peap-mschapv2-487231/)

Setting up WPA-Supplicant and PEAP,MSCHAPV2

I am trying to connect my Fedora 5 laptop to a W2K RADIUS server using PEAP, MSCHAPSv2. My window machines are fine but trying to connect my fedora laptop has been a nightmare! It is not getting a certificate from the Certificate Authority from the W2K box. I am using an older Cisco 1200 (Aironet 802.11b AP as my authenticator))Do I need something else?

Here is my wpa_supplicant.conf:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0

network={
ssid="SSID"
bssid=XX.XX.XX.XX.XX.XX
scan_ssid=1
key_mgmt=WPA-EAP IEEE8021X
eap=PEAP
auth_alg=OPEN
phase1="peaplabel=1"
phase2="auth=MSCHAPV2"
identity="username"
password="password"
ca_cert="192.168.4.3" -------ACCESSPOINT
}

Here is error log running a -dd option:

Initializing interface 'ath0' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'madwifi' ctrl_interface 'N/A'
Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' -> '/etc/wpa_supplicant/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group=0
Line: 33 - start of a new network block
ssid - hexdump_ascii(len=3):
5a 4f 52 ZOR
BSSID - hexdump(len=6): 00 12 17 34 60 e1
key_mgmt: 0x9
eap methods - hexdump(len=2): 19 00
auth_alg: 0x1
pairwise: 0x18
identity - hexdump_ascii(len=7):
64 61 62 65 61 73 74 dabeast
password - hexdump_ascii(len=14): [REMOVED]
ca_cert - hexdump_ascii(len=11):
31 39 32 2e 31 36 38 2e 34 2e 33 192.168.4.3
phase1 - hexdump_ascii(len=11):
70 65 61 70 6c 61 62 65 6c 3d 31 peaplabel=1
phase2 - hexdump_ascii(len=13):
61 75 74 68 3d 4d 53 43 48 41 50 76 32 auth=MSCHAPv2
Priority group 0
id=0 ssid='ZOR'
Initializing interface (2) 'ath0'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
SIOCGIWRANGE: WE(compiled)=19 WE(source)=13 enc_capa=0xf
capabilities: key_mgmt 0xf enc 0xf
Own MAC address: 00:0f:b5:ae:a1:17
wpa_driver_madwifi_del_key: keyidx=0
wpa_driver_madwifi_del_key: keyidx=1
wpa_driver_madwifi_del_key: keyidx=2
wpa_driver_madwifi_del_key: keyidx=3
wpa_driver_madwifi_set_countermeasures: enabled=0
wpa_driver_madwifi_set_drop_unencrypted: enabled=1
Setting scan request: 0 sec 100000 usec
Added interface ath0
Wireless event: cmd=0x8b06 len=8
Ignore event for foreign ifindex 3
RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
Wireless event: cmd=0x8b15 len=20
Wireless event: new AP: 00:12:17:34:60:e1
State: DISCONNECTED -> ASSOCIATED
Associated to a new BSS: BSSID=00:12:17:34:60:e1
No keys have been configured - skip key clearing
No network configuration found for the current AP
State: ASSOCIATED -> DISCONNECTED
wpa_driver_madwifi_disassociate
No keys have been configured - skip key clearing
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
State: DISCONNECTED -> SCANNING
Starting AP scan (broadcast SSID)
Wireless event: cmd=0x8b1a len=8
Scan timeout - try to get results
Received 940 bytes of scan results (5 BSSes)
Scan results: 5
Selecting BSS from priority group 0
0: 00:12:0e:3d:07:9e ssid='Castedo' wpa_ie_len=0 rsn_ie_len=0 caps=0x11
skip - no WPA/RSN IE
1: 00:12:0e:40:37:6a ssid='06B407974762' wpa_ie_len=0 rsn_ie_len=0 caps=0x11
skip - no WPA/RSN IE
2: 00:12:17:34:60:e1 ssid='linksys' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
skip - no WPA/RSN IE
3: 00:07:50:d5:ac:3c ssid='' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
skip - no WPA/RSN IE
4: 00:13:46:c0:49:88 ssid='default' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
skip - no WPA/RSN IE
No suitable AP found.

Fedora and W2K server using PEAP(MSCHAPv2)

Can anyone tell me how I can connect Fedora 5 wireless laptop using MADWIFI drivers to a Microsoft W2K RADIUS server using PEAP-MSCHAPV2. My windows clients are fine it is just trying to connect the laptop to the RADIUS server using XSupplicant or WPA_Supplicant. I have made several post but there has not been one reply. It is that difficult?

I don't know if it is difficult or not, but it certainly isn't very common. I don't think you're being ignored, but I know I don't have any useful advice. You've obviously compiled it with the proper support turned on and seem to be starting it correctly. The only thing that jumps out at me is this:

Quote:

No network configuration found for the current AP

That might suggest you haven't gotten the config quite right, but I don't have any suggestions as to what to change. Just to rule out the screamingly obvious, does wpa_supplicant work with other access points? Also, have you tried posting to the mailing list at wpa_supplicant? They might have some more useful advice than I do.

I was doing some intense reading and wpa_supplicant says that under the

PHP Code:




ca_cert= /Path/To/ROOT_CA

section I need the MS ca_root file in PEM or DEM format. I was able to copy the Root CA from the MS Certificate Authority Server. I copied it as a example.cer file. Now how would I convert that file to a PER or DEM format?

I'm more than a little out of my depth here, but if this MacOX article is correct, it looks as if openSSL can do the conversion. However, this suggests that openSSL might not be able to use DER format, so you might need to use PEM.

This also looks to be a good guide to converting various formats.

it still does not authenticate. I am lost!

I guess the only thing I can think of is to check that wpa_supplicant works on a different network. If it can connect to a WEP network, or a less complex WPA config, at least you can rule out a problem with wpa_supplicant.

I suppose you could also try the wext driver in wpa_supplicant rather than madwifi. In theory, it should work with the madwifi drivers. Other than that, I'm at a loss I'm afraid.

I guess is safe to say that linux has a long way to go with wireless security. that is sad

You'll get no argument from me. In fact I would expand that a touch to say Linux has a long way to go with wireless. Given the prevalence of wireless, I would bet it is one of the single biggest obstacles to new user acceptance of Linux.

hangdog,

thanks alot for your help. Hey I am from Maryland too. Go Baltimore Ravens or Redskins. I like what you done to your site. The WPA section if you can add some PEAP,MSCHAPV2 to your example WPA_supplicant file. That is when you can actually connect to a Microsoft RADUIS server.

Wow. I've seen your postings around here and been really sad that I had no concrete advice, or even any clue whatsoever, to give. This one was so far above my pay scale it wasn't funny. And PLEASE do add this to the LQ Wiki or write a tutorial. This amount of suffering shouldn't go for naught.

I hopefully will bring relief to so many users out there that I have been struggle with this. How would I go about adding a wiki to this forum? thanks

There is a section on how to get started on the wiki here and it pretty much steps you through the process of adding information. I think the biggest problem with your will be how to classify it since it seems to be more of a Cisco issue than anything else. There is a big section on networking that covers a lot of topics, so probably somewhere in there.