wpa_supplicant: how do I know what I did wrong

trainee · 05-06-2009, 08:25 PM

Hi everybody,

I am trying to connect to the network at Purdue University using the instruction here

http://purduelug.org/?page_id=11

I follow section 4 of it:

I was able to use wpa_cli list_networks to see the network, but unable to connect to the network.

I don't know where things go wrong.

Can you guys give me a clue or at least show me which log files should I look at to find out what went wrong?

Thank you.

2Gnu · 05-06-2009, 11:10 PM

Run the wpa_supplicant daemon in the foreground (no -B option), with increased verbosity (-dd). Example:

wpa_supplicant -w -dd -c/etc/wpa_supplicant.conf -Dwext -iwlan0

Then, sit back and watch the fun. The messages may appear to be cryptic, but read them carefully or post here and hopefully we can help you.

onebuck · 05-07-2009, 07:09 AM

Hi,

I would suggest that you look at 'Configuring your network in Slackware'. Great wiki by Alien_Bob.

This link and others are available from 'Slackware-Links'. More than just Slackware® links!

trainee · 05-07-2009, 10:27 AM

Thank you, guys. I'll try these advices and report the progress.

Ilgar · 05-07-2009, 12:18 PM

You can also use wicd from the extra/ directory (of the Slack installation CD, or find a copy in the mirrors). It's a GUI tool to setup you wireless connection.

onebuck · 05-07-2009, 05:26 PM

Hi,

'wicd' is referenced in the link that I provided in the above post. Alien_Bob has covered network setups to the 'T'. Great Wiki!

trainee · 05-08-2009, 08:54 AM

I tried the wikie of Alien_Bob. But I stuck. Here are some of the outcome.

this is my rc.inet1.conf

Quote:

IFNAME[1]="eth1"
IPADDR[1]=""
NETMASK[1]=""
USE_DHCP[1]="yes"
DHCP_HOSTNAME[1]=""
WLAN_WPA[1]="wpa_supplicant"
WLAN_WPADRIVER[1]="wext"
WLAN_ESSID[1]="PAL2.0"
WLAN_WPAWAIT[1]=30

this is my wpa_supplicant.conf

Quote:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1

network={
ssid="PAL2.0"
scan_ssid=1
proto=WPA RSN
key_mgmt=WPA-EAP
eap=PEAP
identity="username"
password="pass"
ca_cert="/etc/ssl/certs/ca-certificates.crt"
phase1="peaplabel=1"
phase2="auth=MSCHAPV2"
}

this is the outcome of some command I typed

Quote:

root@darkstar:/etc/rc.d# wpa_cli status
Selected interface 'eth1'
bssid=00:07:85:b3:4f:63
ssid=PAL2.0
id=0
pairwise_cipher=TKIP
group_cipher=TKIP
key_mgmt=WPA/IEEE 802.1X/EAP
wpa_state=ASSOCIATED
Supplicant PAE state=CONNECTING
suppPortStatus=Unauthorized
EAP state=IDLE
root@darkstar:/etc/rc.d# iwconfig
lo no wireless extensions.

eth1 IEEE 802.11b ESSID:"PAL2.0" Nickname:"darkstar"
Mode:Managed Frequency:2.462 GHz Access Point: 00:07:85:B3:4F:63
Bit Rate:11 Mb/s Tx-Power=20 dBm Sensitivity=8/0
Retry limit:7 RTS thr

ff Fragment thr

ff
Encryption key

ff
Power Management

ff
Link Quality=62/100 Signal level=-63 dBm Noise level=-86 dBm
Rx invalid nwid:0 Rx invalid crypt:3 Rx invalid frag:0
Tx excessive retries:55 Invalid misc:626 Missed beacon:3

eth0 no wireless extensions.

root@darkstar:/etc/rc.d# wpa_cli list_networks
Selected interface 'eth1'
network id / ssid / bssid / flags
0 PAL2.0 any [CURRENT]

It seems like I was able to connect to the network, but it refused to give me anything else. (No domain name resolve).

Do you have any idea what I should do next?

(I haven't tried the Wicd because I want to to it by these configuration files to find out how it work and things like that.

Thank you for all your help and relies.

trainee · 05-08-2009, 09:23 AM

Another thing,

when I run the command

/etc/rc.d/rc.inet1 stop
/etc/rc.d/rc.inet1 start

I get the outcome

Quote:

./rc.inet1 eth1 information "Any ESSID"
Polling for DHCP server on interface eth1
No carrier detected on eth1. Reducing DHCP timeout to 10 seconds.
dhcpcd: MAC address = 00:12:f0:a7:05:68

janhe · 05-09-2009, 04:23 PM

This is what happens now:

It seems to me like there's a problem when wpa_supplicant tries to login on the network.

This setup requires that you provide a username and password before you get a encryption key (but you already knew that)
Something goes wrong when wpa_supplicant tries to do that.

After failing to get a wireless connection, the slackware scripts try to get an IP by running dhcpcd, just in case the carrier detection is wrong. Since there really isn't a link, you cannot get an IP.

--

The difficult part is that the encryption key for the network has to be obtained after a login. Most WPA encrypted networks work with a passphrase, and either you have configured the right passphrase, or not.

If you want to find out what goes wrong, take 2Gnu's suggestion. Kill the wpa_supplicant that is running after bootup, and execute the wpa_supplicant command that 2Gnu gave in his post above.

You should be able to kill wpa_supplicant with this command:

Code:

wpa_cli terminate

Also, make sure the interface is up before running the wpa_supplicant command yourself:

Code:

ifconfig eth1 up

good luck and please post back if and how you get it running

edit: if the wpa_supplicant command is successfull, go to another console and run the following command, after that you should be able to connect to the internet (at least until reboot):

Code:

dhcpcd eth1

trainee · 05-09-2009, 04:41 PM

Thank you. I'll try that.

trainee · 05-10-2009, 09:23 AM

I tried WiCD and failed (mysteriously, and I don't know why)

I ran the command

wpa_supplicant -i eth1 -D wext -c /etc/ssl/certs/ca.crt

and here is the outcome I got

Quote:

Trying to associate with 00:07:85:b3:4f:63 (SSID='PAL2.0' freq=2462 MHz)
Associated with 00:07:85:b3:4f:63
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
TLS: Certificate verification failed, error 2 (unable to get issuer certificate) depth 1 for '/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
Trying to associate with 00:07:85:b3:4f:63 (SSID='PAL2.0' freq=2462 MHz)
Associated with 00:07:85:b3:4f:63
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

Does this mean I got the wrong certificate? (I copy and paste it as-is from the website I mentioned above.
Is there any "special" thing about those certificate, or is there any thing else I can do here?

Thank you for your advice so far.

Alien Bob · 05-10-2009, 10:17 AM

Quote:

Originally Posted by trainee

I ran the command

wpa_supplicant -i eth1 -D wext -c /etc/ssl/certs/ca.crt

For sure, this is a wrong command. The "-c" option for wpa_supplicant should point to a wpa_supplicant.conf, not to a SSL certificate file.

Quote:

Does this mean I got the wrong certificate? (I copy and paste it as-is from the website I mentioned above.
Is there any "special" thing about those certificate, or is there any thing else I can do here?

You should save the certificate from that site to a new file, any name will be fine (for instance, save it as ~/ThawteCA.pem). This should be it's content:

Code:

And your wpa_supplicant.conf file should have that filename in the line starting with "ca_cert=".

I also see that that website lists

Code:

phase1="peaplabel=0"

while your own wpa_supplicant.conf has the value "1" there.

Eric

trainee · 05-10-2009, 10:25 AM

For sure, Alien_Bob, you pointed out my mistake.

I used the right command which was

wpa_supplicant -i eth1 -D wext -c /etc/wpa_supplicant.conf

(I only posted it here wrong)

About the certificate, I did copy and pasted that exact part and saved it as /etc/ssl/certs/ca.crt

the line ca_cert in the file wpa_supplicant.conf did point to that file

trainee · 05-10-2009, 10:44 AM

And now, I am running into another problem.
There are two networks available as I can see, one is "PAL2.0", the other is "erdos". And even though I want to connect to PAL2.0, whenever I run the command

Quote:

wpa_supplicant -i eth1 -D wext -c /etc/wpa_supplicant.conf

It keep doing:

Quote:

Trying to associate with .... (SSID='erdos' freq=2347 MHz)

I fired up another one, use wpa_cli select_network to try to connect to the right one. But no luck. It kicked me out of the wpa_supplicant when I tried doing so.

(And before I ran the wpa_supplicant command, I did run

Quote:

iwconfig eth1 essid PAL2.0

)
What should I do?

PS: After a few more tries, it stopped kicking me out, but the problem remained the same.

By the suggestion of Alien_bob, I also tried "peaplable=1" and "peaplabel=0"
They both gave the same result.

I do suspect about the certificate, by reading through the instruction at purduelug.org, it seems to me that this is something I can acquire independently with the network administration. Do you know anywhere else where I can get it?

Thank you.

janhe · 05-11-2009, 04:47 PM

The first error that appears in the output from wpa_supplicant you posted is: (when you ran wpa_supplicant yourself on the command line, without the "-B" option)

Quote:

TLS: Certificate verification failed, error 2 (unable to get issuer certificate) depth 1 for '/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server

I've looked at the certificate that is mentioned on the website, and that Alien_Bob posted. It is expired since 2004.

I've found the instructions for setting up Windows XP, and it seems the needed certificate is a root certificate that is widely distributed.

I've found a certificate with the same name as the expired one (and the name mentioned in the XP howto) on my slackware 12.2 + KDE4 installation. It is located in the file /usr/share/apps/kssl/ca-bundle.crt The name is Thawte Premium Server CA.

If you have KDE installed, look if you have the certificate bundle. Try to list that as your "ca_cert=" entry in wpa_supplicant.conf