Configuring PEAP w/ ndiswrapper

Rocci rocci at rocknetworks.net.au
Fri Sep 3 00:08:55 EDT 2004


Richard Laager wrote:

>My university uses 802.11x authentication with PEAP and MSCHAP (v2, I
>assume). The ESSID on the access points is the same across the
>university, and the access points broadcast the ESSID. IP addresses are
>handed out via DHCP. I'm using ndiswrapper with the bcmwl5a driver.
>
>I can connect to unsecured access points with no trouble. I've tried a
>number of configurations of Xsupplicant and wpa_supplicant with no luck.
>wpa_supplicant at least mentions ndiswrapper in the documentation, so I
>think it's my best shot at this point.
>
>The authentication credentials are simply my username and password.
>There are no client certificates used. I do not currently have the
>server certificate. I may be able to get the server certificate if it's
>required, but I'd prefer not to have to hassle the network
>administrators: Non-Windows configurations are allowed, but unsupported.
>
>My current wpa_supplicant configuration (for wpa_supplicant 0.2.4) is as
>follows:
>
>ctrl_interface=/var/run/wpa_supplicant
>ctrl_interface_group=wheel
>network={
>        ssid="UMC"
>        scan_ssid=0
>        key_mgmt=IEEE8021X
>        eap=PEAP
>        identity="laag0007 at umcrookston.edu"
>        password="my_password_goes_here"
>        ca_cert="/etc/cert/ca.pem"
>        eapol_flags=3
>        phase1="peaplabel=0"
>        phase2="auth=MSCHAPV2"
>}
>
>If I run the following command:
>wpa_supplicant -iwlan0 -c /etc/wpa_supplicant.conf -d
>
>I get the following debug output. The authentication appears to timeout
>and loop over and over until I hit Ctrl-C. I've let it loop once here
>before stopping it.
>
>Configuration file '/etc/wpa_supplicant.conf' ->
>'/etc/wpa_supplicant.conf'
>Reading configuration file '/etc/wpa_supplicant.conf'
>ctrl_interface='/var/run/wpa_supplicant'
>ctrl_interface_group=10 (from group name 'wheel')
>Priority group 0
>   id=0 ssid='UMC'
>EAPOL: SUPP_PAE entering state DISCONNECTED
>EAPOL: KEY_RX entering state NO_KEY_RECEIVE
>EAPOL: SUPP_BE entering state INITIALIZE
>EAP: EAP entering state DISABLED
>EAPOL: External notification - portEnabled=0
>EAPOL: External notification - portValid=0
>Setting scan request: 0 sec 100000 usec
>Starting AP scan (broadcast SSID)
>Scan timeout - try to get results
>Received 148 bytes of scan results (1 BSSes)
>Scan results: 1
>Selecting BSS from priority group 0
>0: 00:0b:5f:7c:1e:c5 ssid='UMC' wpa_ie_len=0 rsn_ie_len=0
>   skip - no WPA/RSN IE
>   selected non-WPA AP 00:0b:5f:7c:1e:c5 ssid='UMC'
>Trying to associate with 00:0b:5f:7c:1e:c5 (SSID='UMC' freq=2452 MHz)
>Cancelling scan request
>Setting authentication timeout: 5 sec 0 usec
>EAPOL: External notification - portControl=Auto
>Authentication with 00:00:00:00:00:00 timed out.
>Setting scan request: 0 sec 0 usec
>Starting AP scan (broadcast SSID)
>Scan timeout - try to get results
>Received 148 bytes of scan results (1 BSSes)
>Scan results: 1
>Selecting BSS from priority group 0
>0: 00:0b:5f:7c:1e:c5 ssid='UMC' wpa_ie_len=0 rsn_ie_len=0
>   skip - no WPA/RSN IE
>   selected non-WPA AP 00:0b:5f:7c:1e:c5 ssid='UMC'
>Trying to associate with 00:0b:5f:7c:1e:c5 (SSID='UMC' freq=2452 MHz)
>Cancelling scan request
>Setting authentication timeout: 5 sec 0 usec
>EAPOL: External notification - portControl=Auto
>Signal 2 received - terminating
>EAPOL: External notification - portEnabled=0
>EAPOL: External notification - portValid=0
>
>Is there a step-by-step guide to getting 802.11x authentication working
>in such a configuration? If not, can anyone point to my mistakes?
>
>I'm a very experience Linux administrator, but I'm a total newbie when
>it comes to configuring wireless authentication. If I've omitted any
>important information, please let me know.
>
>Thanks,
>Richard Laager
>
>  
>
>------------------------------------------------------------------------
>
>_______________________________________________
>HostAP mailing list
>HostAP at shmoo.com
>http://lists.shmoo.com/mailman/listinfo/hostap
>  
>
Hi,
I realise that this is a late response to your question but I've had the 
same problem and only recently managed to resolve it.
I am using wpa_supplicant with mad_wifi (Atheros chip driver) which 
works perfectly fine.
I too can access my university's wireless access points but the problem 
I have is obtaining the ca certificate.
My uni also uses TKIP+PEAP+MSCHAPv2 and login with user/password network 
access.
My uni IT services division does not support Linux :( ,only MacOS & 
Windose, so here's what I did:
I used a windows XP PC to access the network and obtain the ca 
certificate. Then I copied the windows ca certificate onto my linux 
partition.
Then converted that certificate using openssl and put it in the right 
place as per the wpa_supplicant.conf file. On windows the certificaate 
is a .cer file and I converted it to a .pem file as follows:

openssl x509 -inform der -in university_certificate.cer -out 
university_certificate.pem

Then edited the line in the config file for wpa_supplicant as: 
ca_cert="/etc/cert/university_certificate.pem"
And I managed to authenticate via wpa successfully and then restarted my 
network interface to pick up an IP from DHCP and yeeehaaaaaa I am now on 
the network at Uni.

Hope this helps :)

- Rocci



More information about the HostAP mailing list