EAP-FAST authentication on a university campus

Stephen Bosch posting at vodacomm.ca
Fri Apr 15 08:11:06 EDT 2011


Hi everyone --

my university recently switched to EAP-FAST authentication. Support
for Linux users is non-existent.

I am using wicd with wpa_supplicant, and I can't get this to work. I
have tried a few manual configurations, but without success. I can't
make heads or tails out of the debug output, but I will try to post
the relevant stuff here.

The institution provides the following configuration information and
instructions to users:

802.11b, 802.11g or 802.11n
Infrastructure AP
SSID
WPA2 Enterprise authentication
Encryption: AES (I assume that this is CCMP)
Network authentication: PEAP
No certificate verification
Authentication method: EAP-MSCHAPv2
Use Windows Domain user id and password

A colleague's Mac has the following schemes enabled for his connection
(which is working):

PEAP
TTLS
EAP-FAST
WPA2 Enterprise

When I configure wicd to use EAP-FAST, it generates this configuration file:

> ap_scan=1
> ctrl_interface=/var/run/wpa_supplicant
> network={
>        ssid="HAB"
>        scan_ssid=1
>        proto=RSN WPA
>        pairwise=CCMP TKIP
>        group=CCMP TKIP
>        key-mgmt=WPA-EAP
>        eap=FAST
>        identity="<windows_userid>"
>        password="<windows_password>"
>        phase1="fast_provisioning=1"
> }

but when I call this manually with wpa_supplicant, like so:

> wpa_supplicant -i eth2 -c /var/lib/wicd/configurations/00263e072100 -D wext -d

I get this output:

> Initializing interface 'eth2' conf '/var/lib/wicd/configurations/00263e072100' driver 'wext' ctrl_interface 'N/A' bridge 'N/A'
> Configuration file '/var/lib/wicd/configurations/00263e072100' -> '/var/lib/wicd/configurations/00263e072100'
> Reading configuration file '/var/lib/wicd/configurations/00263e072100'
> ap_scan=1
> ctrl_interface='/var/run/wpa_supplicant'
> Line 9: unknown network field 'key-mgmt'.
> Line 15: WPA-PSK accepted for key management, but no PSK configured.
> Line 15: failed to parse network block.
> Failed to read or parse configuration '/var/lib/wicd/configurations/00263e072100'.
> Failed to add interface eth2
> Cancelling scan request
> Cancelling authentication timeout

(I recognize that some of the warning messages are for parameters that
only wicd cares about.)

I've tried other variations, such as:

> ap_scan=1
> ctrl_interface=/var/run/wpa_supplicant
> network={
>        ssid="HAB"
>        scan_ssid=1
>        proto=RSN
>        key_mgmt=WPA-EAP
>        pairwise=CCMP
>        group=CCMP
>        eap=PEAP
>        identity="<windows_userid>"
>        password="<windows_password>"
>        phase1="fast_provisioning=1"
>        phase2="auth=MSCHAPV2"
> }

It actually attempts a connection then, but still fails:

> Initializing interface 'eth2' conf '/var/lib/wicd/configurations/00263e072100' driver 'wext' ctrl_interface 'N/A' bridge 'N/A'
> Configuration file '/var/lib/wicd/configurations/00263e072100' -> '/var/lib/wicd/configurations/00263e072100'
> Reading configuration file '/var/lib/wicd/configurations/00263e072100'
> ap_scan=1
> ctrl_interface='/var/run/wpa_supplicant'
> Priority group 0
>   id=0 ssid='HAB'
> WEXT: cfg80211-based driver detected
> SIOCGIWRANGE: WE(compiled)=22 WE(source)=18 enc_capa=0xf
>  capabilities: key_mgmt 0xf enc 0xf flags 0x0
> netlink: Operstate: linkmode=1, operstate=5
> Own MAC address: 00:13:ce:cc:3c:ae
> wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
> wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
> wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
> wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
> wpa_driver_wext_set_countermeasures
> RSN: flushing PMKID list in the driver
> Setting scan request: 0 sec 100000 usec
> WPS: UUID based on MAC address - hexdump(len=16): 0d ef 31 fb df 60 5f ba b9 36 73 db d4 e0 13 14
> EAPOL: SUPP_PAE entering state DISCONNECTED
> EAPOL: Supplicant port status: Unauthorized
> EAPOL: KEY_RX entering state NO_KEY_RECEIVE
> EAPOL: SUPP_BE entering state INITIALIZE
> EAP: EAP entering state DISABLED
> EAPOL: Supplicant port status: Unauthorized
> EAPOL: Supplicant port status: Unauthorized
> Added interface eth2
> RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
> RTM_NEWLINK, IFLA_IFNAME: Interface 'eth2' added
> RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
> RTM_NEWLINK, IFLA_IFNAME: Interface 'eth2' added
> Wireless event: cmd=0x8b06 len=8
> RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
> RTM_NEWLINK, IFLA_IFNAME: Interface 'eth2' added
> Wireless event: cmd=0x8b1a len=8
> State: DISCONNECTED -> SCANNING
> Scan SSID - hexdump_ascii(len=3):
>     48 41 42                                          HAB
> Starting AP scan for specific SSID(s)
> Scan requested (ret=0) - scan timeout 5 seconds
> RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
> RTM_NEWLINK, IFLA_IFNAME: Interface 'eth2' added
> Wireless event: cmd=0x8b19 len=8
> Received 2531 bytes of scan results (11 BSSes)
> BSS: Start scan result update 1
> BSS: Add new id 0 BSSID 00:26:3e:07:21:00 SSID 'HAB'
> BSS: Add new id 1 BSSID 00:26:3e:12:f1:00 SSID 'HAB'
> BSS: Add new id 2 BSSID 00:26:3e:51:0b:c0 SSID 'HAB'
> BSS: Add new id 3 BSSID 00:1d:19:34:aa:a3 SSID 'WLAN-34AA22'
> BSS: Add new id 4 BSSID 1a:0c:72:18:b0:a6 SSID 'A9F1BDF1DAB1NVT4F4F59'
> BSS: Add new id 5 BSSID 00:26:3e:07:21:04 SSID 'gast'
> BSS: Add new id 6 BSSID 00:26:3e:07:21:02 SSID 'WLANRZ99'
> BSS: Add new id 7 BSSID 00:26:3e:12:f1:02 SSID 'WLANRZ99'
> BSS: Add new id 8 BSSID 00:26:3e:51:0b:c2 SSID 'WLANRZ99'
> BSS: Add new id 9 BSSID 00:26:3e:51:0b:c4 SSID 'gast'
> BSS: Add new id 10 BSSID 00:26:3e:12:f1:04 SSID 'gast'
> New scan results available
> Selecting BSS from priority group 0
> Try to find WPA-enabled AP
> 0: 00:26:3e:07:21:00 ssid='HAB' wpa_ie_len=0 rsn_ie_len=20 caps=0x11
>   selected based on RSN IE
>   selected WPA AP 00:26:3e:07:21:00 ssid='HAB'
> Trying to associate with 00:26:3e:07:21:00 (SSID='HAB' freq=2462 MHz)
> Cancelling scan request
> WPA: clearing own WPA/RSN IE
> Automatic auth_alg selection: 0x1
> RSN: using IEEE 802.11i/D9.0
> WPA: Selected cipher suites: group 16 pairwise 16 key_mgmt 1 proto 2
> WPA: clearing AP WPA IE
> WPA: set AP RSN IE - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00
> WPA: using GTK CCMP
> WPA: using PTK CCMP
> WPA: using KEY_MGMT 802.1X
> WPA: Set own WPA IE default - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00
> No keys have been configured - skip key clearing
> State: SCANNING -> ASSOCIATING
> wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
> netlink: Operstate: linkmode=-1, operstate=5
> wpa_driver_wext_associate
> wpa_driver_wext_set_drop_unencrypted
> wpa_driver_wext_set_psk
> Setting authentication timeout: 10 sec 0 usec
> EAPOL: External notification - EAP success=0
> EAPOL: Supplicant port status: Unauthorized
> EAPOL: External notification - EAP fail=0
> EAPOL: Supplicant port status: Unauthorized
> EAPOL: External notification - portControl=Auto
> EAPOL: Supplicant port status: Unauthorized
> RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
> RTM_NEWLINK, IFLA_IFNAME: Interface 'eth2' added
> Wireless event: cmd=0x8b1a len=8
> RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
> RTM_NEWLINK, IFLA_IFNAME: Interface 'eth2' added
> Wireless event: cmd=0x8b06 len=8
> RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
> RTM_NEWLINK, IFLA_IFNAME: Interface 'eth2' added
> Wireless event: cmd=0x8b04 len=12
> RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
> RTM_NEWLINK, IFLA_IFNAME: Interface 'eth2' added
> Wireless event: cmd=0x8b1a len=11
> RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
> RTM_NEWLINK, IFLA_IFNAME: Interface 'eth2' added
> Wireless event: cmd=0x8b15 len=20
> Wireless event: new AP: 00:00:00:00:00:00
> Disassociation notification
> Added BSSID 00:26:3e:07:21:00 into blacklist
> CTRL-EVENT-DISCONNECTED bssid=00:26:3e:07:21:00 reason=0
> Disconnect event - remove keys
> wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
> wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
> wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
> wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
> wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
> State: ASSOCIATING -> DISCONNECTED
> wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
> netlink: Operstate: linkmode=-1, operstate=5
> EAPOL: External notification - portEnabled=0
> EAPOL: Supplicant port status: Unauthorized
> EAPOL: External notification - portValid=0
> EAPOL: Supplicant port status: Unauthorized
> EAPOL: disable timer tick
> EAPOL: Supplicant port status: Unauthorized

The access point gives this information:

>       Cell 02 - Address: 00:26:3E:51:0B:C0
>                     ESSID:"HAB"
>                     Protocol:IEEE 802.11bg
>                     Mode:Master
>                     Frequency:2.437 GHz (Channel 6)
>                     Encryption key:on
>                     Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
>                               11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
>                               48 Mb/s; 54 Mb/s
>                     Quality=51/100  Signal level=-70 dBm
>                     IE: IEEE 802.11i/WPA2 Version 1
>                         Group Cipher : CCMP
>                         Pairwise Ciphers (1) : CCMP
>                         Authentication Suites (1) : 802.1x
>                     Extra: Last beacon: 10ms ago

I am stuck here, not least because I don't even understand what is
happening. What am I doing wrong?
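
Added example, not part of the original post and not wicd or wpa_supplicant code: a small checker for a wpa_supplicant network block that reports the misspelled `key-mgmt` field behind the "WPA-PSK accepted ... but no PSK configured" message and flags a PEAP/TTLS/TLS block with no `ca_cert`, which is what "No certificate verification" amounts to. The field list, the finding names and the `pac_file` check are assumptions of this example.

```python
import difflib
import re
# Subset of network-block fields used here (this example's assumption, not the full list).
KNOWN = {"ssid", "scan_ssid", "proto", "pairwise", "group", "key_mgmt", "eap",
         "identity", "anonymous_identity", "password", "phase1", "phase2",
         "ca_cert", "pac_file", "psk"}

# The wicd-generated block from the post, credentials left as placeholders.
WICD_CONF = """network={
    ssid="HAB"
    scan_ssid=1
    proto=RSN WPA
    pairwise=CCMP TKIP
    group=CCMP TKIP
    key-mgmt=WPA-EAP
    eap=FAST
    identity="<windows_userid>"
    password="<windows_password>"
    phase1="fast_provisioning=1"
}"""

def lint(conf):
    """Return finding codes for the first network={...} block in conf."""
    body = re.search(r"network=\{(.*?)\}", conf, re.S).group(1)
    fields, findings = {}, []
    for line in filter(None, map(str.strip, body.splitlines())):
        name, _, value = line.partition("=")
        if name in KNOWN:
            fields[name] = value.strip('"')
        else:
            hint = difflib.get_close_matches(name, sorted(KNOWN), n=1)
            findings.append(f"unknown-field:{name}->{hint[0] if hint else '?'}")
    # An unset key_mgmt defaults to "WPA-PSK IEEE8021X", so a misspelled
    # key_mgmt line leaves WPA-PSK enabled while no psk is configured.
    key_mgmt = fields.get("key_mgmt", "WPA-PSK IEEE8021X").split()
    if "WPA-PSK" in key_mgmt and "psk" not in fields:
        findings.append("wpa-psk-without-psk")
    eap = fields.get("eap", "").split()
    if {"PEAP", "TTLS", "TLS"} & set(eap) and "ca_cert" not in fields:
        # No trust anchor: the password is offered to any server that answers.
        findings.append("server-cert-not-validated")
    if "FAST" in eap and "pac_file" not in fields:
        findings.append("eap-fast-without-pac_file")
    if "fast_provisioning" in fields.get("phase1", "") and "FAST" not in eap:
        findings.append("fast_provisioning-without-eap-fast")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(WICD_CONF)))
```
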

