EAP-FAST authentication on a university campus

Dan Williams dcbw at redhat.com
Fri Apr 15 13:58:09 EDT 2011


On Fri, 2011-04-15 at 19:02 +0200, Stephen wrote:
> On 15.04.2011 17:09, Jouni Malinen wrote:
> > On Fri, Apr 15, 2011 at 02:11:06PM +0200, Stephen Bosch wrote:
> >> my university recently switched to EAP-FAST authentication. Support
> >> for Linux users is non-existent.
> > 
> >> The institution provides the following configuration information and
> >> instructions to users:
> >>
> >> WPA2 Enterprise authentication
> >> Encryption: AES (I assume that this is CCMP)
> >> Network authentication: PEAP
> > 
> > That PEAP is in conflict with the switch to EAP-FAST.. Anyway, the logs
> > you showed did not get as far as even starting EAP, so this would not
> > have changed them.
> 
> So, it's not an EAP-FAST network, then? I just assumed it was, since it
> doesn't seem to require a certificate.
> 
> >>> ap_scan=1
> >>> ctrl_interface=/var/run/wpa_supplicant
> >>> network={
> >>>        ssid="HAB"
> >>>        scan_ssid=1
> >>>        proto=RSN WPA
> >>>        pairwise=CCMP TKIP
> >>>        group=CCMP TKIP
> >>>        key-mgmt=WPA-EAP
> > 
> > That "key-mgmt" should be "key_mgmt".
> 
> The wicd project seems to be stagnating :(
> 
> (Can you suggest a good alternative?)
> 
> >>> ap_scan=1
> >>> ctrl_interface=/var/run/wpa_supplicant
> >>> network={
> >>>        ssid="HAB"
> >>>        scan_ssid=1
> >>>        proto=RSN
> >>>        key_mgmt=WPA-EAP
> >>>        pairwise=CCMP
> >>>        group=CCMP
> >>>        eap=PEAP
> >>>        identity="<windows_userid>"
> >>>        password="<windows_password>"
> >>>        phase1="fast_provisioning=1"
> >>>        phase2="auth=MSCHAPV2"
> > 
> > This looks fine in general.
> > 
> >> It actually attempts a connection then, but still fails:
> > 
> >>> 0: 00:26:3e:07:21:00 ssid='HAB' wpa_ie_len=0 rsn_ie_len=20 caps=0x11
> >>>   selected based on RSN IE
> >>>   selected WPA AP 00:26:3e:07:21:00 ssid='HAB'
> >>> Trying to associate with 00:26:3e:07:21:00 (SSID='HAB' freq=2462 MHz)
> > 
> > wpa_supplicant asks the driver to associate with the AP, but the driver
> > does not seem to be able to do that. Which driver are you using?
> 
> I use the wireless extensions; the command line looks like this:
> 
> > wpa_supplicant -i eth2 -c /var/lib/wicd/configurations/00263e072100 -D wext -d
> 
> It's odd that it can't associate. The IT department runs a parallel
> wireless network, with which I have been able to associate -- although
> that network is unencrypted and unauthenticated. We did everything
> through a VPN before.
> 
> Should I be using a specific driver?
> 
> The adapter is an Intel 2915:
> 
> > 02:02.0 Network controller: Intel Corporation PRO/Wireless 2915ABG [Calexico2] Network Connection (rev 05)
> >         Subsystem: Intel Corporation Device 1012
> >         Kernel driver in use: ipw2200
> >         Kernel modules: ipw2200

Just a note that 2915 only supports WEXT and isn't maintained anymore;
but you could try enabling debug information from the driver.  You can
either user a modprobe file (/etc/modprobe.d/ or /etc/modprobe.conf into
which you put "options ipw2200 debug=0x4014FC6F") to get this on startup
or you can:

rmmod ipw2200
modprobe ipw2200 debug=0x4014FC6F

which enables a bunch of debugging printouts that will go to 'dmesg'.
That might help us figure out why the firmware isn't able to associate.

Dan




More information about the HostAP mailing list