Configuring PEAP w/ ndiswrapper

Donald Teed dteed
Fri Sep 3 03:06:07 PDT 2004


One difference is that Richard is using a different wireless
device - the broadcom based one.

Some Mac users on our campus found it was possible to get
wpa_supplicant working with TTLS rather than PEAP - and thus I discovered
we do not only work with PEAP.  I've tried TTLS as well,
with a certificate (PEAP doesn't require a certificate,
but TTLS does - as I've been told) and still the broadcom
will not work with a broadcasting SSID and ndiswrapper .10.

Broadcom is said to work, but I've yet to hear of my
specific device (truemobile 1350) being reported a success
with wpa_supplicant.  Based on how we have seen a world
of difference in ndiswrapper stability between the
truemobile 1300 and 1350, I'm ready to assume that we can't 
just say "broadcom works" because the same brand and series
chipset was a success for someone else.  I don't think
anyone has had a success in wpa_supplicant with any
broadcom mini-PCI component (please correct me if I'm wrong).

The way I obtained the CA Certificate is to visit the
web server on the AD server.  I think the default is
http://yourservername/certsrv
It allows you to download a number of certificate related files.

--Donald Teed


On Fri, 3 Sep 2004, Rocci wrote:

> Richard Laager wrote:
>
>> My university uses 802.11x authentication with PEAP and MSCHAP (v2, I
>> assume). The ESSID on the access points is the same across the
>> university, and the access points broadcast the ESSID. IP addresses are
>> handed out via DHCP. I'm using ndiswrapper with the bcmwl5a driver.
>> 
>> I can connect to unsecured access points with no trouble. I've tried a
>> number of configurations of Xsupplicant and wpa_supplicant with no luck.
>> wpa_supplicant at least mentions ndiswrapper in the documentation, so I
>> think it's my best shot at this point.
>> 
>> The authentication credentials are simply my username and password.
>> There are no client certificates used. I do not currently have the
>> server certificate. I may be able to get the server certificate if it's
>> required, but I'd prefer not to have to hassle the network
>> administrators: Non-Windows configurations are allowed, but unsupported.
>> 
>> My current wpa_supplicant configuration (for wpa_supplicant 0.2.4) is as
>> follows:
>> 
>> ctrl_interface=/var/run/wpa_supplicant
>> ctrl_interface_group=wheel
>> network={
>> ssid="UMC"
>> scan_ssid=0
>> key_mgmt=IEEE8021X
>> eap=PEAP
>> identity="laag0007 at umcrookston.edu"
>> password="my_password_goes_here"
>> ca_cert="/etc/cert/ca.pem"
>> eapol_flags=3
>> phase1="peaplabel=0"
>> phase2="auth=MSCHAPV2"
>> }
>> 
>> If I run the following command:
>> wpa_supplicant -iwlan0 -c /etc/wpa_supplicant.conf -d
>> 
>> I get the following debug output. The authentication appears to timeout
>> and loop over and over until I hit Ctrl-C. I've let it loop once here
>> before stopping it.
>> 
>> Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
>> Reading configuration file '/etc/wpa_supplicant.conf'
>> ctrl_interface='/var/run/wpa_supplicant'
>> ctrl_interface_group=10 (from group name 'wheel')
>> Priority group 0
>>   id=0 ssid='UMC'
>> EAPOL: SUPP_PAE entering state DISCONNECTED
>> EAPOL: KEY_RX entering state NO_KEY_RECEIVE
>> EAPOL: SUPP_BE entering state INITIALIZE
>> EAP: EAP entering state DISABLED
>> EAPOL: External notification - portEnabled=0
>> EAPOL: External notification - portValid=0
>> Setting scan request: 0 sec 100000 usec
>> Starting AP scan (broadcast SSID)
>> Scan timeout - try to get results
>> Received 148 bytes of scan results (1 BSSes)
>> Scan results: 1
>> Selecting BSS from priority group 0
>> 0: 00:0b:5f:7c:1e:c5 ssid='UMC' wpa_ie_len=0 rsn_ie_len=0
>> skip - no WPA/RSN IE
>> selected non-WPA AP 00:0b:5f:7c:1e:c5 ssid='UMC'
>> Trying to associate with 00:0b:5f:7c:1e:c5 (SSID='UMC' freq=2452 MHz)
>> Cancelling scan request
>> Setting authentication timeout: 5 sec 0 usec
>> EAPOL: External notification - portControl=Auto
>> Authentication with 00:00:00:00:00:00 timed out.
>> Setting scan request: 0 sec 0 usec
>> Starting AP scan (broadcast SSID)
>> Scan timeout - try to get results
>> Received 148 bytes of scan results (1 BSSes)
>> Scan results: 1
>> Selecting BSS from priority group 0
>> 0: 00:0b:5f:7c:1e:c5 ssid='UMC' wpa_ie_len=0 rsn_ie_len=0
>> skip - no WPA/RSN IE
>> selected non-WPA AP 00:0b:5f:7c:1e:c5 ssid='UMC'
>> Trying to associate with 00:0b:5f:7c:1e:c5 (SSID='UMC' freq=2452 MHz)
>> Cancelling scan request
>> Setting authentication timeout: 5 sec 0 usec
>> EAPOL: External notification - portControl=Auto
>> Signal 2 received - terminating
>> EAPOL: External notification - portEnabled=0
>> EAPOL: External notification - portValid=0
>> 
>> Is there a step-by-step guide to getting 802.11x authentication working
>> in such a configuration? If not, can anyone point to my mistakes?
>> 
>> I'm a very experienced Linux administrator, but I'm a total newbie when
>> it comes to configuring wireless authentication. If I've omitted any
>> important information, please let me know.
>> 
>> Thanks,
>> Richard Laager
>> 
>> 
>> 
>> ------------------------------------------------------------------------
>> 
>> _______________________________________________
>> HostAP mailing list
>> HostAP at shmoo.com
>> http://lists.shmoo.com/mailman/listinfo/hostap
>> 
>> 
> Hi,
> I realise that this is a late response to your question but I've had the same 
> problem and only recently managed to resolve it.
> I am using wpa_supplicant with mad_wifi (Atheros chip driver) which works 
> perfectly fine.
> I too can access my university's wireless access points but the problem I 
> have is obtaining the ca certificate.
> My uni also uses TKIP+PEAP+MSCHAPv2 and login with user/password network 
> access.
> My uni IT services division does not support Linux :(, only MacOS & Windose, 
> so here's what I did:
> I used a windows XP PC to access the network and obtain the ca certificate. 
> Then I copied the windows ca certificate onto my linux partition.
> Then converted that certificate using openssl and put it in the right place 
> as per the wpa_supplicant.conf file. On windows the certificate is a .cer 
> file and I converted it to a .pem file as follows:
>
> openssl x509 -inform der -in university_certificate.cer -out university_certificate.pem
>
> Then edited the line in the config file for wpa_supplicant as: 
> ca_cert="/etc/cert/university_certificate.pem"
> And I managed to authenticate via wpa successfully and then restarted my 
> network interface to pick up an IP from DHCP and yeeehaaaaaa I am now on the 
> network at Uni.
>
> Hope this helps :)
>
> - Rocci
>
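
Added example (not part of either original message, and not wpa_supplicant project code): a small triage script for `wpa_supplicant -d` output like the log quoted above, reporting whether an attempt stalled at scan, association or EAP. The embedded sample is condensed from that log; treating a timeout that names the all-zero BSSID as "the driver never reported an association" is this example's assumption.

```python
import re

# Constructed sample: lines condensed from the wpa_supplicant -d output quoted above.
SAMPLE_LOG = """\
EAP: EAP entering state DISABLED
Starting AP scan (broadcast SSID)
0: 00:0b:5f:7c:1e:c5 ssid='UMC' wpa_ie_len=0 rsn_ie_len=0
selected non-WPA AP 00:0b:5f:7c:1e:c5 ssid='UMC'
Trying to associate with 00:0b:5f:7c:1e:c5 (SSID='UMC' freq=2452 MHz)
Authentication with 00:00:00:00:00:00 timed out.
Trying to associate with 00:0b:5f:7c:1e:c5 (SSID='UMC' freq=2452 MHz)
Signal 2 received - terminating
"""

ZERO_BSSID = "00:00:00:00:00:00"  # assumption: means no association was reported


def triage(log_text):
    """Summarise how far the connection attempts in a debug log got."""
    r = {"wpa_or_rsn_ie": False, "assoc_attempts": 0,
         "timeouts_unassociated": 0, "eap_states": []}
    for raw in log_text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw)  # tolerate e-mail quote markers
        m = re.search(r"wpa_ie_len=(\d+) rsn_ie_len=(\d+)", line)
        if m and (int(m.group(1)) or int(m.group(2))):
            r["wpa_or_rsn_ie"] = True  # AP advertises WPA or RSN
        if line.startswith("Trying to associate with"):
            r["assoc_attempts"] += 1
        m = re.match(r"Authentication with ([0-9a-f:]{17}) timed out", line)
        if m and m.group(1) == ZERO_BSSID:
            r["timeouts_unassociated"] += 1
        m = re.match(r"EAP: EAP entering state (\w+)", line)
        if m:
            r["eap_states"].append(m.group(1))
    # EAP counts as started only once the state machine leaves DISABLED.
    eap_started = any(s != "DISABLED" for s in r["eap_states"])
    if eap_started:
        r["stalled_at"] = "eap"
    elif r["assoc_attempts"]:
        r["stalled_at"] = "association"
    else:
        r["stalled_at"] = "scan"
    return r


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample this reports `stalled_at` as `association` with EAP never leaving DISABLED, so the PEAP exchange that would use `ca_cert` was not reached in that run.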



