EAP-FAST authentication on a university campus
Dan Williams
dcbw
Fri Apr 15 10:58:09 PDT 2011
On Fri, 2011-04-15 at 19:02 +0200, Stephen wrote:
> On 15.04.2011 17:09, Jouni Malinen wrote:
> > On Fri, Apr 15, 2011 at 02:11:06PM +0200, Stephen Bosch wrote:
> >> my university recently switched to EAP-FAST authentication. Support
> >> for Linux users is non-existent.
> >
> >> The institution provides the following configuration information and
> >> instructions to users:
> >>
> >> WPA2 Enterprise authentication
> >> Encryption: AES (I assume that this is CCMP)
> >> Network authentication: PEAP
> >
> > That PEAP is in conflict with the switch to EAP-FAST.. Anyway, the logs
> > you showed did not get as far as even starting EAP, so this would not
> > have changed them.
>
> So, it's not an EAP-FAST network, then? I just assumed it was, since it
> doesn't seem to require a certificate.
>
> >>> ap_scan=1
> >>> ctrl_interface=/var/run/wpa_supplicant
> >>> network={
> >>> ssid="HAB"
> >>> scan_ssid=1
> >>> proto=RSN WPA
> >>> pairwise=CCMP TKIP
> >>> group=CCMP TKIP
> >>> key-mgmt=WPA-EAP
> >
> > That "key-mgmt" should be "key_mgmt".
>
> The wicd project seems to be stagnating :(
>
> (Can you suggest a good alternative?)
>
> >>> ap_scan=1
> >>> ctrl_interface=/var/run/wpa_supplicant
> >>> network={
> >>> ssid="HAB"
> >>> scan_ssid=1
> >>> proto=RSN
> >>> key_mgmt=WPA-EAP
> >>> pairwise=CCMP
> >>> group=CCMP
> >>> eap=PEAP
> >>> identity="<windows_userid>"
> >>> password="<windows_password>"
> >>> phase1="fast_provisioning=1"
> >>> phase2="auth=MSCHAPV2"
> >
> > This looks fine in general.
> >
> >> It actually attempts a connection then, but still fails:
> >
> >>> 0: 00:26:3e:07:21:00 ssid='HAB' wpa_ie_len=0 rsn_ie_len=20 caps=0x11
> >>> selected based on RSN IE
> >>> selected WPA AP 00:26:3e:07:21:00 ssid='HAB'
> >>> Trying to associate with 00:26:3e:07:21:00 (SSID='HAB' freq=2462 MHz)
> >
> > wpa_supplicant asks the driver to associate with the AP, but the driver
> > does not seem to be able to do that. Which driver are you using?
>
> I use the wireless extensions; the command line looks like this:
>
> > wpa_supplicant -i eth2 -c /var/lib/wicd/configurations/00263e072100 -D wext -d
>
> It's odd that it can't associate. The IT department runs a parallel
> wireless network, with which I have been able to associate -- although
> that network is unencrypted and unauthenticated. We did everything
> through a VPN before.
>
> Should I be using a specific driver?
>
> The adapter is an Intel 2915:
>
> > 02:02.0 Network controller: Intel Corporation PRO/Wireless 2915ABG [Calexico2] Network Connection (rev 05)
> > Subsystem: Intel Corporation Device 1012
> > Kernel driver in use: ipw2200
> > Kernel modules: ipw2200
Just a note that 2915 only supports WEXT and isn't maintained anymore;
but you could try enabling debug information from the driver. You can
either use a modprobe file (/etc/modprobe.d/ or /etc/modprobe.conf, into
which you put "options ipw2200 debug=0x4014FC6F") to get this on startup
or you can:

    rmmod ipw2200
    modprobe ipw2200 debug=0x4014FC6F

which enables a bunch of debugging printouts that will go to 'dmesg'.
That might help us figure out why the firmware isn't able to associate.

Dan
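
Added example, not part of the original thread and not code from wpa_supplicant or wicd: a small lint pass over the two network blocks quoted above. It flags the "key-mgmt" typo, the EAP-FAST-only phase1 option used with eap=PEAP, and a PEAP block with no ca_cert. The function names, the key allow-list and the ca_cert check are this example's assumptions; ca_cert is a wpa_supplicant option the thread never mentions.

```python
import re

# Network-block keys used in the thread, plus ca_cert (a wpa_supplicant option
# the thread never mentions; including it here is this example's assumption).
KNOWN_KEYS = {"ssid", "scan_ssid", "proto", "key_mgmt", "pairwise", "group",
              "eap", "identity", "password", "phase1", "phase2", "ca_cert"}

def parse_network(conf):
    """Return {key: value} for the first network={...} block in conf."""
    block = re.search(r"network=\{(.*?)\}", conf, re.S)
    fields = {}
    for line in (block.group(1).splitlines() if block else []):
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    return fields

def lint(conf):
    """Return a list of human-readable findings for one network block."""
    net, findings = parse_network(conf), []
    for key in net:
        if key not in KNOWN_KEYS:
            fixed = key.replace("-", "_")
            hint = f" (did you mean '{fixed}'?)" if fixed in KNOWN_KEYS else ""
            findings.append(f"unknown key '{key}'{hint}")
    methods = net.get("eap", "").split()
    if "fast_provisioning" in net.get("phase1", "") and "FAST" not in methods:
        findings.append("phase1 fast_provisioning is an EAP-FAST option, "
                        "but eap= does not list FAST")
    if {"PEAP", "TTLS"} & set(methods) and "ca_cert" not in net:
        findings.append("no ca_cert: the server certificate is not validated")
    return findings

# Constructed inputs: abridged copies of the two network blocks quoted in the
# thread (the first is cut off in the quote, so it is closed after key-mgmt).
FIRST = '''network={
ssid="HAB"
key-mgmt=WPA-EAP
}'''
SECOND = '''network={
key_mgmt=WPA-EAP
eap=PEAP
phase1="fast_provisioning=1"
phase2="auth=MSCHAPV2"
}'''

if __name__ == "__main__":
    for conf in (FIRST, SECOND):
        print(lint(conf))
```

Without ca_cert, wpa_supplicant does not verify the authentication server's certificate, so the MSCHAPv2 exchange inside the PEAP tunnel can be terminated by any access point advertising the same SSID.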