EAP-TLS connection rejected by server: "no such user", client says association timed out

Adam Monsen haircut at gmail.com
Sun Jun 18 23:04:07 PDT 2017


I'm having trouble completing an enterprise wireless connection. The
RADIUS server log contains error codes indicating "no such user". I've
got a few snippets of information about what is appearing in the RADIUS
server logs from the enterprise wifi admin:

  "Use Windows authentication for all users" (this phrase shows up
  verbatim in the logs)
  "4136,3,4142,8" indicates rejection reason is "no such user".
  Docs:
  https://technet.microsoft.com/en-us/library/dd197432(v=ws.10).aspx

The client is a 64-bit Ubuntu 14.04.4 LTS server with the wpasupplicant
package version 2.1-0ubuntu1 installed. I also tried an Ubuntu 16.04 LTS
desktop with a more recent wpasupplicant package (2.4 if I recall
correctly) but it had the same "no such user" problem server-side. There
are many Windows clients that are able to connect to the network without
problems. On the client side I see many kernel messages like these (AP MAC
redacted):

  [ 4569.552056] wlan1: send auth to 00:00:00:00:00:00 (try 1/3)
  [ 4569.553037] wlan1: authenticated
  [ 4569.553824] wlan1: associate with 00:00:00:00:00:00 (try 1/3)
  [ 4569.757832] wlan1: associate with 00:00:00:00:00:00 (try 2/3)
  [ 4569.961813] wlan1: associate with 00:00:00:00:00:00 (try 3/3)
  [ 4570.165774] wlan1: association with 00:00:00:00:00:00 timed out

Here's the /etc/wpa_supplicant.conf file I'm trying (latest version --
I've tried many different configurations):

  ctrl_interface=/var/run/wpa_supplicant
  network={
    ssid="THEIRSSID"
    scan_ssid=1
    key_mgmt=IEEE8021X
    eap=TLS
    identity="ubuntu.wifi.local.place"
    ca_cert="/opt/wifi/root.crt"
    client_cert="/opt/wifi/client.pem"
    private_key="/opt/wifi/encrypted.key"
    private_key_passwd="(REDACTED)"
    eapol_flags=3
  }

Does that config file look more or less reasonable?

Given the "no such user" error, should I suspect an invalid setting for
the "identity" config option? Does it look more or less sane, or should
it perhaps be something more like "BLAH\ubuntu.guest.domain.name"?
Sorry, I don't have much experience with Windows, but I recall names
looking more like that on Windows networks.

I created the files in /opt/wifi/ by extracting them with openssl from a
".pfx" file the admin provided.

I'll confirm with the enterprise wifi admin tomorrow, but I think what
they gave me in that file is:

1. private key (they provided the password separately)
2. client cert
3. intermediate cert
4. root cert

As for the files mentioned in my wpa_supplicant.conf:

* /opt/wifi/root.crt contains the root cert
* /opt/wifi/client.pem contains the client cert
* /opt/wifi/encrypted.key contains the private key
* I wasn't sure what to do with the intermediate cert

Should I work in the intermediate cert somewhere? Where? How do I verify
I did so properly?

Before I sent this mail I searched the mailing lists a bunch with
queries like this:

  site:lists.infradead.org inurl:hostap wpa_supplicant.conf eap tls cert

but I [clearly] haven't found the solution yet.

Thank you,
-Adam
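An added example (not from the original post, and not hostap project code) showing how to split the admin-supplied .pfx into the files the config above references and how to check the pieces fit together, which answers the "how do I verify I did so properly" part. It assumes the .pfx import password is known and that the root certificate has been saved separately as root.crt; all paths are placeholders.

```shell
#!/bin/sh
# Added example: unpack a PKCS#12 bundle and verify the resulting client
# certificate, private key and CA chain before pointing wpa_supplicant at them.
set -eu

# Extract the private key (kept encrypted, so private_key_passwd still
# applies), the client certificate, and every CA certificate in the bundle.
# $1 = pfx file, $2 = pfx import password, $3 = output directory (assumed)
extract_pfx() {
  pfx=$1; pass=$2; out=$3
  mkdir -p "$out"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts \
    -passout "pass:$pass" -out "$out/encrypted.key"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
    -out "$out/client.pem"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys \
    -out "$out/cacerts.pem"
}

# Check that the client certificate chains up to the root *through* the
# intermediate, which is what the RADIUS server has to do with it.
# $1 = trusted root cert, $2 = intermediate cert(s), $3 = client cert
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null
}

# Confirm the extracted key really belongs to the client certificate by
# comparing the public keys. $1 = client cert, $2 = key file, $3 = key password
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Print the names in the client certificate (subject and any subjectAltName):
# these are what the server has to map to an account, so compare them with
# the identity= value and with whatever the admin says the account is called.
cert_names() {
  openssl x509 -in "$1" -noout -subject
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}
```

cacerts.pem holds the intermediate and the root together; wpa_supplicant's ca_cert accepts a file containing more than one CA certificate, so it can be used there in place of root.crt. If verify_chain fails with only root.crt as the untrusted file but succeeds with cacerts.pem, the intermediate was indeed missing.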



More information about the Hostap mailing list