EAP-TLS connection rejected by server: "no such user", client says association timed out
haircut at gmail.com
Sun Jun 18 23:04:07 PDT 2017
I'm having trouble completing an enterprise wireless connection. The
RADIUS server log contains error codes indicating "no such user". I've
got a few snippets of information about what is appearing in the RADIUS
server logs from the enterprise wifi admin:
"Use Windows authentication for all users" (this phrase shows up
verbatim in the logs)
"4136,3,4142,8" indicates rejection reason is "no such user".
The client is a 64-bit Ubuntu 14.04.4 LTS server with the wpasupplicant
package version 2.1-0ubuntu1 installed. I also tried an Ubuntu 16.04 LTS
desktop with a more recent wpasupplicant package (2.4 if I recall
correctly) but it had the same "no such user" problem server-side. There
are many Windows clients that are able to connect to the network without
problems. Client side I see many kernel messages like these (ap MAC
[ 4569.552056] wlan1: send auth to 00:00:00:00:00:00 (try 1/3)
[ 4569.553037] wlan1: authenticated
[ 4569.553824] wlan1: associate with 00:00:00:00:00:00 (try 1/3)
[ 4569.757832] wlan1: associate with 00:00:00:00:00:00 (try 2/3)
[ 4569.961813] wlan1: associate with 00:00:00:00:00:00 (try 3/3)
[ 4570.165774] wlan1: association with 00:00:00:00:00:00 timed out
Here's the /etc/wpa_supplicant.conf file I'm trying (latest version --
I've tried many different configurations):
Does that config file look more or less reasonable?
Given the "no such user" error, should I suspect an invalid setting for
the "identity" config option? Does it look more or less sane, or should
it perhaps be something more like "BLAH\ubuntu.guest.domain.name"?
Sorry, I don't have much experience with Windows, but I recall names
looking more like that on Windows networks.
I created the files in /opt/wifi/ by extracting them with openssl from a
".pfx" file the admin provided.
I'll confirm with the enterprise wifi admin tomorrow, but I think what
they gave me in that file is:
1. private key (they provided the password separately)
2. client cert
3. intermediate cert
4. root cert
As for the files mentioned in my wpa_supplicant.conf:
* /opt/wifi/root.crt contains the root cert
* /opt/wifi/client.pem contains the client cert
* /opt/wifi/encrypted.key contains the private key
* I wasn't sure what to do with the intermediate cert
Should I work in the intermediate cert somewhere? Where? How do I verify
I did so properly?
Before I sent this mail I searched the mailing lists a bunch with
queries like this:
site:lists.infradead.org inurl:hostap wpa_supplicant.conf eap tls cert
but I [clearly] haven't found the solution yet.
More information about the Hostap