Trying to setup WPA2 EAP-TLS connection
Orion Poplawski
orion at nwra.com
Mon Jul 27 20:03:29 EDT 2020
I'm trying to set up a WPA2 EAP-TLS network with an OpenWrt AP and a Fedora
client.
OpenWRT config:
config wifi-iface 'wifinet2'
    option auth_server '10.20.0.10'
    option ssid 'NWRA-TLS'
    option device 'radio1'
    option auth_port '1812'
    option network 'lan'
    option nasid 'OpenWRT'
    option mode 'ap'
    option auth_secret SECRET
    option encryption 'wpa2'
ifcfg-NWRA-TLS:
ESSID=NWRA-TLS
MODE=Managed
KEY_MGMT=IEEE8021X
MAC_ADDRESS_RANDOMIZATION=never
TYPE=Wireless
IEEE_8021X_EAP_METHODS=TLS
IEEE_8021X_IDENTITY=host/HOSTNAM
IEEE_8021X_PRIVATE_KEY=/etc/pki/tls/private/HOSTNAME.key
IEEE_8021X_PRIVATE_KEY_PASSWORD_FLAGS=unused
IEEE_8021X_CLIENT_CERT=/etc/pki/tls/certs/HOSTNAME.crt
IEEE_8021X_CA_CERT=/etc/pki/ca-trust/source/anchors/CA.crt
PROXY_METHOD=auto
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME=NWRA-TLS
ONBOOT=yes
DHCP_CLIENT_ID=HOSTNAME
AUTOCONNECT_PRIORITY=1
ZONE=work
Connection fails - OpenWrt doesn't ever connect to the RADIUS server:
Syslog 136 DAEMON.INFO: Jul 27 23:31:59 OpenWrt hostapd: wlan1-1: STA
70:f1:a1:e7:53:59 IEEE 802.11: authenticated
Syslog 159 DAEMON.INFO: Jul 27 23:31:59 OpenWrt hostapd: wlan1-1: STA
70:f1:a1:e7:53:59 IEEE 802.11: No WPA/RSN IE in association request
wpa debug follows. What seems relevant is the key mgmt mismatch, but I
don't know what that means.
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: 8:
f6:f2:6d:c5:db:be ssid='NWRA-TLS' wpa_ie_len=0 rsn_ie_len=20 caps=0x431
level=-68 freq=2462
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: skip RSN
IE - key mgmt mismatch, IE: 0x1 ssid: 0x8
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: allow in
non-WPA/WPA2
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: selected
BSS f6:f2:6d:c5:db:be ssid='NWRA-TLS'
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Considering
connect request: reassociate: 0 selected: f6:f2:6d:c5:db:be bssid:
00:00:00:00:00:00 pending: 00:00:00:00:00:00 wpa_state: SCANNING
ssid=0x55d5167be630 current_ssid=0x55d5167be630
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Request
association with f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1:
Re-association to the same ESS
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: WMM AC: Save last
configured tspecs
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: No ongoing
scan/p2p-scan found to abort
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Add radio
work 'sme-connect'@0x55d5167c9440
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: First radio
work item in the queue - schedule start immediately
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: RSN: Ignored PMKID
candidate without preauth flag
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: dbus:
flush_object_timeout_handler: Timeout - sending changed properties of
object /fi/w1/wpa_supplicant1/Interfaces/0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: dbus:
org.freedesktop.DBus.Properties.GetAll
(/fi/w1/wpa_supplicant1/Interfaces/0/BSSs/69) [s]
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Starting
radio work 'sme-connect'@0x55d5167c9440 after 0.007299 second wait
Jul 27 16:32:02 HOSTNAME kernel: wlp8s0b1: RX AssocResp from
f6:f2:6d:c5:db:be (capab=0x431 status=40 aid=0)
Jul 27 16:32:02 HOSTNAME kernel: wlp8s0b1: f6:f2:6d:c5:db:be denied
association (code=40)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: WPA: clearing
own WPA/RSN IE
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Automatic
auth_alg selection: 0x1
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: WPA: clearing
AP WPA IE
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: WPA: clearing
AP RSN IE
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: WPA: clearing
own WPA/RSN IE
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: FT: Stored MDIE and
FTIE from (Re)Association Response - hexdump(len=0):
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: RRM: Determining
whether RRM can be used - device support: 0x10
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: RRM: No RRM in network
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: Added supported
operating classes IE - hexdump(len=4): 3b 02 51 51
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: EAPOL: External
notification - EAP success=0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: EAPOL: External
notification - EAP fail=0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: EAPOL: External
notification - portControl=Auto
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Cancelling
scan request
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: SME: Trying
to authenticate with f6:f2:6d:c5:db:be (SSID='NWRA-TLS' freq=2462 MHz)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: EAPOL: External
notification - portValid=0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: State:
SCANNING -> AUTHENTICATING
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Determining
shared radio frequencies (max len 1)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Shared
frequencies (len=0): completed iteration
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Authenticate
(ifindex=4)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: * bssid=f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: * freq=2462
Jul 27 16:32:02 HOSTNAME NetworkManager[1691]: <info> [1595892722.8182]
device (wlp8s0b1): supplicant interface state: scanning -> associating
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: * SSID=NWRA-TLS
Jul 27 16:32:02 HOSTNAME NetworkManager[1691]: <info> [1595892722.8205]
device (wlp8s0b1): supplicant interface state: associating -> disconnected
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: * IEs -
hexdump(len=0): [NULL]
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: * Auth Type 0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Authentication
request send successfully
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Event message
available
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Drv Event 19
(NL80211_CMD_NEW_STATION) received for wlp8s0b1
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: New station
f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Event message
available
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Drv Event 37
(NL80211_CMD_AUTHENTICATE) received for wlp8s0b1
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: MLME event 37
(NL80211_CMD_AUTHENTICATE) on wlp8s0b1(70:f1:a1:e7:53:59)
A1=70:f1:a1:e7:53:59 A2=f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: MLME event
frame - hexdump(len=30): b0 00 3a 01 70 f1 a1 e7 53 59 f6 f2 6d c5 db be
f6 f2 6d c5 db be d0 7f 00 00 02 00 00 00
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Authenticate event
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Event AUTH
(10) received
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: SME:
Authentication response: peer=f6:f2:6d:c5:db:be auth_type=0
auth_transaction=2 status_code=0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: SME: Authentication
response IEs - hexdump(len=0): [NULL]
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: SME: Association
Request IEs - hexdump(len=14): 7f 08 00 00 00 00 00 00 00 40 3b 02 51 51
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Trying to
associate with f6:f2:6d:c5:db:be (SSID='NWRA-TLS' freq=2462 MHz)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: State:
AUTHENTICATING -> ASSOCIATING
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Set wlp8s0b1
operstate 0->0 (DORMANT)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: netlink: Operstate:
ifindex=4 linkmode=-1 (no change), operstate=5 (IF_OPER_DORMANT)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: WPA: clearing
own WPA/RSN IE
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Associate
(ifindex=4)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: * bssid=f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: * freq=2462
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: * SSID=NWRA-TLS
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: * IEs -
hexdump(len=14): 7f 08 00 00 00 00 00 00 00 40 3b 02 51 51
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Association
request send successfully
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Event message
available
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Drv Event 20
(NL80211_CMD_DEL_STATION) received for wlp8s0b1
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Delete station
f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Event message
available
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Drv Event 38
(NL80211_CMD_ASSOCIATE) received for wlp8s0b1
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: MLME event 38
(NL80211_CMD_ASSOCIATE) on wlp8s0b1(70:f1:a1:e7:53:59)
A1=70:f1:a1:e7:53:59 A2=f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: MLME event
frame - hexdump(len=139): 10 00 3a 01 70 f1 a1 e7 53 59 f6 f2 6d c5 db
be f6 f2 6d c5 db be e0 7f 31 04 28 00 00 c0 01 08 82 84 8b 96 0c 12 18
24 32 04 30 48 60 6c 2d 1a ed 11 1b ff ff ff 00 00 00 00 00 00 00 00 00
01 00 00 00 00 00 00 00 00 00 00 3d 16 0b 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 7f 08 04 00 00 02 00 00 01 40 5a 03 24
01 00 dd 18 00 50 f2 02 01 01 80 00 03 a4 00 00 27 a4 00 00 42 43 5e 00
62 32 2f 00
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Associate event
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Event
ASSOC_REJECT (12) received
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1:
CTRL-EVENT-ASSOC-REJECT bssid=f6:f2:6d:c5:db:be status_code=40
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: SME:
Association with f6:f2:6d:c5:db:be failed: status code 40
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]:
wpa_driver_nl80211_deauthenticate(addr=f6:f2:6d:c5:db:be reason_code=3)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: nl80211: MLME
command failed: reason=3 ret=-107 (Transport endpoint is not connected)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: SME: Deauth
request to the driver failed
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Radio work
'sme-connect'@0x55d5167c9440 done in 0.018087 seconds
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1:
radio_work_free('sme-connect'@0x55d5167c9440): num_active_works --> 0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: Added BSSID
f6:f2:6d:c5:db:be into blacklist
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: Continuous association
failures - consider temporary network disabling
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1:
CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="NWRA-TLS" auth_failures=1
duration=10 reason=CONN_FAILED
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Blacklist
count 4 --> request scan in 5000 ms
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Setting scan
request: 5.000000 sec
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: State:
ASSOCIATING -> DISCONNECTED
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Set wlp8s0b1
operstate 0->0 (DORMANT)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: netlink: Operstate:
ifindex=4 linkmode=-1 (no change), operstate=5 (IF_OPER_DORMANT)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Event message
available
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Drv Event 46
(NL80211_CMD_CONNECT) received for wlp8s0b1
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Ignore connect
event (cmd=46) when using userspace SME
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: dbus:
flush_object_timeout_handler: Timeout - sending changed properties of
object /fi/w1/wpa_supplicant1/Interfaces/0
Thanks for any help,
Orion
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 https://www.nwra.com/
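An added example, not part of the original post and not code from the hostap project: a Python triage helper that rejoins the mail-wrapped log records and decodes the two bitmasks in the "key mgmt mismatch" line and the association status code. The bit names follow the WPA_KEY_MGMT_* definitions in wpa_supplicant's src/common/defs.h; the function names (unwrap, decode, triage) are hypothetical.

```python
import re

# WPA_KEY_MGMT_* bits from wpa_supplicant's src/common/defs.h, named by the
# key_mgmt keyword of wpa_supplicant.conf; higher bits are reported by value.
KEY_MGMT = {0x01: "WPA-EAP", 0x02: "WPA-PSK", 0x04: "NONE",
            0x08: "IEEE8021X (802.1X without WPA)", 0x10: "WPA-NONE"}
# IEEE 802.11 status codes an AP returns when it rejects the RSN parameters.
STATUS = {40: "invalid information element", 41: "invalid group cipher",
          42: "invalid pairwise cipher", 43: "invalid AKMP"}
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
MISMATCH = re.compile(r"skip (RSN|WPA) IE - key mgmt mismatch, "
                      r"IE: (0x[0-9a-f]+) ssid: (0x[0-9a-f]+)")
REJECT = re.compile(r"CTRL-EVENT-ASSOC-REJECT bssid=(\S+) status_code=(\d+)")

def unwrap(text):
    """Rejoin syslog records that the mail client wrapped across lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def decode(mask):
    """Name every bit set in a key-management bitmask."""
    return [KEY_MGMT.get(1 << i, f"bit {1 << i:#x}")
            for i in range(mask.bit_length()) if mask >> i & 1]

def triage(text):
    """Return (kind, detail) findings for mismatch and reject records."""
    out = []
    for rec in unwrap(text):
        if m := MISMATCH.search(rec):
            ap, cfg = int(m[2], 16), int(m[3], 16)
            out.append(("key_mgmt", {"ap": decode(ap), "profile": decode(cfg),
                                     "overlap": decode(ap & cfg)}))
        elif m := REJECT.search(rec):
            out.append(("reject", {"bssid": m[1], "code": int(m[2]),
                                   "meaning": STATUS.get(int(m[2]), "unlisted")}))
    return out

# Records copied from the post's log, wrapped as they appear in the mail.
SAMPLE = """\
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: skip RSN
IE - key mgmt mismatch, IE: 0x1 ssid: 0x8
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1:
CTRL-EVENT-ASSOC-REJECT bssid=f6:f2:6d:c5:db:be status_code=40
"""
```

Running triage(SAMPLE) shows the AP's RSN IE offering WPA-EAP (0x1) while the client profile allows only 802.1X without WPA (0x8), so the overlap is empty. Status code 40 decodes to an invalid information element.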