EAP-FAST authentication on a university campus

[Dan Williams]

On Fri, 2011-04-15 at 12:58 -0500, Dan Williams wrote:
> On Fri, 2011-04-15 at 19:02 +0200, Stephen wrote:
> > On 15.04.2011 17:09, Jouni Malinen wrote:
> > > On Fri, Apr 15, 2011 at 02:11:06PM +0200, Stephen Bosch wrote:
> > >> my university recently switched to EAP-FAST authentication. Support
> > >> for Linux users is non-existent.
> > > 
> > >> The institution provides the following configuration information and
> > >> instructions to users:
> > >>
> > >> WPA2 Enterprise authentication
> > >> Encryption: AES (I assume that this is CCMP)
> > >> Network authentication: PEAP
> > > 
> > > That PEAP is in conflict with the switch to EAP-FAST.. Anyway, the logs
> > > you showed did not get as far as even starting EAP, so this would not
> > > have changed them.
> > 
> > So, it's not an EAP-FAST network, then? I just assumed it was, since it
> > doesn't seem to require a certificate.
> > 
> > >>> ap_scan=1
> > >>> ctrl_interface=/var/run/wpa_supplicant
> > >>> network={
> > >>>        ssid="HAB"
> > >>>        scan_ssid=1
> > >>>        proto=RSN WPA
> > >>>        pairwise=CCMP TKIP
> > >>>        group=CCMP TKIP
> > >>>        key-mgmt=WPA-EAP
> > > 
> > > That "key-mgmt" should be "key_mgmt".
> > 
> > The wicd project seems to be stagnating :(
> > 
> > (Can you suggest a good alternative?)
> > 
> > >>> ap_scan=1
> > >>> ctrl_interface=/var/run/wpa_supplicant
> > >>> network={
> > >>>        ssid="HAB"
> > >>>        scan_ssid=1
> > >>>        proto=RSN
> > >>>        key_mgmt=WPA-EAP
> > >>>        pairwise=CCMP
> > >>>        group=CCMP
> > >>>        eap=PEAP
> > >>>        identity="<windows_userid>"
> > >>>        password="<windows_password>"
> > >>>        phase1="fast_provisioning=1"
> > >>>        phase2="auth=MSCHAPV2"
> > > 
> > > This looks fine in general.
> > > 
> > >> It actually attempts a connection then, but still fails:
> > > 
> > >>> 0: 00:26:3e:07:21:00 ssid='HAB' wpa_ie_len=0 rsn_ie_len=20 caps=0x11
> > >>>   selected based on RSN IE
> > >>>   selected WPA AP 00:26:3e:07:21:00 ssid='HAB'
> > >>> Trying to associate with 00:26:3e:07:21:00 (SSID='HAB' freq=2462 MHz)
> > > 
> > > wpa_supplicant asks the driver to associate with the AP, but the driver
> > > does not seem to be able to do that. Which driver are you using?
> > 
> > I use the wireless extensions; the command line looks like this:
> > 
> > > wpa_supplicant -i eth2 -c /var/lib/wicd/configurations/00263e072100 -D wext -d
> > 
> > It's odd that it can't associate. The IT department runs a parallel
> > wireless network, with which I have been able to associate -- although
> > that network is unencrypted and unauthenticated. We did everything
> > through a VPN before.
> > 
> > Should I be using a specific driver?
> > 
> > The adapter is an Intel 2915:
> > 
> > > 02:02.0 Network controller: Intel Corporation PRO/Wireless 2915ABG [Calexico2] Network Connection (rev 05)
> > >         Subsystem: Intel Corporation Device 1012
> > >         Kernel driver in use: ipw2200
> > >         Kernel modules: ipw2200
> 
> Just a note that 2915 only supports WEXT and isn't maintained anymore;
> but you could try enabling debug information from the driver.  You can
> either user a modprobe file (/etc/modprobe.d/ or /etc/modprobe.conf into
> which you put "options ipw2200 debug=0x4014FC6F") to get this on startup
> or you can:
> 
> rmmod ipw2200
> modprobe ipw2200 debug=0x4014FC6F
> 
> which enables a bunch of debugging printouts that will go to 'dmesg'.
> That might help us figure out why the firmware isn't able to associate.

(for those that care, that debug option should be the combination of the
following...)

IPW_DL_ERROR | IPW_DL_WARNING | IPW_DL_INFO | IPW_DL_WX |
IPW_DL_HOST_COMMAND | IPW_DL_STATE | IPW_DL_NOTIF | IPW_DL_SCAN |
IPW_DL_ASSOC | IPW_DL_DROP | IPW_DL_IOCTL | IPW_DL_MANAGE |
IPW_DL_FW_ERRORS | IPW_DL_ORD | IPW_DL_MERGE

Dan