Experimenting with corporate wireless.

Hi,

I’m getting some training in network administration (meaning windows
mostly), and these days we are trying a corporate network Wi-Fi, meaning a
machine with windows server 2008 connected via ethernet to a linksys router
with wifi AP, and another machine running windows 7 as client to the domain.

The server has active directory, radius server, certificate server, network
policy and access services; more or less, we are following this paper:
<http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/>

So… the training is windows mostly (I did not succeed with the above, I’m
a Linux guy; but others in the room did, so we have some working setups).
And today I happened to read a post here where somebody said they managed
to get a similar situation working with a Linux client
<http://forums.opensuse.org/showthread.php?t=469463>, so I decided to
change the Win 7 client with an openSUSE 12.1 client, and I dedicated part
of the afternoon to install it on a spare partition we had left in
preparation (we also intend to play with Asterisk later on).

The Linux install managed to connect instantly to the wifi, when configured
as a plain standard wpa, both using ifup or network manager. But when we
tried the corporate setup, it failed.

NM did see the wifi connection, and it detected the parameters as an
enterprise setup, the same as David described in his post:

Code:

Wireless Security: WPA and WPA2 Enterprise
Authentication: Protected EAP (PEAP) (or mschap something?)
Anonymous Identity: (blank)
Subject: <will be filled in automatically>
CA Certificate: certificado.cer
PEAP Version: Automatic
Inner Authentication: MSCHAPv2
Username: bob
Password: foobar
[ ] Ask for password every time
[x] Show password

First I tried without certificate (you can say “ignore” to the warning),
but no go. Then I tried with certificate, but we weren’t sure how to
extract the certificate from the windows server.

What I see in the messages log and the Netmanager log is that the wifi
“associates”, whatever that means. But after… dunno, 1/2 minute the popup
returns asking to verify the settings and password. Nothing in the log
about this. And in the Windows server we were not capable of finding an
appropriate “event”, which is their type of logs. I did not know about the
wpa_supplicant.log, I’ll look at it tomorrow.

I also do not know if I have to join the Linux machine to the Windows
domain for this to work. I have never done this…

Ideas, anyone?

I can not provide logs nor command output, I’m at home now. Tomorrow
afternoon I’ll go back and can try again, and post any logs needed, but I
would like to have some extra ideas so that I can try again.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

The setup at Attachmate is a WPA2 Enterprise setup with PEAP and
MSCHAP2, and something else Version 0. Using the networking
configuration tools on my 12.1 KDE system (and previously on my 11.3 system,
though Gnome-based at the time) allows me to connect without
any issues; I never specify (just Ignore, as you stated) the
certificate. So far, all has been well enough.

Good luck.

On 02/17/2012 02:53 AM, Carlos E. R. wrote:
> Ideas, anyone?

so, you are having trouble connecting to a Microsoft Windows Server
2008…hmmmm…and, 2007/8 was about the time Novell and MS joined
forces to make sure such interoperability in the enterprise was more
than possible…so, i’d guess 15 minutes at either of the below should
be all that is needed to find the easy to follow step-by-step:

http://support.microsoft.com/search/?adv=1
http://www.novell.com/support/microsites/microsite.do


DD
Yes, i was trying to be a little funny…and, yes i know the quagmire
thrown up against interoperability is more than just a little sad.

On 2012-02-17 12:28, DenverD wrote:
> On 02/17/2012 02:53 AM, Carlos E. R. wrote:
>> Ideas, anyone?
>
> so, you are having trouble connecting to a Microsoft Windows Server
> 2008…hmmmm…and, 2007/8 was about the time Novell and MS joined forces
> to make sure such interoperability in the enterprise was more than
> possible…so, i’d guess 15 minutes at either of the below should be all
> that is needed to find the easy to follow step-by-step:
>
> http://support.microsoft.com/search/?adv=1
> http://www.novell.com/support/microsites/microsite.do

Ha, ha. :slight_smile:

Actually, I’m having trouble connecting to a wifi router with enterprise
setup, meaning it is asking a radius server for the login/pass pair, which
is different for each user instead of using the same auth for the
entire network. And the login/pass happen to be the same as for the windows
domain, and the radius server is done by windows.

It should work, but it doesn’t.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 2012-02-17 05:43, ab wrote:
> The setup at Attachmate is a WPA2 Enterprise setup with PEAP and
> MSCHAP2, and something else Version 0. Using the networking
> configuration tools on my 12.1 KDE system (and previously on my 11.3 system,
> though Gnome-based at the time) allows me to connect without
> any issues; I never specify (just Ignore, as you stated) the
> certificate. So far, all has been well enough.

So, it can work. I’ll try again. The thing is, I don’t know where to look
for clues why it does not work.

What I don’t know is if I also have to join the domain or not.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 02/17/2012 06:38 AM, Carlos E. R. wrote:
>
> Actually, I’m having trouble connecting to a wifi router with enterprise
> setup, meaning it is asking a radius server for the login/pass pair, which
> is different for each user instead of using the same auth for the
> entire network. And the login/pass happen to be the same as for the windows
> domain, and the radius server is done by windows.
>
> It should work, but it doesn’t.

To answer a question from your first post, connection to an encrypted AP
involves two steps. If active scanning is allowed, the station (client) sends a
probe request on all allowed channels (a scan). Each AP will respond with the
information that is seen in an ‘iwlist scan’ command. This is passed to
wpa_supplicant where the desired AP is selected (usually based on the ESSID) and
an association request is sent. The AP responds with an association
acknowledgment, and immediately starts the encryption handshaking. Only when the
secrets are obtained is the authentication phase complete and communication can
begin.

I cannot help much with the Windows radius server as I don’t have access to one,
but any radius server should conform to the standards, and you should not need
to connect to the Windows domain.

As you cannot find any logs on the Windows server, it is impossible to know what
the AP is actually doing to authenticate you. Can your network people provide a
machine that can capture the over-the-air packets between your box and the AP
using wireshark? I don’t recommend that you do this on your own - some corporate
policies expressly forbid this kind of snooping. The wireshark files will show
the actual data exchanged. Similarly, a tcpdump on the radius server will show
the traffic between the AP and the server when it is trying to authenticate you.
If your network admins/techs are good, they should be able to see what is wrong.

On Fri, 17 Feb 2012 01:53:06 +0000, Carlos E. R. wrote:

> The Linux install managed to connect instantly to the wifi, when
> configured as a plain standard wpa, both using ifup or network manager.
> But when we tried the corporate setup, it failed.

You need to know what your back end WiFi stuff requires. If it’s running
WPA, that’s fine, but if it’s running WPA Enterprise, it’s different.

> NM did see the wifi connection, and it detected the parameters as an
> enterprise setup, the same as David described in his post:
>
> Code:
> --------------------
> Wireless Security: WPA and WPA2 Enterprise Authentication: Protected
> EAP (PEAP) (or mschap something?) Anonymous Identity: (blank)
> Subject: <will be filled in automatically> CA Certificate:
> certificado.cer
> PEAP Version: Automatic
> Inner Authentication: MSCHAPv2
> Username: bob
> Password: foobar
> [ ] Ask for password every time
> [x] Show password
> --------------------

I guess that’s me. If you follow that thread to the end, you’ll see that
I got it working by changing to a newer version of Network Manager. Here,
changing “PEAP Version” to “0” works better than “Automatic”.

> First I tried without certificate (you can say “ignore” to the warning),
> but no go. Then I tried with certificate, but we weren’t sure how to
> extract the certificate from the windows server.

It’s whatever certificate your wireless access point configuration has
been told to use. You’d have to check with your vendor there to find out
where it is, and whether it’s required.

> What I see in the messages log and the Netmanager log is that the wifi
> “associates”, whatever that means.

It means that your wireless NIC has connected to the wireless access
point. It’s then going to begin negotiating the authentication to use
that access point.

> But after… dunno, 1/2 minute the
> popup returns asking to verify the settings and password. Nothing in the
> log about this.

That’s kinda like the symptoms I was getting, but that was with OpenSuSE
11.4 and the stock Network Manager. With OpenSuSE 12.1, it worked fine.

> And in the Windows server we were not capable of finding
> an appropriate “event”, which is their type of logs.

Can’t help you there. Whatever you’re using to manage authentication to
your wireless network should be where you look.

> I also do not know if I have to join the Linux machine to the Windows
> domain for this to work. I have never done this…

No, you do not.

David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.

On 02/17/2012 03:32 PM, Larry Finger wrote:

> On 02/17/2012 06:38 AM, Carlos E. R. wrote:

> To answer a question from your first post, connection to an encrypted AP
> involves two steps. If active scanning is allowed, the station (client)
> sends a probe request on all allowed channels (a scan). Each AP will
> respond with the information that is seen in an ‘iwlist scan’ command.
> This is passed to wpa_supplicant where the desired AP is selected
> (usually based on the ESSID) and an association request is sent. The AP
> responds with an association acknowledgment, and immediately starts the
> encryption handshaking. Only when the secrets are obtained is the
> authentication phase complete and communication can begin.

Right… so far so good, it happens. In the
“/var/log/wpa_supplicant.log” I see:


> Trying to authenticate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
> Trying to associate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
> Associated with 00:23:69:28:bc:6a
> CTRL-EVENT-EAP-STARTED EAP authentication started
> CTRL-EVENT-EAP-STARTED EAP authentication started
> CTRL-EVENT-EAP-STARTED EAP authentication started
> CTRL-EVENT-DISCONNECTED bssid=00:00:00:00:00:00 reason=3
> Trying to authenticate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
> Trying to associate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
> Associated with 00:23:69:28:bc:6a
> CTRL-EVENT-EAP-STARTED EAP authentication started
> CTRL-EVENT-EAP-STARTED EAP authentication started
> CTRL-EVENT-DISCONNECTED bssid=00:23:69:28:bc:6a reason=4
> Trying to authenticate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
> Trying to associate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
> Associated with 00:23:69:28:bc:6a

Right now I’m trying to google that “reason=4” message. Instead, I find
a musical group so named. One entry mentioned that reason four is
“Disassociated due to inactivity”. Huh?

And the “/var/log/NetworkManager” said, for one of the many attempts:


> Feb 16 20:18:21 linux NetworkManager[1118]: <info> Config: added 'ssid' value 'WIFI-Tux'
> Feb 16 20:18:21 linux NetworkManager[1118]: <info> Config: added 'key_mgmt' value 'WPA-EAP'
> Feb 16 20:18:21 linux NetworkManager[1118]: <info> Config: added 'eap' value 'TTLS PEAP TLS'
> Feb 16 20:18:21 linux NetworkManager[1118]: <info> Config: added 'identity' value ' '
> Feb 16 20:18:21 linux NetworkManager[1118]: <info> Config: added 'ca_cert' value 'probe://'
> Feb 16 20:18:21 linux NetworkManager[1118]: <info> (wlan0): supplicant interface state: associated -> disconnected
> Feb 16 20:18:21 linux NetworkManager[1118]: <info> Config: set interface ap_scan to 1
> Feb 16 20:18:21 linux NetworkManager[1118]: <info> (wlan0): supplicant interface state: disconnected -> scanning
> Feb 16 20:18:22 linux NetworkManager[1118]: <info> (wlan0): supplicant interface state: scanning -> authenticating
> Feb 16 20:18:22 linux NetworkManager[1118]: <info> (wlan0): supplicant interface state: authenticating -> associating
> Feb 16 20:18:22 linux NetworkManager[1118]: <info> (wlan0): supplicant interface state: associating -> associated
> Feb 16 20:18:52 linux NetworkManager[1118]: <info> (wlan0): supplicant interface state: associated -> disconnected
> Feb 16 20:18:52 linux NetworkManager[1118]: <info> (wlan0): supplicant interface state: disconnected -> scanning

> I cannot help much with the Windows radius server as I don’t have access
> to one, but any radius server should conform to the standards, and you
> should not need to connect to the Windows domain.

So we thought.

> As you cannot find any logs on the Windows server, it is impossible to
> know what the AP is actually doing to authenticate you.

We have access to it, but we simply do not know how to find the radius
logs. In windows parlance, they are named “events”, but there are
hundreds on many different clickable places, so we don’t know where to look.

> Can your network
> people provide a machine that can capture the over-the-air packets
> between your box and the AP using wireshark?

We are the network people, in training. We can do anything we want :wink:

> The wireshark files will show the actual data exchanged.

On wlan? Mmm, interesting, I’ll see if we can try.

> Similarly, a tcpdump on the radius server will show the traffic between
> the AP and the server when it is trying to authenticate you. If your
> network admins/techs are good, they should be able to see what is wrong.

That’s more difficult, we only have one linux machine, mine. We’ll need
a wireshark for windows.


Cheers / Saludos
Carlos E. R.

On 02/17/2012 09:39 AM, Carlos E. R. wrote:
> On 02/17/2012 03:32 PM, Larry Finger wrote:
>
>> On 02/17/2012 06:38 AM, Carlos E. R. wrote:
>
>> To answer a question from your first post, connection to an encrypted AP
>> involves two steps. If active scanning is allowed, the station (client)
>> sends a probe request on all allowed channels (a scan). Each AP will
>> respond with the information that is seen in an ‘iwlist scan’ command.
>> This is passed to wpa_supplicant where the desired AP is selected
>> (usually based on the ESSID) and an association request is sent. The AP
>> responds with an association acknowledgment, and immediately starts the
>> encryption handshaking. Only when the secrets are obtained is the
>> authentication phase complete and communication can begin.
>
> Right… so far so good, it happens. In the “/var/log/wpa_supplicant.log” I see:
>
>
>


>> Trying to authenticate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
>> Trying to associate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
>> Associated with 00:23:69:28:bc:6a
>> CTRL-EVENT-EAP-STARTED EAP authentication started
>> CTRL-EVENT-EAP-STARTED EAP authentication started
>> CTRL-EVENT-EAP-STARTED EAP authentication started
>> CTRL-EVENT-DISCONNECTED bssid=00:00:00:00:00:00 reason=3
>> Trying to authenticate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
>> Trying to associate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
>> Associated with 00:23:69:28:bc:6a
>> CTRL-EVENT-EAP-STARTED EAP authentication started
>> CTRL-EVENT-EAP-STARTED EAP authentication started
>> CTRL-EVENT-DISCONNECTED bssid=00:23:69:28:bc:6a reason=4
>> Trying to authenticate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
>> Trying to associate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
>> Associated with 00:23:69:28:bc:6a
>
> Right now I’m trying to google that “reason=4” message. Instead, I find a
> musical group so named. One entry mentioned that reason four is “Disassociated
> due to inactivity”. Huh?

For me, the source of meanings for the deauth/disassoc reasons is
Basic Choreography :: Chapter 4. WLAN Fundamentals :: Wireless lan security :: Networking :: eTutorials.org. Yes, reason 4 is due to inactivity.

> And the “/var/log/NetworkManager” said, for one of the many attempts:


>> Feb 16 20:18:21 linux NetworkManager[1118]: <info> Config: added 'ssid' value
>> 'WIFI-Tux'
>> Feb 16 20:18:21 linux NetworkManager[1118]: <info> Config: added 'key_mgmt'
>> value 'WPA-EAP'
>> Feb 16 20:18:21 linux NetworkManager[1118]: <info> Config: added 'eap' value
>> 'TTLS PEAP TLS'
>> Feb 16 20:18:21 linux NetworkManager[1118]: <info> Config: added 'identity'
>> value ' '
>> Feb 16 20:18:21 linux NetworkManager[1118]: <info> Config: added 'ca_cert'
>> value 'probe://'
>> Feb 16 20:18:21 linux NetworkManager[1118]: <info> (wlan0): supplicant
>> interface state: associated -> disconnected
>> Feb 16 20:18:21 linux NetworkManager[1118]: <info> Config: set interface
>> ap_scan to 1
>> Feb 16 20:18:21 linux NetworkManager[1118]: <info> (wlan0): supplicant
>> interface state: disconnected -> scanning
>> Feb 16 20:18:22 linux NetworkManager[1118]: <info> (wlan0): supplicant
>> interface state: scanning -> authenticating
>> Feb 16 20:18:22 linux NetworkManager[1118]: <info> (wlan0): supplicant
>> interface state: authenticating -> associating
>> Feb 16 20:18:22 linux NetworkManager[1118]: <info> (wlan0): supplicant
>> interface state: associating -> associated
>> Feb 16 20:18:52 linux NetworkManager[1118]: <info> (wlan0): supplicant
>> interface state: associated -> disconnected
>> Feb 16 20:18:52 linux NetworkManager[1118]: <info> (wlan0): supplicant
>> interface state: disconnected -> scanning
> 

I would be surprised if you were able to authenticate without the actual
certificate.

>> I cannot help much with the Windows radius server as I don’t have access
>> to one, but any radius server should conform to the standards, and you
>> should not need to connect to the Windows domain.
>
> So we thought.
>
>
>> As you cannot find any logs on the Windows server, it is impossible to
>> know what the AP is actually doing to authenticate you.
>
> We have access to it, but we simply do not know how to find the radius logs. In
> windows parlance, they are named “events”, but there are hundreds on many
> different clickable places, so we don’t know where to look.

OK, you don’t really have a network whiz. In
Configure Log File Properties | Microsoft Learn, you will find the
procedure for setting up logging of the Radius server.

>> Can your network
>> people provide a machine that can capture the over-the-air packets
>> between your box and the AP using wireshark?
>
> We are the network people, in training. We can do anything we want :wink:
>
>> The wireshark files will show the actual data exchanged.
>
> On wlan? Mmm, interesting, I’ll see if we can try.

Yes. These data files are a valuable resource. Yesterday I was troubleshooting
why the Realtek RTL8188CE card slows from 18 Mbps to 1 Mbps after a few seconds.
The wireshark output file was 6 MB, but it clearly shows that the AP needed to
retransmit every packet 3-4 times after the slowdown, but there were no
retransmits at 18 Mbps. Unfortunately, I don’t know why that happens - it even
happens for the Realtek vendor drivers, and may be a firmware problem.

>> Similarly, a tcpdump on the radius server will show the traffic between
>> the AP and the server when it is trying to authenticate you. If your
>> network admins/techs are good, they should be able to see what is wrong.
>
> That’s more difficult, we only have one linux machine, mine. We’ll need a
> wireshark for windows.

It exists for Windows and can capture data from most wireless or wired
interfaces. You will need a copy for some machine with wireless, and also one
for the Radius server.
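A small triage script for the two logs Carlos posted, as an added example (not code from the thread): it pulls the IEEE 802.11 reason code out of wpa_supplicant's CTRL-EVENT-DISCONNECTED lines (reason 4 being the inactivity disassociation Larry identified), notices that EAP started but never reached CTRL-EVENT-EAP-SUCCESS or CTRL-EVENT-EAP-FAILURE, and computes from the NetworkManager timestamps how long the station sat in "associated" before the AP dropped it. The sample lines are constructed to mirror the posted excerpts, and the reason-code table is a subset of the standard's.

```python
import re
from datetime import datetime

# IEEE 802.11 reason codes seen in CTRL-EVENT-DISCONNECTED lines (subset of the
# standard's table); reason 4 is the one the thread asks about.
REASON_CODES = {
    1: "unspecified reason",
    2: "previous authentication no longer valid",
    3: "deauthenticated because sending STA is leaving (or has left)",
    4: "disassociated due to inactivity",
    15: "4-way handshake timeout",
    23: "IEEE 802.1X authentication failed",
}

# Constructed sample, modelled on the wpa_supplicant.log excerpt in the thread.
WPA_LOG = """\
Trying to authenticate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
Trying to associate with 00:23:69:28:bc:6a (SSID='WIFI-Tux' freq=2437 MHz)
Associated with 00:23:69:28:bc:6a
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-DISCONNECTED bssid=00:23:69:28:bc:6a reason=4
"""

# Constructed sample, modelled on the NetworkManager syslog lines in the thread.
NM_LOG = """\
Feb 16 20:18:22 linux NetworkManager[1118]: <info> (wlan0): supplicant interface state: associating -> associated
Feb 16 20:18:52 linux NetworkManager[1118]: <info> (wlan0): supplicant interface state: associated -> disconnected
"""

_DISC = re.compile(r"CTRL-EVENT-DISCONNECTED bssid=(\S+) reason=(\d+)")
_NM_STATE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*supplicant interface state: (\S+) -> (\S+)")


def triage_wpa(log):
    """Summarise a wpa_supplicant excerpt: association, EAP start/result and the
    BSSID plus reason code of every disconnect."""
    lines = log.splitlines()
    summary = {
        "associated": any(l.startswith("Associated with") for l in lines),
        "eap_started": sum("CTRL-EVENT-EAP-STARTED" in l for l in lines),
        "eap_success": any("CTRL-EVENT-EAP-SUCCESS" in l for l in lines),
        "eap_failure": any("CTRL-EVENT-EAP-FAILURE" in l for l in lines),
        "disconnects": [],
    }
    for l in lines:
        m = _DISC.search(l)
        if m:
            code = int(m.group(2))
            # bssid 00:00:00:00:00:00 means the disconnect was generated locally
            summary["disconnects"].append(
                (m.group(1), code, REASON_CODES.get(code, "unknown")))
    return summary


def diagnose(summary):
    """Map the summary to the layer where the failure sits."""
    if not summary["associated"]:
        return "never associated: check SSID and security mode on the AP"
    if summary["eap_success"]:
        return "EAP completed: the problem is after 802.1X (DHCP, firewall)"
    if summary["eap_failure"]:
        return "EAP rejected: check credentials and inner method on the RADIUS server"
    if summary["eap_started"]:
        return ("EAP started but never finished: the AP dropped the station while "
                "waiting on RADIUS; check AP<->RADIUS reachability, the shared "
                "secret and the NPS log")
    return "no EAP exchange at all: check key_mgmt/eap in the supplicant config"


def associated_dwell_seconds(log, year=2012):
    """Seconds each 'associated' state lasted before the disconnect, computed from
    NetworkManager syslog timestamps (syslog lines carry no year, hence the parameter)."""
    t_assoc, dwells = None, []
    for l in log.splitlines():
        m = _NM_STATE.match(l)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
        if m.group(3) == "associated":
            t_assoc = ts
        elif m.group(2) == "associated" and t_assoc is not None:
            dwells.append(int((ts - t_assoc).total_seconds()))
            t_assoc = None
    return dwells
```

Run against the posted excerpts it reports "associated, EAP started twice, no EAP result, disconnect reason 4" and a 30 second dwell, which is the AP's own timeout, not a rejection from the RADIUS server.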

On 02/17/2012 05:37 PM, Larry Finger wrote:
> On 02/17/2012 09:39 AM, Carlos E. R. wrote:
>> On 02/17/2012 03:32 PM, Larry Finger wrote:
>
> For me, the source of meanings for the deauth/disassoc reasons is
> http://tinyurl.com/3e97t58. Yes, reason 4 is due to inactivity.

Thanks for the link, it is useful.

> I would be surprised if you were able to authenticate without the actual
> certificate.

I have tried with and without. Apparently, it can work without for some
people.

> OK, you don’t really have a network whiz. In
> http://technet.microsoft.com/en-us/library/cc730677.aspx, you will find
> the procedure for setting up logging of the Radius server.

Ah, right, thanks.

We looked there, it was actually activated, but nothing at all was
logged, the file did not exist. We changed its format to its most modern
version. Then we noticed an event error somewhere, we did something we
can’t remember, and that started working. We tested with a windows 7
client, and we managed to connect after we dropped the firewall
completely in the windows server and in the router, and manually
imported the root certificate of the server to the client (not the
machine certificate, it does not work that way)

>>> The wireshark files will show the actual data exchanged.
>>
>> On wlan? Mmm, interesting, I’ll see if we can try.

We now have several wireshark dumps from both the Windows server and the
Linux client. I’ll try to upload them to the pastebin.

I see attempts to connect in wireshark. One strange thing is that the
server is getting login trials with an empty username, probably from
Linux. The packet comes from the router, but we can’t see what IP is
requesting to log in - well, actually Linux doesn’t have an IP yet.

Perhaps related is the error we see in the Windows entry
diagnostico/visor de eventos/Registros de windows/ Seguridad/ error de
auditoria (diagnostics, event viewer, windows registry, security, audit
errors):

“el servidor de redes no pudo conectar al controlador del dominio.”

the network server (Network Policy and access services) could not
connect to the domain controller (AD)

And the router doesn’t provide a log :-/

It is a linksys, aka cisco, model WRT54GL. There is an
administration/Log tab, where I see incoming log and outgoing log, and
enable. Clicking on any of the two logs, both are empty. :-/

Windows radius log: <http://paste.opensuse.org/24981475>

Wireshark Linux capture: impossible to upload.
Wireshark Windows capture: impossible to upload.

Trying to upload file to pastebin.ca, FF is timing out. :frowning:
filebin.ca doesn’t respond. Has it been closed like those the FBI closed?
Yargh :frowning:

Do you know another pastebin that allows binary file upload? Ie, pcap
capture.

So… we are abandoning the attempt to connect to a corporate network
that we fully control from Linux. It will only work for Windows. Even if
it is a test environment, everybody here will say that linux doesn’t
work for this. I failed. I’m disappointed and discouraged.


Cheers / Saludos
Carlos E. R.

On 02/17/2012 04:30 PM, David Gersic wrote:
> On Fri, 17 Feb 2012 01:53:06 +0000, Carlos E. R. wrote:
>
>> The Linux install managed to connect instantly to the wifi, when
>> configured as a plain standard wpa, both using ifup or network manager.
>> But when we tried the corporate setup, it failed.
>
> You need to know what your back end WiFi stuff requires. If it’s running
> WPA, that’s fine, but if it’s running WPA Enterprise, it’s different.

It can run anything we want, but the purpose of this experiment is
enterprise. We tried both wpa and wpa2 enterprise. No go.

Current setting of the router (it works for a W7 client):

security mode: WPA2 enterprise
wpa algorithm: tkip+aes
radius server address: 192.168.2.1
radius port: 1812
shared key: 123456789
timeout interval: 3600 seconds.

> I guess that’s me. If you follow that thread to the end, you’ll see that
> I got it working by changing to a newer version of Network Manager. Here,
> changing “PEAP Version” to “0” works better than “Automatic”.

I tried all combinations we thought about, no go. User name domain/user,
user, no go.

> It’s whatever certificate your wireless access point configuration has
> been told to use. You’d have to check with your vendor there to find out
> where it is, and whether it’s required.

The certificate resides in Windows, not the router.
Tried several combinations.

> That’s kinda like the symptoms I was getting, but that was with OpenSuSE
> 11.4 and the stock Network Manager. With OpenSuSE 12.1, it worked fine.

12.1 here. Fully patched.


Cheers / Saludos
Carlos E. R.

On 02/17/2012 01:39 PM, Carlos E. R. wrote:
> On 02/17/2012 05:37 PM, Larry Finger wrote:
>> On 02/17/2012 09:39 AM, Carlos E. R. wrote:
>>> On 02/17/2012 03:32 PM, Larry Finger wrote:
>>
>> For me, the source of meanings for the deauth/disassoc reasons is
>> http://tinyurl.com/3e97t58. Yes, reason 4 is due to inactivity.
>
> Thanks for the link, it is useful.
>
>
>> I would be surprised if you were able to authenticate without the actual
>> certificate.
>
> I have tried with and without. Apparently, it can work without for some people.
>
>
>> OK, you don’t really have a network whiz. In
>> http://technet.microsoft.com/en-us/library/cc730677.aspx, you will find
>> the procedure for setting up logging of the Radius server.
>
> Ah, right, thanks.
>
> We looked there, it was actually activated, but nothing at all was logged, the
> file did not exist. We changed its format to its most modern version. Then we
> noticed an event error somewhere, we did something we can’t remember, and that
> started working. We tested with a windows 7 client, and we managed to connect
> after we dropped the firewall completely in the windows server and in the
> router, and manually imported the root certificate of the server to the client
> (not the machine certificate, it does not work that way)
>
>
>>>> The wireshark files will show the actual data exchanged.
>>>
>>> On wlan? Mmm, interesting, I’ll see if we can try.
>
> We now have several wireshark dumps from both the Windows server and the Linux
> client. I’ll try to upload them to the pastebin.
>
> I see attempts to connect in wireshark. One strange thing is that the server is
> getting login trials with an empty username, probably from Linux. The packet
> comes from the router, but we can’t see what IP is requesting to log in - well,
> actually Linux doesn’t have an IP yet.

At this point, you need to use the MAC address, not the IP.

> Perhaps related is the error we see in the Windows entry
> diagnostico/visor de eventos/Registros de windows/ Seguridad/ error de auditoria
> (diagnostics, event viewer, windows registry, security, audit errors):
>
> “el servidor de redes no pudo conectar al controlador del dominio.”
>
> the network server (Network Policy and access services) could not connect to the
> domain controller (AD)
>
>
> And the router doesn’t provide a log :-/
>
> It is a linksys, aka cisco, model WRT54GL. There is an administration/Log tab,
> where I see incoming log and outgoing log, and enable. Clicking on any of the
> two logs, both are empty. :-/

The WRT54GL has no space to store any logs. I have one of those, but it has been
a long time since I ran the original firmware as I use openWRT on mine, but I
think that tab is for setting up logging on another host.

> Windows radius log: <http://paste.opensuse.org/24981475>
>
> Wireshark Linux capture: impossible to upload.
> Wireshark Windows capture: impossible to upload.
>
> Trying to upload file to pastebin.ca, FF is timing out. :frowning:
> filebin.ca doesn’t respond. Has it been closed like those the FBI closed? Yargh :frowning:
>
>
> Do you know another pastebin that allows binary file upload? Ie, pcap capture.

No, so I set up ftp on my server. I will post the details as a PM.

> So… we are abandoning the attempt to connect to a corporate network that we
> fully control from Linux. It will only work for Windows. Even if it is a test
> environment, everybody here will say that linux doesn’t work for this. I failed.
> I’m disappointed and discouraged.

We cannot let that happen.

On 2012-02-17 22:29, Larry Finger wrote:
> On 02/17/2012 01:39 PM, Carlos E. R. wrote:

>> I see attempts to connect in wireshark. One strange thing is that the
>> server is getting login trials with an empty username, probably from Linux. The packet
>> comes from the router, but we can’t see what IP is requesting to log in -
>> well, actually Linux doesn’t have an IP yet.
>
> At this point, you need to use the MAC address, not the IP.

Didn’t think of that…
[…]
You are right.

The radius access-request packet contains a field named Calling-Station-Id,
and the value is …27b640, which matches the MAC of the Linux wlan device.

And the user name of that field is empty… so that could be the problem.
Or the problem is that I know too little! :slight_smile:

Pity. Now that I think, the timestamps of the wireshark capture are relative
to the start of the capture, not absolute times. I can not correlate both
dumps. […] No, I’m mistaken: I can display full timestamp! This wireshark
ever surprises me.

On the Linux side I see EAP packets that I think are the login request, but
I don’t see there the login/pass pair. It may be encrypted, though. It
should, actually.

>> And the router doesn’t provide a log :-/
>>
>> It is a linksys, aka cisco, model WRT54GL. There is an administration/Log
>> tab, where I see incoming log and outgoing log, and enable. Clicking on any of
>> the two logs, both are empty. :-/
>
> The WRT54GL has no space to store any logs. I have one of those, but it has
> been a long time since I ran the original firmware as I use openWRT on
> mine, but I think that tab is for setting up logging on another host.

I thought of that, it would have been wonderful, I use that system at home.
Unfortunately it is not that, there is no prompt for an IP and port for
logging. The help does say that clicking there you should see the last
entries from the log.

I guess it has a broken feature.

>> Do you know another pastebin that allows binary file upload? Ie, pcap
>> capture.
>
> No, so I set up ftp on my server. I will post the details as a PM.

Done, that’s nice of you.

The windows capture has several failed attempts, and a successful one from a
Windows 7 machine. I should have noted its IP, but I didn’t. Username
“mperez”, pass “1234”. Not very inventive, nor secure :slight_smile:

>> I’m disappointed and discouraged.
>
> We cannot let that happen.

Thanks! If you can find something, we might try again. Not for very long,
though, I think the teacher wants us to move on.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
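A decoder for the Access-Request Carlos was reading in the capture, as an added example that is not code from the thread: it lists the attributes (User-Name, Calling-Station-Id, EAP-Message), flags the empty User-Name he found, and checks the Message-Authenticator against the AP's shared secret, something a capture cannot verify by eye and which, when wrong, makes the server discard the request without sending an Access-Reject. The packet, NAS address and client MAC are constructed; the secret is the one from the router settings quoted earlier in the thread.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MSG_AUTH = 80
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
              31: "Calling-Station-Id", 79: "EAP-Message", 80: "Message-Authenticator"}

# Shared secret from the router settings quoted in the thread.
SECRET = b"123456789"

# Constructed attributes: the blank outer identity NetworkManager sent (' '), a
# made-up NAS address and client MAC, and an EAP Response/Identity with no name.
SAMPLE_ATTRS = [
    (1, b" "),                                  # User-Name
    (4, bytes([192, 168, 2, 254])),             # NAS-IP-Address (constructed)
    (31, b"00-11-22-33-44-55"),                 # Calling-Station-Id (constructed)
    (79, bytes([2, 1, 0, 5, 1])),               # EAP-Message: code 2 Response, id 1, len 5, type 1 Identity
]


def build_access_request(secret, ident, attrs, authenticator):
    """RFC 2865 Access-Request whose Message-Authenticator is HMAC-MD5 (key = shared
    secret) over the whole packet with that 16-byte value zeroed (RFC 2869)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    body += struct.pack("!BB", MSG_AUTH, 18) + bytes(16)     # placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def parse_radius(pkt):
    """Decode the header and the attribute TLVs; rejects inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("Length field does not match packet size")
    out = {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": []}
    pos = 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        out["attrs"].append((ATTR_NAMES.get(t, "Attr-%d" % t), pkt[pos + 2:pos + l]))
        pos += l
    return out


def verify_message_authenticator(pkt, secret):
    """True if Message-Authenticator was computed with this secret.  RFC 3579 requires
    the attribute whenever EAP-Message is present, so its absence is a failure too."""
    length = struct.unpack("!H", pkt[2:4])[0]
    pos = 20
    while pos + 1 < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2:
            return False
        if t == MSG_AUTH and l == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += l
    return False


def triage(pkt, secret):
    """The checks a defender makes first on the AP -> RADIUS Access-Request."""
    parsed = parse_radius(pkt)
    attrs = dict(parsed["attrs"])            # last occurrence wins; fine for these
    findings = []
    if attrs.get("User-Name", b"").strip() == b"":
        findings.append("empty User-Name: supplicant sent no outer identity")
    if "Calling-Station-Id" in attrs:
        findings.append("client MAC " + attrs["Calling-Station-Id"].decode("ascii"))
    if not verify_message_authenticator(pkt, secret):
        findings.append("Message-Authenticator mismatch: AP and server disagree on "
                        "the shared secret, so the server silently discards the request")
    return findings


# The Request Authenticator is 16 random bytes on the wire; fixed here so the sample is stable.
SAMPLE_PACKET = build_access_request(SECRET, 7, SAMPLE_ATTRS, bytes(range(16)))
```

Pointing `triage()` at the bytes of a real Access-Request exported from Wireshark (RADIUS payload only, without the UDP headers) gives the same three answers for a captured packet.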

On 2012-02-17 23:48, Carlos E. R. wrote:
> Thanks! If you can find something, we might try again. Not for very long,
> though, I think the teacher wants us to move on.

Just for the record, I tried again, briefly, after having managed to join
to the domain and login, via cable. Same result.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)