How to connect to WPA Enterprise PEAP without secondary authentication

I am able to connect to most wifi networks with openSUSE, with the exception of my work’s network. They use WPA Enterprise PEAP with username and password for authentication. They specify that there is no secondary authentication used. I am able to connect via Windows 10 on this machine. I am also able to connect with my Android phone. I am unable to connect with openSUSE. Using Network Manager, I set the credentials correctly. On the wireless security tab, I am asked for “inner authentication”, and “none” is not an option. When I attempt to connect, it fails after a long wait. The security settings between Windows and openSUSE are identical, except that Windows does not have a setting for “inner authentication”.
I have also tried the same settings via Wicked, with the same negative results.
dmesg gives me:

[1031.875773] wlan0: authenticate with 00:41:d2:6c:a1:c2
[1031.894266] wlan0: send auth to 00:41:d2:6c:a1:c2 (try 1/3)
[1031.951288] wlan0: authenticated
[1031.957849] wlan0: associate with 00:41:d2:6c:a1:c2 (try 1/3)
[1031.993329] wlan0: RX AssocResp from 00:41:d2:6c:a1:c2 (capab=0x431 status=0 aid=1)
[1031.993554] wlan0: associated
[1032.069062] wlan0: Limiting TX power to 20 dBm as advertised by 00:41:d2:6c:a1:c2
[1034.146468] wlan0: deauthenticating from 00:41:d2:6c:a1:c2 by local choice (Reason: 3=DEAUTH_LEAVING)

I am guessing that openSUSE is not allowing the connection because of the lack of secondary security. Does this seem plausible? If so, could anyone suggest a work-around?

You should at least describe what type of 802.1x authentication you are setting up… PWD only? MD5? Something else?

I’m guessing that the “secondary” or “inner” authentication is the PEAP you mention in your subject line…
In other words, if you’re required to configure only one type of authentication, then it might be a password <or> certificate but not both.

TSU

Yes

If so, could anyone suggest a work-around?

Does it help? networking - Connecting to a 802.1x EAP-PEAP wireless network with no phase2-auth in Linux - Super User

That’s an interesting workaround… Disable NM (I’m sure simply switching to Wicked should be sufficient) and then going “old school” creating your own network connection in a custom wpa_supplicant.config file… Incidentally, I don’t see a need to define a custom config file which is what the author did… You should be able to simply add your definition to the existing config file and it will be available to you without any special invocation (The author scripted his startup).

I also was curious who/what would want to implement 802.1x without inner authentication (using a certificate to properly verify the client while connected). Apparently this may be unique to eduroam (https://www.eduroam.org/). I cannot imagine why anyone would create a uniquely inferior backend, but apparently they decided to do so… Even for its supposedly primary purpose which is to be able to roam between educational institutions and use the same credentials, I can’t imagine any good reason or benefit for not doing inner authentication.

In any case…
Although the link and solution Arvidjaar suggests is the top hit in a Google search with minimal terms, if you search “why does eduroam lack inner authentication” apparently there is a “better” solution for Linux: current eduroam supports certificates issued by Globalsign.

https://uwaterloo.ca/information-systems-technology/services/eduroam/connecting-eduroam-wireless-network/linux-ubuntu

If you configure a Globalsign certificate in a standard Network Manager PEAP configuration, I’d expect that your inner authentication would be used, so it’s better than a solution without inner authentication.

TSU

I’ll try to implement the wpa_supplicant.conf file when I get a chance. It appears to be what I need. I work for a large corporation, and have an active NDA, so I am not at liberty to discuss details of their systems. I did let their local IT guy hear my theory about the secondary identification by saying that Linux probably was not letting me connect to a pseudo-secure network. I seriously doubt they will change anything though.
Thanks to all for the help.

Just in case this is relevant…

IMO should be tried in this order

  1. Configuring the Globalsign CA as described in the uwaterloo.ca link in my post
    https://forums.opensuse.org/showthread.php/538414-How-to-connect-to-WPA-Enterprise-PEAP-without-secondary-authentication?p=2921652#post2921652
    Reason: If it works, then inner authentication is implemented so that 802.1x security is fully implemented.

  2. Configuring MSCHAPv2 with an empty password as described in the askubuntu link in Deano’s post
    https://forums.opensuse.org/newreply.php?do=newreply&p=2921673
    Reason: Although this does not configure inner authentication, Network Manager is still used, so it avoids the inconvenience of having to disable Network Manager just for eduroam network connections.

  3. If both the above don’t work, then I have little doubt that invoking wpa_supplicant directly with a custom configuration should work. But, it requires disabling Network Manager which would be useful if not next to required for other wireless connections. This can be very inconvenient.
    https://forums.opensuse.org/showthread.php/538414-How-to-connect-to-WPA-Enterprise-PEAP-without-secondary-authentication?p=2921637#post2921637
    Reason: Last resort but IMO greatest certainty to work

TSU

Does your company have any externally available help documents how to configure (Windows) clients?

Yes, and it works in Windows. It also works fine with my Android phone. They specify secondary authentication “none”. That is the problem. “none” is not an option with NetworkManager.

I tried creating the wpa_supplicant.conf script and my system rejected the first line as not a valid global string (or something close to that):

ctrl_interface=DIR=/var/wpa_supplicant

Two “=” in a config line doesn’t seem right. Please show the URL to the instructions. FWIW my /etc/wpa_supplicant/wpa_supplicant.conf contains


ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

[QUOTE=Knurpht;2922077]Two “=” in a config line doesn’t seem right. Please show the URL to the instructions. FWIW my /etc/wpa_supplicant/wpa_supplicant.conf contains[/QUOTE]

Here is the link as suggested above in this thread:
https://superuser.com/questions/1355876/connecting-to-a-802-1x-eap-peap-wireless-network-with-no-phase2-auth-in-linux

What I did next was to edit my actual wpa_supplicant.conf file by adding the "network" section of the posted instructions. The entire file is now:


ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
    ssid="network-to-connect-to"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="none"
    identity="my-user"
    password="my-password"
}

Still no authentication. wpa_supplicant apparently allows only 3 drivers. The only wifi driver seems to be wext. I also tried the nl80211 with no luck.
The supplicant appears to be working but authentication fails with multiple attempts. Everything works with identical settings in Windows on this machine.
The exact command I am using is:


sudo wpa_supplicant -Dnl80211 -iwlan1 -c/etc/wpa_supplicant/wpa_supplicant.conf



I should add that I manually modprobe the correct rtl8723be driver before running wpa_supplicant.
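An added check, not from any poster in this thread, that parses wpa_supplicant.conf network blocks in the format shown above and flags the settings that let a PEAP client release its credentials to a server it never verified; the CA bundle path and RADIUS server name in the hardened block are assumptions.

```python
import re
# Constructed sample: the network block posted in the thread, with straight quotes.
WEAK_CONF = """\
network={
    ssid="network-to-connect-to"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="none"
    identity="my-user"
    password="my-password"
}
"""
# Constructed hardened variant; the CA bundle path and server name are assumptions.
HARDENED_CONF = """\
network={
    ssid="network-to-connect-to"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="my-user"
    password="my-password"
    ca_cert="/etc/ssl/ca-bundle.pem"
    domain_suffix_match="radius.example.com"
}
"""

def parse_networks(conf):
    """One dict per network={...} block, key -> value with surrounding quotes stripped."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        # drop comments, then split each remaining line at its first '='
        pairs = (l.split("#", 1)[0].strip().split("=", 1) for l in body.splitlines())
        nets.append({k.strip(): v.strip().strip('"') for k, v in (p for p in pairs if len(p) == 2)})
    return nets

def audit(conf):
    """List EAP networks whose settings would hand credentials to an unverified server."""
    findings = []
    for net in parse_networks(conf):
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/open networks are out of scope
        ssid = net.get("ssid", "?")
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append(f"{ssid}: no ca_cert/ca_path, server certificate is not verified")
        if not (net.get("domain_suffix_match") or net.get("domain_match")):
            findings.append(f"{ssid}: no domain_suffix_match/domain_match, any cert from that CA is accepted")
        if net.get("eap") == "PEAP" and not net.get("phase2", "").startswith("auth="):
            findings.append(f"{ssid}: phase2={net.get('phase2')!r} does not pin an inner method")
    return findings
```

Running audit over a real /etc/wpa_supplicant/wpa_supplicant.conf lists the networks that would accept any access point announcing the SSID.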

First,
You shouldn’t be messing with your drivers… If as you say you can connect to other WiFi networks, that indicates the loaded driver is working without a problem. Your hardware is detected properly.

Like most networking apps,
wpa_supplicant does not access the hardware device directly, there is a software “interface” defined by, and containing configurations between wpa_supplicant and the hardware NIC called… an interface file. As long as the interface file is properly associated with, and contains valid information about the hardware NIC, any application can read and utilize the interface file to reliably access networking.

Note that the original instructions for using this modified wpa_supplicant.conf directly are to make sure that your interface is “up.”
So, before you execute wpa_supplicant, if the interface wasn’t automatically started on boot, you may need to manually start it using “ifup”.

TSU