How to set up 802.1x wired authentication on OPENSUSE v12.3?

Hi,

I installed OPENSUSE 12.3 with DHCP network, which doesn't work as our institution uses
the 802.1x authentication protocol with the following parameters:

Security: WPA & WPA2 Enterprise
Authentication: Protected EAP (PEAP)
Anonymous identity:
CA certificate: (None)
PEAP version: Automatic
Inner authentication: MSCHAPv2

I have been therefore trying to set up 802.1x wired authentication on OPENSUSE v12.3 using wpa_supplicant.

In order to run wpa_supplicant, I prepared an
/etc/wpa_supplicant.conf file as follows

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=users
ap_scan=0
fast_reauth=1
network={
    ssid=""
    scan_ssid=""
    key_mgmt=IEEE8021X
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="caandac"
    password="mevlana"
}

and executed the wpa_supplicant command under /etc directory as

wpa_supplicant -D wired -i eth0 -c ./wpa_supplicant.conf -d

The execution of wpa_supplicant came out OK with no errors…
However, I still can't connect to network…

Does anyone know what I am doing wrong with the 802.1x authentication setup?

Best regards,

Cenk Andac, Ph.D.
Asst. Prof. of Medical Pharmacology
Mevlana University, Konya Turkiye
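
The settings above list "CA certificate: (None)" and the configuration has no `ca_cert`, so wpa_supplicant does not verify which server terminates the PEAP tunnel that carries the MSCHAPv2 exchange. As an added example (not part of the original post), this Python check flags such network blocks; the function names, the placeholder credentials and the certificate path and server name in the hardened sample are constructed.

```python
import re

TUNNELLED = {"PEAP", "TTLS"}   # methods that run inner auth inside a TLS tunnel
NAME_CHECKS = ("subject_match", "altsubject_match", "domain_suffix_match")

# Constructed samples: POSTED mirrors the thread's block with placeholder credentials.
POSTED = '''
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="USERNAME"
    password="PASSWORD"
}
'''
HARDENED = POSTED.replace("eap=PEAP", 'eap=PEAP\n'
    '    anonymous_identity="anonymous"\n'
    '    ca_cert="/etc/ssl/certs/EXAMPLE-radius-ca.pem"\n'
    '    altsubject_match="DNS:radius.example.org"')

def parse_networks(conf_text):
    """Return one dict of key -> value per network={...} block."""
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", conf_text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        blocks.append(fields)
    return blocks

def lint(conf_text):
    """List findings for tunnelled EAP blocks that skip server validation."""
    findings = []
    for i, net in enumerate(parse_networks(conf_text)):
        methods = set(net.get("eap", "").upper().split())
        if not methods & TUNNELLED:
            continue
        if "ca_cert" not in net:
            findings.append((i, "no ca_cert: any server certificate is accepted"))
        elif not any(k in net for k in NAME_CHECKS):
            findings.append((i, "ca_cert set but server name not pinned"))
        if "anonymous_identity" not in net:
            findings.append((i, "real identity sent in cleartext outer response"))
    return findings

if __name__ == "__main__":
    print(lint(POSTED), lint(HARDENED))
```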

Also, after execution of wpa_supplicant I get the following text message :

wpa_supplicant v1.1
random: Trying to read entropy from /dev/random
Initializing interface 'eth0' conf './wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'
Configuration file './wpa_supplicant.conf' -> '/etc/wpa_supplicant/./wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant/./wpa_supplicant.conf'
ctrl_interface='/etc/wpa_supplicant'
ctrl_interface_group='users'
ap_scan=0
Priority group 0
id=0 ssid=''
wpa_driver_wired_init: Added multicast membership with packet socket
eth0: Own MAC address: ac:16:2d:02:14:18
eth0: RSN: flushing PMKID list in the driver
eth0: Setting scan request: 0 sec 100000 usec
WPS: Set UUID for interface eth0
WPS: UUID based on MAC address - hexdump(len=16): 16 06 65 a3 ee d1 52 ba ba 7f 46 f3 a6 98 85 ea
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: Supplicant port status: Unauthorized
EAPOL: Supplicant port status: Unauthorized
Using existing control interface directory.
ctrl_interface_group=100 (from group name 'users')
eth0: Added interface eth0
random: Got 20/20 bytes from /dev/random
EAPOL: External notification - EAP success=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - EAP fail=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portControl=Auto
EAPOL: Supplicant port status: Unauthorized
eth0: Already associated with a configured network - generating associated event
eth0: Event ASSOC (0) received
eth0: Association info event
eth0: State: DISCONNECTED -> ASSOCIATED
eth0: Associated to a new BSS: BSSID=01:80:c2:00:00:03
eth0: No keys have been configured - skip key clearing
eth0: Select network based on association information
eth0: Network configuration found for the current AP
eth0: WPA: clearing AP WPA IE
eth0: WPA: clearing AP RSN IE
eth0: WPA: clearing own WPA/RSN IE
EAPOL: External notification - EAP success=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - EAP fail=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portControl=Auto
EAPOL: Supplicant port status: Unauthorized
eth0: Associated with 01:80:c2:00:00:03
eth0: WPA: Association event - clear replay counter
eth0: WPA: Clear old PTK
EAPOL: External notification - portEnabled=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portValid=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
eth0: Cancelling scan request
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
eth0: RX EAPOL from e8:e7:32:15:e5:67
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=7):
63 61 61 6e 64 61 63 caandac
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=01:80:c2:00:00:03
EAPOL: SUPP_BE entering state RECEIVE
eth0: RX EAPOL from e8:e7:32:15:e5:67
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD



EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=01:80:c2:00:00:03
EAPOL: SUPP_BE entering state RECEIVE
eth0: RX EAPOL from e8:e7:32:15:e5:67
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
eth0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
eth0: WPA: EAPOL processing complete
eth0: Cancelling authentication timeout
eth0: State: ASSOCIATED -> COMPLETED
eth0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed (auth) [id=0 id_str=]
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: Supplicant port status: Authorized
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
EAPOL authentication completed successfully
EAPOL: startWhen --> 0
EAPOL: authWhile --> 0
EAPOL: idleWhile --> 0
EAPOL: disable timer tick

Does anyone know why I get the following message?

EAPOL: startWhen --> 0
EAPOL: authWhile --> 0
EAPOL: idleWhile --> 0
EAPOL: disable timer tick

Long Command line outputs should be shared through SUSE Paste
For posting Short outputs use the tag or the "#" button in the "advanced" the post editor.
People in these forums get put off and will not help you if you post the output in the way you did ;)

wpa_supplicant is responsible only for associating with wireless AP, it is not responsible for setting up network interface.

Does anyone know what I am doing wrong with the 802.1x authentication setup?

According to output you provided 802.1x authentication completed successfully. You need to configure interface now.
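
The reading of the debug output given in the reply above, as an added example that is not part of the original thread: a small Python parser for `wpa_supplicant -d` output that reports the EAP methods requested, whether the real identity went out in the cleartext outer Identity response, and the final port status. The sample lines are excerpted from the log posted in this thread; the function and field names are hypothetical.

```python
import re

# EAP type numbers (subset relevant to 802.1X deployments).
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
               21: "EAP-TTLS", 25: "PEAP"}

# Lines excerpted from the debug output posted in this thread.
SAMPLE_LOG = """\
EAPOL: Supplicant port status: Unauthorized
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: using real identity - hexdump_ascii(len=7):
EAP: Received EAP-Request id=1 method=25 vendor=0 vendorMethod=0
EAP: Received EAP-Success
eth0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: Supplicant port status: Authorized
"""

def triage(log_text):
    """Summarise a wpa_supplicant -d log: what was negotiated and how it ended."""
    result = {"methods": [], "outer_identity": None,
              "eap": "incomplete", "port": "Unknown"}
    for line in log_text.splitlines():
        line = line.strip()
        m = re.search(r"Received EAP-Request id=\d+ method=(\d+)", line)
        if m:
            num = int(m.group(1))
            name = EAP_METHODS.get(num, "type %d" % num)
            if name not in result["methods"]:
                result["methods"].append(name)
        elif "EAP: using real identity" in line:
            result["outer_identity"] = "real"   # username visible in cleartext EAPOL
        elif "EAP: using anonymous identity" in line:
            result["outer_identity"] = "anonymous"
        elif "CTRL-EVENT-EAP-SUCCESS" in line:
            result["eap"] = "success"
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            result["eap"] = "failure"
        m = re.search(r"Supplicant port status: (\w+)", line)
        if m:
            result["port"] = m.group(1)         # last status seen wins
    # An authorized port only means the switch forwards frames; addressing,
    # routing and DNS are configured separately (DHCP client, NetworkManager).
    result["layer2_ok"] = (result["eap"] == "success"
                           and result["port"] == "Authorized")
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```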

Dear Arvidjaar,
Thank you for responding. As far as I know, the network tools in Opensuse 12.3 are not configurable for 802.1x authentication. Can you please let me know how I should be setting up the network interface? Regards, Jenk

Sorry, I missed the fact that you used wired interface. But this does not change the main point - wpa_supplicant only authenticates interface, it does not set up IP configuration.

I do not know if traditional ifup supports 802.1x, but NetworkManager does. You would need to use YaST2 to switch to NM and use NetworkManager tools to configure connection.

Dear Arvidjaar, Thank you for the response.

F.Y.I. I turned off the firewall during the following process.

As you suggested, I switched to the Manual Network Interface using YAST2.

After execution of wpa_supplicant, I then got myself into the Network Manager on KDE Desktop and configured the wired setup for 802.1x security as follows :

Authentication : PEAP
PEAP version : Automatic
Inner Authentication : MSCHAPv2
Username : MY USER NAME
PASS : MY PASSWORD

and enabled the network connection.

From the network interface I get the following parameters
Type : Wired Ethernet
Connection State : Connected
IP Address : 10.10.145.89
Connection Speed : 1GB/s
System name : eth0
MAC address : AC:…18
Driver : r8169

The message above says my system is connected. However, I still cannot connect to the network using Firefox, nor can I ssh to our server…

Do you have any idea what might be going wrong here?

Regards,

Jenk