WPA-EAP

Hello there,

I’ve been trying to connect to the wireless network at my university for several weeks now, and I still haven’t had any success at it. So it’s time to get some help here ;)

The network is secured using WPA-EAP TTLS, no server certificate.

This is my wpa_supplicant.conf (as generated by Yast):

ctrl_interface=/var/run/wpa_supplicant
network={
   scan_ssid=1
   ssid="gorlaeus"
   key_mgmt=WPA-EAP
   eap=TTLS
   identity="<my identity>"
   password="<my password>"
   phase1="peaplabel=0"
   phase2="auth=PAP"
}

This is the output of wpa_supplicant -ieth1 -c/var/run/wpa_supplicant-eth1.conf -Dwext -dd:

ioctl[SIOCSIWFREQ]: Operation not supported
Initializing interface 'eth1' conf '/var/run/wpa_supplicant-eth1.conf' driver 'wext' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/var/run/wpa_supplicant-eth1.conf' -> '/var/run/wpa_supplicant-eth1.conf'
Reading configuration file '/var/run/wpa_supplicant-eth1.conf'
ctrl_interface='/var/run/wpa_supplicant'
Line: 2 - start of a new network block
scan_ssid=1 (0x1)
ssid - hexdump_ascii(len=8):
     67 6f 72 6c 61 65 75 73                           gorlaeus
key_mgmt: 0x1
eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00 00
identity - hexdump_ascii(len=27):
     73 30 38 31 33 36 36 34 40 63 68 65 6d 2e 6c 65   s0813664@chem.le
     69 64 65 6e 75 6e 69 76 2e 6e 6c                  idenuniv.nl
password - hexdump_ascii(len=10): [REMOVED]
phase1 - hexdump_ascii(len=11):
     70 65 61 70 6c 61 62 65 6c 3d 30                  peaplabel=0
phase2 - hexdump_ascii(len=8):
     61 75 74 68 3d 50 41 50                           auth=PAP
Priority group 0
   id=0 ssid='gorlaeus'
Initializing interface (2) 'eth1'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
SIOCGIWRANGE: WE(compiled)=22 WE(source)=18 enc_capa=0xf
  capabilities: key_mgmt 0xf enc 0xf
WEXT: Operstate: linkmode=1, operstate=5
Own MAC address: 00:0c:f1:40:0a:9a
wpa_driver_wext_set_wpa
wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_countermeasures
wpa_driver_wext_set_drop_unencrypted
Setting scan request: 0 sec 100000 usec
Using existing control interface directory.
Added interface eth1
RTM_NEWLINK: operstate=0 ifi_flags=0x1002 ()
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'eth1' added
State: DISCONNECTED -> SCANNING
Starting AP scan (specific SSID)
Scan SSID - hexdump_ascii(len=8):
     67 6f 72 6c 61 65 75 73                           gorlaeus
Trying to get current scan results first without requesting a new scan to speed up initial association
Received 1436 bytes of scan results (5 BSSes)
Scan results: 5
Selecting BSS from priority group 0
Try to find WPA-enabled AP
0: 00:1d:7e:43:95:6c ssid='gorlaeus' wpa_ie_len=30 rsn_ie_len=26 caps=0x11
   selected based on RSN IE
   selected WPA AP 00:1d:7e:43:95:6c ssid='gorlaeus'
Try to find non-WPA AP
Trying to associate with 00:1d:7e:43:95:6c (SSID='gorlaeus' freq=2412 MHz)
Cancelling scan request
WPA: clearing own WPA/RSN IE
Automatic auth_alg selection: 0x1
RSN: using IEEE 802.11i/D9.0
WPA: Selected cipher suites: group 8 pairwise 24 key_mgmt 1 proto 2
WPA: set AP WPA IE - hexdump(len=30): dd 1c 00 50 f2 01 01 00 00 50 f2 02 02 00 00 50 f2 04 00 50 f2 02 01 00 00 50 f2 01 01 00
WPA: set AP RSN IE - hexdump(len=26): 30 18 01 00 00 0f ac 02 02 00 00 0f ac 04 00 0f ac 02 01 00 00 0f ac 01 01 00
WPA: using GTK TKIP
WPA: using PTK CCMP
WPA: using KEY_MGMT 802.1X
WPA: Set own WPA IE default - hexdump(len=22): 30 14 01 00 00 0f ac 02 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00
No keys have been configured - skip key clearing
wpa_driver_wext_set_drop_unencrypted
State: SCANNING -> ASSOCIATING
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
wpa_driver_wext_associate
wpa_driver_wext_associate: assoc failed because set_freq failed
Association request to the driver failed
Setting authentication timeout: 15 sec 0 usec
EAPOL: External notification - portControl=Auto
RSN: added PMKSA cache candidate 00:1d:7e:43:90:7d prio 1000
RSN: processing PMKSA candidate list
RSN: not in suitable state for new pre-authentication
RSN: added PMKSA cache candidate 00:1d:7e:43:90:d7 prio 1000
RSN: processing PMKSA candidate list
RSN: not in suitable state for new pre-authentication
RSN: added PMKSA cache candidate 00:1d:7e:43:93:6e prio 1000
RSN: processing PMKSA candidate list
RSN: not in suitable state for new pre-authentication
RSN: added PMKSA cache candidate 00:1d:7e:43:95:6c prio 1000
RSN: processing PMKSA candidate list
RSN: not in suitable state for new pre-authentication
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
Wireless event: cmd=0x8b1a len=16
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
Wireless event: cmd=0x8b15 len=20
Wireless event: new AP: 00:1d:7e:43:95:6c
State: ASSOCIATING -> ASSOCIATED
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
Associated to a new BSS: BSSID=00:1d:7e:43:95:6c
No keys have been configured - skip key clearing
Associated with 00:1d:7e:43:95:6c
WPA: Association event - clear replay counter
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Setting authentication timeout: 10 sec 0 usec
Cancelling scan request
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'eth1' added
RX EAPOL from 00:1d:7e:43:95:6c
RX EAPOL - hexdump(len=121): 02 03 00 75 02 00 8a 00 10 00 00 00 00 00 00 00 01 e7 39 8f bd a1 80 09 4d cf ce 71 4c 46 f6 0f 81 b6 8e 39 ef 00 f6 74 bf 7e a9 19 91 05 4e 23 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 dd 14 00 0f ac 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Setting authentication timeout: 70 sec 0 usec
EAPOL: Ignoring WPA EAPOL-Key frame in EAPOL state machines
IEEE 802.1X RX: version=2 type=3 length=117
  EAPOL-Key type=2
  key_info 0x8a (ver=2 keyidx=0 rsvd=0 Pairwise Ack)
  key_length=16 key_data_length=22
  replay_counter - hexdump(len=8): 00 00 00 00 00 00 00 01
  key_nonce - hexdump(len=32): e7 39 8f bd a1 80 09 4d cf ce 71 4c 46 f6 0f 81 b6 8e 39 ef 00 f6 74 bf 7e a9 19 91 05 4e 23 77
  key_iv - hexdump(len=16): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  key_rsc - hexdump(len=8): 00 00 00 00 00 00 00 00
  key_id (reserved) - hexdump(len=8): 00 00 00 00 00 00 00 00
  key_mic - hexdump(len=16): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
WPA: RX EAPOL-Key - hexdump(len=121): 02 03 00 75 02 00 8a 00 10 00 00 00 00 00 00 00 01 e7 39 8f bd a1 80 09 4d cf ce 71 4c 46 f6 0f 81 b6 8e 39 ef 00 f6 74 bf 7e a9 19 91 05 4e 23 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 dd 14 00 0f ac 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
State: ASSOCIATED -> 4WAY_HANDSHAKE
WPA: RX message 1 of 4-Way Handshake from 00:1d:7e:43:95:6c (ver=2)
RSN: msg 1/4 key data - hexdump(len=22): dd 14 00 0f ac 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSN: PMKID from Authenticator - hexdump(len=16): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSN: no matching PMKID found
WPA: Failed to get master session key from EAPOL state machines
WPA: Key handshake aborted
RX EAPOL from 00:1d:7e:43:95:6c
RX EAPOL - hexdump(len=121): 02 03 00 75 02 00 8a 00 10 00 00 00 00 00 00 00 02 e7 39 8f bd a1 80 09 4d cf ce 71 4c 46 f6 0f 81 b6 8e 39 ef 00 f6 74 bf 7e a9 19 91 05 4e 23 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 dd 14 00 0f ac 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Ignoring WPA EAPOL-Key frame in EAPOL state machines

Does anyone know what I’m doing wrong here?
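
One way to read the debug output above, as an added example that is not part of the original post: the script pulls the `State:` and `EAP:` transitions out of a `wpa_supplicant -dd` log and reports when the 4-way handshake starts although no EAP success was logged, which is the condition behind the "Failed to get master session key" line. The sample is a constructed excerpt in the format of the log above, and `triage` is a hypothetical helper name.

```python
import re

# Constructed sample: a few lines in the format of the -dd output quoted in the post.
SAMPLE_LOG = """\
State: SCANNING -> ASSOCIATING
State: ASSOCIATING -> ASSOCIATED
EAPOL: SUPP_PAE entering state CONNECTING
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
State: ASSOCIATED -> 4WAY_HANDSHAKE
WPA: RX message 1 of 4-Way Handshake from 00:1d:7e:43:95:6c (ver=2)
RSN: no matching PMKID found
WPA: Failed to get master session key from EAPOL state machines
WPA: Key handshake aborted
"""

STATE_RE = re.compile(r"^State: (\S+) -> (\S+)")
EAP_RE = re.compile(r"^EAP: EAP entering state (\S+)")

def triage(log_text):
    """Return (wpa_states, eap_states, findings) for a wpa_supplicant -dd log."""
    wpa_states, eap_states, findings = [], [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = STATE_RE.match(line)
        if m:
            wpa_states.append(m.group(2))
            # Without a cached PMKSA, the PMK comes from a completed EAP exchange.
            if m.group(2) == "4WAY_HANDSHAKE" and "SUCCESS" not in eap_states:
                findings.append("4WAY_HANDSHAKE entered with no EAP SUCCESS logged")
            continue
        m = EAP_RE.match(line)
        if m:
            eap_states.append(m.group(1))
        elif "assoc failed because set_freq failed" in line:
            findings.append("driver rejected set_freq during association")
        elif "Failed to get master session key" in line:
            findings.append("no MSK: EAP authentication never completed")
    return wpa_states, eap_states, findings

if __name__ == "__main__":
    states, eap, findings = triage(SAMPLE_LOG)
    print("WPA states:", " -> ".join(states))
    print("EAP states:", " -> ".join(eap))
    print("Findings:", findings)
```
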

Hello again, sorry for the double post.

I think I’ve found at least part of the problem. The university access points use WPA with EAP-TTLS. This mailing list post states that RSN-preauthentication is only used with EAP-PEAP. So I suppose I have to disable the RSN pre-authentication somehow. However, I don’t know how to do this.
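
The configuration in the first post uses TTLS with PAP and, as the post says, no server certificate; wpa_supplicant does not verify the server when neither `ca_cert` nor `ca_path` is set. The following is an added example (not from the thread) that checks a wpa_supplicant.conf for that combination; the credentials are placeholders, and `parse_networks` and `audit` are hypothetical helper names.

```python
import re

# Constructed copy of the network block from the post, with placeholder credentials.
POSTED_CONF = '''\
ctrl_interface=/var/run/wpa_supplicant
network={
   scan_ssid=1
   ssid="gorlaeus"
   key_mgmt=WPA-EAP
   eap=TTLS
   identity="user@example.invalid"
   password="placeholder"
   phase1="peaplabel=0"
   phase2="auth=PAP"
}
'''

def parse_networks(conf_text):
    """Yield one dict of key -> value (quotes stripped) per network={...} block."""
    for body in re.findall(r"network=\{(.*?)^\}", conf_text, re.S | re.M):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        yield fields

def audit(conf_text):
    """Return a list of (ssid, finding) tuples for TLS-based EAP network blocks."""
    findings = []
    for net in parse_networks(conf_text):
        ssid = net.get("ssid", "?")
        methods = set(net.get("eap", "").split())
        if not methods & {"TTLS", "PEAP", "TLS"}:
            continue
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append((ssid, "no ca_cert/ca_path: server certificate is not verified"))
            if "auth=PAP" in net.get("phase2", ""):
                findings.append((ssid, "PAP inner method: password is sent as-is to whichever server ends the tunnel"))
        elif not any(k in net for k in ("subject_match", "altsubject_match", "domain_suffix_match")):
            findings.append((ssid, "CA set but server name not constrained"))
        if net.get("phase1", "").startswith("peaplabel") and "PEAP" not in methods:
            findings.append((ssid, "phase1 peaplabel is a PEAP option"))
    return findings

if __name__ == "__main__":
    for ssid, finding in audit(POSTED_CONF):
        print(f"{ssid}: {finding}")
```
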