Problems with 802.1x configuration

Hello,
I got problems with setting up my router with OpenWrt.
In my apartment I only got a LAN socket where I can get my internet from.
It's from a German university and I need to install a Telekom certificate + a wpa_supplicant config.
I got both files ready but I'm not able to get a working WLAN connection.
I mainly worked with this German tutorial:

I did everything like in the tutorial.
When I type
wpa_supplicant -i eth0 -D wired -c /etc/config/wpasupplicant.conf -B -dd -t
just nothing happens. Normally the router should get an IP from the DHCP of the server and it should be online.
But in my situation it is not.

Is there someone here with the necessary knowledge who can help me by setting up my router?
a.e. I'm not able to install wpa-cli

Greets

You need to install the full wpad. The wpad-basic or wpad-mini that is installed by default does not support 802.1X.

1 Like

I got a version in which wpad is installed.

I managed to install wpa-cli now.
I did move the wpasupplicant into /etc/config/
and the certificate into /etc/

After

 wpa_supplicant -i eth0 -D wired -c /etc/config/wpasupplicant.conf -B -dd -t

it says: Successfully initialized wpa_supplicant

Still I get no working connection.

wpa_cli status:

Selected interface 'eth0'
bssid=01:80:c2:00:00:03
freq=0
ssid=
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=ASSOCIATED
address=0c:80:63:60:9d:6f
Supplicant PAE state=CONNECTING
suppPortStatus=Unauthorized
EAP state=IDLE
uuid=c5976073-6b7e-5c52-8d85-0b53b50d7634

Bump. Can anybody help me?

Again:

You install wpad by:

opkg update
opkg install wpad

You can then set up an 802.11x connection.

Do not use. Setup in /etc/config/wireless

???

No one said to install.

:smile:

  • Please follow instructions above.

My /etc/config/wireless File:

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/qca956x_wmac'
	option htmode 'HT20'
	option country 'DE'
	option legacy_rates '1'
	option disabled '0'
	option channel '6'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk2'
	option key 'ABEDCNAU'
	option network 'lan'

Like I said, I got the full wpad installed.

I thought you needed sta???

1 Like

The OP is trying to 802.1X authenticate on a wired university Ethernet connection. Someone on this forum has recently successfully done that. Searching may find it.

2 Likes

Would be perfect if I find it

1 Like

Didn't work out.
Is it right to run the WLAN as AP with the LAN port as input?
And on Network -> Interfaces -> Lan -> Physical Interface = eth 1.1 and radio0.network1 checked?
Is this the right way?

Here is the one I was thinking of.


I don't think that LuCI or uci support this mode of operation. You will have to do it with the CLI and scripts.
The post describes how to create a wpa supplicant config file with your credentials then launch an instance of wpa_supplicant in wired mode from the CLI. The command points wpa_supplicant directly at an Ethernet port. Once authentication is completed, then you use regular network setup (typically DHCP client) to configure access of the network.

The example is a simple TTLS / PAP user-password scenario. If your site requires you to present a client certificate or you want to validate the server certificate, you will need to read the main wpa_supplicant documentation to include them in your config file.

1 Like
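The TTLS/PAP wired setup described in the post above, extended with server-certificate validation, as an added example that is not part of the original posts. The function name, the identity, the CA path and the RADIUS server domain are placeholders; `domain_suffix_match` has to be set to the server name your site documents.

```shell
#!/bin/sh
# Added example (not from the thread): write a wpa_supplicant config for wired
# 802.1X with EAP-TTLS/PAP that validates the RADIUS server certificate.
# Every value passed in is a placeholder supplied by the caller.

# write_wired_conf OUT IDENTITY PASSWORD CA_CERT SERVER_DOMAIN
write_wired_conf() {
    out=$1 identity=$2 password=$3 ca=$4 domain=$5

    # Refuse to write a config without a readable CA file and a server name:
    # with PAP inside the tunnel, an unvalidated server receives the password.
    [ -r "$ca" ] || { echo "CA certificate not readable: $ca" >&2; return 1; }
    [ -n "$domain" ] || { echo "server domain required" >&2; return 1; }
    # A double quote would end the quoted string in the config file early.
    case "$identity$password$ca$domain" in
        *'"'*) echo "double quotes are not supported in values" >&2; return 1 ;;
    esac

    rm -f "$out"
    (
        umask 077   # the file holds a password: owner-only permissions
        cat > "$out" <<EOF
ctrl_interface=/var/run/wpa_supplicant
# wired driver: no scanning or AP selection
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TTLS
    identity="$identity"
    password="$password"
    ca_cert="$ca"
    domain_suffix_match="$domain"
    phase2="auth=PAP"
    eapol_flags=0
}
EOF
    )
}

# Usage (placeholders):
# write_wired_conf /etc/config/wpasupplicant.conf 'user@example.edu' 'secret' \
#     /etc/ca.pem radius.example.edu
```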

You may like to make sure the device date is current before joining an 802.1X network. Sync the device date to your browser.

1 Like

I got nearly the same config files as the guy in the post. The problem is that I need to validate per server certificate. The tutorial I posted is nearly the same but just with the certificate included.
And I sync the date per browser before I start to configure everything; still I get no working connection :confused:
Is my wpa_cli status (above) fine or did I configure the WLAN wrong?

This has nothing to do with a wlan configuration since you are using a wired connection and the wired driver in wpa_supplicant.

You must of course use the -i interface of the CPU Ethernet port that leads to your university wall connection including VLAN number if any.

Check logread for error messages. Omitting the -B option causes wpa_supplicant to run in the foreground so you will likely see more messages. When there is "no working connection" there should be error messages.

1 Like
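One way to read the three 802.1X fields of a `wpa_cli status` dump like the one posted earlier, as an added example that is not part of the original posts. The function name and the verdict wording are this example's own; the state names are the ones wpa_supplicant prints.

```shell
#!/bin/sh
# Added example (not from the thread): classify `wpa_cli -i <iface> status`
# output for a wired 802.1X supplicant. Reads the status text on stdin and
# prints a one-line verdict.
diagnose_8021x_status() {
    port='' pae='' eap=''
    # Lines are key=value; keys such as "Supplicant PAE state" contain spaces,
    # so split on '=' only. The "|| [ -n ... ]" keeps a last unterminated line.
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            suppPortStatus)         port=$value ;;
            "Supplicant PAE state") pae=$value ;;
            "EAP state")            eap=$value ;;
        esac
    done

    if [ "$port" = "Authorized" ]; then
        echo "authorized: port is open, run the DHCP client on this interface"
    elif [ "$pae" = "HELD" ] || [ "$eap" = "FAILURE" ]; then
        echo "rejected: authentication failed, check identity, password and CA/server name"
    elif [ "$pae" = "CONNECTING" ] && [ "$eap" = "IDLE" ]; then
        # EAPOL-Start is being sent but no EAP request is being processed.
        echo "waiting: no EAP exchange yet, check that -i names the port (and VLAN) facing the authenticator"
    else
        echo "in-progress: pae=$pae eap=$eap port=$port"
    fi
}

# Demonstration with the three relevant lines of the status output posted
# earlier in the thread.
diagnose_8021x_status <<'EOF'
Supplicant PAE state=CONNECTING
suppPortStatus=Unauthorized
EAP state=IDLE
EOF
```

On the router the input would come from `wpa_cli -i <iface> status | diagnose_8021x_status`.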

After I start wpasupplicant manually:

Tue May  7 22:46:04 2019 daemon.info dnsmasq[1341]: read /etc/hosts - 4 addresses
Tue May  7 22:46:04 2019 daemon.info dnsmasq[1341]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Tue May  7 22:46:04 2019 daemon.info dnsmasq-dhcp[1341]: read /etc/ethers - 0 addresses
Tue May  7 22:47:27 2019 authpriv.info dropbear[3226]: Child connection from 192.168.1.162:58885
Tue May  7 22:47:32 2019 authpriv.notice dropbear[3226]: Password auth succeeded for 'root' from 192.168.1.162:58885

After I try to ping a website:

Tue May  7 22:51:14 2019 daemon.notice netifd: Interface 'wwan' is disabled
Tue May  7 22:51:14 2019 daemon.notice netifd: Interface 'wwan' has link connectivity loss
Tue May  7 22:51:15 2019 kern.info kernel: [  683.377605] eth1: link down
Tue May  7 22:51:15 2019 daemon.notice netifd: Network device 'eth1' link is down
Tue May  7 22:51:15 2019 daemon.notice netifd: VLAN 'eth1.1' link is down
Tue May  7 22:51:15 2019 kern.info kernel: [  683.384828] br-lan: port 1(eth1.1) entered disabled state
Tue May  7 22:51:15 2019 daemon.notice netifd: wwan (2650): udhcpc: received SIGTERM
Tue May  7 22:51:15 2019 daemon.notice netifd: Interface 'wwan' is now down
Tue May  7 22:51:15 2019 daemon.notice hostapd: wlan0-1: interface state ENABLED->DISABLED
Tue May  7 22:51:15 2019 daemon.notice hostapd: wlan0-1: AP-DISABLED
Tue May  7 22:51:15 2019 daemon.notice hostapd: wlan0-1: CTRL-EVENT-TERMINATING
Tue May  7 22:51:15 2019 daemon.notice hostapd: nl80211: deinit ifname=wlan0-1 disabled_11b_rates=0
Tue May  7 22:51:15 2019 kern.info kernel: [  684.123261] device wlan0-1 left promiscuous mode
Tue May  7 22:51:15 2019 kern.info kernel: [  684.128170] br-lan: port 2(wlan0-1) entered disabled state
Tue May  7 22:51:15 2019 kern.info kernel: [  684.138736] eth1: link up (1000Mbps/Full duplex)
Tue May  7 22:51:16 2019 daemon.notice netifd: Network device 'wlan0-1' link is down
Tue May  7 22:51:16 2019 kern.info kernel: [  684.446510] wlan0: deauthenticating from 76:99:63:ee:50:9c by local choice (Reason: 3=DEAUTH_LEAVING)
Tue May  7 22:51:16 2019 daemon.notice netifd: bridge 'br-lan' link is down
Tue May  7 22:51:16 2019 daemon.notice netifd: Interface 'lan' has link connectivity loss
Tue May  7 22:51:16 2019 daemon.notice netifd: Network device 'eth1' link is up
Tue May  7 22:51:16 2019 kern.info kernel: [  684.743856] br-lan: port 1(eth1.1) entered blocking state
Tue May  7 22:51:16 2019 kern.info kernel: [  684.749447] br-lan: port 1(eth1.1) entered forwarding state
Tue May  7 22:51:16 2019 daemon.notice netifd: VLAN 'eth1.1' link is up
Tue May  7 22:51:16 2019 daemon.notice netifd: bridge 'br-lan' link is up
Tue May  7 22:51:16 2019 daemon.notice netifd: Interface 'lan' has link connectivity
Tue May  7 22:51:16 2019 daemon.warn dnsmasq[1341]: no servers found in /tmp/resolv.conf.auto, will retry
Tue May  7 22:51:16 2019 daemon.info dnsmasq-dhcp[1341]: DHCPREQUEST(br-lan) 192.168.1.162 00:d8:61:17:9b:1d
Tue May  7 22:51:16 2019 daemon.info dnsmasq-dhcp[1341]: DHCPACK(br-lan) 192.168.1.162 00:d8:61:17:9b:1d DESKTOP-87JBAOU
Tue May  7 22:51:19 2019 daemon.err hostapd: Configuration file: /var/run/hostapd-phy0.conf
Tue May  7 22:51:20 2019 kern.info kernel: [  688.626037] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Tue May  7 22:51:20 2019 kern.info kernel: [  688.636899] br-lan: port 2(wlan0) entered blocking state
Tue May  7 22:51:20 2019 kern.info kernel: [  688.642578] br-lan: port 2(wlan0) entered disabled state
Tue May  7 22:51:20 2019 kern.info kernel: [  688.648473] device wlan0 entered promiscuous mode
Tue May  7 22:51:20 2019 daemon.notice hostapd: wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE
Tue May  7 22:51:20 2019 daemon.err hostapd: Using interface wlan0 with hwaddr 0c:80:63:60:9d:6e and ssid "OpenWrt"
Tue May  7 22:51:20 2019 kern.info kernel: [  688.971311] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Tue May  7 22:51:20 2019 kern.info kernel: [  688.978077] br-lan: port 2(wlan0) entered blocking state
Tue May  7 22:51:20 2019 kern.info kernel: [  688.983639] br-lan: port 2(wlan0) entered forwarding state
Tue May  7 22:51:20 2019 daemon.notice hostapd: wlan0: interface state COUNTRY_UPDATE->ENABLED
Tue May  7 22:51:20 2019 daemon.notice hostapd: wlan0: AP-ENABLED
Tue May  7 22:51:21 2019 daemon.notice netifd: Network device 'wlan0' link is up

There is nothing from wpa_supplicant in either of those logs.

A foreground run (use the same command line, but leave out the -B) would be more informative.

You should not have a 'wwan' network. The default 'wan' should be used, and left connected to the default Ethernet port, which looks likely to be eth0.2 in this case.

There is some hint of a wlan0-1 network, though the /etc/config/wireless you posted shows only one wlan, which is an ordinary AP. That one would be running as wlan0.

It has reached that time when I highly recommend:
Reset OpenWrt to default configuration and start over.

I reset OpenWrt and did everything new.

Start wpa_supplicant:

root@OpenWrt:~#  wpa_supplicant -i eth0 -D wired -c /etc/config/wpasupplicant.conf  -dd -t
1557265418.768373: Successfully initialized wpa_supplicant
1557265418.870540: eth0: Associated with 01:80:c2:00:00:03
1557265418.871119: WMM AC: Missing IEs
1557265418.871765: eth0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
C1557265442.301133: eth0: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
1557265442.302139: eth0: CTRL-EVENT-TERMINATING

logread:

Tue May  7 23:44:08 2019 daemon.info hostapd: wlan0: STA 54:99:63:ee:50:9c IEEE 802.11: authenticated
Tue May  7 23:44:08 2019 daemon.info hostapd: wlan0: STA 54:99:63:ee:50:9c IEEE 802.11: associated (aid 2)
Tue May  7 23:44:08 2019 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 54:99:63:ee:50:9c
Tue May  7 23:44:08 2019 daemon.info hostapd: wlan0: STA 54:99:63:ee:50:9c RADIUS: starting accounting session 9FC3684A6A0A0EF1
Tue May  7 23:44:08 2019 daemon.info hostapd: wlan0: STA 54:99:63:ee:50:9c WPA: pairwise key handshake completed (RSN)
Tue May  7 23:44:09 2019 daemon.info dnsmasq-dhcp[1361]: DHCPREQUEST(br-lan) 192.168.1.102 54:99:63:ee:50:9c
Tue May  7 23:44:09 2019 daemon.info dnsmasq-dhcp[1361]: DHCPACK(br-lan) 192.168.1.102 54:99:63:ee:50:9c iPhone-I
Tue May  7 23:44:10 2019 daemon.warn odhcpd[916]: DHCPV6 SOLICIT IA_NA from 00010001236c4252549963ee509c on br-lan: ok fd3a:4ef0:a761::3e0/128
Tue May  7 23:44:11 2019 daemon.warn odhcpd[916]: DHCPV6 REQUEST IA_NA from 00010001236c4252549963ee509c on br-lan: ok fd3a:4ef0:a761::3e0/128
Tue May  7 23:45:13 2019 daemon.notice hostapd: wlan0: AP-STA-DISCONNECTED 54:99:63:ee:50:9c
Tue May  7 23:45:13 2019 daemon.info hostapd: wlan0: STA 54:99:63:ee:50:9c IEEE 802.11: disassociated
Tue May  7 23:45:14 2019 daemon.info hostapd: wlan0: STA 54:99:63:ee:50:9c IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Tue May  7 23:45:36 2019 daemon.info hostapd: wlan0: STA 54:99:63:ee:50:9c IEEE 802.11: authenticated
Tue May  7 23:45:36 2019 daemon.info hostapd: wlan0: STA 54:99:63:ee:50:9c IEEE 802.11: authenticated
Tue May  7 23:45:36 2019 daemon.info hostapd: wlan0: STA 54:99:63:ee:50:9c IEEE 802.11: associated (aid 1)
Tue May  7 23:45:36 2019 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 54:99:63:ee:50:9c
Tue May  7 23:45:36 2019 daemon.info hostapd: wlan0: STA 54:99:63:ee:50:9c RADIUS: starting accounting session DCCDCD68A384D9A9
Tue May  7 23:45:36 2019 daemon.info hostapd: wlan0: STA 54:99:63:ee:50:9c WPA: pairwise key handshake completed (RSN)
Tue May  7 23:45:36 2019 daemon.info dnsmasq-dhcp[1361]: DHCPREQUEST(br-lan) 192.168.1.102 54:99:63:ee:50:9c
Tue May  7 23:45:36 2019 daemon.info dnsmasq-dhcp[1361]: DHCPACK(br-lan) 192.168.1.102 54:99:63:ee:50:9c iPhone-I
Tue May  7 23:45:37 2019 daemon.warn odhcpd[916]: DHCPV6 SOLICIT IA_NA from 00010001236c4252549963ee509c on br-lan: ok fd3a:4ef0:a761::3e0/128
Tue May  7 23:45:38 2019 daemon.warn odhcpd[916]: DHCPV6 REQUEST IA_NA from 00010001236c4252549963ee509c on br-lan: ok fd3a:4ef0:a761::3e0/128

Still no wifi connection

You're not posting enough to help me or anyone else figure out the problem.

I see a log of your iPhone connecting to a wifi AP, in a completely normal way. There isn't going to be any cloudy iPhone magic happening though unless and until the router has a path to the Internet. You can test that with a wired connection from the router's LAN to your laptop. Turn off the AP and forget the iPhone for now to reduce clutter.

Check /etc/config/network and see what the WAN port is. I think it is going to be eth0.2. I have seen eth0.1 in a few of your logs, and one big cardinal rule is that once you have VLANs on an eth port you never reference the plain "parent" port (eth0 with no VLAN number) to any network activity. It won't work.

Please post all the major config files (especially network, and your wpa_supplicant config) in entirety, but of course with personal details redacted.

Also would be good to know the make/model of the router, and link to its OpenWrt wiki page if one exists.