Wifi enterprise client connection

I want to connect to an enterprise wifi network from my router (v19.07.1) as a client. Here is the wpa_supplicant config I think should work:

network={
        ssid="eduroam"
        key_mgmt=WPA-EAP
        pairwise=CCMP
        group=CCMP TKIP
        eap=PEAP
        ca_cert="/tmp/ca.pem"
        identity="xxxx@xxxx"
        altsubject_match="DNS:zzzzz.zzz.zz.zz"
        phase2="auth=MSCHAPV2"
        password="wwwwwwww"
        anonymous_identity="yyyy@yyyy"
}

I tried to translate it to the UCI config in /etc/config/wireless. I followed the config options here:

https://openwrt.org/docs/guide-user/network/wifi/basic#wpa_enterprise_client

But I could not get the matching UCI options for every option, such as anonymous_identity.

Note the ca_cert option is not a problem. I have the ca.pem file, which I saved in /tmp/ca.pem in openwrt and I can see the ca_cert option in the openwrt guide.

So far, this is my config:

config wifi-iface 'wifinet2'
	option ssid 'eduroam'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option encryption 'wpa2+tkip+aes'
	option eap_type 'peap'
	option auth 'auth=MSCHAPV2'
	option identity 'xxxx@xxxx'
	option password 'wwwwwwww'
	option ca_cert '/tmp/ca.pem'

which generates:

root@OpenWrt:~# cat /var/run/wpa_supplicant-wlan0.conf

network={
	scan_ssid=1
	ssid="eduroam"
	key_mgmt=WPA-EAP
	ca_cert="/tmp/ca.pem"
	identity="xxxx@xxxx"
	password="wwwwwwww"
	phase2="auth=MSCHAPV2"
	eap=PEAP
	proto=RSN
	beacon_int=100
}

This doesn't work. My syslog says:

Thu Feb  6 23:56:38 2020 daemon.notice wpa_supplicant[4483]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='...' err='unknown CA'
Thu Feb  6 23:56:40 2020 daemon.notice wpa_supplicant[4483]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Missing fields are anonymous_identity, pairwise, group and altsubject_match. Not sure what the proto and beacon_int fields are about in the openwrt generated config.

How do I generate a matching wpa_supplicant config using the UCI options?

/tmp is a RAM disk in OpenWrt; you need to store the certificate somewhere else or it will be erased on a reboot.

I suggest making a directory under /etc/config like /etc/config/certs since that whole branch will be saved along with the configuration during sysupgrades.

Is the certificate self-signed? I guess it is?
I think the problem is that the certificate can't be verified.
Does it also work when you copy the certificate to /etc/ssl/certs/? Maybe you have to rename it to *.crt...
Maybe /etc/ssl/private/ works too.

@mk24 Thanks for the tip. I moved it to /etc/config/ca.pem. Still didn't help with the connection.

@shm0 Thanks for the suggestions. I copied it to /etc/config/ca.pem, which didn't help with the connection, and I tried renaming it to ca.crt (also changed it in the config), which didn't work either. Same issue in syslog:

Fri Feb  7 00:10:40 2020 daemon.notice wpa_supplicant[2247]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='... ' err='unknown CA'

This is my University's WiFi, and the certificate comes from them.

Did you install wpad (full version)?

opkg update
opkg remove wpad-mini
opkg install wpad

@shm0 Yes indeed, I removed wpad-basic and installed wpad.

I don't know...

anonymous_identity and altsubject_match should work.

Adding those missing options won't fix the 'Unknown CA' error, I think.
But worth a try...

Did you also install ca-bundle or ca-certificates?

@shm0 Setting anonymous_identity and altsubject_match made it work! Thanks very much for your help!

It turns out that they select the certificates on the server side based on the value in anonymous_identity.
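The two options that fixed the connection, anonymous_identity and altsubject_match, are also the two that matter most for the client's security: anonymous_identity keeps the real username out of the unencrypted outer EAP-Identity exchange, and altsubject_match (or domain_suffix_match) makes sure the client only accepts the RADIUS server certificate it expects, not any certificate issued by that CA. The checker below, an added example that is not code from this thread or from OpenWrt, parses a wpa_supplicant network block like the ones posted above and reports which of these settings are missing. The two sample blocks are constructed from the configs in the thread (the hand-written one the questioner wanted, and the one OpenWrt generated before the fix); the finding texts and the checker itself are my own, not wpa_supplicant output.

```python
"""Audit a wpa_supplicant network block for WPA-Enterprise client hardening.

Added example for the thread above; not part of OpenWrt or wpa_supplicant.
The two sample blocks are constructed from the configs posted in the thread.
"""
import re

# Constructed sample: the hand-written block the questioner expected to work.
WANTED = '''
network={
        ssid="eduroam"
        key_mgmt=WPA-EAP
        pairwise=CCMP
        group=CCMP TKIP
        eap=PEAP
        ca_cert="/tmp/ca.pem"
        identity="xxxx@xxxx"
        altsubject_match="DNS:zzzzz.zzz.zz.zz"
        phase2="auth=MSCHAPV2"
        password="wwwwwwww"
        anonymous_identity="yyyy@yyyy"
}
'''

# Constructed sample: the block OpenWrt generated before the fix.
GENERATED = '''
network={
	scan_ssid=1
	ssid="eduroam"
	key_mgmt=WPA-EAP
	ca_cert="/tmp/ca.pem"
	identity="xxxx@xxxx"
	password="wwwwwwww"
	phase2="auth=MSCHAPV2"
	eap=PEAP
	proto=RSN
	beacon_int=100
}
'''

# key=value, with the value taken lazily so "phase2="auth=MSCHAPV2"" keeps its inner '='
_KV = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$')


def parse_network_block(text):
    """Return {key: value} for the first network={...} block in text.

    Surrounding double quotes are stripped; a repeated key overwrites the earlier value.
    """
    inside = False
    fields = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not inside:
            inside = stripped.startswith('network={')
            continue
        if stripped == '}':
            break
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def audit_enterprise(fields):
    """Return a list of findings for an EAP client block; empty means nothing to flag."""
    findings = []
    if fields.get('key_mgmt') != 'WPA-EAP':
        return ['key_mgmt is not WPA-EAP; this is not an enterprise client block']
    ca = fields.get('ca_cert')
    if not ca:
        findings.append('ca_cert missing: the RADIUS server certificate is not validated')
    elif ca.startswith('/tmp/'):
        findings.append('ca_cert lives under /tmp, a RAM disk on OpenWrt that is cleared on reboot')
    if not any(k in fields for k in ('altsubject_match', 'domain_suffix_match', 'subject_match')):
        findings.append('no altsubject_match/domain_suffix_match: any server certificate from the CA is accepted')
    if fields.get('eap') in ('PEAP', 'TTLS'):
        if 'phase2' not in fields:
            findings.append('phase2 missing for tunneled EAP method')
        if 'anonymous_identity' not in fields:
            findings.append('anonymous_identity missing: the real identity is sent in the unencrypted outer EAP-Identity')
        elif fields['anonymous_identity'] == fields.get('identity'):
            findings.append('anonymous_identity equals identity: the real username still leaks in the clear')
    if 'TKIP' in fields.get('group', '') or 'TKIP' in fields.get('pairwise', ''):
        findings.append('TKIP is offered as a cipher; prefer CCMP only')
    return findings


if __name__ == '__main__':
    for name, text in (('hand-written', WANTED), ('generated', GENERATED)):
        print(name)
        for finding in audit_enterprise(parse_network_block(text)) or ['no findings']:
            print('  -', finding)
```

Run it against the file OpenWrt writes (/var/run/wpa_supplicant-wlan0.conf in the thread) after each UCI change to confirm the options actually reached wpa_supplicant; the generated block above reports the missing altsubject_match and anonymous_identity, plus the /tmp certificate path that mk24 pointed out.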
