I have successfully connected to the BTWifi-With-FON network in client mode and pushed openzone DNS servers to get the landing page. I have been trying to connect to a BTWifi-X hotspot using EAP-TTLS & PAP (upgraded from DDWRT to LEDE). I have successfully set up a Windows connection to said hotspot but am having problems with LEDE. The hotspot connects to the BTWifi-X hotspot then gets a deauth. Here are the relevant settings (and a link to the original article) and the syslog.
Relevant Settings:
Wireless Service Set Identifier (SSID): BTWifi-X
Wireless authentication method: WPA2 Enterprise
Wireless authentication EAP protocol: EAP-TTLS
Inner EAP-TTLS authentication protocol: PAP
Identity Privacy: Disabled
Username: 8021x:BTRCon/newprof/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX:XXX-XXX (as above)
Password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (as above)
Trusted Certificates: "8021x.bt.com" certificate (as above)
Trusted Server Certificate Names / Connect To Names: 8021x.bt.com
Link to article: https://neilalexander.eu/articles/2017/2/27/bt-wifi
Syslog:
Wed Jan 3 23:47:45 2018 kern.info kernel: [ 2974.641025] wlan0: authenticate with 42:c7:29:0d:2f:98
Wed Jan 3 23:47:45 2018 kern.info kernel: [ 2974.658117] wlan0: send auth to 42:c7:29:0d:2f:98 (try 1/3)
Wed Jan 3 23:47:45 2018 kern.info kernel: [ 2974.667456] wlan0: authenticated
Wed Jan 3 23:47:45 2018 kern.info kernel: [ 2974.679853] wlan0: associate with 42:c7:29:0d:2f:98 (try 1/3)
Wed Jan 3 23:47:45 2018 kern.info kernel: [ 2974.689246] wlan0: RX AssocResp from 42:c7:29:0d:2f:98 (capab=0x411 status=0 aid=1)
Wed Jan 3 23:47:45 2018 kern.info kernel: [ 2974.697412] wlan0: associated
Wed Jan 3 23:47:46 2018 daemon.notice netifd: Network device 'wlan0' link is up
Wed Jan 3 23:47:46 2018 daemon.notice netifd: Interface 'wwanX' has link connectivity
Wed Jan 3 23:47:46 2018 daemon.notice netifd: Interface 'wwanX' is setting up now
Wed Jan 3 23:47:46 2018 daemon.notice netifd: wwanX (4933): udhcpc: started, v1.25.1
Wed Jan 3 23:47:46 2018 daemon.notice netifd: wwanX (4933): udhcpc: sending discover
Wed Jan 3 23:47:49 2018 daemon.notice netifd: wwanX (4933): udhcpc: sending discover
Wed Jan 3 23:47:52 2018 daemon.notice netifd: wwanX (4933): udhcpc: sending discover
Wed Jan 3 23:48:57 2018 kern.info kernel: [ 3045.696220] wlan0: deauthenticating from 42:c7:29:0d:2f:98 by local choice (Reason: 3=DEAUTH_LEAVING)
Wed Jan 3 23:48:57 2018 daemon.notice netifd: Network device 'wlan0' link is down
Wed Jan 3 23:48:57 2018 daemon.notice netifd: Interface 'wwanX' has link connectivity loss
Wed Jan 3 23:48:57 2018 daemon.notice netifd: wwanX (4933): udhcpc: received SIGTERM
Wed Jan 3 23:50:05 2018 daemon.info dnsmasq-dhcp[1140]: DHCPREQUEST(br-lan) 192.168.1.166 00:26:6c:53:ef:96
Wed Jan 3 23:50:05 2018 daemon.info dnsmasq-dhcp[1140]: DHCPACK(br-lan) 192.168.1.166 00:26:6c:53:ef:96 DESKTOP-6I07C2O
Wed Jan 3 23:50:05 2018 daemon.notice odhcpd[865]: Got DHCPv6 request
Wed Jan 3 23:50:05 2018 daemon.warn odhcpd[865]: DHCPV6 SOLICIT IA_NA from 0001000121df021200266c53ef96 on br-lan: ok fde0:4e0c:e280::9b7/128
Wed Jan 3 23:50:05 2018 daemon.info dnsmasq[1140]: read /etc/hosts - 4 addresses
Wed Jan 3 23:50:05 2018 daemon.info dnsmasq[1140]: read /tmp/hosts/odhcpd - 0 addresses
Wed Jan 3 23:50:05 2018 daemon.info dnsmasq[1140]: read /tmp/hosts/dhcp.cfg02411c - 2 addresses
Wed Jan 3 23:50:05 2018 daemon.info dnsmasq-dhcp[1140]: read /etc/ethers - 0 addresses
Wed Jan 3 23:50:05 2018 daemon.info odhcpd[865]: Using a RA lifetime of 0 seconds on br-lan
Wed Jan 3 23:50:05 2018 daemon.notice odhcpd[865]: Got DHCPv6 request
Wed Jan 3 23:50:05 2018 daemon.warn odhcpd[865]: DHCPV6 SOLICIT IA_NA from 0001000121df021200266c53ef96 on br-lan: ok fde0:4e0c:e280::9b7/128
Wed Jan 3 23:50:06 2018 daemon.notice odhcpd[865]: Got DHCPv6 request
Wed Jan 3 23:50:06 2018 daemon.warn odhcpd[865]: DHCPV6 REQUEST IA_NA from 0001000121df021200266c53ef96 on br-lan: ok fde0:4e0c:e280::9b7/128
Wed Jan 3 23:50:06 2018 daemon.info dnsmasq[1140]: read /etc/hosts - 4 addresses
Wed Jan 3 23:50:06 2018 daemon.info dnsmasq[1140]: read /tmp/hosts/odhcpd - 1 addresses
Wed Jan 3 23:50:06 2018 daemon.info dnsmasq[1140]: read /tmp/hosts/dhcp.cfg02411c - 2 addresses
Wed Jan 3 23:50:06 2018 daemon.info dnsmasq-dhcp[1140]: read /etc/ethers - 0 addresses
Wed Jan 3 23:50:07 2018 kern.info kernel: [ 3115.941573] wlan0: authenticate with 42:c7:29:0d:2f:98
Wed Jan 3 23:50:07 2018 kern.info kernel: [ 3115.958673] wlan0: send auth to 42:c7:29:0d:2f:98 (try 1/3)
Wed Jan 3 23:50:07 2018 kern.info kernel: [ 3115.966218] wlan0: authenticated
Wed Jan 3 23:50:07 2018 kern.info kernel: [ 3115.979769] wlan0: associate with 42:c7:29:0d:2f:98 (try 1/3)
Wed Jan 3 23:50:07 2018 kern.info kernel: [ 3115.990066] wlan0: RX AssocResp from 42:c7:29:0d:2f:98 (capab=0x411 status=0 aid=1)
Wed Jan 3 23:50:07 2018 kern.info kernel: [ 3115.998439] wlan0: associated
Wed Jan 3 23:50:07 2018 daemon.notice netifd: Network device 'wlan0' link is up
Wed Jan 3 23:50:07 2018 daemon.notice netifd: Interface 'wwanX' has link connectivity
Wed Jan 3 23:50:07 2018 daemon.notice netifd: Interface 'wwanX' is setting up now
Wed Jan 3 23:50:07 2018 daemon.notice netifd: wwanX (4957): udhcpc: started, v1.25.1
Wed Jan 3 23:50:07 2018 daemon.notice netifd: wwanX (4957): udhcpc: sending discover
Wed Jan 3 23:50:09 2018 daemon.info odhcpd[865]: Using a RA lifetime of 0 seconds on br-lan
Wed Jan 3 23:50:10 2018 daemon.notice netifd: wwanX (4957): udhcpc: sending discover
Wed Jan 3 23:50:11 2018 kern.info kernel: [ 3120.439431] wlan0: deauthenticating from 42:c7:29:0d:2f:98 by local choice (Reason: 3=DEAUTH_LEAVING)
Wed Jan 3 23:50:12 2018 daemon.notice netifd: Network device 'wlan0' link is down
Wed Jan 3 23:50:12 2018 daemon.notice netifd: Interface 'wwanX' has link connectivity loss
Wed Jan 3 23:50:12 2018 daemon.notice netifd: wwanX (4957): udhcpc: received SIGTERM
jow
January 5, 2018, 3:51pm
4
Did you install wpad instead of wpad-mini and can you share your current /etc/config/wireless?
Tried with wpad full and wpa supplicant full. How do I share /etc/config/wireless, via PuTTY on LuCI?
SSH into the router.
At the command prompt, enter cat /etc/config/wireless
Make sure to obscure the "option key" value(s) in the wireless config results before posting.
root@LEDE:~# cat /etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'HT20'
	option disabled '0'
	option channel '6'
	option country 'US'

config wifi-iface
	option network 'wwan'
	option ssid 'BTWifi-X'
	option device 'radio0'
	option mode 'sta'
	option bssid '42:C7:29:0D:2F:98'
	option encryption 'wpa2'
	option eap_type 'ttls'
	option ca_cert '/etc/luci-uploads/cbid.wireless.cfg033579.ca_cert'
	option auth 'PAP'
	option identity '8021x:BTRCon/newprof/7C82xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxB8:stmxxxxx'
	option password 'zBn1NxxxxxxxxxxxxxxxxxxxxFTOxCGs'
Try changing encryption to WPA2-PSK and cipher to AES.
dibdot
January 8, 2018, 7:42am
10
@jwoods
The user asks for an enterprise uplink, any psk-configuration makes no sense. The configured "wpa2" encryption is quite fine.
@aidanmacgregor
Please make sure that you only have installed the packages 'wpad', 'hostapd-common' and 'hostapd-utils', no more wpa*- or hostapd-packages in parallel. You can check that with 'opkg list-installed'.
Just added hostapd-util to packages, no change.
root@LEDE:~# opkg list-installed
base-files - 173-r3435-65eec8bd5f
busybox - 1.25.1-4
ca-certificates - 20170717
dnsmasq - 2.77-1
dropbear - 2017.75-1
firewall - 2017-05-27-a4d98aea-1
fstools - 2016-12-04-84b530a7-2
fwtool - 1
hostapd-common - 2016-12-19-ad02e79d-3
hostapd-utils - 2016-12-19-ad02e79d-7
ip6tables - 1.4.21-2
iptables - 1.4.21-2
iw - 4.9-1
iwinfo - 2016-09-21-fd9e17be-1
jshn - 2017-02-24-96305a3c-1
jsonfilter - 2016-07-02-dea067ad-1
kernel - 4.4.71-1-840c23c3f9dc6160d8c7bd302c6f494d
kmod-ath - 4.4.71+2017-01-31-2
kmod-ath9k - 4.4.71+2017-01-31-2
kmod-ath9k-common - 4.4.71+2017-01-31-2
kmod-cfg80211 - 4.4.71+2017-01-31-2
kmod-gpio-button-hotplug - 4.4.71-2
kmod-ip6tables - 4.4.71-1
kmod-ipt-conntrack - 4.4.71-1
kmod-ipt-core - 4.4.71-1
kmod-ipt-nat - 4.4.71-1
kmod-lib-crc-ccitt - 4.4.71-1
kmod-mac80211 - 4.4.71+2017-01-31-2
kmod-nf-conntrack - 4.4.71-1
kmod-nf-conntrack6 - 4.4.71-1
kmod-nf-ipt - 4.4.71-1
kmod-nf-ipt6 - 4.4.71-1
kmod-nf-nat - 4.4.71-1
kmod-nls-base - 4.4.71-1
kmod-ppp - 4.4.71-1
kmod-pppoe - 4.4.71-1
kmod-pppox - 4.4.71-1
kmod-slhc - 4.4.71-1
kmod-usb-core - 4.4.71-1
kmod-usb-ledtrig-usbport - 4.4.71-1
kmod-usb2 - 4.4.71-1
lede-keyring - 2017-01-20-a50b7529-1
libblobmsg-json - 2017-02-24-96305a3c-1
libc - 1.1.16-1
libgcc - 5.4.0-1
libip4tc - 1.4.21-2
libip6tc - 1.4.21-2
libiwinfo - 2016-09-21-fd9e17be-1
libiwinfo-lua - 2016-09-21-fd9e17be-1
libjson-c - 0.12.1-1
libjson-script - 2017-02-24-96305a3c-1
liblua - 5.1.5-1
libnl-tiny - 0.1-5
libopenssl - 1.0.2n-1
libpcre - 8.41-2
libpthread - 1.1.16-1
librt - 1.1.16-1
libubox - 2017-02-24-96305a3c-1
libubus - 2017-02-18-34c6e818-1
libubus-lua - 2017-02-18-34c6e818-1
libuci - 2016-07-04-e1bf4356-1
libuci-lua - 2016-07-04-e1bf4356-1
libuclient - 2016-12-09-52d955fd-1
libxtables - 1.4.21-2
logd - 2017-03-10-16f7e161-1
lua - 5.1.5-1
luci - git-17.152.82987-7f6fc16-1
luci-app-firewall - git-17.152.82987-7f6fc16-1
luci-base - git-17.152.82987-7f6fc16-1
luci-lib-ip - git-17.152.82987-7f6fc16-1
luci-lib-jsonc - git-17.152.82987-7f6fc16-1
luci-lib-nixio - git-17.152.82987-7f6fc16-1
luci-mod-admin-full - git-17.152.82987-7f6fc16-1
luci-proto-ipv6 - git-17.152.82987-7f6fc16-1
luci-proto-ppp - git-17.152.82987-7f6fc16-1
luci-theme-bootstrap - git-17.152.82987-7f6fc16-1
mtd - 21
netifd - 2017-01-25-650758b1-1
odhcp6c - 2017-01-30-c13b6a05-1
odhcpd - 2017-04-28-9268ca65-1
openssl-util - 1.0.2n-1
opkg - 2017-03-23-1d0263bb-1
ppp - 2.4.7-11
ppp-mod-pppoe - 2.4.7-11
procd - 2017-02-15-5f912410-1
rpcd - 2016-12-03-0577cfc1-1
swconfig - 11
uboot-envtools - 2015.10-1
ubox - 2017-03-10-16f7e161-1
ubus - 2017-02-18-34c6e818-1
ubusd - 2017-02-18-34c6e818-1
uci - 2016-07-04-e1bf4356-1
uclient-fetch - 2016-12-09-52d955fd-1
uhttpd - 2016-10-25-1628fa4b-1
uhttpd-mod-ubus - 2016-10-25-1628fa4b-1
usign - 2015-07-04-ef641914-1
wget - 1.19.2-2
wpad - 2016-12-19-ad02e79d-7
zlib - 1.2.11-1
root@LEDE:~#
dibdot
January 8, 2018, 1:10pm
12
I have no experience with such certificate based eap connection. I found the following hint in the openwrt wiki, maybe you could try to change the auth option to ...
option auth 'auth=PAP'
Well, thanks for the suggestion, nothing was ever solved without one.
Thanks for the correction.
Should I try using wpa-supplicant instead of wpad? Could I use this conf file?
Thanks for this guide. There's hardly any information out there about this subject. I had been using BT Fon for years, and never liked the potential for either over-the-air snooping or piggybacking by MAC address spoofing (which I've tested and works). So it's great to have the extra security of encryption.
I want to contribute something back, so here's my config that I've been using for the last several months under (Arch) Linux using wpa_supplicant as the network manager:
Copied 8021x.bt.com.cer to /etc/wpa_supplicant/
Created this config file for wpa_supplicant (/etc/wpa_supplicant/wpa_supplicant-wlan0.conf):
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
passive_scan=1
network={
    priority=2
    scan_ssid=1
    ssid="BTWifi-X"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="8021x:BTRCon/newprof/ABC-123-ETC-1234567890:example@btinternet.com"
    password="abc123etc"
    client_cert="/etc/wpa_supplicant/8021x.bt.com.cer"
    phase2="auth=PAP"
}
It was very fussy about having the right options provided before it would work, so hopefully it helps someone.
Another thing, I use wget like this to login when redirected to the captive portal:
wget -q -O /dev/null --post-data "username=example@btinternet.com&password=pass123" https://www.btopenzone.com:8443/tbbLogon
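An added example, not part of the thread or the linked article: a Python check that reads a wpa_supplicant network block and reports whether an EAP-TTLS/PAP profile authenticates the server (the "Trusted Certificates" and "Connect To Names" settings listed in the first post) before the inner password is sent. The sample block is constructed from the configuration quoted above with placeholder credentials; the finding codes and the `ca_cert` path in the validated variant are assumptions.

```python
import re

# Constructed sample modelled on the wpa_supplicant block quoted above (placeholder credentials).
POSTED = '''
network={
    ssid="BTWifi-X"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="8021x:BTRCon/newprof/PLACEHOLDER:user@example.invalid"
    password="placeholder"
    client_cert="/etc/wpa_supplicant/8021x.bt.com.cer"
    phase2="auth=PAP"
}
'''
# Same block with server validation added; the ca_cert path is an assumed location.
VALIDATED = POSTED.replace(
    'client_cert="/etc/wpa_supplicant/8021x.bt.com.cer"',
    'ca_cert="/etc/wpa_supplicant/PLACEHOLDER-ca.pem"\n    domain_suffix_match="8021x.bt.com"')

NAME_CHECKS = ('domain_suffix_match', 'domain_match', 'altsubject_match', 'subject_match')

def parse_networks(text):
    """Return one {key: unquoted value} dict per network={...} block."""
    networks = []
    for body in re.findall(r'network\s*=\s*\{(.*?)\}', text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith('#') and '=' in line:
                key, value = line.split('=', 1)
                net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks

def audit(net):
    """Return finding codes for an EAP network that does not authenticate the server."""
    findings = []
    if 'EAP' not in net.get('key_mgmt', ''):
        return findings  # PSK/open networks are out of scope here
    if 'ca_cert' not in net:
        findings.append('NO_CA_CERT')  # client_cert does not establish trust in the server
    if not any(k in net for k in NAME_CHECKS):
        findings.append('NO_SERVER_NAME_CHECK')
    if findings and 'auth=PAP' in net.get('phase2', ''):
        findings.append('PAP_TO_UNVERIFIED_SERVER')  # inner password is sent as-is in the tunnel
    return findings

def audit_config(text):
    return [audit(net) for net in parse_networks(text)]

if __name__ == '__main__':
    print(audit_config(POSTED), audit_config(VALIDATED))
```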