WPA2-Enterprise Client mode setup, I am at a loss

Hi,
I am trying to set up a repeater to extend the range of a corporate network.
Specifically eduroam, but there is also a local network with, from what I can tell, identical security requirements.

Now, there are several writeups on this that I could find through google.
And I have been following this one specifically:
https://forum.archive.openwrt.org/viewtopic.php?id=69653

I am using: OpenWrt 18.06.1 r7258-5eb055306f

Removed wpad-mini package and
replaced it with wpad and wpa-cli
also tried this with wpa-supplicant

I could connect to the network.
It would read a Rx/Tx. But it would not give a hostname.

Even though I was connected, ping would not return anything.

Here is where it gets weird.
I would briefly connect a WAN cable to my router. This way internet connection would return.
I would then disconnect the cable and be only connected to the internet via the enterprise wifi network.
In this case, I could ping openwrt.org, and even download software packages to my router. But I could not ping any other address.
If I reset the router, the internet connection would be lost again, until I briefly connect and then disconnect the WAN cable.

I am pretty sure that this has something to do with WPA2-enterprise specifically.
If I set up a test network with a different security protocol (WPA2-PSK for example), I could connect to it via client mode and set up the router as a repeater.

I am wondering what I could be missing?

Thanks for your help.

I am including extra information here.

Here is my /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/10300000.wmac'
	option htmode 'HT20'
	option legacy_rates '1'
	option channel '6'
	option disabled '0'
	option country 'US'

config wifi-iface
	option network 'wwan'
	option ssid 'eduroam'
	option device 'radio0'
	option mode 'sta'
	option encryption 'wpa2'
	option eap_type 'peap'
	option auth 'EAP-MSCHAPV2'
	option identity 'xxx@xxx.com'
	option password 'xxxxx'

And then the auto-generated wpa-supplicant.conf is:

country=US
network={
	scan_ssid=1
	ssid="eduroam"
	key_mgmt=WPA-EAP
	identity="xxx@xxx.xxxk\"
	password="xxx"
	phase2="auth=MSCHAPV2"
	eap=PEAP
	proto=RSN
	beacon_int=100
}

Logging into LuCI, I get:
(screenshot: Wireless1)

But when I perform ping:
ping openwrt.org
it returns:
ping: bad address 'openwrt.org'

The "eduroam" network configuration that is set up on my PC looks like this:
(screenshot: Wireless3)

wpa2+ccmp ??

https://openwrt.org/docs/guide-user/network/wifi/basic#wpa_modes

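As an added example (not from this thread and not OpenWrt's own code), the POSIX shell audit below reads a wpa_supplicant network block like the auto-generated one posted above and flags what a PEAP/MSCHAPv2 station needs for server validation. The generated config has no ca_cert, so the supplicant accepts whatever certificate the RADIUS server presents; domain_suffix_match pins which server name the CA may vouch for, and anonymous_identity keeps the real username out of the unencrypted outer EAP identity. The two sample configs, the CA path and the domain names are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a wpa_supplicant.conf WPA-EAP network block for
# settings that protect the PEAP/MSCHAPv2 credentials from a spoofed AP.
# All sample values are constructed; paths and names are placeholders.

# Constructed sample modelled on the auto-generated conf from the thread:
# no ca_cert, no domain_suffix_match, no anonymous_identity.
SAMPLE_CONF='country=US
network={
	scan_ssid=1
	ssid="eduroam"
	key_mgmt=WPA-EAP
	identity="xxx@xxx.com"
	password="xxx"
	phase2="auth=MSCHAPV2"
	eap=PEAP
	proto=RSN
}'

# Constructed hardened counterpart (CA path and domain are placeholders).
HARDENED_CONF='network={
	ssid="eduroam"
	key_mgmt=WPA-EAP
	eap=PEAP
	phase2="auth=MSCHAPV2"
	identity="xxx@xxx.com"
	anonymous_identity="anonymous@xxx.com"
	password="xxx"
	ca_cert="/etc/ssl/certs/eduroam-ca.pem"
	domain_suffix_match="radius.xxx.com"
	proto=RSN
}'

# has_option CONF_TEXT REGEX -> true if a config line matches REGEX.
has_option() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2"
}

# audit_eap_conf CONF_TEXT -> prints one finding per line for a WPA-EAP block;
# prints nothing for non-EAP blocks or a fully hardened one. Always returns 0.
audit_eap_conf() {
    conf="$1"
    if has_option "$conf" 'key_mgmt=.*WPA-EAP'; then
        if ! has_option "$conf" 'ca_cert='; then
            echo "ca_cert missing: RADIUS server certificate is not validated"
        fi
        if ! has_option "$conf" 'domain_suffix_match='; then
            echo "domain_suffix_match missing: any certificate from the CA is accepted"
        fi
        if ! has_option "$conf" 'anonymous_identity='; then
            echo "anonymous_identity missing: real username sent in the outer EAP identity"
        fi
    fi
    return 0
}

# eap_finding_count CONF_TEXT -> number of findings (0 means nothing flagged).
eap_finding_count() {
    audit_eap_conf "$1" | awk 'END { print NR }'
}

echo "== sample (as generated by the thread's wireless config) =="
audit_eap_conf "$SAMPLE_CONF"
echo "== hardened =="
audit_eap_conf "$HARDENED_CONF"
```

On OpenWrt the same settings reach the generated wpa_supplicant.conf through the wifi-iface section: ca_cert and anonymous_identity are, to my knowledge, the UCI options that map to the lines checked above (the domain pin may have to go into a hand-written supplicant config on older releases). The institution's CA certificate has to be copied to the router and the path given explicitly; the audit only reports whether the lines are present, not whether the certificate file is valid.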

just tried. No change.

ok.
ping openwrt.org
returns
ping: bad address 'openwrt.org'

but
ping 139.59.209.225
returns

PING 139.59.209.225 (139.59.209.225): 56 data bytes
64 bytes from 139.59.209.225: seq=0 ttl=52 time=187.030 ms
64 bytes from 139.59.209.225: seq=1 ttl=52 time=186.846 ms
64 bytes from 139.59.209.225: seq=2 ttl=52 time=185.402 ms
64 bytes from 139.59.209.225: seq=3 ttl=52 time=184.452 ms
64 bytes from 139.59.209.225: seq=4 ttl=52 time=188.337 ms

--- 139.59.209.225 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 184.452/186.413/188.337 ms

What could be the issue?

DNS and/or DHCP

Is DNS working on the OpenWrt box? Is it serving your LAN? Is your DHCP indicating that its clients should use that DNS?


Not sure where the issue is.
/etc/config/dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option domainneeded '1'
	option authoritative '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


There is no entry for wwan which is the wireless.

An entry exists in the /etc/config/network though


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6c:383b:cb97::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '80:3f:5d:c9:db:f0'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '144.214.24.22'
	option netmask '255.255.0.0'
	option gateway '144.214.2.254'
	option dns '144.214.5.20 144.214.5.27'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '80:3f:5d:c9:db:f1'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wwan'
	option proto 'dhcp'

wan is a cable connection. It requires a static IP configuration. But it works with no problems.
I am not quite sure what DNS/DHCP settings are different that screw up wireless.

This DNS/DHCP issue only comes up with WPA2-Enterprise networks.

I set up a hotspot (my phone) with WPA2-psk encryption.
And the router functions without issue!


config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/10300000.wmac'
	option htmode 'HT20'
	option legacy_rates '1'
	option disabled '0'
	option country 'US'
	option channel '11'


config wifi-iface
	option network 'wwan'
	option ssid 'xxx_Phone'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'sta'
	option bssid 'D4:38:9C:8B:1A:98'
	option key 'xxxxxxxx'


All other settings remain unchanged. Only the network I connect to as a client.

Strange and strange.
But it works now.

I disabled the firewall, that got ping to work on the router, but not on the PC connected to it.
Then I disabled DHCP and was forced to do a hard reset on the router.

With a fresh system, removed wpad-mini, installed wpad, installed wpa-cli.
Now it works. Firewall is not disabled! All configuration done via LuCI.

Mystery! But it works.
