OpenWrt Forum Archive

Topic: WPA2-Enterprise, TTLS & eduroam problem

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hey folks.

After two days of troubleshooting I decided I need help because I am not making progress anymore.

Goal

Classic eduroam situation, eduroam wlan available and I want to create my own local subnet in which I can connect ethernet devices to the internet/eduroam wlan.

wiki.openwrt.org/doc/recipes/routedclient#usingmasquerade

I set it up, configured everything and then it worked. I created a backup tar via LuCI to be able to restore it to this state. This was in March 2016.

Fast forward to 2017. I didn't use the setup for 2 months, the router was powered off during this time. Needed to use the setup again, so I started the router again. Setup doesn't work anymore. After rebuilding everything from scratch I am stuck with this problem:

Logs

logread:

    Mon Jan 30 20:46:35 2017 kern.info kernel: [ 1379.260000] wlan1: authenticate with mac_of_eduroam_ap
    Mon Jan 30 20:46:35 2017 kern.info kernel: [ 1379.280000] wlan1: send auth to mac_of_eduroam_ap (try 1/3)
    Mon Jan 30 20:46:35 2017 kern.info kernel: [ 1379.290000] wlan1: authenticated
    Mon Jan 30 20:46:35 2017 kern.info kernel: [ 1379.300000] wlan1: associate with mac_of_eduroam_ap (try 1/3)
    Mon Jan 30 20:46:35 2017 daemon.notice netifd: Network device 'wlan1' link is up
    Mon Jan 30 20:46:35 2017 daemon.notice netifd: Interface 'wan' has link connectivity
    Mon Jan 30 20:46:35 2017 daemon.notice netifd: Interface 'wan' is setting up now
    Mon Jan 30 20:46:35 2017 kern.info kernel: [ 1379.310000] wlan1: RX AssocResp from mac_of_eduroam_ap (capab=0x431 status=0 aid=2)
    Mon Jan 30 20:46:35 2017 kern.info kernel: [ 1379.320000] wlan1: associated
    Mon Jan 30 20:46:35 2017 daemon.notice netifd: wan (1458): udhcpc (v1.23.2) started
    Mon Jan 30 20:46:35 2017 daemon.notice netifd: wan (1458): Sending discover...
    Mon Jan 30 20:46:38 2017 daemon.notice netifd: wan (1458): Sending discover...
    Mon Jan 30 20:46:41 2017 daemon.notice netifd: wan (1458): Sending discover...
    Mon Jan 30 20:46:41 2017 kern.info kernel: [ 1385.470000] wlan1: deauthenticating from mac_of_eduroam_ap by local choice (Reason: 3=DEAUTH_LEAVING)
    Mon Jan 30 20:46:41 2017 daemon.notice netifd: Network device 'wlan1' link is down
    Mon Jan 30 20:46:41 2017 daemon.notice netifd: Interface 'wan' has link connectivity loss
    Mon Jan 30 20:46:41 2017 daemon.notice netifd: wan (1458): Received SIGTERM

iw event:

    wlan1 (phy #1): scan started
    wlan1 (phy #1): scan finished: 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472, "eduroam" ""
    wlan1: new station mac_of_eduroam_ap
    wlan1 (phy #1): auth mac_of_eduroam_ap -> mac_of_my_router status: 0: Successful
    wlan1 (phy #1): assoc mac_of_eduroam_ap -> mac_of_my_router status: 0: Successful
    wlan1 (phy #1): connected to mac_of_eduroam_ap
    wlan1: del station mac_of_eduroam_ap
    wlan1 (phy #1): deauth mac_of_my_router -> mac_of_eduroam_ap reason 3: Deauthenticated because sending station is leaving (or has left) the IBSS or ESS
    wlan1 (phy #1): disconnected (local request)
    wlan1 (phy #1): scan started
    wlan1 (phy #1): scan finished: 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472, "eduroam" ""

log messages inside wpa_cli:

    <3>SME: Trying to authenticate with mac_of_eduroam_ap (SSID='eduroam' freq=2437 MHz)
    <3>Trying to associate with mac_of_eduroam_ap (SSID='eduroam' freq=2437 MHz)
    <3>Associated with mac_of_eduroam_ap
    <3>CTRL-EVENT-EAP-STARTED EAP authentication started
    <3>CTRL-EVENT-EAP-STATUS status='started' parameter=''
    <3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
    <3>CTRL-EVENT-EAP-STATUS status='accept proposed method' parameter='TTLS'
    <3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
    <3>CTRL-EVENT-EAP-STATUS status='completion' parameter='failure'
    <3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
    <3>Authentication with mac_of_eduroam_ap timed out.
    <3>CTRL-EVENT-DISCONNECTED bssid=mac_of_eduroam_ap reason=3 locally_generated=1
    <3>CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=2 duration=23 reason=AUTH_FAILED

tcpdump (in wireshark):
Tp-LinkT = my router
0a:27:22 = eduroam AP

u.nya.is/zexbtf.png

^Not able to link/embed the image, thanks to forum restrictions (for new accounts probably).

Config file:

wpa_supplicant.conf:

    network={
        scan_ssid=1
        ssid="eduroam"
        key_mgmt=WPA-EAP
        identity="xxx.xxx@xxx.xx"
        phase2="auth=PAP"
        password="password"
        eap=TTLS
        proto=RSN
    }

What I got so far:
    * wpa_supplicant config file is correct
        => copied the file over to a linux desktop and a raspberry pi, started wpa_supplicant w/ the config and got a working connection on both
        => successful eap-ttls handshake looks like this btw (taken from my desktop pc w/ tplink wlan card): u.nya.is/kqnttz.png
    * reflashed the router with 15.05.01
    * verified that wpad-mini is replaced with wpad
    * synced local time
    * [...]

I guess it is some certificate problem, look at the tcpdump screenshot. Packet #45 is sent from my router to the eduroam AP and says "Certificate unknown (46)". As specified in the TLS 1.0 standard:

    certificate_unknown
        Some other (unspecified) issue arose in processing the
        certificate, rendering it unacceptable.

Thought about missing openssl libs, but which one? Also: aren't all required openssl libs bundled in the wpad package?

I think you're missing the local cert
do a tcpdump on raspberrypi/other linux and check the same messages

maurer wrote:

I think you're missing the local cert
do a tcpdump on raspberrypi/other linux and check the same messages

Which local cert? You mean the public key of the server (or its CA) saved locally on the router to verify the server cert?

If so, then according to the wpa_supplicant configuration file:

    # ca_cert: File path to CA certificate file (PEM/DER). This file can have one
    #    or more trusted CA certificates. If ca_cert and ca_path are not
    #    included, server certificate will not be verified. This is insecure and
    #    a trusted CA certificate should always be configured when using
    #    EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
    #    change when wpa_supplicant is run in the background.

Tcpdumps show that the problem occurs in both cases, when the ca_cert location is given and when it's not.

As included in the main post, tcpdump section on device where it works: u.nya.is/kqnttz.png

(Last edited by networkjanitor on 1 Feb 2017, 10:55)

Did you have any luck solving this yet?

I have exactly the same problem and have been stuck on it for a while.

kedalion wrote:

Did you have any luck solving this yet?

I have exactly the same problem and have been stuck on it for a while.

Had no luck solving this ...

I am using a raspberrypi + wifi antenna now. It works more or less fine, except for when I need to restart the wifi interface on the rpi. This, however, is probably due more to the spotty eduroam wlan than to the setup.

Most of the configuration for the rpi setup is taken from here: raspberrypi.stackexchange.com/questions/13440/bridge-wifi-and-ethernet, however there are really a lot of (other) tutorials regarding wifi forwarding/bridging on rpi.

(Last edited by networkjanitor on 18 Apr 2017, 23:18)

So it's just a different hardware setup to make it work for you, but no solution to the original problem?

So the 'deauth' problem just does not happen there at all? I can connect with all kinds of devices just fine, but openwrt craps out just like in your original post:

    Mon Jan 30 20:46:35 2017 kern.info kernel: [ 1379.320000] wlan1: associated
    Mon Jan 30 20:46:35 2017 daemon.notice netifd: wan (1458): udhcpc (v1.23.2) started
    Mon Jan 30 20:46:35 2017 daemon.notice netifd: wan (1458): Sending discover...
    Mon Jan 30 20:46:38 2017 daemon.notice netifd: wan (1458): Sending discover...
    Mon Jan 30 20:46:41 2017 daemon.notice netifd: wan (1458): Sending discover...
    Mon Jan 30 20:46:41 2017 kern.info kernel: [ 1385.470000] wlan1: deauthenticating from mac_of_eduroam_ap by local choice (Reason: 3=DEAUTH_LEAVING)
    Mon Jan 30 20:46:41 2017 daemon.notice netifd: Network device 'wlan1' link is down

kedalion wrote:

So it's just a different hardware setup to make it work for you, but no solution to the original problem?

So the 'deauth' problem just does not happen there at all? I can connect with all kinds of devices just fine, but openwrt craps out just like in your original post:
[...]

Yeah. Every other device is able to connect to the access point(s) just fine. Only openwrt craps out.

As written in the original post, you can copy the configuration file of the openwrt wpa_supplicant to another device (like raspberrypi/laptop) and it'll work just fine on there. .... just not on openwrt.

Okay, look. After you started posting here ... I kinda got interested again in making this work.

Flashed LEDE 17.01 on my router, removed the wpad-mini package and replaced it with wpad and wpa-cli. Configured the whole eduroam client stuff through LuCI (because lazy and I didn't expect the following).

It worked. I don't know why, because I tested this already a month ago (or so) with the same steps/files. ¯\_(ツ)_/¯

The following snippet was added inside the /etc/config/wireless by LuCI:

config wifi-iface
    option network 'wwan'
    option ssid 'eduroam'
    option device 'radio1'
    option mode 'sta'
    option encryption 'wpa2'
    option eap_type 'ttls'
    option identity 'user@domain.tld'
    option password 'password'
    option auth 'EAP-MSCHAPV2'
    option anonymous_identity 'anonymous@domain.tld'

The auto-generated config file which the wpa_supplicant uses now looks like this:

country=US
network={
    scan_ssid=1
    ssid="eduroam"
    key_mgmt=WPA-EAP
    identity="user@domain.tld"
    anonymous_identity="anonymous@domain.tld"
    password="password"
    phase2="autheap=MSCHAPV2"
    eap=TTLS
    proto=RSN
}

Adjust country, identity, anonymous_identity and password accordingly. Country modification (replacing 'US') was not necessary for me, however this is also configurable from LuCI.

Hope this helps.
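Neither the hand-written wpa_supplicant.conf earlier in the thread nor the LuCI-generated one above sets ca_cert, which the quoted wpa_supplicant documentation says leaves the server certificate unverified. As an added example (not from the thread, OpenWrt or wpa_supplicant), here is a small Python linter that applies that rule to network={...} blocks; the first sample block mirrors the thread's config, the second adds ca_cert and domain_suffix_match (both real wpa_supplicant options) with a placeholder CA path and RADIUS host name.

```python
# Lint wpa_supplicant.conf network blocks: flag WPA-EAP networks that omit
# ca_cert/ca_path (server certificate not verified, per the wpa_supplicant
# documentation quoted in the thread) or that pin no server identity at all.
import re
# Constructed sample: the thread's first network block (no ca_cert) followed by
# a hardened variant. The CA file path and RADIUS host name are placeholders.
SAMPLE_CONF = """\
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    identity="user@domain.tld"
    phase2="auth=PAP"
    password="password"
    eap=TTLS
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@domain.tld"
    password="password"
    phase2="autheap=MSCHAPV2"
    ca_cert="/etc/ssl/certs/eduroam-ca.pem"
    domain_suffix_match="radius.domain.tld"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)=("?)(.*?)\2\s*$')  # key=value / key="value"
NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one dict of key/value pairs per network={...} block."""
    return [{m.group(1): m.group(3) for m in map(KV_RE.match, body.splitlines()) if m}
            for body in BLOCK_RE.findall(text)]

def lint_network(net):
    """Return findings for one EAP network block; an empty list means it passes."""
    if "EAP" not in net.get("key_mgmt", ""):
        return []  # PSK/open networks are out of scope
    findings = []
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert/ca_path: server certificate is not verified")
    if not any(k in net for k in NAME_KEYS):
        findings.append("no server name constraint: any certificate from the CA is accepted")
    return findings

if __name__ == "__main__":
    for net in parse_networks(SAMPLE_CONF):
        print(net.get("ssid", "?"), "; ".join(lint_network(net)) or "OK")
```

Run it against /var/run/wpa_supplicant-wlan1.conf (or whatever path netifd generated on the router) by replacing SAMPLE_CONF with the file contents; the first block reports both findings, the hardened one reports OK.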

I tried the config on my router with no success.

I'll try to upgrade to LEDE as well. Maybe it's just a problem that was fixed in newer libraries.
Thanks.

Yep, I installed LEDE and all just worked with wpad. It seems like older versions of wpad and wpa_supplicant have some bug with WPA2 enterprise...

The discussion might have continued from here.