Hey folks.
After two days of troubleshooting I decided I need help because I am not making progress anymore.
Goal
Classic eduroam situation, eduroam wlan available and I want to create my own local subnet in which I can connect ethernet devices to the internet/eduroam wlan.
wiki.openwrt.org/doc/recipes/routedclient#usingmasquerade
I set it up, configured everything and then it worked. I created a backup tar via luci to be able to restore it to this state. This was in March 2016.
Fast forward to 2017. I didn't use the setup for 2 months, the router was powered off during this time. Needed to use the setup again, so I started the router again. Setup doesn't work anymore. After rebuilding everything from scratch I am stuck with this problem:
Logs
logread:
Mon Jan 30 20:46:35 2017 kern.info kernel: [ 1379.260000] wlan1: authenticate with mac_of_eduroam_ap
Mon Jan 30 20:46:35 2017 kern.info kernel: [ 1379.280000] wlan1: send auth to mac_of_eduroam_ap (try 1/3)
Mon Jan 30 20:46:35 2017 kern.info kernel: [ 1379.290000] wlan1: authenticated
Mon Jan 30 20:46:35 2017 kern.info kernel: [ 1379.300000] wlan1: associate with mac_of_eduroam_ap (try 1/3)
Mon Jan 30 20:46:35 2017 daemon.notice netifd: Network device 'wlan1' link is up
Mon Jan 30 20:46:35 2017 daemon.notice netifd: Interface 'wan' has link connectivity
Mon Jan 30 20:46:35 2017 daemon.notice netifd: Interface 'wan' is setting up now
Mon Jan 30 20:46:35 2017 kern.info kernel: [ 1379.310000] wlan1: RX AssocResp from mac_of_eduroam_ap (capab=0x431 status=0 aid=2)
Mon Jan 30 20:46:35 2017 kern.info kernel: [ 1379.320000] wlan1: associated
Mon Jan 30 20:46:35 2017 daemon.notice netifd: wan (1458): udhcpc (v1.23.2) started
Mon Jan 30 20:46:35 2017 daemon.notice netifd: wan (1458): Sending discover...
Mon Jan 30 20:46:38 2017 daemon.notice netifd: wan (1458): Sending discover...
Mon Jan 30 20:46:41 2017 daemon.notice netifd: wan (1458): Sending discover...
Mon Jan 30 20:46:41 2017 kern.info kernel: [ 1385.470000] wlan1: deauthenticating from mac_of_eduroam_ap by local choice (Reason: 3=DEAUTH_LEAVING)
Mon Jan 30 20:46:41 2017 daemon.notice netifd: Network device 'wlan1' link is down
Mon Jan 30 20:46:41 2017 daemon.notice netifd: Interface 'wan' has link connectivity loss
Mon Jan 30 20:46:41 2017 daemon.notice netifd: wan (1458): Received SIGTERM
iw event:
wlan1 (phy #1): scan started
wlan1 (phy #1): scan finished: 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472, "eduroam" ""
wlan1: new station mac_of_eduroam_ap
wlan1 (phy #1): auth mac_of_eduroam_ap -> mac_of_my_router status: 0: Successful
wlan1 (phy #1): assoc mac_of_eduroam_ap -> mac_of_my_router status: 0: Successful
wlan1 (phy #1): connected to mac_of_eduroam_ap
wlan1: del station mac_of_eduroam_ap
wlan1 (phy #1): deauth mac_of_my_router -> mac_of_eduroam_ap reason 3: Deauthenticated because sending station is leaving (or has left) the IBSS or ESS
wlan1 (phy #1): disconnected (local request)
wlan1 (phy #1): scan started
wlan1 (phy #1): scan finished: 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472, "eduroam" ""
log messages inside wpa_cli:
<3>SME: Trying to authenticate with mac_of_eduroam_ap (SSID='eduroam' freq=2437 MHz)
<3>Trying to associate with mac_of_eduroam_ap (SSID='eduroam' freq=2437 MHz)
<3>Associated with mac_of_eduroam_ap
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
<3>CTRL-EVENT-EAP-STATUS status='started' parameter=''
<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
<3>CTRL-EVENT-EAP-STATUS status='accept proposed method' parameter='TTLS'
<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
<3>CTRL-EVENT-EAP-STATUS status='completion' parameter='failure'
<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
<3>Authentication with mac_of_eduroam_ap timed out.
<3>CTRL-EVENT-DISCONNECTED bssid=mac_of_eduroam_ap reason=3 locally_generated=1
<3>CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=2 duration=23 reason=AUTH_FAILED
tcpdump (in wireshark):
Tp-LinkT = my router
0a:27:22 = eduroam AP
u.nya.is/zexbtf.png
^Not able to link/embed the image, thanks to forum restrictions (for new accounts probably).
Config file:
wpa_supplicant.conf:
network={
scan_ssid=1
ssid="eduroam"
key_mgmt=WPA-EAP
identity="xxx.xxx@xxx.xx"
phase2="auth=PAP"
password="password"
eap=TTLS
proto=RSN
}
What I got so far:
* wpa_supplicant config file is correct
=> copied the file over to a linux desktop and a raspberry pi, started wpa_supplicant w/ the config and got a working connection on both
=> successful eap-ttls handshake looks like this btw (taken from my desktop pc w/ tplink wlan card): u.nya.is/kqnttz.png
* reflashed the router with 15.05.01
* verified that wpad-mini is replaced with wpad
* synced local time
* [...]
I guess it is some certificate problem, look at the tcpdump screenshot. The package #45 is sent from my router to the eduroam and says "Certificate unknown (46)". As specified in the TLS 1.0 standard:
certificate_unknown
Some other (unspecified) issue arose in processing the
certificate, rendering it unacceptable.
Thought about missing openssl libs, but which one? Also: aren't all required openssl libs bundled in the wpad package?
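
Added example, not part of the original post: since the suspicion above is about certificate handling, this audits the posted network block for the wpa_supplicant settings that control server-certificate validation in tunnelled EAP (ca_cert/ca_path, the name-match options, anonymous_identity). The function names are hypothetical, and the sample is the config exactly as posted; it checks the configuration only and does not diagnose the TLS alert.

```python
import re

# Constructed sample: the network block as posted above (placeholders unchanged).
POSTED_CONF = """network={
scan_ssid=1
ssid="eduroam"
key_mgmt=WPA-EAP
identity="xxx.xxx@xxx.xx"
phase2="auth=PAP"
password="password"
eap=TTLS
proto=RSN
}
"""

TUNNELLED = {"TTLS", "PEAP"}
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one dict per network={...} block, with quotes stripped from values."""
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)  # split once: phase2="auth=PAP"
                net[key.strip()] = value.strip().strip('"')
        blocks.append(net)
    return blocks

def audit(net):
    """List server-validation gaps for one tunnelled-EAP network block."""
    if not TUNNELLED & set(net.get("eap", "").upper().split()):
        return []
    findings = []
    unverified = "ca_cert" not in net and "ca_path" not in net
    if unverified:
        findings.append("no ca_cert/ca_path: server certificate is not verified")
    if not any(key in net for key in NAME_CHECKS):
        findings.append("no server name constraint (e.g. domain_suffix_match)")
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: real identity sent as outer identity")
    if unverified and "AUTH=PAP" in net.get("phase2", "").upper():
        findings.append("PAP inside an unverified tunnel: password exposed to the tunnel endpoint")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_networks(POSTED_CONF)[0]):
        print("-", finding)
```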