# Using wpa_supplicant on 802.1x/RADIUS/WPA/PEAP Network

## UberPinguin

I am having trouble getting wpa_supplicant to connect to the network at my workplace.  Here are the provided instructions for configuring a Windows client:

 *Quote:*   

> -Set SSID to WIFINET
> 
> -Enable 'Data encryption (WEP enabled)'
> 
> -On the Authentication tab select 'Enable IEEE 802.1x authentication for this network'
> ...

 

This is the wpa_supplicant.conf entry I generated based on these instructions:

```
network={
        ssid="WIFINET"
        scan_ssid=1
        key_mgmt=IEEE8021X
        auth_alg=OPEN
        eap=MSCHAPV2
        identity="DOMAIN\username"
        password="really weak passphrase ;)"
        ca_cert="/etc/cert/cert.cer"
        ca_cert2="/etc/cert/cert.cer"
        phase1="peaplabel=1"
        phase2="auth=MSCHAPV2"
}
```

The relevant lines from /etc/conf.d/net:

```
# Prefer wpa_supplicant over wireless-tools
modules=( "wpa_supplicant" )
wpa_supplicant_wlan0="-Dwext enc on enc open"
iwconfig_wlan0="mode managed"
```

When using wpa_gui, it loops endlessly on 'ASSOCIATING' (i.e. attempts to associate, times out, tries again).

When running wpa_supplicant from a shell, the following spits out:

```
localhost ubrpngn # wpa_supplicant  -Dwext -c/etc/wpa_supplicant.conf -d -iwlan0
Initializing interface 'wlan0' conf '/etc/wpa_supplicant.conf' driver 'wext' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='wheel' (DEPRECATED)
ap_scan=2
update_config=1
Priority group 0
   id=0 ssid='WIFINET'
   id=1 ssid='WOMBATNET'
Initializing interface (2) 'wlan0'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
SIOCGIWRANGE: WE(compiled)=20 WE(source)=18 enc_capa=0xd
  capabilities: key_mgmt 0x5 enc 0xf
WEXT: Operstate: linkmode=1, operstate=5
Own MAC address: 00:11:95:da:1c:f7
wpa_driver_wext_set_wpa
wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_countermeasures
wpa_driver_wext_set_drop_unencrypted
Setting scan request: 0 sec 100000 usec
ctrl_interface_group=10 (from group name 'wheel')
Added interface wlan0
RTM_NEWLINK: operstate=0 ifi_flags=0x1022 ()
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK: operstate=0 ifi_flags=0x11063 ([UP][RUNNING][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
RTM_NEWLINK: operstate=0 ifi_flags=0x11063 ([UP][RUNNING][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
RTM_NEWLINK: operstate=0 ifi_flags=0x11023 ([UP][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
State: DISCONNECTED -> SCANNING
Trying to associate with SSID 'WIFINET'
Cancelling scan request
WPA: clearing own WPA/RSN IE
Automatic auth_alg selection: 0x1
Overriding auth_alg selection: 0x1
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: clearing own WPA/RSN IE
No keys have been configured - skip key clearing
wpa_driver_wext_set_drop_unencrypted
State: SCANNING -> ASSOCIATING
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
wpa_driver_wext_associate
Setting authentication timeout: 60 sec 0 usec
EAPOL: External notification - portControl=Auto
RTM_NEWLINK: operstate=0 ifi_flags=0x11023 ([UP][LOWER_UP])
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK: operstate=0 ifi_flags=0x11023 ([UP][LOWER_UP])
Wireless event: cmd=0x8b1a len=16
Authentication with 00:00:00:00:00:00 timed out.
Added BSSID 00:00:00:00:00:00 into blacklist
State: ASSOCIATING -> DISCONNECTED
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
No keys have been configured - skip key clearing
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
Setting scan request: 0 sec 0 usec
State: DISCONNECTED -> SCANNING
wpa_supplicant_scan: Reached end of scan list - go back to beginning
Setting scan request: 0 sec 0 usec
Trying to associate with SSID 'WIFINET'
Cancelling scan request
WPA: clearing own WPA/RSN IE
Automatic auth_alg selection: 0x1
Overriding auth_alg selection: 0x1
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: clearing own WPA/RSN IE
No keys have been configured - skip key clearing
wpa_driver_wext_set_drop_unencrypted
State: SCANNING -> ASSOCIATING
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
wpa_driver_wext_associate
Setting authentication timeout: 60 sec 0 usec
EAPOL: External notification - portControl=Auto
RTM_NEWLINK: operstate=0 ifi_flags=0x11023 ([UP][LOWER_UP])
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK: operstate=0 ifi_flags=0x11023 ([UP][LOWER_UP])
Wireless event: cmd=0x8b1a len=16
```

FWIW, I know the network uses a hidden SSID and that the AP authenticates to a RADIUS server.  Has anyone experienced this sort of set up before?  Any hints?

Thanks in advance!

 *Quote:*   

> The facts in this posting are based on a true story.  SSIDs, domains and usernames have been changed to protect the innocent.

 

----------

## UberPinguin

UPDATE: For some reason it's working this morning....sort of.  The AP is being found correctly, and it gets as far as the EAP authentication.  At this point, I discovered that wpa_supplicant.conf had a small error.  The corrected configuration:

```
network={
        ssid="WFINET"
        scan_ssid=1
        key_mgmt=IEEE8021X
        auth_alg=OPEN
        eap=PEAP
        identity="DOMAIN\username"
        password="really weak passphrase ;)"
        ca_cert="/etc/cert/cert.cer"
        ca_cert2="/etc/cert/cert.cer"
        phase1="peaplabel=1"
        phase2="auth=MSCHAPV2"
}
```

  Now, however, wpa_supplicant returns the following error after authenticating: 

```
ioctl[SIOCGIFADDR]: Cannot assign requested address
```

Any thoughts?

[EDIT] I did some more poking around.  Yes, I have the correct encryption compiled in my kernel:

```
localhost ubrpngn # cat /usr/src/linux/.config |grep CONFIG_IEEE80211
CONFIG_IEEE80211=y
# CONFIG_IEEE80211_DEBUG is not set
CONFIG_IEEE80211_CRYPT_WEP=y
CONFIG_IEEE80211_CRYPT_CCMP=y
CONFIG_IEEE80211_CRYPT_TKIP=y
CONFIG_IEEE80211_SOFTMAC=y
# CONFIG_IEEE80211_SOFTMAC_DEBUG is not set
localhost ubrpngn # cat /usr/src/linux/.config |grep CONFIG_CRYPTO_AES
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_586=m
```

----------

## UberPinguin

*bump*

----------

## fbcyborg

Hello!

I have the same ABSURD, Boring, and whatever you want... problem.

My wifi adapter, Intel Corporation PRO/Wireless 3945ABG Network Connection (rev 02), seems to get working only when it wants.

I don't know why, in most cases it fails in associating with an AP.

The error message is the same: 

```
ioctl[SIOCGIFADDR]: Cannot assign requested address
```

There must be a solution!!!!!!!!!!!!!!!!!!!!    :Evil or Very Mad: 

I don't use ieee80211 kernel module. I emerged net-wireless/ieee80211, following these instructions.

Could somebody tell us how to verify whether a connection can be manually established using iwconfig and ifconfig???

----------

## UberPinguin

It may be the adapter - my problem was solved when my wife tripped over my WiFi stick and I had to buy a new one.  I used it as an opportunity to switch chipsets, and I can now associate flawlessly.  Sorry I don't have a better answer for you.

EDIT: FWIW, this is the wpa_supplicant.conf I'm using ATM: 

```
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=2
update_config=1

network={
        ssid="HOMENET"
        bssid=xx:xx:xx:xx:xx:xx
        scan_ssid=1
        key_mgmt=NONE
        auth_alg=OPEN
        wep_key0=xxxxxxxxxxxxxxxxxxxxxxxxxx
        wep_key1=yyyyyyyyyyyyyyyyyyyyyyyyyy
        wep_key2=zzzzzzzzzzzzzzzzzzzzzzzzzz
        wep_key3=aaaaaaaaaaaaaaaaaaaaaaa
        wep_tx_keyidx=0
}

network={
        ssid="WIFINET"
        scan_ssid=1
        key_mgmt=IEEE8021X
        eap=PEAP
        identity="domain\username"
        password="domain password"
        ca_cert="/etc/cert/root-cert.cer"
        phase1="peaplabel=0"
        phase2="auth=MSCHAPV2"
}
```

I'm working on setting up a RADIUS server w/ssh & vpn for my home network, so there's no point chiding me on how silly using multiple rotating WEP keys is.  It's just a stop-gap measure.

----------

## fbcyborg

Thank you very much, but it isn't the adapter... It works perfectly under windows.

For example... NOW!!!! it is working!!!!!!!!!!!!!!!!!!          aaaahhhhhrrrggg!

5 minutes later, after a simple reboot:

It doesn't work!!!!!!!!   :Question:   :Question:   :Question:   :Shocked:   :Shocked:   :Shocked:   :Shocked: 

Sometimes, when I start wpa_supplicant by hand, it can establish a connection with the AP, but I can't access the Internet.

----------

## UberPinguin

 *fbcyborg wrote:*   

> Thank you very much, but it isn't the adapter... It works perfectly under windows.
> 
> For example... NOW!!!! it is working!!!!!!!!!!!!!!!!!!          aaaahhhhhrrrggg!
> 
> 5 minutes later, after a simple reboot:
> ...

 

I apologize.  I didn't mean to say the hardware was faulty, but rather the driver for the chipset.  Are you using a native Linux driver or NDISwrapper?

----------

## fbcyborg

OK ok!  :Smile:  Don't worry!

I'm using a native Linux Driver: ipw3945.

----------

## UberPinguin

I don't have one of these cards to play with, but have you looked at this wiki?  It might be useful, but I honestly have no way of checking.

----------

## fbcyborg

Thank you, but I know that wiki very well.

----------

## UberPinguin

I was afraid of that.

Can you post the errors/output you're getting?  Ideally I'd like output from both successful and failed attempts, but we'll work with what's available  :Smile: 

----------

## fbcyborg

OK, would you like to see wpa_supplicant verbose output produced by the shell?

----------

## UberPinguin

Anything you can provide - wpa_supplicant verbose output, wpa_supplicant.conf, manual connection output, commands used for manual connection, relevant dmesg output.  You might want to use a pastebin for this - the forums will truncate your post after a certain number of lines, which can make this a pain.

If you can also sort/tag it by 'successful' and 'failed' to help keep everything straight I would appreciate it.

Also, if you have access to IRC I may be able to help more efficiently later - I'm firewalled and proxied right now, though.

----------

## fbcyborg

Hello, 

here's my experience... 

After a regular boot process I always do an 

```
ifconfig eth0 down
```

When the Wi-Fi card was working, the above command was sufficient to get eth1 (bound to the Wi-Fi interface) working.

First of all, here are my configuration files: 

/etc/conf.d/net

```
config_eth0=( "192.168.1.100 netmask 255.255.255.0" )
routes_eth0=( "default gw 192.168.1.254" )
modules=( "wpa_supplicant" )
wpa_timeout_eth1=90
wpa_supplicant_eth1="-Dwext -c /etc/wpa_supplicant/wpa_supplicant.conf"
config_eth1=( "192.168.1.110 netmask 255.255.255.0" )
routes_eth1=( "default gw 192.168.1.254" )
```

/etc/wpa_supplicant/wpa_supplicant.conf

```
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
#ctrl_interface_group=100
ap_scan=2
update_config=1

#Home
network={
        ssid="A02-RA242-W54"
        #bssid=XX:XX:XX:XX:XX:XX
        scan_ssid=1
        psk="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" #(63 chars key)
        proto=WPA
        key_mgmt=WPA-PSK
        pairwise=TKIP
        group=TKIP WEP104 WEP40
}
```

The problem seems to be in associating with an AP... Sometimes I can view in wpa_gui "STATUS: SCANNING" and nothing else.

Now, I'm going to killall wpa_supplicant and restart it manually in this way:

```
wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -Dwext -i eth1 -dd
```

After wpa_supplicant starts, I can see the following in wpa_gui:

STATUS: ASSOCIATING

If I select the first ESSID (network) in wpa_gui, the last message is: Trying to associate with ssid A02-RA242-W54... 

After a few seconds (about 1 minute) it shows: 

STATUS: Scanning, 

Last Message: Authentication with 00:00:00:00:00:00 ti

the rest is all blank...

Here's wpa_supplicant verbose output.

AAh!!! Sometimes I have been able to connect to my AP... I don't know why.. and doing an iwconfig I read:

eth1      associated  ESSID:"A02-RA242-W54ù"

Note that "ù". Sometimes an "è" or something else can appear... I don't know why.

----------

## UberPinguin

OK. 

First: Try running 'iwconfig eth1 mode managed' before running wpa_supplicant manually in verbose mode.  See if the output is any different / more successful.  If so, add 'iwconfig_eth1="mode managed"' to your /etc/conf.d/net file.

Let me know what happens.  I have a couple of other ideas, but I need the results of this test to refine them.

----------

## fbcyborg

Nothing to do...

Note that my eth1 is already in managed mode... In fact if I do an iwconfig eth1 it gives me:

```
eth1      unassociated  ESSID:"A02-RA242-W54"
          Mode:Managed  Frequency=nan kHz  Access Point: Not-Associated
```

Mode:Managed.

Afterwards I did as you said, but without results.

I would try with wireless-tools to do a manual connection, if you want....

I think there's some other problem.. 

for example, iwconfig eth1 essid MY_ESSID, shouldn't work now... 

Thank you very much.

----------

## UberPinguin

Yes, try with wireless-tools and see what comes up.

----------

## fbcyborg

OK, I'm back again...  :Very Happy: 

I performed an AP scanning... This is my network:

```
# iwlist eth1 scan
eth1      Scan completed :
          Cell 01 - Address: XX:XX:XX:XX:XX:XX
                    ESSID:"<hidden>"
                    Protocol:IEEE 802.11bg
                    Mode:Master
                    Channel:6
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                              11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
                    Quality=87/100  Signal level=-46 dBm  Noise level=-46 dBm
                    IE: WPA Version 1
                        Group Cipher : WEP-40
                        Pairwise Ciphers (1) : WEP-40
                        Authentication Suites (1) : PSK
                    Extra: Last beacon: 1540ms ago
```

```
iwconfig eth1 essid A02-RA242-W54
```

My essid is hidden.

Here I should set my Mode... as below:

```
# iwconfig eth1 mode Master
Error for wireless request "Set Mode" (8B06) :
    SET failed on device eth1 ; Invalid argument.
```

But, as you can see, Master gives me that error... I read the man page of iwconfig and I should be able to do that.

Anyway... I do 

```
iwconfig eth1 mode Managed
```

...

```
iwconfig eth1 key my_63char_key
ifconfig eth1 192.168.1.110 up
route add default gw 192.168.1.254
```

Result is: unassociated  :Shocked:   :Shocked:   :Shocked: 

I think the problem might be in MODE.

----------

## UberPinguin

 *fbcyborg wrote:*   

> Here I should set my Mode... as below:
> 
> ```
> 
> # iwconfig eth1 mode Master
> ...

 

While that is a valid iwconfig command, not all adapters support Master mode.  Even if your adapter is technically capable of functioning as an AP, the Linux driver may not yet have that capability.  Your best bet if you actually want to set up a Linux box as a WAP is to use Orinoco Gold-based cards.  They are rumored to be relatively rare, but are also reputed to have the best and most complete support under Linux.  Beware that you need to investigate the precise details of the chipset before buying - several vendors will sell the same adapter with different chipsets but not change the name or revision of the product :p.

 *fbcyborg wrote:*   

> Anyway... I do 
> 
> ```
> iwconfig eth1 mode Managed
> ```
> ...

 

Try running 

```
# Start with 'enc open'; if 'open' doesn't work, try 'enc restricted'
ifconfig eth1 up && iwconfig eth1 mode managed enc open essid A02-RA242-W54 key my_63char_key && ifconfig eth1 192.168.1.110 && route add default gw 192.168.1.254
```

Also, when you enter your key are you using the ASCII value or the hex ?  Remember that for ASCII you need to enter the key like so:

```
iwconfig eth1 key s:my_63char_key
```

Hope this helps!

----------

## fbcyborg

Thank you...

Unfortunately it doesn't work...

I tried in several ways, but I still can't get it working.

I don't want to buy a new wifi card...   :Sad: 

mmh.. I have a USB wi-fi card for another pc, but I want to use the built in one.. also because there are no linux drivers for that card.

I used it with ndiswrapper very well, but it's for another pc, I can't get it.  :Wink: 

Well.. It seems very strange because about 20 days ago it was working very well. I think ipw3945 support is good under linux even though there are a lot of troubles. 

It might be that there's some missing option to compile into the kernel... 

As I said before, in a previous post, my card sometimes works.. When I decide to reboot.. nothing to do!!!

I think my key is hexadecimal... 

I wrote a casual char sequence with my keyboard... up to 63 chars.

Watching my key, there are only hexadecimal values, because all chars are between 0 and f.

I also tried to use wireless-tools to manually connect as you said.

----------

## UberPinguin

Have you done any updates in the last 20 days?

Also, from your log posted above:

```
PSK (ASCII passphrase) - hexdump_ascii(len=63): [REMOVED]
proto: 0x1
key_mgmt: 0x2
pairwise: 0x8
group: 0xe
PSK (from passphrase) - hexdump(len=32): [REMOVED]
Line: 20 - start of a new network block
```

It looks like wpa_supplicant is interpreting your passphrase as an ASCII sequence.  Perhaps try manually with wireless-tools using 'key s:my_63char_key'?

I really wish we had the output from a successful connection.

Are you able to connect to open/unsecured/unencrypted networks?  Maybe find a café or other wifi hotspot (or a neighbor who just plug-n-played his network  :Wink: ) and try there.  On a non-secure network you should be able to just 'iwconfig eth1 essid NETWORKNAME && dhcpcd eth1'

----------

## fbcyborg

Ok ok... 

I tried to disable WPA protection.. 

I'm able to connect to my temporarily open network doing these things:

```
iwlist eth1 scan:
eth1      Scan completed :
          Cell 01 - Address: 00:00:00:00:00:00
                    ESSID:"A02-RA242-W54"
                    Protocol:IEEE 802.11bg
                    Mode:Master
                    Channel:6
                    Encryption key:off
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                              11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
                    Quality=90/100  Signal level=-41 dBm  Noise level=-41 dBm
                    Extra: Last beacon: 80ms ago
```

```
# ifconfig eth0 down
# iwconfig eth1 essid A02-RA242-W54
# ifconfig eth1 192.168.1.110 up
# iwconfig
eth0      no wireless extensions.

lo        no wireless extensions.

eth1      IEEE 802.11g  ESSID:"A02-RA242-W54"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:00:00:00:00:00
          Bit Rate:54 Mb/s   Tx-Power:12 dBm
          Retry limit:15   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=90/100  Signal level=-42 dBm  Noise level=-43 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:696   Missed beacon:0

# route add default gw 192.168.1.254
```

As you can see Now it is on Managed Mode... I don't know how...

Anyway.. I could connect to my AP.

In order to reply to your previous post, I didn't do any big updates in the last 20 days... 

ah.. My Gentoo is recently "born" on my notebook.

----------

## UberPinguin

Thanks for that.

Upon further reading, I think the wireless-tools are a dead end - WPA-PSK is not supported.

I think the main thing holding you up is your PSK - the authentication is not being performed correctly.  Running

```
dd if=/dev/urandom bs=1 count=63 | hexdump
```

 should give you a hexdump of a random 63-character key.  The output should be like this:

```
63+0 records in
63+0 records out
63 bytes (63 B) copied, 0.000737244 s, 85.5 kB/s
0000000 42fb 44f3 2752 2f72 7ecd ac7a d462 b60a
0000010 9c8b de55 49d8 3aa0 f9d8 4d33 338b 9d5b
0000020 5169 ca82 e522 63f9 f74b e65e 2acd 77ff
0000030 d3a7 ed3d 1ec4 12a5 e987 f184 7d41 00a9
000003f
```

Ignore the first column, and remove all the whitespace in the others to end up with a 128-character hex value: 42fb44f327522f727ecdac7ad462b60a9c8bde5549d83aa0f9d84d33338b9d5b5169ca82e52263f9f74be65e2acd77ffd3a7ed3d1ec412a5e987f1847d4100a9

Set this as your PSK on your WAP.  Enter it without quotes in your wpa_supplicant.conf: 

```
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
#ctrl_interface_group=100
ap_scan=2
update_config=1

#Home
network={
        ssid="A02-RA242-W54"
        #bssid=XX:XX:XX:XX:XX:XX
        scan_ssid=1
        psk=128-character-hexadecimal-value
        proto=WPA
        key_mgmt=WPA-PSK
        pairwise=TKIP
        group=TKIP WEP104 WEP40
}
```

 This will serve a couple of purposes: 

1. It will give you as close to a random key as you can obtain, including non-printing characters.

2. It makes sure that you are using the same key on both your WAP and your client, and that both are using hex keys - not one ascii, the other hex.
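
The passphrase-versus-hex question from the posts above, as an added example that is not part of the original thread: in wpa_supplicant.conf a quoted `psk` is an 8 to 63 character passphrase that is run through PBKDF2-HMAC-SHA1 with the SSID as salt (the "PSK (from passphrase) - hexdump(len=32)" line in the debug output), while an unquoted `psk` must be exactly 64 hex digits, i.e. the 256-bit key itself. The function names are hypothetical and the sample keys are constructed.

```python
import hashlib
import re

HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal passphrase mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def classify_psk(value: str) -> str:
    """Classify the right-hand side of a `psk=` line; raise ValueError if it is unusable."""
    v = value.strip()
    if len(v) >= 2 and v.startswith('"') and v.endswith('"'):
        phrase = v[1:-1]
        # IEEE 802.11i defines a passphrase as 8..63 printable ASCII characters.
        if not 8 <= len(phrase) <= 63:
            raise ValueError(f"passphrase length {len(phrase)} is not in 8..63")
        if any(not 32 <= ord(c) <= 126 for c in phrase):
            raise ValueError("passphrase contains non-printable or non-ASCII characters")
        return "passphrase"
    if HEX64.fullmatch(v):
        return "raw-psk"
    raise ValueError(f"unquoted psk must be exactly 64 hex digits, got {len(v)} characters")


def effective_psk(value: str, ssid: str) -> bytes:
    """Return the 256-bit key that results from this `psk=` value on this SSID."""
    v = value.strip()
    if classify_psk(v) == "passphrase":
        return derive_psk(v[1:-1], ssid)
    return bytes.fromhex(v)


def keys_match(client_value: str, ap_value: str, ssid: str) -> bool:
    """True when the client and AP settings yield the same 256-bit key."""
    return effective_psk(client_value, ssid) == effective_psk(ap_value, ssid)


if __name__ == "__main__":
    ssid = "A02-RA242-W54"  # SSID used in the thread
    # Constructed sample keys: 63 characters that all happen to be hex digits,
    # and the same string padded to 64 hex digits.
    hexish63 = "0123456789abcdef" * 3 + "0123456789abcde"
    hex64 = hexish63 + "f"

    # Quoted: treated as a passphrase even though every character is 0-9/a-f.
    print(classify_psk(f'"{hexish63}"'), effective_psk(f'"{hexish63}"', ssid).hex())
    # Unquoted 64 hex digits: used directly as the key, no derivation.
    print(classify_psk(hex64))
    # One side hashing a passphrase and the other using raw hex never agree.
    print("client passphrase vs AP raw hex match:", keys_match(f'"{hexish63}"', hex64, ssid))
    # Unquoted values of 63, 126 or 128 hex digits are rejected outright.
    for bad in (hexish63, hexish63 * 2, hex64 * 2):
        try:
            classify_psk(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The derived key depends on the SSID, so the same passphrase gives a different 256-bit key on a network with another name.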

----------

## fbcyborg

I can't set a 128 hex char key on my AP... I think I could insert max 63 or 64 chars...

Anyway.. I tried to change WPA key, but I can't associate with AP.

Thank you very much for your support.

----------

