# connecting wifi to IEEE802.1x (PEAP MSCHAPv2)

## hygnos

Hey,

I need some help in connecting to my school's IEEE 802.1x encrypted wireless network. It is encrypted in PEAP with MSCHAPv2. My wireless works on unencrypted as well as WPA-PSK and WEP, but for some reason this IEEE 802.1x will not work.

Unfortunately all information is specified towards Windows users...

Network authentication: WEP

Data encryption: Open

The key is provided automatically

802.1x authentication enabled with PEAP

Server certificate should be validated (authentication method: MSCHAPv2)

It should enable fast reconnect...

And that is it...

I am using the following versions:

```
net-misc/xsupplicant-1.2.2
sys-apps/baselayout-1.12.4-r2
net-wireless/wpa_supplicant-0.5.4
net-wireless/ipw2100-1.2.1-r1 (0)
net-wireless/ipw2100-firmware-1.3
net-wireless/ieee80211-1.1.13-r1
```

I have tried with wpa_supplicant and xsupplicant. But neither seems to be able to connect to the network.

I have tried a number of different configurations, but this one seems like it ought to work:

```
# wpa_supplicant.conf (relevant sections)
eapol_version=1
ap_scan=1
fast_reauth=1

network={
   ssid="ssid"
   scan_ssid=1
   key_mgmt=IEEE8021X WPA-EAP
   eap=PEAP
   identity="xxxxx"
   password="xxxxxxx"
   priority=1
   phase1="peaplabel=1"
   phase2="auth=MSCHAPV2"
}
```

```
# xsupplicant.conf (relevant parts)
ssid
{
  type = wireless
  allow_types = all
  identity = xxxxx

  wpa_pairwise_cipher = WEP104 #WEP40 WEP104 TKIP WRAP
  wpa_group_cipher = WEP104 #WEP40 WEP104 TKIP

  eap-peap {
      identity = xxxxx
      chunk_size = 1398
      #random_file = /path/to/random/source
      cncheck = radius.server.address
      cnexact = yes
      session_resume = yes
      proper_peap_v1_keying = yes
      allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM

      eap-mschapv2 {
        username = xxxxx
        password = xxxxxx
      }
  }

  eap-mschapv2 {
      username = xxxx
      password = xxxxxx
  }
}
```

When I start either wpa_supplicant or xsupplicant from the command line they are scanning, and afterwards dropping all the available APs.

----------

## hygnos

If I start wpa_supplicant from the command line I will get this output

```

thygeT40 linux # wpa_supplicant -i eth1 -c /etc/wpa_supplicant.conf -D wext -dd

Initializing interface 'eth1' conf '/etc/wpa_supplicant.conf' driver 'wext' ctrl_interface 'N/A' bridge 'N/A'

Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'

Reading configuration file '/etc/wpa_supplicant.conf'

ctrl_interface='/var/run/wpa_supplicant'

ctrl_interface_group=10 (from group name 'wheel')

eapol_version=2

ap_scan=0

fast_reauth=1

Line: 71 - start of a new network block

disabled=1 (0x1)

ssid - hexdump_ascii(len=5):

     xxxx                                    xxxx

key_mgmt: 0x2

pairwise: 0x8

group: 0x18

PSK - hexdump(len=32): [REMOVED]

priority=4 (0x4)

Line 81: removed CCMP from group cipher list since it was not allowed for pairwise cipher

Line: 84 - start of a new network block

disabled=1 (0x1)

ssid - hexdump_ascii(len=8):

     xxxx                                    xxxx

proto: 0x1

key_mgmt: 0x2

pairwise: 0x8

PSK (ASCII passphrase) - hexdump_ascii(len=14): [REMOVED]

priority=6 (0x6)

PSK (from passphrase) - hexdump(len=32): [REMOVED]

Line 93: removed CCMP from group cipher list since it was not allowed for pairwise cipher

Line: 97 - start of a new network block

disabled=1 (0x1)

ssid - hexdump_ascii(len=7):

     xxxx                                      xxxx

scan_ssid=1 (0x1)

key_mgmt: 0x4

wep_key0 - hexdump(len=13): [REMOVED]

wep_tx_keyidx=0 (0x0)

auth_alg: 0x1

priority=8 (0x8)

Line: 110 - start of a new network block

disabled=1 (0x1)

ssid - hexdump_ascii(len=12):

     xxxx                                      xxxx

key_mgmt: 0x4

priority=5 (0x5)

Line: 120 - start of a new network block

disabled=1 (0x1)

ssid - hexdump_ascii(len=5):

     xxxx                                       xxxx

scan_ssid=1 (0x1)

key_mgmt: 0x4

wep_key0 - hexdump(len=5): [REMOVED]

auth_alg: 0x1

priority=10 (0xa)

Line: 131 - start of a new network block

ssid - hexdump_ascii(len=3):

     xxxx                                         xxxx

scan_ssid=0 (0x0)

key_mgmt: 0x8

eap methods - hexdump(len=16): xxxxxxx

identity - hexdump_ascii(len=5):

     xxxx                                         xxxx

password - hexdump_ascii(len=10): [REMOVED]

phase1 - hexdump_ascii(len=11):

     70 65 61 70 6c 61 62 65 6c 3d 30                  peaplabel=0

phase2 - hexdump_ascii(len=13):

     61 75 74 68 3d 4d 53 43 48 41 50 56 32            auth=MSCHAPV2

priority=1 (0x1)

Line: 154 - start of a new network block

ssid - hexdump_ascii(len=9):

     xxxx                                          xxxx

key_mgmt: 0x4

priority=3 (0x3)

Line: 159 - start of a new network block

ssid - hexdump_ascii(len=10):

     xxxx                                          xxxx

scan_ssid=0 (0x0)

key_mgmt: 0x4

group: 0x1e

wep_key0 - hexdump(len=10): [REMOVED]

auth_alg: 0x1

priority=2 (0x2)

Priority group 10

   id=4 ssid='xxxx'

Priority group 8

   id=2 ssid='xxxx'

Priority group 6

   id=1 ssid='xxxx'

Priority group 5

   id=3 ssid='xxxx'

Priority group 4

   id=0 ssid='xxxx'

Priority group 3

   id=6 ssid='xxxx'

Priority group 2

   id=7 ssid='xxxx'

Priority group 1

   id=5 ssid='xxxx'

Initializing interface (2) 'eth1'

EAPOL: SUPP_PAE entering state DISCONNECTED

EAPOL: KEY_RX entering state NO_KEY_RECEIVE

EAPOL: SUPP_BE entering state INITIALIZE

EAP: EAP entering state DISABLED

EAPOL: External notification - portEnabled=0

EAPOL: External notification - portValid=0

SIOCGIWRANGE: WE(compiled)=19 WE(source)=18 enc_capa=0xf

  capabilities: key_mgmt 0xf enc 0xf

WEXT: Operstate: linkmode=1, operstate=5

Own MAC address: 00:04:23:8d:a4:78

wpa_driver_wext_set_wpa

wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0

wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0

wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0

wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0

wpa_driver_wext_set_countermeasures

wpa_driver_wext_set_drop_unencrypted

Setting scan request: 0 sec 100000 usec

Added interface eth1

Wireless event: cmd=0x8b06 len=8

RTM_NEWLINK, IFLA_IFNAME: Interface 'eth1' added

RTM_NEWLINK, IFLA_IFNAME: Interface 'eth1' added

EAPOL: External notification - portControl=Auto

Already associated with a configured network - generating associated event

Association info event

State: DISCONNECTED -> ASSOCIATED

WEXT: Operstate: linkmode=-1, operstate=5

Associated with 00:00:00:00:00:00

WPA: Association event - clear replay counter

EAPOL: External notification - portEnabled=0

EAPOL: External notification - portValid=0

EAPOL: External notification - portEnabled=1

EAPOL: SUPP_PAE entering state CONNECTING

EAPOL: SUPP_BE entering state IDLE

Setting authentication timeout: 10 sec 0 usec

EAPOL: startWhen --> 0

EAPOL: SUPP_PAE entering state CONNECTING

EAPOL: txStart

BSSID not set when trying to send an EAPOL frame

Using the source address of the last received EAPOL frame 00:00:00:00:00:00 as the EAPOL destination

TX EAPOL - hexdump(len=4): 02 01 00 00

Authentication with 00:00:00:00:00:00 timed out.

Added BSSID 00:00:00:00:00:00 into blacklist

State: ASSOCIATED -> DISCONNECTED

WEXT: Operstate: linkmode=-1, operstate=5

No keys have been configured - skip key clearing

EAPOL: External notification - portEnabled=0

EAPOL: SUPP_PAE entering state DISCONNECTED

EAPOL: SUPP_BE entering state INITIALIZE

EAPOL: External notification - portValid=0

Setting scan request: 0 sec 0 usec

EAPOL: External notification - portControl=Auto

Already associated with a configured network - generating associated event

Association info event

State: DISCONNECTED -> ASSOCIATED

WEXT: Operstate: linkmode=-1, operstate=5

Associated with 00:00:00:00:00:00

WPA: Association event - clear replay counter

EAPOL: External notification - portEnabled=0

EAPOL: External notification - portValid=0

EAPOL: External notification - portEnabled=1

EAPOL: SUPP_PAE entering state CONNECTING

EAPOL: SUPP_BE entering state IDLE

Setting authentication timeout: 10 sec 0 usec

EAPOL: startWhen --> 0

EAPOL: SUPP_PAE entering state CONNECTING

EAPOL: txStart

BSSID not set when trying to send an EAPOL frame

Using the source address of the last received EAPOL frame 00:00:00:00:00:00 as the EAPOL destination

TX EAPOL - hexdump(len=4): 02 01 00 00

Authentication with 00:00:00:00:00:00 timed out.

BSSID 00:00:00:00:00:00 blacklist count incremented to 2

State: ASSOCIATED -> DISCONNECTED

WEXT: Operstate: linkmode=-1, operstate=5

No keys have been configured - skip key clearing

EAPOL: External notification - portEnabled=0

EAPOL: SUPP_PAE entering state DISCONNECTED

EAPOL: SUPP_BE entering state INITIALIZE

EAPOL: External notification - portValid=0

Setting scan request: 0 sec 0 usec

EAPOL: External notification - portControl=Auto

```

And it just continues...

If I try using xsupplicant from the command line it will give me the following output

```

thygeT40 linux # xsupplicant -i eth1 -d 9 -Dwext -c /etc/xsupplicant.conf -f

[STATE] Reinit state machine

[STATE] [backend_sm] REQUEST -> INITIALIZE

[STATE] [backend_sm] INITIALIZE -> IDLE

[STATE] [backend_sm] UNKNOWN -> INITIALIZE

[STATE] [backend_sm] INITIALIZE -> IDLE

[INT] Initializing socket for interface eth1..

[INT] Allmulti mode is already enabled on this device!

[INT] Interface eth1 is wireless!

[INT] Interface initialized!

[CONFIG] Working from config file /etc/xsupplicant.conf.

No configuration information for network "(null)" found.  Using default.

[INT] Opened socket descriptor #5

[INT] Interface eth1 is wireless!

Your card is currently set for wireless network "XXXX".  Looking for a config.

[CONFIG] Working from config file /etc/xsupplicant.conf.

Couldn't build a config for ESSD XXXX!

[STATE] Init wireless state machine.

UNASSOCIATED -> ACTIVE_SCAN

[STATE] Reinit state machine

[STATE] [backend_sm] IDLE -> INITIALIZE

[STATE] [backend_sm] INITIALIZE -> IDLE

Scanning for wireless networks ...

[INT] Issuing scan request for interface eth1!

[INT] Called cardif_clear_keys!

cardif_linux_wext_delete_key : Not supported by WE(17)!

cardif_linux_wext_delete_key : Not supported by WE(17)!

cardif_linux_wext_delete_key : Not supported by WE(17)!

cardif_linux_wext_delete_key : Not supported by WE(17)!

cardif_linux_wext_delete_key : Not supported by WE(17)!

[INT] Checking for returned SSID information....

[INT] Reaping data. (Size : 206)

14 00 15 8B 01 00 00 12 - 00 CD 09 40 D0 00 00 00 ...........@....

04 00 00 00 11 00 1B 8B - 09 00 01 00 3C 68 69 64 ............<hid

64 65 6E 3E 00 14 00 01 - 8B 49 45 45 45 20 38 30 den>.....IEEE.80

32 2E 31 31 62 67 00 00 - 00 08 00 07 8B 03 00 00 2.11bg..........

00 0C 00 05 8B 01 00 00 - 00 00 00 00 32 08 00 2B ............2..+

8B 00 00 00 08 54 00 21 - 8B 40 42 0F 00 00 00 00 .....T.!.@B.....

08 80 84 1E 00 00 00 00 - 08 60 EC 53 00 00 00 00 .........`.S....

08 C0 D8 A7 00 00 00 00 - 08 00 1B B7 00 00 00 00 ................

08 80 A8 12 01 00 00 00 - 08 00 36 6E 01 00 00 00 ..........6n....

08 00 51 25 02 00 00 00 - 08 00 6C DC 02 00 00 00 ..Q%......l.....

08 80 F9 37 03 00 00 00 - 08 08 00 01 8C 23 00 00 ...7.........#..

67 1D 00 02 8C 15 00 00 - 00 20 4C 61 73 74 20 62 g.........Last.b

    eacon:.4ms.ago

[INT] AP MAC : 00 12 00 CD 09 40

[CONFIG] Found new ESSID block, adding...

[INT] ESSID : <hidden>

[INT] IWEVCUSTOM :  Last beacon: 4ms ago

[INT] No valid network data!! (wireless_sm_check_globals)

[ALL]

Dumpping SSIDs:

[ALL] ESSID : <hidden>

[ALL] Abilities : 02

[CONFIG] Checking <hidden> with Priority 255

Scanning for wireless networks ...

[INT] Issuing scan request for interface eth1!

[INT] Checking for returned SSID information....

[INT] Reaping data. (Size : 0)

[INT] No valid network data!! (wireless_sm_check_globals)

[ALL]

Dumpping SSIDs:

Scanning for wireless networks ...

[INT] Issuing scan request for interface eth1!

[INT] Checking for returned SSID information....

[INT] Reaping data. (Size : 0)

[INT] No valid network data!! (wireless_sm_check_globals)

[ALL]

Dumpping SSIDs:

Scanning for wireless networks ...

[INT] Issuing scan request for interface eth1!

[INT] Checking for returned SSID information....

[INT] Reaping data. (Size : 206)

14 00 15 8B 01 00 00 12 - 00 CD 09 40 D0 00 00 00 ...........@....

04 00 00 00 11 00 1B 8B - 09 00 01 00 3C 68 69 64 ............<hid

64 65 6E 3E 00 14 00 01 - 8B 49 45 45 45 20 38 30 den>.....IEEE.80

32 2E 31 31 62 67 00 00 - 00 08 00 07 8B 03 00 00 2.11bg..........

00 0C 00 05 8B 01 00 00 - 00 00 00 00 32 08 00 2B ............2..+

8B 00 00 00 08 54 00 21 - 8B 40 42 0F 00 00 00 00 .....T.!.@B.....

08 80 84 1E 00 00 00 00 - 08 60 EC 53 00 00 00 00 .........`.S....

08 C0 D8 A7 00 00 00 00 - 08 00 1B B7 00 00 00 00 ................

08 80 A8 12 01 00 00 00 - 08 00 36 6E 01 00 00 00 ..........6n....

08 00 51 25 02 00 00 00 - 08 00 6C DC 02 00 00 00 ..Q%......l.....

08 80 F9 37 03 00 00 00 - 08 08 00 01 8C 23 00 00 ...7.........#..

67 1D 00 02 8C 15 00 00 - 00 20 4C 61 73 74 20 62 g.........Last.b

    eacon:.4ms.ago

[INT] AP MAC : 00 12 00 CD 09 40

[CONFIG] Found new ESSID block, adding...

[INT] ESSID : <hidden>

[INT] IWEVCUSTOM :  Last beacon: 4ms ago

[INT] No valid network data!! (wireless_sm_check_globals)

[ALL]

```

And this continues.

/hygnos

----------

## plastikman187

I know that this is months late and you have probably forgotten about this.  

I just started a new job and the wireless here uses the same set up.

I used this to get my system on the wireless here:

```
network={
   ssid="example 802.1x network"
   key_mgmt=IEEE8021X
   eap=PEAP
   phase2="auth=MSCHAPV2"
   identity="user name"
   password="password"
#ca_cert="/etc/cert/ca.pem"
}
```

You may need a certificate; check on your Windows machine to see if there is a cert configured in the authentication section of the wireless config.
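Added example, not part of the original posts: a small check that parses `network={...}` blocks like the ones in this thread and reports EAP networks that leave `ca_cert` commented out or unset, since without it the supplicant sends the MSCHAPv2 exchange to whatever server answers for that SSID. The sample config, the `pinned` SSID and the `subject_match` value are constructed; the name-match option names are those of current wpa_supplicant releases and are an assumption for the 0.5.4 version used above.

```python
import re

# Options that pin the RADIUS server name (current wpa_supplicant option names).
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

# Constructed sample modelled on the blocks posted in this thread.
SAMPLE_CONF = '''
network={
   ssid="example 802.1x network"
   key_mgmt=IEEE8021X
   eap=PEAP
   phase2="auth=MSCHAPV2"
#ca_cert="/etc/cert/ca.pem"
}
network={
   ssid="pinned"
   key_mgmt=IEEE8021X
   eap=PEAP
   phase2="auth=MSCHAPV2"
   ca_cert="/etc/cert/ca.pem"
   subject_match="/CN=radius.example.org"
}
'''

def parse_networks(text):
    """Return one {key: value} dict per network block, ignoring comment lines."""
    blocks, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if re.fullmatch(r"network\s*=\s*\{", line):
            current = {}
        elif line == "}" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return blocks

def audit(text):
    """Map ssid -> findings for each block that uses an EAP method."""
    report = {}
    for net in (n for n in parse_networks(text) if "eap" in n):
        findings = []
        if "ca_cert" not in net:
            findings.append("no ca_cert: server certificate is not validated")
        if not any(k in net for k in NAME_CHECKS):
            findings.append("no server name match configured")
        report[net.get("ssid", "?")] = findings
    return report
```

Run `audit()` over the text of `/etc/wpa_supplicant.conf`; an empty findings list for a network means both the CA and a server-name constraint are set.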

----------

## hygnos

Hi,

Thx for your reply. I actually found a similar solution. Namely:

```
network={
       ssid="ESSID"
       key_mgmt=IEEE8021X
       eap=PEAP
       auth_alg=OPEN
       identity="USER"
       password="passphare"
       phase1="peaplabel=0"
       phase2="auth=MSCHAPV2"
       priority=2
}
```

However, this only worked if I disabled scanning, e.g.

```
ap_scan=2
```

so I only considered it a partial solution, since I had to change the .conf file if I wanted to log onto a different network. Is this the same on your network?!

/hygnos

----------

## plastikman187

No, I have one large config file for about 15 different networks: WEP, WPA-PSK, unsecured and now 802.1X. Have you tried adding a line for the actual bssid of the AP?

It would look similar to this:

```
network={
       ssid="ESSID"
       # placeholder; use the six-octet MAC address of the AP
       bssid=00:00:00:00:00:00
       key_mgmt=IEEE8021X
       eap=PEAP
       auth_alg=OPEN
       identity="USER"
       password="passphare"
       phase1="peaplabel=0"
       phase2="auth=MSCHAPV2"
       priority=2
}
```

----------

## hygnos

I used this configuration when I connected to the campus wifi, so I had to connect to many different APs. If I add the MAC address of the AP, I guess that would only let me connect to a single AP?!

But anyway, it was only out of curiosity that I asked how your configuration worked. Since I am no longer on that campus, I don't have the problem anymore ;) So I can't even test if your conf file does the trick. However, I will keep it in mind in case I run into an 802.1X wifi.

/hygnos

----------

