Re: wpa_supplicant uses MAC as username when connecting to PEAP/MSCHAPV2 network

Hi,

I cannot reproduce this. But I'm seeing issues with an empty anonymous_identity as well.

Testing against FreeRadius 2.2.9, I'm getting

Mon Nov 12 20:12:45 2018 : Debug: [eap] UserIdentity Unknown
Mon Nov 12 20:12:45 2018 : Debug: [eap] Identity Unknown, authentication failed
Mon Nov 12 20:12:45 2018 : Debug: [eap] Failed in handler

when setting

anonymous_identity=""

with TTLS/PAP.

This error is from

        if ((len <= 5) || (eap_packet->data[1] == 0x00)) {
                RDEBUG("UserIdentity Unknown ");
                return NULL;
        }

So basically FreeRadius disregards an empty string (identity len = zero) or strings starting with a null byte.

Maybe your AP or RADIUS infrastructure behaves similarly with empty identities?

Regards,
M. Braun
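
Added example, not part of the original mail and not FreeRADIUS or wpa_supplicant code: it builds an EAP-Response/Identity as laid out in RFC 3748 and applies the same condition as the check quoted above, showing that an empty outer identity yields a 5-byte packet and is rejected. It assumes that data[1] in the quoted excerpt is the first identity byte (offset 5 of the raw packet); check_identity() is a hypothetical helper and the identities are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAP_RESPONSE   2
#define EAP_TYPE_IDENT 1
#define EAP_HDR_LEN    5  /* Code, Identifier, Length (2 bytes), Type: RFC 3748 */

/* Build an EAP-Response/Identity; returns the packet length, 0 if it does not fit. */
size_t build_identity_response(uint8_t id, const char *ident, size_t ident_len,
                               uint8_t *buf, size_t buflen)
{
    size_t total = EAP_HDR_LEN + ident_len;
    if (total > buflen || total > 0xFFFF)
        return 0;
    buf[0] = EAP_RESPONSE;
    buf[1] = id;
    buf[2] = (uint8_t)(total >> 8);    /* Length is big-endian, whole packet */
    buf[3] = (uint8_t)(total & 0xFF);
    buf[4] = EAP_TYPE_IDENT;
    memcpy(buf + EAP_HDR_LEN, ident, ident_len);
    return total;
}

/* Same condition as the quoted check, on a raw packet: returns 1 for a usable
 * identity, 0 when nothing follows the Type byte or the identity starts with NUL. */
int identity_usable(const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < EAP_HDR_LEN || pkt[0] != EAP_RESPONSE || pkt[4] != EAP_TYPE_IDENT)
        return 0;
    size_t len = ((size_t)pkt[2] << 8) | pkt[3];
    if (len > pktlen)                  /* declared length must fit the buffer */
        return 0;
    return !(len <= EAP_HDR_LEN || pkt[EAP_HDR_LEN] == 0x00);
}

/* Hypothetical helper: would this outer identity pass the check? */
int check_identity(const char *ident, size_t ident_len)
{
    uint8_t buf[64];
    size_t n = build_identity_response(1, ident, ident_len, buf, sizeof buf);
    return n ? identity_usable(buf, n) : 0;
}

int main(void)
{
    printf("empty=%d anonymous=%d leading-NUL=%d\n", check_identity("", 0),
           check_identity("anonymous", 9), check_identity("\0abc", 4));
    return 0;
}
```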


On 12.11.2018 14:33, Ricardo Band wrote:
Ahoi,

I have several networks which use PEAP and MSCHAPv2 and for several
months I had lots of issues connecting to them.
Now I finally found out why I couldn't connect.

Here's my minimal config example:

# wpa_supplicant.conf
ctrl_interface=/run/wpa_supplicant
update_config=1

network={
  ssid="#somewifiname"
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="someusername"
  anonymous_identity=""
  password="supersecurepassword"
  ca_cert="/etc/ssl/certs/SOMECERT.pem"
  priority=1
  phase2="auth=MSCHAPV2"
}

Note that the anonymous_identity is set to an empty String. The wifi
name starts with a "#" but this should be fine, right?
When I try to connect I get the following:

$ sudo wpa_supplicant -i wlp59s0 -c wpa_supplicant.conf
Successfully initialized wpa_supplicant
wlp59s0: SME: Trying to authenticate with 12:34:56:f8:8b:1b
(SSID='#somewifiname' freq=5500 MHz)
wlp59s0: Trying to associate with 12:34:56:f8:8b:1b
(SSID='#somewifiname' freq=5500 MHz)
wlp59s0: Associated with 12:34:56:f8:8b:1b
wlp59s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp59s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp59s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlp59s0: Authentication with 12:34:56:f8:8b:1b timed out.
wlp59s0: CTRL-EVENT-DISCONNECTED bssid=12:34:56:f8:8b:1b reason=3
locally_generated=1
wlp59s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="#somewifiname"
auth_failures=1 duration=10 reason=AUTH_FAILED
wlp59s0: CTRL-EVENT-SSID-REENABLED id=0 ssid="#somewifiname"
wlp59s0: SME: Trying to authenticate with 12:34:56:56:cc:29
(SSID='#somewifiname' freq=5240 MHz)
wlp59s0: Trying to associate with 12:34:56:56:cc:29
(SSID='#somewifiname' freq=5240 MHz)
wlp59s0: Associated with 12:34:56:56:cc:29
wlp59s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp59s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp59s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlp59s0: Authentication with 12:34:56:56:cc:29 timed out.
wlp59s0: CTRL-EVENT-DISCONNECTED bssid=12:34:56:56:cc:29 reason=3
locally_generated=1
wlp59s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="#somewifiname"
auth_failures=2 duration=23 reason=AUTH_FAILED


So basically everything on my machine is telling me that my credentials
are wrong. I checked them and everything in the config file is
perfectly fine.
I went to my Wifi admin and looked into the debug log on the access
point with him. Surprisingly my client was trying to authenticate with
the client's MAC address as the username. So the error messages about
wrong credentials are actually correct.

Now when I remove the anonymous_identity setting or simply insert a
string with any length other than 0, my client successfully connects to
the wifi using the identity as the username for auth.

I think I found a bug here or at least a misbehaviour. An empty string
in the anonymous_identity should not lead to my MAC address being used
as my username. Or did I miss something?
If this behaviour is intended it should at least be documented cause
it's really easy to walk into this.


Some additional infos:
$ pacman -Q wpa_supplicant linux
wpa_supplicant 1:2.6-12
linux 4.18.14.arch1-1

The APs are Aruba 3xx Series.

- --

Greetings

Ricardo Band

 https://   www.ricardo.band
mailto:// email@xxxxxxxxxxxx
  xmpp://jabber@xxxxxxxxxxxx


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap

