Learning learning learning ...

PEAP requires a certificate. I created a self-signed certificate, installed the certificate and I was able to authenticate!

Added:

server_cert=/etc/hostapd.crt
private_key=/etc/hostapd.key

And the related files from building a self-signed cert using OpenSSL.

openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out hostapd.crt -keyout hostapd.key

Thank you for your help!

...Duane

> On Jun 19, 2020, at 3:14 PM, Duane Murphy <duane.murphy@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> (Finally getting a chance to try using hostapd again.)
>
> Authentication has not been successful. Perhaps I need more configuration than I understand:
>
> I have enabled verbose debugging in the hopes of understanding what I am doing incorrectly
>
> Here is the journalctl for hostapd during two cable insertions (hardwired):
>
> duane@nuvo:~$ sudo journalctl -u hostapd --follow
> -- Logs begin at Tue 2020-04-07 21:03:33 UTC. --
> Jun 19 21:44:42 nuvo systemd[1]: Starting Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator...
> Jun 19 21:44:42 nuvo hostapd[31715]: Configuration file: /etc/hostapd/hostapd.conf
> Jun 19 21:44:42 nuvo hostapd[31715]: enp7s0: IEEE 802.11 Fetching hardware channel/rate support not supported.
> Jun 19 21:44:42 nuvo hostapd[31715]: Using interface enp7s0 with hwaddr 78:d0:04:28:6f:ca and ssid ""
> Jun 19 21:44:42 nuvo hostapd[31715]: enp7s0: interface state UNINITIALIZED->ENABLED
> Jun 19 21:44:42 nuvo hostapd[31715]: enp7s0: AP-ENABLED
> Jun 19 21:44:42 nuvo hostapd[31715]: enp7s0: IEEE 802.11 Fetching hardware channel/rate support not supported.
> Jun 19 21:44:42 nuvo systemd[1]: Started Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator.
> Jun 19 21:59:05 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: start authentication
> Jun 19 21:59:05 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: received EAPOL-Start from STA
> Jun 19 21:59:05 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: unauthorizing port
> Jun 19 21:59:05 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: Sending EAP Packet (identifier 110)
> Jun 19 21:59:08 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: Sending EAP Packet (identifier 110)
> Jun 19 21:59:14 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: Sending EAP Packet (identifier 110)
> Jun 19 21:59:20 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: received EAP packet (code=2 id=110 len=10) from STA: EAP Response-Identity (1)
> Jun 19 21:59:20 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: Sending EAP Packet (identifier 110)
> Jun 19 21:59:20 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: unauthorizing port
> Jun 19 21:59:20 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
> Jun 19 21:59:20 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: Supplicant used different EAP type: 1 (Identity)
> Jun 19 21:59:20 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 MLME: MLME-DEAUTHENTICATE.indication(10:65:30:67:b6:57, 23)
> Jun 19 21:59:20 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 MLME: MLME-DELETEKEYS.request(10:65:30:67:b6:57)
> Jun 19 21:59:25 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.11: deauthenticated due to local deauth request
> Jun 19 22:02:39 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: start authentication
> Jun 19 22:02:39 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: received EAPOL-Start from STA
> Jun 19 22:02:39 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: unauthorizing port
> Jun 19 22:02:39 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: Sending EAP Packet (identifier 44)
> Jun 19 22:02:42 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: Sending EAP Packet (identifier 44)
> Jun 19 22:02:48 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: Sending EAP Packet (identifier 44)
> Jun 19 22:02:54 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: received EAP packet (code=2 id=44 len=10) from STA: EAP Response-Identity (1)
> Jun 19 22:02:54 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: Sending EAP Packet (identifier 44)
> Jun 19 22:02:54 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: unauthorizing port
> Jun 19 22:02:54 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
> Jun 19 22:02:54 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.1X: Supplicant used different EAP type: 1 (Identity)
> Jun 19 22:02:54 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 MLME: MLME-DEAUTHENTICATE.indication(10:65:30:67:b6:57, 23)
> Jun 19 22:02:54 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 MLME: MLME-DELETEKEYS.request(10:65:30:67:b6:57)
> Jun 19 22:02:59 nuvo hostapd[31725]: enp7s0: STA 10:65:30:67:b6:57 IEEE 802.11: deauthenticated due to local deauth request
>
> The hostapd.eap_user file contains:
>
> * PEAP
> "duane" MSCHAPV2 "password"
>
> In the "Integrated EAP server" section of hostapd.conf I have
>
> eap_server=1
> eap_user_file=/etc/hostapd.eap_user
>
> The "hostapd configuration file" section of hostapd.conf has
>
> interface=enp7s0
> driver=wired
>
> All the other settings are whatever the default from the recommended configuration file.
>
> The Windows client that is being connected has the configuration shown below:
>
>>> Windows Authentication
>>>
>>> * Enable IEEE 802.1X Authentication
>>> * Microsoft: Protected EAP (PEAP)
>>> * Authentication Method: Secured Password (EAP-MSCHAP v2)
>>> * Enable Fast Reconnect — Selected
>>> * Authentication Mode: User authentication
>
> Before I get too far into setting up more of the advanced configuration I'd like to prove that I can do a simple configuration.
>
> I have not installed any certificates on either system. Is there some other configuration that I might be missing?
>
> Thank you for your help!
>
> ...Duane Murphy
>
>
>> On Mar 1, 2020, at 9:42 AM, Jouni Malinen <j@xxxxx> wrote:
>>
>> On Fri, Feb 21, 2020 at 04:01:47PM -0800, Duane Murphy wrote:
>>> I’d like to validate my hostapd configuration by testing that I can login with a Windows 10 client.
>>>
>>> As a simple (?) test I thought I would use hostapd.eap_user. There are lots of nice entries pre-defined, but most of them don’t work with Windows 10.
>>>
>>> For example, Windows 10 no longer supports MD5 (out of the box).
>>>
>>> My knowledge of how to authenticate with Windows is fairly limited. Some help would be appreciated.
>>>
>>> I’ve tried several of the names and passwords in hostapd.eap_user but I have not been successful in authenticating.
>>>
>>> Do I need to configure Windows differently? Is there a different setting in hostapd.eap_user that I can use?
>>
>> It depends on what EAP method you want to use. If you just want to test
>> something simple, PEAP with MSCHAPv2 has been available for a long time
>> in various Windows versions. It could be configured with the following style of
>> hostapd.eap_user entries:
>>
>> * PEAP
>> "user" MSCHAPV2 "password"
>>
>>> Windows Authentication
>>>
>>> * Enable IEEE 802.1X Authentication
>>> * Microsoft: Protected EAP (PEAP)
>>> * Authentication Method: Secured Password (EAP-MSCHAP v2)
>>> * Enable Fast Reconnect — Selected
>>> * Authentication Mode: User authentication
>>
>> Which would match those entries above.
>>
>> --
>> Jouni Malinen                                            PGP id EFC895FA
>
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
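
A pre-flight check for the problem resolved in this thread, as an added example that is not part of the original messages and is not hostapd code: it reports a missing `server_cert` or `private_key` when the integrated EAP server is enabled and the eap_user file names a TLS-based method. The function names, the set of methods checked (PEAP, TTLS, TLS) and the sample texts, which are constructed from the settings quoted above, are assumptions of this example.

```python
import re

# EAP methods that run over TLS and therefore need a server certificate.
# Assumption of this example: only these three are checked.
TLS_METHODS = {"PEAP", "TTLS", "TLS"}

# An eap_user entry: identity (quoted, optionally followed by *, or a bare
# token such as *), then a comma-separated method list. Lines starting with
# '#' do not match.
ENTRY = re.compile(r'^\s*(?:"[^"]*"\*?|[^\s#]\S*)\s+([A-Za-z0-9_,-]+)')

def parse_conf(text):
    """Parse hostapd.conf-style key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def tls_methods_in_eap_users(text):
    """Return the TLS-based methods named in the method field of any entry."""
    found = set()
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            found |= {name.upper() for name in m.group(1).split(",")} & TLS_METHODS
    return found

def check(conf_text, eap_user_text):
    """Return findings; an empty list means the certificate settings are present."""
    conf = parse_conf(conf_text)
    if conf.get("eap_server") != "1":
        return []  # integrated EAP server not enabled, nothing to check
    methods = tls_methods_in_eap_users(eap_user_text)
    if not methods:
        return []
    needed = ", ".join(sorted(methods))
    return [f"{key} is not set but {needed} needs it"
            for key in ("server_cert", "private_key") if not conf.get(key)]

# Constructed sample input, built from the settings quoted in the thread.
EAP_USERS = '* PEAP\n"duane" MSCHAPV2 "password"\n'
CONF_BEFORE = ("interface=enp7s0\ndriver=wired\n"
               "eap_server=1\neap_user_file=/etc/hostapd.eap_user\n")
CONF_AFTER = CONF_BEFORE + "server_cert=/etc/hostapd.crt\nprivate_key=/etc/hostapd.key\n"

if __name__ == "__main__":
    print(check(CONF_BEFORE, EAP_USERS))  # two findings
    print(check(CONF_AFTER, EAP_USERS))   # no findings
```

The check only looks at whether the two settings are present; it does not open the files or confirm that the key matches the certificate.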