Trying to setup WPA2 EAP-TLS connection

I'm trying to set up a WPA2 EAP-TLS network with an OpenWrt AP and a Fedora client.

OpenWRT config:

config wifi-iface 'wifinet2'
        option auth_server '10.20.0.10'
        option ssid 'NWRA-TLS'
        option device 'radio1'
        option auth_port '1812'
        option network 'lan'
        option nasid 'OpenWRT'
        option mode 'ap'
        option auth_secret SECRET
        option encryption 'wpa2'


ifcfg-NWRA-TLS:

ESSID=NWRA-TLS
MODE=Managed
KEY_MGMT=IEEE8021X
MAC_ADDRESS_RANDOMIZATION=never
TYPE=Wireless
IEEE_8021X_EAP_METHODS=TLS
IEEE_8021X_IDENTITY=host/HOSTNAM
IEEE_8021X_PRIVATE_KEY=/etc/pki/tls/private/HOSTNAME.key
IEEE_8021X_PRIVATE_KEY_PASSWORD_FLAGS=unused
IEEE_8021X_CLIENT_CERT=/etc/pki/tls/certs/HOSTNAME.crt
IEEE_8021X_CA_CERT=/etc/pki/ca-trust/source/anchors/CA.crt
PROXY_METHOD=auto
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME=NWRA-TLS
ONBOOT=yes
DHCP_CLIENT_ID=HOSTNAME
AUTOCONNECT_PRIORITY=1
ZONE=work


Connection fails - OpenWrt doesn't ever connect to the RADIUS server:

Syslog 136 DAEMON.INFO: Jul 27 23:31:59 OpenWrt hostapd: wlan1-1: STA 70:f1:a1:e7:53:59 IEEE 802.11: authenticated
Syslog 159 DAEMON.INFO: Jul 27 23:31:59 OpenWrt hostapd: wlan1-1: STA 70:f1:a1:e7:53:59 IEEE 802.11: No WPA/RSN IE in association request

wpa debug follows. What seems relevant is the key mgmt mismatch, but I don't know what that means.

Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: 8: f6:f2:6d:c5:db:be ssid='NWRA-TLS' wpa_ie_len=0 rsn_ie_len=20 caps=0x431 level=-68 freq=2462
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: skip RSN IE - key mgmt mismatch, IE: 0x1 ssid: 0x8
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: allow in non-WPA/WPA2
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: selected BSS f6:f2:6d:c5:db:be ssid='NWRA-TLS'
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Considering connect request: reassociate: 0 selected: f6:f2:6d:c5:db:be bssid: 00:00:00:00:00:00 pending: 00:00:00:00:00:00 wpa_state: SCANNING ssid=0x55d5167be630 current_ssid=0x55d5167be630
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Request association with f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Re-association to the same ESS
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: WMM AC: Save last configured tspecs
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: No ongoing scan/p2p-scan found to abort
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Add radio work 'sme-connect'@0x55d5167c9440
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: First radio work item in the queue - schedule start immediately
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: RSN: Ignored PMKID candidate without preauth flag
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: dbus: flush_object_timeout_handler: Timeout - sending changed properties of object /fi/w1/wpa_supplicant1/Interfaces/0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: dbus: org.freedesktop.DBus.Properties.GetAll (/fi/w1/wpa_supplicant1/Interfaces/0/BSSs/69) [s]
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Starting radio work 'sme-connect'@0x55d5167c9440 after 0.007299 second wait
Jul 27 16:32:02 HOSTNAME kernel: wlp8s0b1: RX AssocResp from f6:f2:6d:c5:db:be (capab=0x431 status=40 aid=0)
Jul 27 16:32:02 HOSTNAME kernel: wlp8s0b1: f6:f2:6d:c5:db:be denied association (code=40)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: WPA: clearing own WPA/RSN IE
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Automatic auth_alg selection: 0x1
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: WPA: clearing AP WPA IE
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: WPA: clearing AP RSN IE
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: WPA: clearing own WPA/RSN IE
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: FT: Stored MDIE and FTIE from (Re)Association Response - hexdump(len=0):
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: RRM: Determining whether RRM can be used - device support: 0x10
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: RRM: No RRM in network
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: Added supported operating classes IE - hexdump(len=4): 3b 02 51 51
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: EAPOL: External notification - EAP success=0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: EAPOL: External notification - EAP fail=0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: EAPOL: External notification - portControl=Auto
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Cancelling scan request
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: SME: Trying to authenticate with f6:f2:6d:c5:db:be (SSID='NWRA-TLS' freq=2462 MHz)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: EAPOL: External notification - portValid=0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: State: SCANNING -> AUTHENTICATING
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Determining shared radio frequencies (max len 1)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Shared frequencies (len=0): completed iteration
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Authenticate (ifindex=4)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]:   * bssid=f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]:   * freq=2462
Jul 27 16:32:02 HOSTNAME NetworkManager[1691]: <info> [1595892722.8182] device (wlp8s0b1): supplicant interface state: scanning -> associating
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]:   * SSID=NWRA-TLS
Jul 27 16:32:02 HOSTNAME NetworkManager[1691]: <info> [1595892722.8205] device (wlp8s0b1): supplicant interface state: associating -> disconnected
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]:   * IEs - hexdump(len=0): [NULL]
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]:   * Auth Type 0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Authentication request send successfully
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Event message available
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Drv Event 19 (NL80211_CMD_NEW_STATION) received for wlp8s0b1
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: New station f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Event message available
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Drv Event 37 (NL80211_CMD_AUTHENTICATE) received for wlp8s0b1
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: MLME event 37 (NL80211_CMD_AUTHENTICATE) on wlp8s0b1(70:f1:a1:e7:53:59) A1=70:f1:a1:e7:53:59 A2=f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: MLME event frame - hexdump(len=30): b0 00 3a 01 70 f1 a1 e7 53 59 f6 f2 6d c5 db be f6 f2 6d c5 db be d0 7f 00 00 02 00 00 00
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Authenticate event
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Event AUTH (10) received
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: SME: Authentication response: peer=f6:f2:6d:c5:db:be auth_type=0 auth_transaction=2 status_code=0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: SME: Authentication response IEs - hexdump(len=0): [NULL]
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: SME: Association Request IEs - hexdump(len=14): 7f 08 00 00 00 00 00 00 00 40 3b 02 51 51
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Trying to associate with f6:f2:6d:c5:db:be (SSID='NWRA-TLS' freq=2462 MHz)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: State: AUTHENTICATING -> ASSOCIATING
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Set wlp8s0b1 operstate 0->0 (DORMANT)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: netlink: Operstate: ifindex=4 linkmode=-1 (no change), operstate=5 (IF_OPER_DORMANT)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: WPA: clearing own WPA/RSN IE
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Associate (ifindex=4)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]:   * bssid=f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]:   * freq=2462
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]:   * SSID=NWRA-TLS
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]:   * IEs - hexdump(len=14): 7f 08 00 00 00 00 00 00 00 40 3b 02 51 51
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Association request send successfully
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Event message available
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Drv Event 20 (NL80211_CMD_DEL_STATION) received for wlp8s0b1
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Delete station f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Event message available
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Drv Event 38 (NL80211_CMD_ASSOCIATE) received for wlp8s0b1
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: MLME event 38 (NL80211_CMD_ASSOCIATE) on wlp8s0b1(70:f1:a1:e7:53:59) A1=70:f1:a1:e7:53:59 A2=f6:f2:6d:c5:db:be
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: MLME event frame - hexdump(len=139): 10 00 3a 01 70 f1 a1 e7 53 59 f6 f2 6d c5 db be f6 f2 6d c5 db be e0 7f 31 04 28 00 00 c0 01 08 82 84 8b 96 0c 12 18 24 32 04 30 48 60 6c 2d 1a ed 11 1b ff ff ff 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 3d 16 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 08 04 00 00 02 00 00 01 40 5a 03 24 01 00 dd 18 00 50 f2 02 01 01 80 00 03 a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f 00
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Associate event
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Event ASSOC_REJECT (12) received
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: CTRL-EVENT-ASSOC-REJECT bssid=f6:f2:6d:c5:db:be status_code=40
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: SME: Association with f6:f2:6d:c5:db:be failed: status code 40
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wpa_driver_nl80211_deauthenticate(addr=f6:f2:6d:c5:db:be reason_code=3)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: nl80211: MLME command failed: reason=3 ret=-107 (Transport endpoint is not connected)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: SME: Deauth request to the driver failed
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Radio work 'sme-connect'@0x55d5167c9440 done in 0.018087 seconds
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: radio_work_free('sme-connect'@0x55d5167c9440): num_active_works --> 0
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: Added BSSID f6:f2:6d:c5:db:be into blacklist
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: Continuous association failures - consider temporary network disabling
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="NWRA-TLS" auth_failures=1 duration=10 reason=CONN_FAILED
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Blacklist count 4 --> request scan in 5000 ms
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: Setting scan request: 5.000000 sec
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: wlp8s0b1: State: ASSOCIATING -> DISCONNECTED
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Set wlp8s0b1 operstate 0->0 (DORMANT)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: netlink: Operstate: ifindex=4 linkmode=-1 (no change), operstate=5 (IF_OPER_DORMANT)
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Event message available
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Drv Event 46 (NL80211_CMD_CONNECT) received for wlp8s0b1
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: nl80211: Ignore connect event (cmd=46) when using userspace SME
Jul 27 16:32:02 HOSTNAME wpa_supplicant[392118]: dbus: flush_object_timeout_handler: Timeout - sending changed properties of object /fi/w1/wpa_supplicant1/Interfaces/0


Thanks for any help,
  Orion

--
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@xxxxxxxx
Boulder, CO 80301                 https://www.nwra.com/
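
Added example, not part of the original post and not code from hostapd or wpa_supplicant: a small Python decoder for the two diagnostic lines in the debug output above, the "key mgmt mismatch" bitmasks and the association status code. It assumes "IE:" is the key management the AP advertises in its RSN IE and "ssid:" is the key management allowed by the client's network profile, with bit names taken from wpa_supplicant's WPA_KEY_MGMT_* definitions; the function and dictionary names are made up for this example.

```python
import re

# WPA_KEY_MGMT_* bit values as defined in wpa_supplicant's src/common/defs.h (low bits only).
KEY_MGMT_BITS = {
    0x001: "IEEE8021X (WPA-EAP)",
    0x002: "PSK (WPA-PSK)",
    0x004: "NONE",
    0x008: "IEEE8021X_NO_WPA (802.1X without WPA)",
    0x010: "WPA_NONE",
    0x020: "FT_IEEE8021X",
    0x040: "FT_PSK",
    0x080: "IEEE8021X_SHA256",
    0x100: "PSK_SHA256",
}
# IEEE 802.11 status codes; only the one seen in this log is listed.
STATUS_CODES = {40: "invalid information element"}

MISMATCH_RE = re.compile(r"key mgmt mismatch, IE: (0x[0-9a-fA-F]+) ssid: (0x[0-9a-fA-F]+)")
REJECT_RE = re.compile(r"CTRL-EVENT-ASSOC-REJECT bssid=(\S+) status_code=(\d+)")

# Two lines copied from the debug output in the post.
SAMPLE = [
    "wlp8s0b1: skip RSN IE - key mgmt mismatch, IE: 0x1 ssid: 0x8",
    "wlp8s0b1: CTRL-EVENT-ASSOC-REJECT bssid=f6:f2:6d:c5:db:be status_code=40",
]

def decode_key_mgmt(mask):
    """Return the names of the key-management bits set in mask."""
    names = [name for bit, name in sorted(KEY_MGMT_BITS.items()) if mask & bit]
    unknown = mask & ~sum(KEY_MGMT_BITS)
    if unknown:
        names.append(f"unknown bits {unknown:#x}")
    return names

def diagnose(lines):
    """Collect key-management mismatches and association rejections from log lines."""
    findings = []
    for line in lines:
        m = MISMATCH_RE.search(line)
        if m:
            ap, profile = int(m.group(1), 16), int(m.group(2), 16)
            findings.append({"event": "key_mgmt_mismatch",
                             "ap_advertises": decode_key_mgmt(ap),
                             "profile_allows": decode_key_mgmt(profile),
                             "in_common": decode_key_mgmt(ap & profile)})
        m = REJECT_RE.search(line)
        if m:
            code = int(m.group(2))
            findings.append({"event": "assoc_reject", "bssid": m.group(1),
                             "status": STATUS_CODES.get(code, f"status {code}")})
    return findings
```

On the two sample lines the decoder reports that the AP advertises WPA 802.1X (0x1) while the client profile allows only 802.1X without WPA (0x8), so the two masks share no bit; that is consistent with the empty association-request IEs and hostapd's "No WPA/RSN IE in association request".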

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap