OpenWrt Forum Archive

Topic: IEEE8021X setup

The content of this topic has been archived on 12 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello! Please, could someone help me with setting up ieee8021x on (OpenWRT flashed) TP-LINK TL-WR1043ND (v. 1.8). It is used as authorization method on campus LAN.

I tried to use xsupplicant (1.2.8-3) with several different configurations, but it doesn't work. Also, I tried wpa_supplicant, but it also doesn't work.

On my laptop I use the following wpa_supplicant config, and it works perfectly:

ctrl_interface=/var/run/wpa_supplicant_umrnet_lan
ctrl_interface_group=0
eapol_version=2
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=TTLS
phase1=""
phase2="auth=PAP"
ca_cert="/etc/ssl/certs/Deutsche_Telekom_Root_CA_2.pem"
anonymous_identity="***"
identity="***"
password="***"
}

But when I try to run wpa_supplicant with similar config on my router, I'm getting:

Line 18: unknown network field 'eap'.
Line 19: unknown network field 'phase1'.
Line 20: unknown network field 'phase2'.
Line 21: unknown network field 'ca_cert'.
Line 22: unknown network field 'anonymous_identity'.
Line 23: unknown network field 'identity'.
Line 24: unknown network field 'password'.
Line 25: failed to parse network block.
Failed to read or parse configuration '/etc/wpa_supplicant.conf'.

I tried the following config for xsupplicant:

network_list = default                                                      
network_list = default                                                      
default_netname = default                                                    
logfile = /var/log/xsupplicant.log                                             
                                                                               
default                                                                        
{                                                                              
  type = wired                                                                 
  association_type = open                                                      
  allow_types = eap_ttls                                                       
  force_eapol_ver = 2                                                          
  identity = "***"                                   
                                                                               
  eap-md5 {                                                                    
      username = ***                                                      
      password = "***"
  }                                                                            
                                                                               
  eap-ttls {                                                                   
      root_cert = /etc/Deutsche_Telekom_Root_CA_2.pem                          
      chunk_size = 1398                                                        
      random_file = /dev/random                                                
      phase2_type = pap                                                        
      pap {                                                                    
        username = ***                              
        password = "***"                                                   
      }                                                                        
  }                                                                            
}

When running xsupplicant -i eth0.2 I'm getting:

Starting XSupplicant v. 1.2.8

And in log file:

Couldn't get encryption capabilites!
No configuration information for network "(null)" found.  Using default.

Also, I tried eap-md5, but still nothing...

What should I do? Please, help...

You should use WPAD (not mini)

Yes, thanks, now wpa_supplicant works, but I still can't connect.

On my laptop I'm getting this:

wpa_supplicant -Dwired -ieth0 -c/etc/wpa_supplicant/wpa_supplicant_umrnet_lan.conf && dhclient eth0
eth0: Associated with 01:80:c2:00:00:03
eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
eth0: CTRL-EVENT-EAP-PEER-CERT depth=3 subject='/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2'
eth0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01'
eth0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=DE/O=Universitaet Marburg/OU=Hochschulrechenzentrum/CN=Uni Marburg CA - G02/emailAddress=pki@uni-marburg.de'
eth0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=DE/ST=Hessen/L=Marburg/O=Universitaet Marburg/OU=HRZ/CN=radius.staff.uni-marburg.de'
eth0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
eth0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed (auth) [id=0 id_str=]

But on router (I tried different ports) I'm getting this (with the same config):

wpad wpa_supplicant -Dwired -ieth0.2 -c/etc/wpa_supplicant_umrnet_lan.conf
eth0.2: Associated with 01:80:c2:00:00:03
eth0.2: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Also I tried this:

wpa_supplicant -dd -Dwired -ieth0.2 -c/etc/wpa_supplicant_umrnet_lan.conf
wpa_supplicant v2.0-devel
random: Trying to read entropy from /dev/random
Initializing interface 'eth0.2' conf '/etc/wpa_supplicant_umrnet_lan.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant_umrnet_lan.conf' -> '/etc/wpa_supplicant_umrnet_lan.conf'
Reading configuration file '/etc/wpa_supplicant_umrnet_lan.conf'
ctrl_interface='/var/run/wpa_supplicant_umrnet_lan'
ctrl_interface_group='0'
eapol_version=2
ap_scan=0
Line: 17 - start of a new network block
key_mgmt: 0x8
eap methods - hexdump(len=16): 00 00 00 00 00 00 00 15 00 00 00 00 00 00 00 00
phase1 - hexdump_ascii(len=0):
phase2 - hexdump_ascii(len=8):
     61 75 74 68 3d 50 41 50                           auth=PAP        
ca_cert - hexdump_ascii(len=35):
     2f 65 74 63 2f 44 65 75 74 73 63 68 65 5f 54 65   /etc/Deutsche_Te
     6c 65 6b 6f 6d 5f 52 6f 6f 74 5f 43 41 5f 32 2e   lekom_Root_CA_2.
     70 65 6d                                          pem             
anonymous_identity - hexdump_ascii(len=29): [REMOVED]
identity - hexdump_ascii(len=29): [REMOVED]   
password - hexdump_ascii(len=7): [REMOVED]
Priority group 0
   id=0 ssid=''
wpa_driver_wired_init: Added multicast membership with packet socket
eth0.2: Own MAC address: f4:ec:38:a5:7a:18
eth0.2: RSN: flushing PMKID list in the driver
eth0.2: Setting scan request: 0 sec 100000 usec
WPS: Set UUID for interface eth0.2
WPS: UUID based on MAC address - hexdump(len=16): 68 26 5a 08 bd fa 56 f4 88 02 aa 75 2a d6 e8 64
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: Supplicant port status: Unauthorized
EAPOL: Supplicant port status: Unauthorized
ctrl_interface_group=0
eth0.2: Added interface eth0.2
EAPOL: External notification - EAP success=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - EAP fail=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portControl=Auto
EAPOL: Supplicant port status: Unauthorized
eth0.2: Already associated with a configured network - generating associated event
eth0.2: Event 0 received on interface eth0.2
eth0.2: Association info event
eth0.2: State: DISCONNECTED -> ASSOCIATED
eth0.2: Associated to a new BSS: BSSID=01:80:c2:00:00:03
Add randomness: count=1 entropy=0
eth0.2: No keys have been configured - skip key clearing
eth0.2: Select network based on association information
eth0.2: Network configuration found for the current AP
eth0.2: WPA: clearing AP WPA IE
eth0.2: WPA: clearing AP RSN IE
eth0.2: WPA: clearing own WPA/RSN IE
EAPOL: External notification - EAP success=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - EAP fail=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portControl=Auto
EAPOL: Supplicant port status: Unauthorized
eth0.2: Associated with 01:80:c2:00:00:03
eth0.2: WPA: Association event - clear replay counter
eth0.2: WPA: Clear old PTK
EAPOL: External notification - portEnabled=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portValid=0
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
eth0.2: Cancelling scan request
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 02 01 00 00
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 02 01 00 00
^Ceth0.2: CTRL-EVENT-TERMINATING - signal 2 received
eth0.2: Removing interface eth0.2
eth0.2: No keys have been configured - skip key clearing
eth0.2: State: ASSOCIATED -> DISCONNECTED
EAPOL: External notification - portEnabled=0
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: Supplicant port status: Unauthorized
EAPOL: External notification - portValid=0
EAPOL: Supplicant port status: Unauthorized
eth0.2: No keys have been configured - skip key clearing
eth0.2: Cancelling scan request
eth0.2: Cancelling authentication timeout

Hmmm... I'm lost.

Anything new? I have the same problem. This is what I get:

root@OpenWrt:/etc/ssl# wpa_supplicant -D wired -i eth0 -c /etc/wpa_supplicant.conf 
Successfully initialized wpa_supplicant
eth0: Associated with 01:80:c2:00:00:03
eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Also, using -dd makes no difference, if anything it sometimes prints out even less.

Hey Guys, I think I have the same problem. It seems that my authentication works a little more, but still fails, I get:

root@OpenWrt:~# wpad wpa_supplicant -D wired -i eth0.2 -c /etc/config/8021x.conf

Successfully initialized wpa_supplicant
eth0.2: Associated with 01:80:c2:00:00:03
eth0.2: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0.2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
eth0.2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
eth0.2: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
eth0.2: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
eth0.2: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 i                  d_str=]
eth0.2: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0.2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
eth0.2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
eth0.2: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
eth0.2: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
^Ceth0.2: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_gener                  ated=1
eth0.2: CTRL-EVENT-TERMINATING

Compare with the message that the topic host got with linux authentication, It shows that may be it was the problem of "Certificate" usage that did not proceeded successfully. how ever, I searched many similar cases in Germany, They do not use this "Deutsche Telekom" root certificate, so no help obtained yet.

Does anyone in Uni-marburg made it through already?

(Last edited by zhouxiaodi on 7 Dec 2013, 16:39)

The discussion might have continued from here.