
#1 2015-04-10 09:17:56

woodape
Member
Registered: 2015-03-25
Posts: 159

[WORKED-AROUND] Can't connect to PEAP access point

Hi all! After having followed the guide (I did, I promise!), I haven't been able to get a connection to the PEAP network which my university uses. I'm using NetworkManager to manage my connections and nm-connection-editor doesn't allow me to create any network connection with any wifi security, and nm-applet doesn't allow me to connect to a network that requires more than just a passphrase, i.e. WEP, WPA. In nm-applet, the "connect" button is greyed out, while in nm-connection-editor the "save" button is greyed out. The error which seems to be most relevant is:

 ** (nm-connection-editor:11889): WARNING **: Invalid setting Wi-Fi Security: Invalid Wi-Fi security

I tried disabling the NetworkManager service, uninstalling, and installing Wicd, but I still couldn't connect to the PEAP network. Wicd does connect to the Wifi hotspot on my phone though, so at least something is going right. I'm certain I have the credentials correct, as I'm using the same ID and passphrase to connect with my phone.

Here are the outputs from a few relevant commands:

$pacman -Qs wpa_supplicant
local/wpa_supplicant 2.3-1
    A utility providing key negotiation for WPA wireless networks
local/wpa_supplicant_gui 2.3-1
    A Qt frontend to wpa_supplicant

#######################################

$lspci -k
01:00.0 Network controller: Intel Corporation Centrino Advanced-N 6235 (rev 24)
	Subsystem: Intel Corporation Centrino Advanced-N 6235 AGN
	Kernel driver in use: iwlwifi
	Kernel modules: iwlwifi

#######################################

$dmesg | grep firmware
[    2.354276] iwlwifi 0000:01:00.0: loaded firmware version 18.168.6.1 op_mode iwldvm
[    2.876078] psmouse serio1: elantech: assuming hardware version 4 (with firmware version 0x575f01)

########################################

$iw dev
phy#0
	Interface wlp1s0
		ifindex 2
		wdev 0x1
		addr c4:85:08:7b:5c:9b
		type managed
		channel 11 (2462 MHz), width: 20 MHz, center1: 2462 MHz

########################################

$ip link show wlp1s0
2: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether c4:85:08:7b:5c:9b brd ff:ff:ff:ff:ff:ff

########################################

$systemctl -a | grep NetworkManager
  NetworkManager.service     loaded    active   running   Network Manager

########################################

$rfkill list
0: samsung-wlan: Wireless LAN
	Soft blocked: no
	Hard blocked: no
1: samsung-bluetooth: Bluetooth
	Soft blocked: no
	Hard blocked: no
2: hci0: Bluetooth
	Soft blocked: no
	Hard blocked: no
3: phy0: Wireless LAN
	Soft blocked: no
	Hard blocked: no

########################################

$nm-connection-editor

(nm-connection-editor:10609): GLib-GObject-WARNING **: The property GtkButton:use-stock is deprecated and shouldn't be used anymore. It will be removed in a future version.

(nm-connection-editor:10609): GLib-GObject-WARNING **: The property GtkSettings:gtk-button-images is deprecated and shouldn't be used anymore. It will be removed in a future version.

(nm-connection-editor:10609): GLib-GObject-WARNING **: The property GtkTreeView:rules-hint is deprecated and shouldn't be used anymore. It will be removed in a future version.

** (nm-connection-editor:10609): WARNING **: nm_connection_list_new: failed to load VPN plugins: Couldn't read VPN .name files directory /etc/NetworkManager/VPN.
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.

(nm-connection-editor:10609): GLib-GObject-WARNING **: The property GtkMisc:yalign is deprecated and shouldn't be used anymore. It will be removed in a future version.

(nm-connection-editor:10609): GLib-GObject-WARNING **: The property GtkImage:stock is deprecated and shouldn't be used anymore. It will be removed in a future version.

(nm-connection-editor:10609): GLib-GObject-WARNING **: The property GtkButton:xalign is deprecated and shouldn't be used anymore. It will be removed in a future version.

(nm-connection-editor:10609): GLib-GObject-WARNING **: The property GtkWidget:margin-left is deprecated and shouldn't be used anymore. It will be removed in a future version.

(nm-connection-editor:10609): GLib-GObject-WARNING **: The property GtkAlignment:left-padding is deprecated and shouldn't be used anymore. It will be removed in a future version.

###Here I selected create wifi connection

** (nm-connection-editor:10609): WARNING **: Invalid setting Wi-Fi: 802-11-wireless.ssid: property is missing

** (nm-connection-editor:10609): WARNING **: Failed to get zones from FirewallD: (2) The name org.fedoraproject.FirewallD1 was not provided by any .service files

** (nm-connection-editor:10609): WARNING **: Invalid setting Wi-Fi: 802-11-wireless.ssid: property is missing

** (nm-connection-editor:10609): WARNING **: Invalid setting Wi-Fi: 802-11-wireless.ssid: property is missing

** (nm-connection-editor:10609): WARNING **: Invalid setting Wi-Fi: 802-11-wireless.ssid: property is missing

** (nm-connection-editor:10609): WARNING **: Invalid setting Wi-Fi: 802-11-wireless.ssid: property is missing

###Here I selected WPA & WPA2 Enterprise after typing in a SSID

** (nm-connection-editor:10609): WARNING **: Invalid setting Wi-Fi Security: Invalid Wi-Fi security

** (nm-connection-editor:10609): WARNING **: Invalid setting Wi-Fi Security: Invalid Wi-Fi security

I'm all open to suggestions, please let me know if I should post additional output.

****EDIT: The work around if thread is TLDR****

When prompted use 'sudo' or else log in as root to do the configuration.

Manual Connection to WPA-Enterprise / PEAP can be accomplished with wpa_supplicant, available in the repos. Make sure you have it:

pacman -S wpa_supplicant

Next create a wpa_supplicant.conf file, there is already one in the existing folder with a great deal of comments/documentation, so it is best to back that one up, not replace it.

cd /etc/wpa_supplicant
cp wpa_supplicant.conf wpa_supplicant.conf.orig

echo "ctrl_interface=DIR=/run/wpa_supplicant
ap_scan=1
fast_reauth=1" > /etc/wpa_supplicant/wpa_supplicant.conf

@Head_on_a_Stick suggested the command:

wpa_passphrase SSID passphrase >> /etc/wpa_supplicant/wpa_supplicant.conf

But I couldn't get that to work with EAP. I recall reading somewhere that this isn't necessary because of the type of encryption, but I can't find the source so for now it's hearsay. Nonetheless, since I couldn't get it to work, I didn't use the command.

Now open up the file as root in your favorite text editor and change the fields inside the network tags to look like the following, substituting in your own ID and passphrase:

network={
     scan_ssid=1
     ssid="eduroam"
     key_mgmt=WPA-EAP
     eap=PEAP
     identity="myid@university.ac.za"
     anonymous_identity="myid@university.ac.za"
     password="*******"
     phase1="peaplabel=auto peapver=0 " 
     phase2="auth=MSCHAPv2"
}

Two issues I ran into were that I didn't need a CA certificate, and apparently the connection uses auto PEAP, not a dedicated version. If you need a certificate, the parameter is:

ca_cert="path/to/certificate"

and if you have a particular version of PEAP, you need to indicate by changing the "peaplabel" in "phase1=" to the correct version number.

With this file in place, you can now connect. First find out the name of your wireless interface:

$iw dev
phy#0
	Interface wlp1s0
		ifindex 2
		wdev 0x1
		addr c4:85:08:7b:5c:9b
		type managed
		channel 11 (2462 MHz), width: 20 MHz, center1: 2462 MHz

Issue the following commands, all of which need to be issued as root, replacing "INTERFACE" with the name of your interface:

ip l set INTERFACE up
wpa_supplicant -B -i INTERFACE -c /etc/wpa_supplicant/wpa_supplicant.conf
dhcpcd INTERFACE

You should now have a connection. To make this automatically connect when you boot, create and enable a systemd service file in '/etc/systemd/system/' called 'network-wireless@.service'. Don't forget the period after the "@" symbol:

[Unit]
Description=Wireless network connectivity (%i)
Wants=network.target
Before=network.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
Type=oneshot
RemainAfterExit=yes

ExecStart=/usr/bin/ip link set dev %i up
ExecStart=/usr/bin/wpa_supplicant -B -i %i -c /etc/wpa_supplicant/wpa_supplicant.conf
ExecStart=/usr/bin/dhcpcd %i

ExecStop=/usr/bin/ip link set dev %i down

[Install]
WantedBy=multi-user.target

Enable the service by listing the interface name after the "@" symbol:

systemctl enable network-wireless@INTERFACE.service

You should now have a connection at boot. Enjoy!

Last edited by woodape (2015-04-15 09:17:20)

Offline
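
An added example, not part of woodape's post: a shell function that lists the settings in a wpa_supplicant.conf EAP block that leave the server unauthenticated or expose the user name, run on the block from the post and on a tightened variant. The CA path, `radius.university.ac.za` and `anonymous@university.ac.za` are placeholder assumptions; use the values your institution publishes.

```shell
# Added example, not from the thread. Prints one finding per line.
audit_wpa_conf() {
    # The file holds a credential: flag it if "other" can read it.
    [ -z "$(find "$1" -prune -perm -004)" ] || echo "file: readable by every local user"
    awk '
    /^[ \t]*#/ { next }                               # comment line
    /^[ \t]*network[ \t]*=[ \t]*\{/ {                 # block start
        inblk = 1; eap = 0; ssid = ca = id = anon = pin = ""; next
    }
    inblk && /^[ \t]*\}/ {                            # block end: report
        if (eap && ca == "")
            print ssid ": no ca_cert, server certificate is not verified"
        if (eap && pin == "")
            print ssid ": no server name check (domain_suffix_match etc.)"
        if (eap && (anon == "" || anon == id))
            print ssid ": outer identity reveals the real user name"
        inblk = 0; next
    }
    inblk {                                           # key=value inside block
        key = $0; sub(/^[ \t]+/, "", key); sub(/[ \t]*=.*$/, "", key)
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        gsub(/^"|"$/, "", v)                          # drop surrounding quotes
        if (key == "ssid") ssid = v
        if (key == "key_mgmt" && v ~ /EAP/) eap = 1
        if (key == "ca_cert") ca = v
        if (key == "identity") id = v
        if (key == "anonymous_identity") anon = v
        if (key ~ /^(domain_suffix_match|altsubject_match|subject_match)$/) pin = v
    }' "$1"
}
# Constructed samples: the block from post #1, then a tightened variant.
# The CA path and server name are placeholders, not values from the thread.
weak_conf() { cat <<'EOF'
network={
     ssid="eduroam"
     key_mgmt=WPA-EAP
     eap=PEAP
     identity="myid@university.ac.za"
     anonymous_identity="myid@university.ac.za"
     password="*******"
     phase1="peaplabel=auto peapver=0 "
     phase2="auth=MSCHAPv2"
}
EOF
}
hardened_conf() {
    weak_conf | sed -e 's/^\( *anonymous_identity=\).*/\1"anonymous@university.ac.za"/' \
        -e '/phase2=/a\
     ca_cert="/path/to/ca.pem"\
     domain_suffix_match="radius.university.ac.za"'
}
tmp=$(mktemp); weak_conf > "$tmp"; chmod 644 "$tmp"
audit_wpa_conf "$tmp"                                 # four findings
hardened_conf > "$tmp"; chmod 600 "$tmp"; audit_wpa_conf "$tmp"; rm -f "$tmp"
```

The second run prints nothing: the tightened block sets a CA, a server name check and a separate outer identity, and the file is mode 600.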

#2 2015-04-10 09:47:59

runical
Member
From: The Netherlands
Registered: 2012-03-03
Posts: 896

Re: [WORKED-AROUND] Can't connect to PEAP access point

Which guide and what is your setup (DE/WM)? As far as I know, nm-applet requires some sort of keyring to save passwords. If you didn't install that, try installing gnome-keyring.

Also, are you sure about the settings and did you select a certificate (even if it is 'none')? I had some trouble with that a while ago as well.

Last edited by runical (2015-04-10 09:48:55)

Offline

#3 2015-04-10 10:18:34

woodape
Member
Registered: 2015-03-25
Posts: 159

Re: [WORKED-AROUND] Can't connect to PEAP access point

Thanks for the reply runical. I followed the Beginners Wireless guide. The commands I'm posting are from that section.

I'm using DWM, no display manager. My .xinitrc is the following:

#!/bin/sh

userresources=$HOME/.Xresources
usermodmap=$HOME/.Xmodmap
sysresources=/etc/X11/xinit/.Xresources
sysmodmap=/etc/X11/xinit/.Xmodmap

# merge in defaults and keymaps

if [ -f $sysresources ]; then
    xrdb -merge $sysresources
fi

if [ -f $sysmodmap ]; then
    xmodmap $sysmodmap
fi

if [ -f "$userresources" ]; then
    xrdb -merge "$userresources"
fi

if [ -f "$usermodmap" ]; then
    xmodmap "$usermodmap"
fi

# start some nice programs

if [ -d /etc/X11/xinit/xinitrc.d ] ; then
 for f in /etc/X11/xinit/xinitrc.d/?*.sh ; do
  [ -x "$f" ] && . "$f"
 done
 unset f
fi

# start some programs that are useful

urxvtd -q -f -o

# DWM Section

sh ~/.fehbg &
dwm-status & 

exec /home/woodape/dwm/dwm

I already have gnome-keyring installed.

woodape[~]$ pacman -Qs gnome-keyring
local/gnome-keyring 3.15.92-1 (gnome)
    GNOME Password Management daemon

I selected 'none' for sure. But even if I go to "create new network" using nm-applet it only offers WEP security or none. I can't create a network connection using anything stronger.

According to the guide, this looks like nm-applet isn't detecting that I have wpa_supplicant installed, which provides the increased security types, but it is installed.

Offline

#4 2015-04-10 12:42:24

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,732

Re: [WORKED-AROUND] Can't connect to PEAP access point

Hiya woodape ;)

Have you installed iw?

Try connecting manually to see if you can get it working without NetworkManager first.
https://wiki.archlinux.org/index.php/Wi … nual_setup

Offline

#5 2015-04-10 13:17:42

woodape
Member
Registered: 2015-03-25
Posts: 159

Re: [WORKED-AROUND] Can't connect to PEAP access point

Hey Head! iw is installed:

woodape[~]$ pacman -Qs iw
local/iw 3.17-1
    nl80211 based CLI configuration utility for wireless devices

According to the guide though, iw only works with WEP or no encryption. I'm able to connect under those conditions with no problem. The issue is when connecting to anything more serious, which apparently requires wpa_supplicant (which is installed as shown in post#1).

I think I'm getting closer to the issue though by trying to connect manually. I've made the following 'work.conf' file according to the wpa_supplicant man page(5):

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
     ssid="eduroam"
     scan_ssid=1
     key_mgmt=WPA-EAP
     eap=PEAP
     identity="myid@university.ac.za"
     anonymous_identity="myid@university.ac.za"
     password="*******"
     ca_cert=""
     phase1="peaplabel=0"
     phase2="auth=MSCHAPv2"
}

and tried to connect manually by issuing

wpa_supplicant -B -i wlp1s0 -c /etc/wpa_supplicant/work.conf

which is followed by

Successfully initialized wpa_supplicant
wlp1s0: Failed to initialize driver interface

but according to lspci -k (in my first post) the "iwlwifi" driver is loaded and in use. I'm pretty sure my config is ok, but not positive - there isn't an exhaustive list of examples on the man page, but pretty close.

In short, tried manually connecting but no luck thus far.

Offline

#6 2015-04-10 13:33:18

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,732

Re: [WORKED-AROUND] Can't connect to PEAP access point

woodape wrote:

tried to connect manually by issuing

wpa_supplicant -B -i wlp1s0 -c /etc/wpa_supplicant/work.conf

which is followed by

Successfully initialized wpa_supplicant
wlp1s0: Failed to initialize driver interface

Try this first:

# ip l set wlp1s0 up

I find that this is all that is required to create a wpa_supplicant.conf file (backup the original first):

# echo "ctrl_interface=DIR=/run/wpa_supplicant" > /etc/wpa_supplicant/wpa_supplicant.conf
# wpa_passphrase SSID password >> /etc/wpa_supplicant/wpa_supplicant.conf

Replace "SSID" with the name of the interface & "password" with your password; repeat the second line for all the access points you need.

Then start the connection using:

# wpa_supplicant -B -i wlp1s0 -c /etc/wpa_supplicant/wpa_supplicant.conf
# dhcpcd wlp1s0

https://wiki.archlinux.org/index.php/Wi … 2Fservices

Offline

#7 2015-04-10 16:21:24

woodape
Member
Registered: 2015-03-25
Posts: 159

Re: [WORKED-AROUND] Can't connect to PEAP access point

Getting close here! :)

# ip l set wlp1s0 up

no errors so far

# echo "ctrl_interface=DIR=/run/wpa_supplicant" > /etc/wpa_supplicant/wpa_supplicant.conf
# wpa_passphrase SSID password >> /etc/wpa_supplicant/wpa_supplicant.conf

This second command assumes away EAP so I filled in the rest of the file as I had in the previous post but removing the line for 'ca_cert=""'

Then I did:

#wpa_supplicant -B -i wlp1s0 -c /etc/wpa_supplicant/wpa_supplicant.conf
Successfully initialized wpa_supplicant
#wpa_cli
wpa_cli v2.3
Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi> and contributors

This software may be distributed under the terms of the BSD license.
See README for more details.

Selected interface 'wlp1s0'

Interactive mode

<3>CTRL-EVENT-SCAN-STARTED 
<3>CTRL-EVENT-SCAN-RESULTS 
<3>SME: Trying to authenticate with b4:a4:e3:1f:85:60 (SSID='eduroam' freq=2462 MHz)
<3>Trying to associate with b4:a4:e3:1f:85:60 (SSID='eduroam' freq=2462 MHz)
<3>Associated with b4:a4:e3:1f:85:60
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
<3>CTRL-EVENT-EAP-STATUS status='started' parameter=''
<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
<3>CTRL-EVENT-EAP-STATUS status='refuse proposed method' parameter='TLS'
<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
<3>CTRL-EVENT-EAP-STATUS status='accept proposed method' parameter='PEAP'
<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
<3>CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=thawte, Inc./CN=thawte SSL CA - G2'
<3>CTRL-EVENT-EAP-STATUS status='remote certificate verification' parameter='success'
<3>CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=ZA/ST=Western Cape/L=Rondebosch/O=University of Cape Town/OU=ICTS - Technical Support Services/CN=uc-acs.uct.ac.za'
<3>CTRL-EVENT-EAP-STATUS status='remote certificate verification' parameter='success'
<3>CTRL-EVENT-EAP-STATUS status='completion' parameter='success'
<3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
<3>Authentication with b4:a4:e3:1f:85:60 timed out.
<3>CTRL-EVENT-DISCONNECTED bssid=b4:a4:e3:1f:85:60 reason=3 locally_generated=1

There's a lot of success here. All of that output was automatically generated after running 'wpa_cli' and waiting a second. It could very well be that the final

<3>Authentication with b4:a4:e3:1f:85:60 timed out.
<3>CTRL-EVENT-DISCONNECTED bssid=b4:a4:e3:1f:85:60 reason=3 locally_generated=1

bits are because the network is not so great. People complain all the time here (myself included) about the signal dropping out on them. I'll have to look up what "reason=3" means.

dhcpcd wlp1s0

Always times out, I'm assuming because of the DISCONNECTED error.

It is however Friday evening now, so this is going to have to wait until I'm back at the university on Monday to be sorted out completely.

Offline
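
The wpa_cli output in the post above reports 'remote certificate verification' success for a configuration that has no ca_cert line, and without ca_cert wpa_supplicant does not verify the server certificate, so those events record only what the server presented. As an added example (not part of the thread), this function pulls the presented certificate names out of such event lines and compares the leaf CN with a name you expect; the function name and output keys are assumptions of this example.

```shell
# Added example, not from the thread. Reads wpa_cli event lines on stdin and
# reports what the EAP server presented. $1 is the leaf CN you expect.
eap_peer_report() {
    awk -v want="$1" -v q="'" '
    /CTRL-EVENT-EAP-PEER-CERT/ {
        depth = $0; sub(/.*depth=/, "", depth); sub(/ .*/, "", depth)
        subj = $0;  sub(".*subject=" q, "", subj); sub(q ".*", "", subj)
        cn = subj;  sub(/.*\/CN=/, "", cn)            # keep the text after /CN=
        if (depth == "0") leaf = cn                   # server certificate
        else if (depth == "1") issuer = cn            # its direct issuer
    }
    /CTRL-EVENT-EAP-SUCCESS/ { ok = 1 }
    ok && /Authentication with .* timed out/ { late = 1 }
    END {
        print "leaf_cn=" leaf
        print "issuer_cn=" issuer
        print "leaf_matches_expected=" (leaf == want ? "yes" : "no")
        print "eap_success=" (ok ? "yes" : "no")
        print "timeout_after_eap_success=" (late ? "yes" : "no")
    }'
}
# Sample input: event lines copied from the wpa_cli output in post #7.
sample_events() { cat <<'EOF'
<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
<3>CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=thawte, Inc./CN=thawte SSL CA - G2'
<3>CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=ZA/ST=Western Cape/L=Rondebosch/O=University of Cape Town/OU=ICTS - Technical Support Services/CN=uc-acs.uct.ac.za'
<3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
<3>Authentication with b4:a4:e3:1f:85:60 timed out.
EOF
}
sample_events | eap_peer_report uc-acs.uct.ac.za
```

A matching leaf CN here only tells you which name to pin; the check that protects the password is the one wpa_supplicant performs itself once ca_cert and a server name match are set in the network block.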

#8 2015-04-15 08:10:22

woodape
Member
Registered: 2015-03-25
Posts: 159

Re: [WORKED-AROUND] Can't connect to PEAP access point

So back at the University I've finally been able to connect manually after finding this post: Wpa_supplicant on WPA2-Enterprise

In the final post of that thread, the OP solves his(her) issue by changing:

     phase1="peaplabel=0"

to

  phase1="peaplabel=auto peapver=0 " 

Making this change, and nothing else, to my own wpa_supplicant.conf file has allowed me to connect manually. However, NetworkManager still does not allow me to create this connection, and still reports the error:

 ** (nm-connection-editor:11889): WARNING **: Invalid setting Wi-Fi Security: Invalid Wi-Fi security

Which is somewhat inconvenient as I would like to be able to fall back on it should I not be able to configure manual settings in the future. For now this thread is [WORKED-AROUND]. Thanks HOS for pointing me in the right direction.

Offline
