#1 2019-03-15 03:18:59

bbus
Member
Registered: 2019-03-14
Posts: 49

[SOLVED] netctl and eduroam

I have just completed another fresh install of Arch. The only thing I have set up beyond creating a user is netctl. I have searched for and found numerous other tips and configs to get netctl set up for eduroam, but none of them have worked for me. Specifically, dmesg reports that my wireless interface associates and authenticates just fine, but moments after, it'll report deauthenticating by local choice (Reason: 3=DEAUTH_LEAVING).

I can successfully connect to a regular, password-protected network just fine. In almost every "solved" thread I've found (numerous), the general trend ended up being that they had wpa_supplicant somehow enabled in addition to NetworkManager or some other service, which caused conflicting instances. Directly from the fresh install, I've only installed wpa_supplicant, without entering any command with wpa_supplicant besides calling its status from systemctl.

The relevant (I think) portion from dmesg:

...
[    2.666341] iwlwifi 0000:02:00.0 wlp2s0: renamed from wlan0
[    2.716844] random: crng init done
[    2.716845] random: 1 urandom warning(s) missed due to ratelimiting

...

[    3.789255] Bluetooth: hci0: Waiting for firmware download to complete
[    3.789257] Bluetooth: hci0: Firmware loaded in 1436647 usecs
[    3.789368] Bluetooth: hci0: Waiting for device to boot
[    3.801276] Bluetooth: hci0: Device booted in 11705 usecs
[    3.801568] Bluetooth: hci0: Found Intel DDC parameters: intel/ibt-12-16.ddc
[    3.804246] Bluetooth: hci0: Applying Intel DDC parameters completed
[    5.712512] pci_raw_set_power_state: 10 callbacks suppressed
[    5.712514] pcieport 0000:04:00.0: Refused to change power state, currently in D3
[    5.712819] pci_bus 0000:05: busn_res: [bus 05] is released
[    5.712885] pci_bus 0000:06: busn_res: [bus 06-3a] is released
[    5.712923] pci_bus 0000:3b: busn_res: [bus 3b] is released
[    5.712961] pci_bus 0000:04: busn_res: [bus 04-3b] is released
[    6.071513] audit: type=1006 audit(1552521194.589:21): pid=384 uid=0 old-auid=4294967295 auid=1000 tty=tty1 old-ses=4294967295 ses=1 res=1
[    6.099424] audit: type=1130 audit(1552521194.616:22): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user-runtime-dir@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[    6.105085] audit: type=1006 audit(1552521194.623:23): pid=441 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=2 res=1
[    6.140031] audit: type=1130 audit(1552521194.656:24): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[    6.489966] wlp2s0: authenticate with 20:a6:cd:0c:00:71
[    6.503795] wlp2s0: send auth to 20:a6:cd:0c:00:71 (try 1/3)
[    6.509753] wlp2s0: authenticated
[    6.511475] wlp2s0: associate with 20:a6:cd:0c:00:71 (try 1/3)
[    6.513184] wlp2s0: RX AssocResp from 20:a6:cd:0c:00:71 (capab=0x411 status=0 aid=2)
[    6.515991] wlp2s0: associated
[    6.558484] wlp2s0: Limiting TX power to 30 (30 - 0) dBm as advertised by 20:a6:cd:0c:00:71
[    7.446896] audit: type=1131 audit(1552521195.963:25): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-rfkill comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[    9.731453] wlp2s0: deauthenticating from 20:a6:cd:0c:00:71 by local choice (Reason: 3=DEAUTH_LEAVING)
[   11.023985] wlp2s0: authenticate with 20:a6:cd:0b:fa:71
[   11.033758] wlp2s0: send auth to 20:a6:cd:0b:fa:71 (try 1/3)
[   11.040135] wlp2s0: authenticated
[   11.041414] wlp2s0: associate with 20:a6:cd:0b:fa:71 (try 1/3)
[   11.042921] wlp2s0: RX AssocResp from 20:a6:cd:0b:fa:71 (capab=0x411 status=0 aid=1)
[   11.045728] wlp2s0: associated
[   11.057127] wlp2s0: Limiting TX power to 36 (36 - 0) dBm as advertised by 20:a6:cd:0b:fa:71
[   13.924858] wlp2s0: deauthenticating from 20:a6:cd:0b:fa:71 by local choice (Reason: 3=DEAUTH_LEAVING)

output of systemctl list-unit-files --state=enabled

UNIT FILE        STATE  
autovt@.service  enabled
getty@.service   enabled
remote-fs.target enabled

3 unit files listed.

output of systemctl list-unit-files --type=service

UNIT                                                                                          LOAD   ACTIVE SUB     DESCRIPTION                                                                    
dbus.service                                                                                  loaded active running D-Bus System Message Bus                                                       
getty@tty1.service                                                                            loaded active running Getty on tty1                                                                  
kmod-static-nodes.service                                                                     loaded active exited  Create list of required static device nodes for the current kernel             
lvm2-lvmetad.service                                                                          loaded active running LVM2 metadata daemon                                                           
lvm2-monitor.service                                                                          loaded active exited  Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling  
netctl-auto@wlp2s0.service                                                                    loaded active running Automatic wireless network connection using netctl profiles                    
netctl-ifplugd@enp0s31f6.service                                                              loaded active running Automatic wired network connection using netctl profiles                       
systemd-backlight@backlight:intel_backlight.service                                           loaded active exited  Load/Save Screen Backlight Brightness of backlight:intel_backlight             
systemd-backlight@leds:dell::kbd_backlight.service                                            loaded active exited  Load/Save Screen Backlight Brightness of leds:dell::kbd_backlight              
systemd-fsck@dev-disk-by\x2dpartuuid-83e031d3\x2d58a0\x2d44cc\x2dab00\x2dd5df26fa2e58.service loaded active exited  File System Check on /dev/disk/by-partuuid/83e031d3-58a0-44cc-ab00-d5df26fa2e58
systemd-journal-flush.service                                                                 loaded active exited  Flush Journal to Persistent Storage                                            
systemd-journald.service                                                                      loaded active running Journal Service                                                                
systemd-logind.service                                                                        loaded active running Login Service                                                                  
systemd-random-seed.service                                                                   loaded active exited  Load/Save Random Seed                                                          
systemd-remount-fs.service                                                                    loaded active exited  Remount Root and Kernel File Systems                                           
systemd-sysctl.service                                                                        loaded active exited  Apply Kernel Variables                                                         
systemd-tmpfiles-setup-dev.service                                                            loaded active exited  Create Static Device Nodes in /dev                                             
systemd-tmpfiles-setup.service                                                                loaded active exited  Create Volatile Files and Directories                                          
systemd-udev-trigger.service                                                                  loaded active exited  udev Coldplug all Devices                                                      
systemd-udevd.service                                                                         loaded active running udev Kernel Device Manager                                                     
systemd-update-utmp.service                                                                   loaded active exited  Update UTMP about System Boot/Shutdown                                         
systemd-user-sessions.service                                                                 loaded active exited  Permit User Sessions                                                           
user-runtime-dir@1000.service                                                                 loaded active exited  User Runtime Directory /run/user/1000                                          
user@1000.service                                                                             loaded active running User Manager for UID 1000                                                      

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

24 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

output of systemctl list-unit-files

sys-devices-pci0000:00-0000:00:1c.2-0000:02:00.0-net-wlp2s0.device                            loaded active plugged   Wireless 8265 / 8275                                                           
sys-devices-pci0000:00-0000:00:1f.6-net-enp0s31f6.device                                      loaded active plugged   Ethernet Connection (4) I219-LM                                                
sys-subsystem-net-devices-enp0s31f6.device                                                    loaded active plugged   Ethernet Connection (4) I219-LM                                                
sys-subsystem-net-devices-wlp2s0.device                                                       loaded active plugged   Wireless 8265 / 8275                                                           
netctl-auto@wlp2s0.service                                                                    loaded active running   Automatic wireless network connection using netctl profiles                    
netctl-ifplugd@enp0s31f6.service                                                              loaded active running   Automatic wired network connection using netctl profiles                       
system-netctl\x2dauto.slice                                                                   loaded active active    system-netctl\x2dauto.slice                                                    
system-netctl\x2difplugd.slice                                                                loaded active active    system-netctl\x2difplugd.slice                                                 
network.target                                                                                loaded active active    Network                                                                        
sys-devices-pci0000:00-0000:00:1c.2-0000:02:00.0-net-wlp2s0.device                            loaded active plugged   Wireless 8265 / 8275                                                           
sys-devices-pci0000:00-0000:00:1f.6-net-enp0s31f6.device                                      loaded active plugged   Ethernet Connection (4) I219-LM                                                
sys-subsystem-net-devices-enp0s31f6.device                                                    loaded active plugged   Ethernet Connection (4) I219-LM                                                
sys-subsystem-net-devices-wlp2s0.device                                                       loaded active plugged   Wireless 8265 / 8275                                                           
netctl-auto@wlp2s0.service                                                                    loaded active running   Automatic wireless network connection using netctl profiles                    
netctl-ifplugd@enp0s31f6.service                                                              loaded active running   Automatic wired network connection using netctl profiles                       
system-netctl\x2dauto.slice                                                                   loaded active active    system-netctl\x2dauto.slice                                                    
system-netctl\x2difplugd.slice                                                                loaded active active    system-netctl\x2difplugd.slice                                                 
network.target                                                                                loaded active active    Network

output of systemctl status netctl

● netctl.service - (Re)store the netctl profile state
   Loaded: loaded (/usr/lib/systemd/system/netctl.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:netctl.special(7)

output of systemctl status netctl-auto@wlp2s0.service

● netctl-auto@wlp2s0.service - Automatic wireless network connection using netctl profiles
   Loaded: loaded (/usr/lib/systemd/system/netctl-auto@.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-03-14 17:03:42 MDT; 12s ago
     Docs: man:netctl.special(7)
  Process: 406 ExecStart=/usr/bin/netctl-auto start wlp2s0 (code=exited, status=0/SUCCESS)
    Tasks: 2 (limit: 4915)
   Memory: 8.6M
   CGroup: /system.slice/system-netctl\x2dauto.slice/netctl-auto@wlp2s0.service
           ├─421 wpa_supplicant -q -B -P /run/wpa_supplicant-wlp2s0.pid -i wlp2s0 -D nl80211,wext -c/run/netctl/wpa_supplicant-wlp2s0.conf -W
           └─425 wpa_cli -i wlp2s0 -p /run/wpa_supplicant -B -a /usr/lib/netctl/auto.action

Mar 14 17:03:42 hostname systemd[1]: Starting Automatic wireless network connection using netctl profiles...
Mar 14 17:03:42 hostname netctl-auto[406]: Included profile 'fi_eduroam_long'
Mar 14 17:03:42 hostname systemd[1]: Started Automatic wireless network connection using netctl profiles.

output of systemctl status wpa_supplicant.service

● wpa_supplicant.service - WPA supplicant
   Loaded: loaded (/usr/lib/systemd/system/wpa_supplicant.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Finally, my netctl config file for eduroam. I have tried many variations, including not hashing my password (using proper quoting), but behavior in dmesg never changed.

Description='eduroam - A wireless connection using a custom network block configuration'
#Interface=wlan0
Interface=wlp2s0
Connection=wireless
Security=wpa-configsection
IP=dhcp
WPAConfigSection=(
    'ssid="eduroam"'
    'key_mgmt=WPA-EAP'
    'auth_alg=OPEN'
    'eap=PEAP'
    'anonymous_identity=""'
    'ca_cert="/etc/ssl/certs/ca-certificates.crt"'
    'identity="my_user@my_university.edu"'
    'password=hash:xx...xx'
    # 'password="xx...xx"'
    'priority=1'
    'phase2="auth=MSCHAPV2"'
)

Any ideas, much appreciated.

Last edited by bbus (2019-03-22 00:42:56)

Offline

#2 2019-03-15 15:02:17

natervance
Member
Registered: 2017-04-20
Posts: 53

Re: [SOLVED] netctl and eduroam

Hi bbus,

In my (limited) experience from looking at configurations online, eduroam settings seem to vary somewhat from university to university. In my configuration, 'identity' is set to "my_user" and not "my_user@my_university.edu". Also, my university has several different certificates available without any documentation indicating which to use, so I've had to discover the correct one via trial and error. An incorrect certificate results in a nondescript authentication failure (I believe that this is a failure to authenticate the server to you, since the certificate is supposed to be public).

I seem to remember that the authentication is a 2-step process involving both the username/password and the certificate (I can't remember the order). If the first one passes and the second fails, it could lead to the successful authentication followed by the DEAUTH_LEAVING behavior you observed.

Hope this helps!

Offline

#3 2019-03-15 20:07:16

bbus
Member
Registered: 2019-03-14
Posts: 49

Re: [SOLVED] netctl and eduroam

Thanks for your time and tips, natervance!

I tried removing the "@my_univ.edu" portion from 'identity', but no go.

See the following paragraphs, but perhaps I'm not configuring it correctly to accept a security certificate? What you said makes sense about userid perhaps authenticating fine, but maybe ca-cert failing. (or vice versa)

You mentioned your institution had a few different certs you tried until one worked. Does that mean you downloaded them from somewhere on your institution's network? Maybe I need to ask our IT department if I can download one somewhere, or better, pull it from the one NM on Ubuntu (presumably) downloaded/accepted automatically without my input? Any ideas of how to find that one if this is the case? I'll poke around in my file hierarchy, maybe I can find it, if this is a thing.

I've got a working connection to eduroam on Ubuntu with NetworkManager. Since netctl is native to arch, I wanted to figure it out. That's my explanation for why I don't just use NM in arch, besides the fact that netctl has worked great for every other connection I've had to do, including both usb and wifi tethering from my phone.

One more thing before I dump code blocks. I am pretty sure our eduroam is strictly IPv6. Not sure if that should change anything. I've seen some (old, not necessarily related to eduroam) posts where a bug in wpa_supplicant had issues with ipv6, but those have since been squashed. Just thought I'd mention it.

The next two code blocks are from my school's instructions for NM on Ubuntu:

Manual Setup Instructions

Data is encrypted using WPA2-Enterprise
Net ID and password required
Net ID MUST be formatted as "userid@my_univ.edu"
...
Select the "eduroam" network on your device.
When prompted enter userid@my_univ.edu for the username.
Accept the security certificate.
Please note that smart devices are generally unable to connect to the Eduroam network.  Devices such as wireless printers, Chromecasts, smart TVs, AppleTVs, Amazon Echos or other similar products should connect to the UNIV-WiFi network

Detailed Instructions

Wi-Fi security: WPA & WPA2 Enterprise
Authentication: Protected EAP (PEAP)
Anonymous identity: (leave blank)
CA certificate: ca-certificates.crt (found at /etc/ssl/certs/ca-certificates.crt)
PEAP version: Automatic
Inner authentication: MSCHAPv2
Username: netid@univ.edu
Password: ************

I'm including the functioning NM setup file from Ubuntu, in case that's helpful.

[connection]
id=eduroam
uuid=623b8daf-2330-4d6c-97a7-5766aa2ad33b
type=wifi
permissions=
autoconnect-priority=0

[wifi]
mac-address=B4:6B:FC:DE:86:D6
mac-address-blacklist=
mode=infrastructure
ssid=eduroam

[wifi-security]
auth-alg=open
key-mgmt=wpa-eap

[802-1x]
ca-cert=/etc/ssl/certs/ca-certificates.crt
eap=peap;
identity=user_name@my_univ.edu
password=xx...xx
phase2-auth=mschapv2

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

Thanks again

Last edited by bbus (2019-03-22 00:37:27)

Offline

#4 2019-03-16 13:03:34

natervance
Member
Registered: 2017-04-20
Posts: 53

Re: [SOLVED] netctl and eduroam

Interesting. Comparing notes, here is what my university provides:

Please use the following settings to configure your device
SSID/NetworkName: eduroam
SecurityType: WPA2-Enterprise
Encryption: AES
EAP Type: PEAP
Inner EAP Type: MSCHAPV2
CA Certificate:
1. GeoTrust Global CA ( May 21 2022 )
2. GeoTrust SSL CA - G3 ( May 20 2022 )

The first certificate works, while the second doesn't seem to. The hyperlinks are:
1. GeoTrust Global CA ( May 21 2022 )
2. GeoTrust SSL CA - G3 ( May 20 2022 )
It seems from your question that the cert you're using came pre-installed (i.e., from the ca-certificates package)? I see now that it is included in the file, starting on line 1471. So you're probably doing things right by just using the one that comes installed on the system, and I had been mistaken about the importance of that file!

The other thing that I can think of is how passwords are handled. In your netctl config you have the following:

    'password=hash:xx...xx'
    # 'password="xx...xx"'

I'm not 100% familiar with the proper hashing process, though it's discussed here in great detail. Apparently an NT4 hash is necessary (as opposed to a PSK hash). In either case, you should use plaintext until everything is confirmed working and then mess around with hashing.

Offline

#5 2019-03-18 20:34:28

bbus
Member
Registered: 2019-03-14
Posts: 49

Re: [SOLVED] netctl and eduroam

I understand a little better now the certificate I'm applying. Thanks for that info.

I also realized, after my first post, I should simplify it, and have been using a non-hashed password since just after my first post. Thanks for looking out for that.

The only other thing I can think of is that my university's instructions say to "accept the security certificate" in the NM instructions for Ubuntu. Could there perhaps be an issue that netctl (or would wpa_supplicant handle it?) can't handle a request for a certificate to be accepted? I'd think not, since you and many others have a functioning profile. Maybe there is some oddity in the way my university implemented authentication (I wouldn't be surprised) that trips up wpa_supplicant/netctl, maybe requiring user input during authentication.

I am not convinced of that, though, because NM in ubuntu doesn't request my input to accept any certificate, despite the instructions from my university.

I was reading wpa_supplicant documentation, which says it will only accept PEM and DER formatted certificates. I presume those included in /etc/ssl/certs/ca-certificates.crt are formatted as such, but I wonder if there being many different ones is throwing off authentication; that perhaps NM tests each individually. I contacted my school OIT, and am waiting to hear back definitively. The student at the front desk suggested a DigiCert certificate (they have some contract with the company), but I haven't gotten any of the DigiCert_*.pem files to work yet.

If you have any other ideas, let me know, otherwise, I hate to waste more of your time. If I ever get it figured out, I'll post a solution.

Thanks!

Offline

#6 2019-03-19 13:07:54

natervance
Member
Registered: 2017-04-20
Posts: 53

Re: [SOLVED] netctl and eduroam

Could you attempt everything with NM on Arch? I ask because it seems like other people on the internet are having similar issues that are caused by firmware troubles. In the interest of narrowing down causes we can rule out firmware problems if NM on Arch can connect.

As an aside, is your Ubuntu installation you mentioned the same machine as Arch? My university does odd things with tracking MAC addresses on ethernet (not WiFi), so if I connect from a new MAC address I have to pop open a web browser and fill out a form AdHoc style. On my headless server I get around this by spoofing my mac address to match that of an already authenticated machine. If your university does something similar except with WiFi and your known working Ubuntu is on a separate machine, perhaps setting your MAC address to its will change things.

Offline

#7 2019-03-19 16:01:38

Steef435
Member
Registered: 2013-08-29
Posts: 577
Website

Re: [SOLVED] netctl and eduroam

Long shot: by "leave anonymous_identity empty" they probably mean you should use your real identity as anonymous_identity (which is default behaviour for empty anonymous identity field for most clients). Not sure what wpa_supplicant sends out if you explicitly set it empty. (if it sends an empty string that could lead to authentication issues). You could also try "<randomstring/anonymous>@my_university.edu".

Offline

#8 2019-03-19 22:02:43

bbus
Member
Registered: 2019-03-14
Posts: 49

Re: [SOLVED] netctl and eduroam

natervance,

I stopped and disabled both netctl-ifplugd and netctl-auto services. From there, I installed NM and enabled NetworkManager.service. This is a basically fresh install, so no X, video, etc., so I tried using nmtui to add eduroam, which gave me the error that WPA-Enterprise is not supported. I read on one of the network (manager?) pages in the wiki that an NM profile can be activated if the profile exists. So I copied that over from my Ubuntu install (same machine, to answer your other question) by mounting the Ubuntu root partition at /mnt. Just to be clear, I copied /mnt/etc/NetworkManager/system-connections/eduroam to my arch root /etc/NetworkManager/system-connections directory. After a restart, I was able to tell nmtui to activate a connection, highlighting the eduroam and selecting it. It recognized the config file, apparently, and I had a working connection, after disconnecting my ethernet hard line on my laptop, and restarting, just to make sure it was pulling a connection only from eduroam. I have to activate that profile each time I boot up (I tried ~5 times to be sure), but it connects reliably every time, and I can ping out, and I have an IP address on my university 10.XX.XX.XX ipv4 network.

I took some logs from dmesg and systemctl status, if those would be helpful. I'm running out of time for today, but can pull those files over in the morning from my arch install (I've been posting from Ubuntu) and edit this post with them.

I had seen that stackexchange post, but thought it didn't apply to me, since I wasn't using networkd. But from what I read while installing NM, it seems NM does use the networkd backend? If that is correct, does netctl do the same?

To expound on my response about using the same machine, my university used to use a similar MAC address register on our school wifi (and I think some old buildings that don't have an eduroam router still use that system). But as far as I can tell, with their overhaul to eduroam, which included creating a new, non-eduroam ssid for 'smart' devices, the MAC address register is deprecated. Either way, I'm on the same laptop for both installs, so moot, I guess. Good thought, though!


Steef435,
I'll give that a shot in the morning. I did see that suggestion in a netctl (maybe it was raw wpa_supplicant?) config from a student at a european school.

All,
I just dug into an install script provided by my school. I thought it was only Ubuntu/NM, but it is a python file that falls back to creating a wpa_supplicant config file, and it has two certificates in it. I'll also try disabling NM in the morning, enabling raw wpa_supplicant, and running that python script, to see what files/configs it creates, if it runs at all. That wpa_supplicant config it *hopefully* creates, as I understand, could then be "transferred" into the configsection of the netctl profile, for the most part. Is that right?

Thanks for the tips, ideas, and help!


EDIT:

wpa_supplicant uses the nl80211 driver. I haven't seen anywhere that I may need to blacklist the auto loaded iwlwifi driver and force load the nl80211 driver. Do I need to do this? I don't think I do, since netctl is reporting authentication and association before deauthenticating. Thoughts?

Also, I was able to run the python installer from my school, and it created a fallback wpa_supplicant config since I disabled NM before I ran it. It created the following config

network={
    ssid=eduroam
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP TKIP
    eap=PEAP
    ca_cert="/path/to/ca.pem"
    identity="userid@univ.edu"
    altsubject_match="altsubject_match="DNS:onboard.univ.edu""
    phase2="auth=MSCHAPV2"
    password="xx...xx"
    anonymous_identity=""

I've read over the wpa_supplicant wiki page a few times, and the man page, but I can't piece together what I need to do to test if wpa_supplicant can connect by itself, with just wpa_cli.

If you know what the commands should be to try to connect with that, let me know. Thanks!

EDIT 2

[SOLVED]

The certificates shipped with my school's python installer are *apparently* old. I disabled NM, and netctl, and tried connecting with wpa_supplicant from the command line. (I finally figured out how to do so, from the wiki pages, and a new-found forum post) Additionally, my school's python script that creates a wpa_supplicant network block as a fallback if NM is not found, had a few unnecessary lines, besides creating a ca.pem file with old certs.

Here is my functioning wpa_supplicant.conf:

ctrl_interface=/run/wpa_supplicant
update_config=1

network={
        ssid="eduroam"
        key_mgmt=WPA-EAP
        pairwise=CCMP
        group=CCMP TKIP
        eap=PEAP
        # ca_cert="/home/user1/.cat_installer/ca.pem"
        # ca_cert="/etc/ssl/certs/ca-certificates.crt"
        identity="user_id@univ.edu"
        # altsubject_match="altsubject_match="DNS:onboard.univ.edu""
        phase2="auth=MSCHAPV2"
        password="xx...xx"
        # anonymous_identity=""
}

It ended up working with the system ca-certificates.crt file, but it works without it as well, so I figured to leave it out, per the suggestion of the 5th post at https://bbs.archlinux.org/viewtopic.php?id=174353.

The line that breaks wpa_supplicant is "anonymous_identity". My school's instructions say to "leave it blank," so I included it with empty quotes. I failed to notice that my NetworkManager config created with a gui in Ubuntu removed the line altogether when I left the "anonymous_identity" line blank in the network connection setup gui.

netctl successfully connects using the system certs, but fails when the "anonymous_identity" line is included.

My final, functioning netctl config is:

Description='eduroam'

Interface=wlp2s0
Connection=wireless
Security=wpa-configsection
IP=dhcp
#Priority=1
ESSID=eduroam

WPAConfigSection=(
    'ssid="eduroam"'
    'key_mgmt=WPA-EAP'
    'pairwise=CCMP'
    'group=CCMP TKIP'
    'eap=PEAP'
    'identity="user_id@univ.edu"'
    'password=hash:<your_passwd_hash>'
    #'password="xx...xx"'
    'phase2="auth=MSCHAPV2"'
)

My password hash even worked, which I was happy for. I used:

echo -n xx...xx | iconv -t utf16le | openssl md4

and was sure to remove the line from my shell history after.

Thank you for the help, tips, and ideas. I learned a few other things in the meantime of finding the solution, which was good for me.

Last edited by bbus (2019-03-25 15:29:28)

Offline
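The two things this post changed, the empty `anonymous_identity` line and the commented-out `ca_cert`, turned into a checker for wpa_supplicant blocks and netctl `WPAConfigSection`s. This is an added example, not code from the thread or from either project; without `ca_cert` the server certificate is not verified, so the client cannot tell the university's RADIUS server from an impostor. The finding names, the abridged sample blocks and the server name `radius.univ.example` are assumptions of this example.

```python
import re

# wpa_supplicant options that pin the RADIUS server's certificate name.
NAME_CHECKS = {"domain_suffix_match", "domain_match", "altsubject_match", "subject_match"}
ENTRY = re.compile(r"^([a-z0-9_]+)=(.*)$")


def parse_block(text):
    """Collect active key=value entries from a wpa_supplicant network block
    or a netctl WPAConfigSection (entries wrapped in single quotes)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out entry
        if len(line) >= 2 and line[0] == line[-1] == "'":
            line = line[1:-1]
        m = ENTRY.match(line)
        if m and m.group(2) not in ("{", "("):
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit(text):
    """Return finding ids for one 802.1X network block."""
    s = parse_block(text)
    if "WPA-EAP" not in s.get("key_mgmt", ""):
        return []  # not an enterprise profile, nothing to check
    found = []
    # The line this thread identified as breaking authentication.
    if s.get("anonymous_identity") == '""':
        found.append("empty-anonymous-identity")
    # Without ca_cert/ca_path the server certificate is not verified at all.
    if "ca_cert" not in s and "ca_path" not in s:
        found.append("no-ca-cert")
    # A CA bundle alone accepts any server certificate issued under it.
    elif not NAME_CHECKS.intersection(s):
        found.append("no-server-name-check")
    # Installer artefact: the key name repeated inside the value.
    if s.get("altsubject_match", "").startswith('"altsubject_match='):
        found.append("malformed-altsubject-match")
    # An unquoted ssid is parsed as a hex string, not as a network name.
    ssid = s.get("ssid", "")
    if ssid and not ssid.startswith('"') and not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", ssid):
        found.append("unquoted-ssid")
    if s.get("password", "").startswith('"'):
        found.append("plaintext-password")
    return found


# Constructed from the installer-generated block quoted above (abridged).
INSTALLER_BLOCK = '''
network={
    ssid=eduroam
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/path/to/ca.pem"
    identity="userid@univ.edu"
    altsubject_match="altsubject_match="DNS:onboard.univ.edu""
    phase2="auth=MSCHAPV2"
    password="xx...xx"
    anonymous_identity=""
'''

# Constructed from the final netctl profile above (abridged, placeholder hash).
FINAL_NETCTL = """
WPAConfigSection=(
    'ssid="eduroam"'
    'key_mgmt=WPA-EAP'
    'eap=PEAP'
    'identity="user_id@univ.edu"'
    'password=hash:<your_passwd_hash>'
    #'password="xx...xx"'
    'phase2="auth=MSCHAPV2"'
)
"""

# Constructed variant with certificate checks; the server name is a placeholder.
HARDENED_NETCTL = FINAL_NETCTL.replace(
    "\n)",
    "\n    'ca_cert=\"/etc/ssl/certs/ca-certificates.crt\"'"
    "\n    'domain_suffix_match=\"radius.univ.example\"'\n)",
)

if __name__ == "__main__":
    for name in ("INSTALLER_BLOCK", "FINAL_NETCTL", "HARDENED_NETCTL"):
        print(name, audit(globals()[name]))
```

The correct value for `domain_suffix_match` is the name in the RADIUS server's certificate, which the institution's IT department can supply.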

#9 2020-08-29 15:11:16

leuko
Member
Registered: 2020-06-01
Posts: 23

Re: [SOLVED] netctl and eduroam

Bbus's solution also worked for me, thank you a lot bbus!

BTW, if you do not want your password to be stored in your history:

iconv -t utf16le | openssl md4

Then type your password but do not press Return/Enter, otherwise it also gets hashed. Instead, press CTRL+d after writing your password.

Offline

#10 2020-08-29 16:35:03

2ManyDogs
Forum Fellow
Registered: 2012-01-15
Posts: 4,645

Re: [SOLVED] netctl and eduroam

Closing this old solved topic.

Offline
