I have been trying for 2 weeks now to connect to our eduroam network using wicd, but haven't managed to do it so far. Our internet provider gave me the certificate sc_kranj.pem and the configuration file sc_kranj.conf, which looks like this (I added the first two lines myself, starred out the password and changed my username to "username"):
ctrl_interface=DIR=/run/wpa_supplicant GROUP=users
update_config=1
network={
ssid="eduroam"
key_mgmt=WPA-EAP
eap=TTLS
ca_cert="/home/ziga/Dropbox/workspace/archlinux/eduroam/sc_kranj/sc_kranj.pem"
identity="username@sser.sckr.si"
phase2="auth=PAP"
password="********"
anonymous_identity="anonymous@sser.sckr.si"
}
Then I overwrote /etc/wpa_supplicant/wpa_supplicant.conf with the code above and started wpa_supplicant. First I did it manually and it failed.
[ziga@ziga-cq56 sc_kranj]$ sudo wpa_supplicant -i wlp2s0 -c /home/ziga/Dropbox/workspace/archlinux/eduroam/sc_kranj/sc_kranj.conf
Successfully initialized wpa_supplicant
wlp2s0: Trying to associate with 2c:44:fd:50:d2:50 (SSID='eduroam' freq=2412 MHz)
ioctl[SIOCSIWFREQ]: Device or resource busy
wlp2s0: Association request to the driver failed
wlp2s0: Associated with 2c:44:fd:50:d2:50
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 1 for '/C=SI/L=Ljubljana/O=ARNES/OU=AAI/CN=Arnes CA za streznike Eduroam/emailAddress=aaa-podpora@arnes.si'
wlp2s0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=SI/L=Ljubljana/O=ARNES/OU=AAI/CN=Arnes CA za streznike Eduroam/emailAddress=aaa-podpora@arnes.si' err='self signed certificate in certificate chain'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
wlp2s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=2c:44:fd:50:d2:50 reason=0
wlp2s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=1 duration=10
wlp2s0: CTRL-EVENT-SSID-REENABLED id=0 ssid="eduroam"
But when I started the daemon with systemd it worked and the daemon is indeed running. Why wouldn't it run if I start it manually? I can see that there must be an error with my device being busy or something like that.
sudo systemctl start wpa_supplicant
sudo systemctl enable wpa_supplicant
Now that my daemon was up and running I used my configuration file sc_kranj.conf to create a template sc_kranj for the wicd:
name = SC Kranj - eduroam
author = 71GA
version = 1
require anon_identity *ID-anonimni identity *ID-prijavni password *ID-geslo ca_cert *CA-certifikat
protected password *ID-geslo
-----
ctrl_interface=/var/run/wpa_supplicant
update_config=1
network={
ssid="$_ESSID"
scan_ssid=$_SCAN
key_mgmt=WPA-EAP
eap=TTLS
ca_cert="$_CA_CERT"
identity="$_IDENTITY"
phase2="auth=PAP"
password="$_PASSWORD"
anonymous_identity="$_ANON_IDENTITY"
}
I copied this template to /etc/wicd/encryption/templates/sc_kranj and added a new line "sc_kranj" in /etc/wicd/encryption/templates/active. I then restarted wicd, set up the eduroam network using a freshly made template and tried to connect. But it does not connect.
I would appreciate if anyone would give me an idea of what could be wrong because I am out of ideas.
Last edited by 71GA (2014-03-14 09:19:18)
C, ARM, ARM assembly, HTML, CSS, JS, Linux
Hey, I'm the guy you contacted via email earlier.
wpa_supplicant probably didn't run manually because wicd kept the card busy. I'm pretty sure you're not supposed to use them at the same time.
It's either wpa_supplicant + manually running dhcpcd + make sure the card isn't used by using ifconfig or ip or something; or wicd by itself.
The wpa_supplicant config file that definitely worked for me last time I tried is:
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=1
fast_reauth=1
# Eduroam
network={
ssid="eduroam"
identity="******@student.uni-lj.si"
password="********"
anonymous_identity="anonymous@student.uni-lj.si"
proto=WPA WPA2
key_mgmt=WPA-EAP
eap=TTLS
group=CCMP TKIP
pairwise=TKIP CCMP
phase2="auth=PAP"
}
I definitely recommend not specifying the certificate and see if that works. It's a common cause of problems.
And I still recommend just trying NetworkManager, you can always delete it later.
> Hey, I'm the guy you contacted via email earlier.
> wpa_supplicant probably didn't run manually because wicd kept the card busy. I'm pretty sure you're not supposed to use them at the same time.
> It's either wpa_supplicant + manually running dhcpcd + make sure the card isn't used by using ifconfig or ip or something; or wicd by itself.
I did stop all wicd, dhcpcd and wpa_supplicant daemons in systemd but still wpa_supplicant won't start manually.
> The wpa_supplicant config file that definitely worked for me last time I tried is:
> ctrl_interface=/var/run/wpa_supplicant
> eapol_version=1
> ap_scan=1
> fast_reauth=1
> # Eduroam
> network={
> ssid="eduroam"
> identity="******@student.uni-lj.si"
> password="********"
> anonymous_identity="anonymous@student.uni-lj.si"
> proto=WPA WPA2
> key_mgmt=WPA-EAP
> eap=TTLS
> group=CCMP TKIP
> pairwise=TKIP CCMP
> phase2="auth=PAP"
> }
This didn't work.
> I definitely recommend not specifying the certificate and see if that works. It's a common cause of problems.
This didn't work.
> And I still recommend just trying NetworkManager, you can always delete it later.
I did install nm and its daemon and then followed the tutorial from our provider ARNES located here. This didn't work either.
Last edited by 71GA (2014-03-14 12:33:34)
The problem was indeed in the certificate. If I do not specify it my computer can connect to the network. But is this safe? Is this legal if we are a state institution?
All I had to do to fix this was to use the Wicd configuration file below (it is urgent to also install wpa_supplicant, of course):
name = SC Kranj - eduroam
author = 71GA
version = 1
require anon_identity *ID-anonimni identity *ID-prijavni password *ID-geslo
protected password *ID-geslo
-----
ctrl_interface=/var/run/wpa_supplicant
update_config=1
network={
ssid="$_ESSID"
scan_ssid=$_SCAN
key_mgmt=WPA-EAP
eap=TTLS
identity="$_IDENTITY"
phase2="auth=PAP"
password="$_PASSWORD"
anonymous_identity="$_ANON_IDENTITY"
}
I am glad that Linux is working perfectly and that every time I couldn't solve a problem it was still my fault. I may sometimes seem like a help vampire but I am sorry for that. Truly.
I'm glad you got it working!
I have no idea how legal it is. It's definitely not safe if someone sets up a fake access point.
However, after a recent change in OSX that improved security (I think the keys have to be at least 1024 bit now), everyone at Ljubljana's FRI that has an Apple doesn't use a certificate now. Maybe they changed it since then, but I doubt anyone updated their setups.
I may try to find a working certificate this week, if I find the time. I'm suspecting the fault is actually in the certificate file's format, rather than the contents. I had to muck about with them when setting up my VPN.
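Added example, not part of the thread and not code from wicd or wpa_supplicant: a small Python check that flags EAP network blocks which, like the working configuration above, omit ca_cert, or set a CA without a server-name constraint. Without ca_cert the client accepts any access point's server certificate, and with inner PAP it then sends that server the password. The CA path and radius.example.org are placeholders, and domain_suffix_match assumes a wpa_supplicant version that supports it.

```python
TRUST_ANCHOR = {"ca_cert", "ca_path"}
NAME_CHECK = {"domain_suffix_match", "domain_match",
              "altsubject_match", "subject_match"}

def parse_networks(text):
    """Return one {option: value} dict per network={ ... } block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            current = {} if line == "network={" else None
        elif line == "}":
            networks.append(current)
            current = None
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit(text):
    """Return (ssid, severity, reason) for each weakly verified EAP network."""
    findings = []
    for net in parse_networks(text):
        if "eap" not in net and "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/open networks present no server certificate
        ssid = net.get("ssid", "?")
        if not TRUST_ANCHOR & net.keys():
            # Inner PAP hands the cleartext password to whoever ends the tunnel.
            pap = "PAP" in net.get("phase2", "").upper()
            findings.append((ssid, "critical" if pap else "high",
                             "no ca_cert: server certificate is not verified"))
        elif not NAME_CHECK & net.keys():
            findings.append((ssid, "medium",
                             "CA set, but any server it signed is accepted"))
    return findings

# Constructed samples; the path and server name are placeholders.
WEAK = '''network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
}'''
HARDENED = WEAK.replace("eap=TTLS", 'eap=TTLS\n    ca_cert="/path/to/ca.pem"\n'
                        '    domain_suffix_match="radius.example.org"')
if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

A wicd template can be checked the same way, since the text after its ----- line is a wpa_supplicant configuration with $_ placeholders.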