#1 2021-05-25 11:45:01

Granheim
Member
Registered: 2021-05-25
Posts: 4

Connecting to eduroam through iwd

I'm attempting to connect to eduroam WiFi using iwd. Following the Arch Wiki on iwd, specifically the section on eduroam, I created a configuration file with the usual content:

$ cat /var/lib/iwd/eduroam.8021x

[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@[domain]
EAP-PEAP-CACert=/etc/ca-certificates/trust-source/anchors/[CACert].crt
EAP-PEAP-ServerDomainMask=radius.[domain]
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=[username]@[domain]
EAP-PEAP-Phase2-Password=[password]

[Settings]
AutoConnect=true

The specific settings were taken from the relevant configuration tool, as is the CA certificate. Now, attempting to connect via iwd simply throws me an error:

$ iwctl station wlan0 connect eduroam
Operation failed

The relevant journal log seems to indicate what's going on. The error message below is repeated several times.

$ journalctl -u iwd.service | tail
(...)
May 25 13:08:05 arch iwd[2674]: EAP completed with eapFail
May 25 13:08:05 arch iwd[2674]: EAP negotiation stopped after the Identity exchange, this can happen when the EAP-Identity value is not what the authenticator expects
May 25 13:08:05 arch iwd[2674]: 4-Way handshake failed for ifindex: 5, reason: 23

Although I don't know what the ifindex and reason stand for, the second message seems explicit enough: there's something wrong with the EAP-Identity value. But more than that I do not know.

Last edited by Granheim (2021-05-25 11:45:58)

#2 2021-05-25 14:25:39

spychodelics
Member
Registered: 2009-06-08
Posts: 37

Re: Connecting to eduroam through iwd

Can you try EAP-Identity=anonymous without the @[domain]?

https://wiki.archlinux.org/title/Iwd#Eduroam

#3 2021-05-26 06:48:52

Granheim
Member
Registered: 2021-05-25
Posts: 4

Re: Connecting to eduroam through iwd

spychodelics wrote:

Can you try EAP-Identity=anonymous without the @[domain]?

https://wiki.archlinux.org/title/Iwd#Eduroam

I had already tried to vary the EAP-Identity to some random things (disregarding what's specified in the configuration tool) including 'anonymous' --- it produces the same error.

#4 2021-06-02 15:29:38

Granheim
Member
Registered: 2021-05-25
Posts: 4

Re: Connecting to eduroam through iwd

Here's a quick update on the situation. To put it short, the problems persist.

I am fairly sure that the problem is not related to the EAP-Identity. I've attempted various alternatives including a non-anonymous identity, and even attempted to leave it out completely. The error message is always the same.

The location of the CA certificate is not a problem either. I've put the certificate in the config file but it produces the same error. However, the error changes when purposely adding a typo into the certificate, so it is clear that the certificate is being read correctly.

Everything is left unblocked by rfkill in case anyone suspects that to be an issue.

A further indication might be to look closer into this "ifindex: 5, reason: 23", which is given as a reason for why the handshake is failing. But I'm struggling to find out what that means. (Googling "ifindex: 5, reason: 23" literally only yields this thread.) Could anyone give me some pointers on this?

Last edited by Granheim (2021-06-02 15:29:52)

#5 2022-05-11 02:05:45

klden
Member
Registered: 2022-05-11
Posts: 1

Re: Connecting to eduroam through iwd

Hey Granheim,

... I'm struggling to find out what that means. (Googling "ifindex: 5, reason: 23" literally only yields this thread.)

ifindex represents your interface index (network interface). In your case, it's the 5th interface. You can check using:

ip a

If you try to enclose in double quotes "reason: 23" with iwd in your Google query, you should see more results.

To solve this issue, which I faced as well, I had to omit my email extension from EAP-Identity and EAP-PEAP-Phase2-Identity. Here's a working config for me:

[Security]
EAP-Method=PEAP
EAP-Identity=anonymous
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=YOUR_USERNAME_WITHOUT_@DOMAIN_NAME.COM
EAP-PEAP-Phase2-Password-Hash=YOUR_HASH

[Settings]
AutoConnect=true

Hope this helps.

Cheers.
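
An added example, not part of the thread and not iwd's own code: a small Python check run over the two [Security] groups posted in #1 and #5, showing what each one does and does not validate. It assumes iwd's documented behaviour that a profile without EAP-PEAP-CACert does not verify the server's certificate chain and one without EAP-PEAP-ServerDomainMask accepts any server name; the function names and finding codes are made up for illustration.

```python
# Constructed samples: the [Security] groups posted in #1 and #5, placeholders kept.
POST_1 = """[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@[domain]
EAP-PEAP-CACert=/etc/ca-certificates/trust-source/anchors/[CACert].crt
EAP-PEAP-ServerDomainMask=radius.[domain]
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=[username]@[domain]
EAP-PEAP-Phase2-Password=[password]
"""
POST_5 = """[Security]
EAP-Method=PEAP
EAP-Identity=anonymous
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=YOUR_USERNAME_WITHOUT_@DOMAIN_NAME.COM
EAP-PEAP-Phase2-Password-Hash=YOUR_HASH
"""

def security_keys(text):
    """Parse an iwd profile and return the key/value pairs of its [Security] group."""
    keys, group = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]          # group header, e.g. [Security] or [Settings]
        elif group == "Security" and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            keys[key.strip()] = value.strip()
    return keys

def audit(text):
    """Return finding codes for a PEAP profile (hypothetical codes, not iwd output)."""
    sec, findings = security_keys(text), []
    if sec.get("EAP-Method") != "PEAP":
        return ["not-peap"]                    # checks below only apply to PEAP
    if not sec.get("EAP-PEAP-CACert"):
        findings.append("no-cacert")           # server certificate chain not verified
    if not sec.get("EAP-PEAP-ServerDomainMask"):
        findings.append("no-domain-mask")      # any server name in the cert accepted
    if "EAP-PEAP-Phase2-Password" in sec:
        findings.append("plaintext-password")  # cleartext secret in the profile file
    outer = sec.get("EAP-Identity")
    if outer and outer == sec.get("EAP-PEAP-Phase2-Identity"):
        findings.append("outer-identity")      # real username sent outside the tunnel
    return findings

if __name__ == "__main__":
    for name, profile in (("#1", POST_1), ("#5", POST_5)):
        print(name, audit(profile) or "no findings")
```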
