I'm attempting to connect to eduroam WiFi using iwd. Following the Arch Wiki on iwd, specifically the section on eduroam, I created a configuration file with the usual content:
$ cat /var/lib/iwd/eduroam.8021x
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@[domain]
EAP-PEAP-CACert=/etc/ca-certificates/trust-source/anchors/[CACert].crt
EAP-PEAP-ServerDomainMask=radius.[domain]
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=[username]@[domain]
EAP-PEAP-Phase2-Password=[password]
[Settings]
AutoConnect=true
The specific settings were taken from the relevant configuration tool, as is the CA certificate. Now, attempting to connect via iwd simply throws me an error:
$ iwctl station wlan0 connect eduroam
Operation failed
The relevant journal log seems to indicate what's going on. The error message below is repeated several times.
$ journalctl -u iwd.service | tail
(...)
May 25 13:08:05 arch iwd[2674]: EAP completed with eapFail
May 25 13:08:05 arch iwd[2674]: EAP negotiation stopped after the Identity exchange, this can happen when the EAP-Identity value is not what the authenticator expects
May 25 13:08:05 arch iwd[2674]: 4-Way handshake failed for ifindex: 5, reason: 23
Although I don't know what the ifindex and reason stand for, the second message seems explicit enough: there's something wrong with the EAP-Identity value. But more than that I do not know.
Last edited by Granheim (2021-05-25 11:45:58)
can you try EAP-Identity=anonymous without the @[domain]
> can you try EAP-Identity=anonymous without the @[domain]
I had already tried to vary the EAP-Identity to some random things (disregarding what's specified in the configuration tool) including 'anonymous' --- it produces the same error.
Here's a quick update on the situation. To put it short, the problems persist.
I am fairly sure that the problem is not related to the EAP-Identity. I've attempted various alternatives including a non-anonymous identity, and even attempted to leave it out completely. The error message is always the same.
The location of the CA certificate is not a problem either. I've put the certificate in the config file but it produces the same error. However, the error changes when purposely adding a typo into the certificate, so it is clear that the certificate is being read correctly.
Everything is left unblocked by rfkill in case anyone suspects that to be an issue.
A further indication might be to look closer into this "ifindex: 5, reason: 23", which is given as a reason for why the handshake is failing. But I'm struggling to find out what that means. (Googling "ifindex: 5, reason: 23" literally only yields this thread.) Could anyone give me some pointers on this?
Last edited by Granheim (2021-06-02 15:29:52)
Hey Granheim,
> ... I'm struggling to find out what that means. (Googling "ifindex: 5, reason: 23" literally only yields this thread.)
ifindex represents your interface index (network interface). In your case, it's the 5th interface. You can check using:
ip a
If you try to enclose in double quotes "reason: 23" with iwd in your Google query, you should see more results.
To solve this issue which I faced as well, I had to omit my email extension from EAP-Identity and EAP-PEAP-Phase2-Identity. Here's a working config for me:
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=YOUR_USERNAME_WITHOUT_@DOMAIN_NAME.COM
EAP-PEAP-Phase2-Password-Hash=YOUR_HASH
[Settings]
AutoConnect=true
Hope this helps.
Cheers.
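An added example, not part of the thread or of iwd: a small Python check that reads an iwd 802.1X profile and reports settings that weaken a PEAP connection, such as the EAP-PEAP-CACert and EAP-PEAP-ServerDomainMask lines that the first profile in this thread has and the last one omits. The function name `audit_peap_profile` and the two sample profiles (rebuilt from the posts above, with their placeholders) are constructed for illustration.

```python
import configparser

# Key names as they appear in the two profiles posted in this thread.
CA_KEY = "EAP-PEAP-CACert"
MASK_KEY = "EAP-PEAP-ServerDomainMask"
PW_KEY = "EAP-PEAP-Phase2-Password"

# Constructed sample input: the profile from the first post.
FIRST_POST = """[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@[domain]
EAP-PEAP-CACert=/etc/ca-certificates/trust-source/anchors/[CACert].crt
EAP-PEAP-ServerDomainMask=radius.[domain]
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=[username]@[domain]
EAP-PEAP-Phase2-Password=[password]
"""
# Constructed sample input: the profile from the last post.
LAST_POST = """[Security]
EAP-Method=PEAP
EAP-Identity=anonymous
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=YOUR_USERNAME_WITHOUT_@DOMAIN_NAME.COM
EAP-PEAP-Phase2-Password-Hash=YOUR_HASH
"""

def audit_peap_profile(text):
    """Return a list of findings for an iwd .8021x profile given as text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as written in the file
    cp.read_string(text)
    if not cp.has_section("Security"):
        return ["no [Security] section"]
    sec = cp["Security"]
    findings = []
    if not sec.get(CA_KEY):
        findings.append(f"{CA_KEY} missing: server certificate is not verified")
    if not sec.get(MASK_KEY):
        findings.append(f"{MASK_KEY} missing: server name is not checked")
    if sec.get(PW_KEY):
        findings.append(f"{PW_KEY} stores the password in plaintext")
    outer = sec.get("EAP-Identity", "")
    if outer and outer == sec.get("EAP-PEAP-Phase2-Identity", ""):
        findings.append("EAP-Identity equals the inner identity: username is sent outside the tunnel")
    return findings

if __name__ == "__main__":
    for name, profile in (("first post", FIRST_POST), ("last post", LAST_POST)):
        print(name, audit_peap_profile(profile))
```
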