
#1 2021-10-16 13:42:41

bugboyz
Member
Registered: 2021-02-08
Posts: 6

[SOLVED] iwd, can't connect to WPA Enterprise EAP-PEAP

Hi!
I'm trying to connect to my university Wi-Fi with no success.
Here are the instructions given for Ubuntu (this PDF is in Italian, but the only part that really matters is the image on the 5th page, which is self-explanatory).
I found it easy to copy the settings to iwd thanks to the wiki, but it fails to connect.
In journalctl I see this error: `Failed to load <path-to-CA-certificate>`.
I tried converting the certificate from DER to PEM, but the error didn't change.
I also tried commenting out the certificate line in the Wi-Fi config file. As a result iwctl asks for my username and password, but after that it isn't able to give me an IP;
in this case in journalctl I see this error:
```
4-Way handshake failed for ifindex: 5, reason: 15
EAP negotiation stopped after the Identity exchange, this can happen when the EAP-Identity value is not what the authenticator expects
```
(Yes, I'm sure I have entered the correct username and password.)

Last edited by bugboyz (2021-10-23 07:39:20)


#2 2021-10-16 15:26:06

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [SOLVED] iwd, can't connect to WPA Enterprise EAP-PEAP

For the first part I suggest you try the cert embedded like this: (or put it in a path readable by iwd, i.e. /var/lib/iwd)

```ini
# Note: The lines starting with # are ignored. To enable any of the
# configuration options below, remove # from the beginning of a respective line.

[Security]

EAP-Method=PEAP

# Uncomment to provide the anonymous identity.
#EAP-Identity=<anonymous identity>

# validate the server's certificate by checking it was
# signed by this CA.
EAP-PEAP-CACert=embed:digicert_ca_cert

EAP-PEAP-Phase2-Method=MSCHAPV2

# Uncomment to provide EAP-MSCHAPV2 Identity and Password. These fields are mandatory and
# if left out, will be requested by iwd at the connection time.
#EAP-PEAP-Phase2-Identity=<username>
#EAP-PEAP-Phase2-Password=<password>

[@pem@digicert_ca_cert]
-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
-----END CERTIFICATE-----
```

I don't know what to do about the handshake failure, though. Maybe try setting an anonymous identity (try anonymous@... with either ...@studio.unibo.it or ...@unibo.it; alternatively declare it but leave it empty, or use the same value as for the PEAP identity). You could also try putting the username and password in the config file as well for testing purposes.
Edit: Some notes about EAP-Identity:

https://iwd.wiki.kernel.org/networkconfigurationsettings wrote:

EAP-Identity (text)

EAP identity/username string transmitted in plaintext. No default; if not provided, IWD will request a username at connection time. See RFC 5216 Section 5.2 for requirements on peer identity with regard to client certificate contents.
Note: when adapting wpa_supplicant configurations, you may need to explicitly copy the value of the secure identity here if required by a poorly configured WPA-Enterprise network – wpa_supplicant silently falls back to the value of identity for anonymous_identity, an undocumented feature/bug. IWD doesn't do that to avoid exposing the value in plaintext; the user needs to explicitly set it.

Last edited by progandy (2021-10-16 15:36:47)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#3 2021-10-17 14:24:23

bugboyz
Member
Registered: 2021-02-08
Posts: 6

Re: [SOLVED] iwd, can't connect to WPA Enterprise EAP-PEAP

Thank you for the suggestions; tomorrow I'll try them.

progandy wrote:

You could also try to put username and password in the config file as well for testing purposes.

I've also tried this, but the error changed depending on whether the certificate line was commented out or not (as described in the first post).


#4 2021-10-18 12:21:02

ikana
Member
Registered: 2021-10-18
Posts: 1

Re: [SOLVED] iwd, can't connect to WPA Enterprise EAP-PEAP

I suppose you are referring to the eduroam Wi-Fi.
I also failed to connect to eduroam with the certificate given by my uni.
In the end, I achieved a connection with the following config in /var/lib/iwd/eduroam.8021x:

```ini
[Security]
EAP-Method=TTLS
EAP-Identity=anonymous@<uni.tld>
EAP-TTLS-Phase2-Method=Tunneled-PAP
EAP-TTLS-Phase2-Identity=<id>@<uni.tld>
EAP-TTLS-Phase2-Password=<password>

[Settings]
Autoconnect=true
```

If you use NetworkManager in front of iwd, I would first delete any previous "eduroam" connection in nm-connection-editor before modifying the file, then re-create the eduroam connection.

Source (fr): https://xieme-art.org/post/se-connecter … -avec-iwd/

Hope it helps.
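As an added example (not from this thread and not part of iwd), here is a small Python checker for iwd `.8021x` files that flags the two failure modes discussed above, a CA certificate iwd cannot load and a missing outer EAP-Identity, for both the PEAP layout in #2 and the TTLS layout in #4. The parser, `check_config`, and the values in `SAMPLE` are hypothetical; the only iwd conventions relied on are the `embed:` reference and the `[@pem@name]` section shown in #2.

```python
import os

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Constructed sample (hypothetical values): PEAP with an embedded fake CA and
# a Phase2 identity, but no outer EAP-Identity.
SAMPLE = """[Security]
EAP-Method=PEAP
EAP-PEAP-CACert=embed:uni_ca
EAP-PEAP-Phase2-Identity=student@uni.example
[@pem@uni_ca]
-----BEGIN CERTIFICATE-----
MIIBfakebase64forillustrationonly==
-----END CERTIFICATE-----
"""

def parse_iwd_config(text):
    # {section: {key: value}}; [@pem@name] sections keep their raw lines
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # iwd ignores blank and commented lines
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = [] if current.startswith("@pem@") else {}
        elif isinstance(sections.get(current), list):
            sections[current].append(line)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_config(text, file_exists=os.path.isfile):
    cfg = parse_iwd_config(text)
    sec = cfg.get("Security", {})
    method = sec.get("EAP-Method")
    if method not in ("PEAP", "TTLS"):
        return ["EAP-Method must be PEAP or TTLS for this check"]
    problems, ca = [], sec.get(f"EAP-{method}-CACert")
    if ca is None:
        problems.append("no CACert: the server certificate will not be validated")
    elif ca.startswith("embed:"):
        pem = cfg.get("@pem@" + ca[len("embed:"):], [])
        if pem[:1] != [BEGIN] or pem[-1:] != [END]:
            problems.append(f"embedded section for '{ca}' missing or not PEM")
    elif not file_exists(ca):
        problems.append(f"CACert '{ca}' not readable; try a PEM under /var/lib/iwd")
    if f"EAP-{method}-Phase2-Identity" in sec and "EAP-Identity" not in sec:
        problems.append("EAP-Identity not set: iwd does not derive it from the Phase2 identity")
    return problems
```

Run it as `check_config(open("/var/lib/iwd/eduroam.8021x").read())` to get the list of problems for a real file; an empty list means the CA reference resolves and the outer identity is set.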


#5 2021-10-23 07:37:21

bugboyz
Member
Registered: 2021-02-08
Posts: 6

Re: [SOLVED] iwd, can't connect to WPA Enterprise EAP-PEAP

Thank you for all your help.

ikana wrote:

I suppose you are refering to the eduroam wifi.

In my university there are two Wi-Fi networks: one for people from my uni and eduroam for people from other universities.
Anyway, I solved my issue by installing networkmanager and nm-connection-editor.
