You are not logged in.
My school uses an EAP-TTLS authentication to connect to the campus wireless network. Unfortunately, they provide exactly zero support for Linux (you'd expect more diversity from an engineering college, wouldn't you?).
My problem is that when using wpa_supplicant, it appears to successfully authenticate, then hangs for about two minutes before timing out and repeating from the beginning. The following is a log of my invokation and two or three iterations before I broke it with ctrl+c.
[corey@sariss ~]$ sudo wpa_supplicant -Dwext -ieth1 -c /etc/wpa_supplicant.conf
Trying to associate with 00:0c:e6:0d:66:5f (SSID='hornet' freq=2412 MHz)
Associated with 00:0c:e6:0d:66:5f
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data err
or:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Authentication with 00:0c:e6:0d:66:5f timed out.
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
Trying to associate with 00:0c:e6:0d:66:5f (SSID='hornet' freq=2412 MHz)
Associated with 00:0c:e6:0d:66:5f
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data err
or:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Authentication with 00:0c:e6:0d:66:5f timed out.
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
Trying to associate with 00:0c:e6:0d:66:5f (SSID='hornet' freq=2412 MHz)
Associated with 00:0c:e6:0d:66:5f
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data err
or:00000000:lib(0):func(0):reason(0)
^CCTRL-EVENT-TERMINATING - signal 2 receivedThey provided two .cer certification files, which I was able to convert to .pem using
openssl x509 -in thawte.cer -inform d -out /etc/ca-certificates/thawte.pem
openssl x509 -in radius.xxxx.edu.cer -inform d -out /etc/ca-certificates/radius.xxxx.edu.pemUnfortunately, I have no clue of the purpose of radius.xxxx.edu.pem is, so I've been using the thawte.pem certificate. Finally, here is the profile in /etc/wpa_supplicant.conf.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
#ap_scan=1
network={
ssid="hornet"
key_mgmt=WPA-EAP
eap=TTLS
identity="xxxxxxxx@xxxx.edu"
anonymous_identity="xxxxxxxx@xxxx.edu"
password="xxxxxxxx"
ca_cert="/etc/ca-certificates/thawte.pem"
# ca_cert="/etc/ca-certificats/radius.xxxx.edu.pem"
# priority=2
}I'd greatly appreciate any ideas as to what I've done wrong. Many thanks!
[edit] Also I should mention that I'm perfectly capable of connecting to two different home networks which use WPA2-AES, so wpa_supplicant is [working... I just don't know how to handle certificates properly, I guess.
Last edited by cmtptr (2008-11-13 20:32:14)
Offline
http://linux.die.net/man/5/wpa_supplicant.conf
I have no experience whatsoever with certificates, but on the above page I see two differences with your setup:
1. not only ca_cert is defined, but also client_cert - probably one of the certificates that is distributed should be considered a client certificate and the other the ca-certificate.
2 I see other switches used to convert the certificate to .pem. I even see different switches to convert it to ca_cert as to convert it to client_cert
HTH
Zl.
Offline
I have the same problem, my school network, eduroam, is secured with eap-ttls, but there is no certificate. Im going to the servicedesk this afternoon.
Offline
Well, I'm an idiot. I should have done this in the first place: Googled for 'ssid="hornet"'
Turns out my school has a wiki which I had no knowledge of whatsoever. And in this wiki happened to be detailed wpa_supplicant configuration to connect to the campus wireless... and it works.
Thanks for each of your responses. Zenlord, I experimented with some of the switches you pointed out, but unfortunately each of them failed with my given certificates. The switches I originally posted seemed to be the only ones that were successful.
Thanks again.
Offline