
Opened 11 years ago

Last modified 22 months ago

#2069 reopened defect

802.1x authentication for wpa_supplicant on Atheros chips

Reported by: wwwforms@… Owned by: florian
Priority: low Milestone: Barrier Breaker 14.07
Component: packages Version: Trunk
Keywords: 802.1x wpa_supplicant Cc:

Description

Hi all,

I just wanted to ask for the implementation of 802.1x authentication based on wpa_supplicant for Atheros-based WLAN cards.

I actually tried to implement the following (taken from my wpa_supplicant.conf)

network={
    ssid="uniwlan1x"
    scan_ssid=1
    key_mgmt=IEEE8021X
    eap=TTLS
    anonymous_identity="anonymous"
    phase2="auth=PAP"
    identity="USERNAME"
    password="MyPASSWORD"
}

into /etc/config/wireless

config wifi-iface
    option device wifi0
    option network wan
    option mode sta
    option hidden 0
    option ssid uniwlan1x
    option scan-ssid 1
    option key-mgmt IEEE8021X
    option eap TTLS
    option anonymous-identity anonymous
    option phase2 auth=PAP
    option identity USER
    option password MyPass

But I got many warnings about unsupported options.

So I would like to vote for implementation of 802.1x authentication for wpa_supplicant.

(by the way, I used Kamikaze 7.06 on a wgt634u [brcm47xx-2.6])

Thanks for implementing this.

regards
Bjoern

Attachments (0)

Change History (25)

comment:1 Changed 11 years ago by wwwforms@…

Oh, a mistake: could you please change Type from "defect" to "enhancement"?

thanks
Bjoern

comment:2 Changed 11 years ago by nbd

  • Milestone changed from Kamikaze 7.07 to Kamikaze
  • Priority changed from normal to low

comment:3 Changed 9 years ago by florian

  • Owner changed from developers to florian
  • Status changed from new to assigned

comment:4 Changed 9 years ago by florian

  • Resolution set to fixed
  • Status changed from assigned to closed

Fixed with [12283].

comment:5 Changed 4 years ago by valent.turkovic@…

  • Resolution fixed deleted
  • Status changed from closed to reopened

eduroam with TTLS is not working for me; after troubleshooting for a few days of guessing I give up. There is not enough documentation regarding TTLS, and all guides just use wpa_supplicant with its config file, and nobody uses wpad and the /etc/config/wireless config file!

I have created custom firmware that replaces wpad-mini with wpad package.

Here is how my config looks:

[code]
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option hwmode '11ng'
    option path 'platform/ar933x_wmac'
    option htmode 'HT20'
    list ht_capab 'SHORT-GI-20'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'RX-STBC1'
    list ht_capab 'DSSS_CCK-40'
    option disabled '0'

config wifi-iface
    option device 'radio0'
    option network 'wan'
    option mode 'sta'
    option ssid 'eduroam'
    option eap_type 'TTLS'
    option phase2 'auth=PAP'
    option identity 'username'
    option password 'password'
    option ca_cert '/root/deutsche-telekom-root-ca-2.crt'
    option anonymous_identity 'anonymous@…'
[/code]

But this doesn't work. I guess I'm not far from the right solution, but I'm just not seeing it.

The wpa_supplicant config works without issues, and here is how it looks:
[code]
ctrl_interface=/var/run/wpa_supplicant
fast_reauth=1

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@…"
    identity="username"
    password="password"
    ca_cert="/root/deutsche-telekom-root-ca-2.crt"
    phase1="peaplabel=0"
    phase2="auth=PAP"
}
[/code]

comment:6 Changed 4 years ago by nbd

Missing 'option encryption wpa' in the wifi-iface section

comment:7 Changed 4 years ago by valent.turkovic@…

Now I see complaints in logread that the passphrase for wpa (psk) is too short; it is zero characters (i.e. it is missing) and that confuses OpenWrt...

Mon Jul 7 22:41:12 2014 daemon.notice netifd: radio0 (684): Successfully initialized wpa_supplicant
Mon Jul 7 22:41:12 2014 daemon.notice netifd: radio0 (684): Line 6: Invalid passphrase length 0 (expected: 8..63) '"'.
Mon Jul 7 22:41:12 2014 daemon.notice netifd: radio0 (684): Line 6: failed to parse psk '""'.
Mon Jul 7 22:41:12 2014 daemon.notice netifd: radio0 (684): Line 8: failed to parse network block.
Mon Jul 7 22:41:12 2014 daemon.notice netifd: radio0 (684): Failed to read or parse configuration '/var/run/wpa_supplicant-wlan0.conf'.
Mon Jul 7 22:41:12 2014 daemon.notice netifd: radio0 (684): cat: can't open '/var/run/wpa_supplicant-wlan0.pid': No such file or directory
Mon Jul 7 22:41:12 2014 daemon.notice netifd: radio0 (684): Command failed: Invalid argument
Mon Jul 7 22:41:12 2014 daemon.notice netifd: radio0 (684): Interface 0 setup failed: WPA_SUPPLICANT_FAILED

Here is how my current wifi config looks:

config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option hwmode '11ng'
    option path 'platform/ar933x_wmac'
    option htmode 'HT20'
    list ht_capab 'SHORT-GI-20'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'RX-STBC1'
    list ht_capab 'DSSS_CCK-40'
    option disabled '0'
    option txpower '27'
    option country 'HR'

config wifi-iface
    option device 'radio0'
    option network 'wan'
    option mode 'sta'
    option ssid 'eduroam'
    option eap_type 'TTLS'
    option identity 'username'
    option password 'password'
    option phase2 'auth=PAP'
    option anonymous_identity 'anonymous@…'
    option encryption 'psk'

comment:8 Changed 4 years ago by nbd

please read again what i wrote above and compare it with what you put in your config ;)

comment:9 Changed 4 years ago by valent.turkovic@…

Ok, getting closer :) I was also missing the line "option key_mgmt".

Now my wireless config looks like this:

config wifi-iface
    option device 'radio0'
    option network 'wan'
    option mode 'sta'
    option encryption 'wpa'
    option key 'none'
    option ssid 'eduroam'
    option key_mgmt 'WPA-EAP'
    option eap_type 'TTLS'
    option anonymous_identity 'anonymous@…'
    option identity 'username'
    option password 'password'
    option ca_cert '/root/deutsche-telekom-root-ca-2.crt'
    option phase2 'PAP'

But I still get errors and disconnects!

[ 556.330000] wlan0: authenticate with 00:22:91:76:xx:xx
[ 556.340000] wlan0: send auth to 00:22:91:76:xx:xx (try 1/3)
[ 556.340000] wlan0: authenticated
[ 556.350000] ath9k ar933x_wmac wlan0: disabling HT/VHT due to WEP/TKIP use
[ 556.360000] wlan0: associate with 00:22:91:76:xx:xx (try 1/3)
[ 556.360000] wlan0: RX AssocResp from 00:22:91:76:xx:xx (capab=0x431 status=0 aid=47)
[ 556.370000] wlan0: associated
[ 579.170000] wlan0: deauthenticated from 00:22:91:76:xx:xx (Reason: 0)

But it looks like most of the options get removed when they are parsed into /var/run/wpa_supplicant-wlan0.conf! Why?!?

Here is how it looks:

cat /var/run/wpa_supplicant-wlan0.conf

network={
    scan_ssid=1
    ssid="eduroam"
    key_mgmt=WPA-EAP
    ca_cert="/root/deutsche-telekom-root-ca-2.crt"
    identity="username"
    phase2="MSCHAPV2"
    password="password"
    eap=TTLS
    proto=WPA
}

Why is it MSCHAPV2 when I explicitly put PAP into the config?!? Why is anonymous_identity missing completely?

comment:10 Changed 4 years ago by nbd

  • Resolution set to worksforme
  • Status changed from reopened to closed

comment:11 Changed 4 years ago by valent.turkovic@…

  • Resolution worksforme deleted
  • Status changed from closed to reopened

Thanks for your insight. Yes, I had one error; after I fixed "option phase2 'PAP'" to "option auth 'PAP'", that option is now there in the parsed wpa_supplicant config.

But this is still not a fully implemented feature, because there is no support for "anonymous_identity".

I have searched OpenWrt source code and there is no mention of it:
http://git.openwrt.org/?p=openwrt.git&a=search&h=2b38b9a3e63e5a8be3aad3edca2918880ecf327f&st=commit&s=anonymous_identity

If you look at the first comment, you will see that the original author also asked for this, so this ticket can't be closed as "works for me".

It also "works for me" if I use my eduroam credentials at my local institution, but if I go outside my local institution then I need "anonymous_identity", because without it I can't connect.

Which file does the parsing? Where this option should be added?

comment:12 Changed 4 years ago by valent.turkovic@…

Is the package/network/services/hostapd/files/wpa_supplicant.sh file responsible for creating /var/run/wpa_supplicant-wlan0.conf?

I have found this in source:
http://git.openwrt.org/?p=openwrt.git;a=blob;f=package/network/services/hostapd/files/wpa_supplicant.sh;h=127c5a70f511a92a1ce2da6b5859981f4341e266;hb=2b38b9a3e63e5a8be3aad3edca2918880ecf327f#l157

There is no line for anonymous_identity; is this the right place to add it? I tried it on my Carambola2 running OpenWrt, but I still get no anonymous_identity even after hard-adding the variable, so how do I enable /var/run/wpa_supplicant-wlan0.conf to have the anonymous_identity option?

Can you please guide me in the right direction?

comment:13 Changed 4 years ago by valent.turkovic@…

This could be the right location to add parameters:
http://git.openwrt.org/?p=openwrt.git;a=blob;f=package/network/services/hostapd/files/netifd.sh;hb=e448546005c2db6885f9d8c88c65d8232734ca5c#l562

I added my own line after $network_data in /lib/netifd/hostapd.sh file and next time I started network that line was added to /var/run/wpa_supplicant-wlan0.conf

comment:14 Changed 4 years ago by valent.turkovic@…

Is wired authentication supported in OpenWrt?

I got this manually to work:

wpa_supplicant -i eth0.1 -D wired -c /etc/config/wpa.conf

cat /etc/config/wpa.conf

ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TTLS
    identity="s0xxxxxx@1x"
    anonymous_identity="s0xxxxxx@1x"
    password="xxxxxxxxx"
    phase2="auth=PAP"
}

How do I edit /etc/config/network in order to get eduroam to work on a wired interface?

comment:15 Changed 4 years ago by jow

  • Version set to Trunk

Nope, wired is not covered by uci atm.

comment:16 Changed 4 years ago by valent.turkovic@…

To summarize... here is how my wireless config file looks:

config wifi-device 'radio0'
    option type 'mac80211'
    option hwmode '11ng'
    option path 'platform/ar933x_wmac'
    option htmode 'HT20'
    list ht_capab 'SHORT-GI-20'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'RX-STBC1'
    list ht_capab 'DSSS_CCK-40'
    option disabled '0'
    option channel '8'
    option country 'DE'
    option txpower '20'

config wifi-iface
    option device 'radio0'
    option network 'wifi'
    option mode 'sta'
    option ssid 'eduroam'
    option encryption 'wpa'
    option key 'none'
    option eap_type 'ttls'
    option identity 'username'
    option password 'password'
    option auth 'PAP'
    option anonymous_identity 'anonymous@…'
    option key_mgmt 'WPA-EAP'
    option ca_cert '/etc/config/DeutscheTelekomRootCA2'

and this config file gets generated in /var/run/wpa_supplicant-wlan0.conf:

network={
    scan_ssid=1
    ssid="eduroam"
    key_mgmt=WPA-EAP
    ca_cert="/etc/config/DeutscheTelekomRootCA2"
    identity="username"
    phase2="PAP"
    password="password"
    eap=TTLS
    proto=WPA
}

The missing part that the current uci system doesn't support is "option anonymous_identity".

Can you please add this option to uci?

comment:17 Changed 4 years ago by valent.turkovic@…

I had one wrong line in config.

instead of:
option auth 'PAP'

it should have been:
option auth 'auth=PAP'

comment:18 Changed 4 years ago by valent.turkovic@…

How about changing the uci config so it is

option phase2 'auth=PAP'

instead of:
option auth 'auth=PAP'

Two "auth" in one line is probably not ideal; what do you think?
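The mapping this thread works out by trial and error (UCI wifi-iface options to the network={} block in /var/run/wpa_supplicant-wlan0.conf), as an added example that is not OpenWrt's netifd/hostapd.sh code: a small POSIX shell renderer that emits the phase2="auth=PAP" form and the anonymous_identity line the ticket asks for, followed by a lint that flags the pitfalls hit in comments 7, 9 and 16. The argument order, the 'auth=' normalisation and the realm anonymous@example.org are assumptions made for this example; the real script reads UCI and may map names differently. The two security checks rest on documented wpa_supplicant behaviour: when ca_cert is unset the server certificate is not verified, so the tunnelled PAP password would be handed to any AP that beacons the SSID, and the outer EAP-Identity is sent before the TLS tunnel exists, so without anonymous_identity the real username crosses the air in the clear.

```shell
#!/bin/sh
# Added example, not OpenWrt's netifd/hostapd.sh: render the network={}
# block that /var/run/wpa_supplicant-wlan0.conf needs from UCI-style
# wifi-iface values, with the two things the thread had to discover
# (phase2 must read auth=PAP, and anonymous_identity must be emitted),
# then lint the result for the pitfalls hit along the way.
# Argument order and the 'auth=' normalisation are assumptions for this
# example; the real script reads UCI and may map names differently.

# render_network SSID EAP_TYPE AUTH IDENTITY PASSWORD CA_CERT ANON_IDENTITY
# Empty CA_CERT / ANON_IDENTITY mean "option not set in /etc/config/wireless".
render_network() {
    ssid=$1 eap_type=$2 auth=$3 identity=$4 password=$5 ca_cert=$6 anon=$7

    # wpa_supplicant wants eap=TTLS (upper case); comment:16 wrote 'ttls'.
    eap=$(printf '%s' "$eap_type" | tr '[:lower:]' '[:upper:]')

    # Accept both 'PAP' and 'auth=PAP' (comment:17/18) and always emit the
    # auth= form, which is what wpa_supplicant parses for TTLS.
    case "$auth" in
        "")               phase2= ;;
        auth=*|autheap=*) phase2=$auth ;;
        *)                phase2="auth=$auth" ;;
    esac

    printf 'network={\n'
    printf '\tscan_ssid=1\n'
    printf '\tssid="%s"\n' "$ssid"
    printf '\tkey_mgmt=WPA-EAP\n'
    printf '\tproto=WPA RSN\n'
    printf '\teap=%s\n' "$eap"
    [ -n "$ca_cert" ] && printf '\tca_cert="%s"\n' "$ca_cert"
    [ -n "$anon" ]    && printf '\tanonymous_identity="%s"\n' "$anon"
    printf '\tidentity="%s"\n' "$identity"
    printf '\tpassword="%s"\n' "$password"
    [ -n "$phase2" ]  && printf '\tphase2="%s"\n' "$phase2"
    printf '}\n'
}

# conf_val KEY: print KEY's value (quotes stripped) from a block on stdin.
conf_val() { sed -n "s/^[[:space:]]*$1=//p" | tr -d '"'; }

# lint_network: read a rendered block on stdin, print one line per problem.
# Returns 0 when clean, 1 when anything was flagged.
lint_network() {
    conf=$(cat)
    rc=0
    eap=$(printf '%s\n' "$conf" | conf_val eap)
    phase2=$(printf '%s\n' "$conf" | conf_val phase2)
    ident=$(printf '%s\n' "$conf" | conf_val identity)
    anon=$(printf '%s\n' "$conf" | conf_val anonymous_identity)
    ca_cert=$(printf '%s\n' "$conf" | conf_val ca_cert)

    case "$eap" in
        TTLS|PEAP)
            # With ca_cert unset wpa_supplicant does not verify the server
            # certificate, so the tunnelled PAP/MSCHAPv2 password would be
            # handed to any AP that beacons the SSID with a cert of its own.
            if [ -z "$ca_cert" ]; then
                echo "WARN no ca_cert: inner password exposed to rogue APs"; rc=1
            fi
            # comment:9/17: phase2="PAP" is not the form TTLS expects.
            case "$phase2" in
                auth=*|autheap=*) ;;
                *) echo "WARN phase2 must be auth=... or autheap=... (got '$phase2')"; rc=1 ;;
            esac
            ;;
    esac
    # The outer EAP-Identity is sent before the TLS tunnel exists, and eduroam
    # routes on its realm: send anonymous@realm, not the real user.
    if [ -z "$anon" ]; then
        echo "WARN no anonymous_identity: real username sent in the clear"; rc=1
    elif [ "$anon" = "$ident" ]; then
        echo "WARN anonymous_identity equals identity: username still leaks"; rc=1
    fi
    return "$rc"
}

# Stand-alone demo: the comment:16 eduroam block (clean) and a block with the
# options the thread initially left out. The realm is constructed, not real.
demo() {
    good=$(render_network eduroam ttls PAP username password \
        /etc/config/DeutscheTelekomRootCA2 anonymous@example.org)
    printf '%s\n' "$good"
    printf '%s\n' "$good" | lint_network && echo "clean"
    render_network eduroam TTLS MSCHAPV2 username password '' '' | lint_network \
        || echo "flagged (exit $?)"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh render.sh demo` to see the rendered block and the lint output for both cases. The lint also catches the comment:9 situation where phase2 came out as "MSCHAPV2" without the auth= prefix, which is why that block silently fell back to whatever the server offered.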

comment:19 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

comment:20 follow-up: Changed 3 years ago by florian

Valent, can you submit a patch fixing this?

comment:21 Changed 2 years ago by messlakai@…

Hi all,

have you found a solution that works? Because at version /chaos_calmer/15.05/brcm2708/bcm2709/packages/base/ I have the same problem??? "option anonymous_identity 'anonymous@…'" is not working up to now. Any idea?

Winni

comment:22 Changed 2 years ago by anonymous

I have exactly the same issues - have a working wpa_supplicant but can't get a good wireless config. Here is the wpa config in case it helps; launch is from /etc/rc.local with wpad: wpa_supplicant -B -d -K -iwlan0 -c /root/wpa_work.conf, which feels a bit lame....

network={
    ssid="SSIDHERE"
    scan_ssid=1
    priority=100
    mode=0
    proto=WPA RSN
    key_mgmt=WPA-EAP
    auth_alg=OPEN SHARED LEAP
    eap=TLS
    identity="support@…"
    anonymous_identity="support@…"
    client_cert="/root/Certificates/support.pem"
    private_key="/root/Certificates/support.key"
    private_key_passwd="KEYPASSWORDHERE"
    eapol_flags=3
    eap_workaround=0
}

comment:23 Changed 2 years ago by anonymous

Otherwise loving OpenWrt!!!! - Thanks for all the hard work!

comment:24 in reply to: ↑ 20 Changed 2 years ago by valentt

Replying to florian:

Valent, can you submit a patch fixing this?

Florian it has been months since I last looked at this...
Can you just point me in the right direction?

Is parsing happening in only one script, or is the mechanism a bit more complicated?

If you confirm which file is responsible for parsing I'll try to do my best and write up my first OpenWrt patch. I just need a bit of mentoring to make sure I'm doing the right thing.

comment:25 Changed 22 months ago by soma

I had the same problem with anonymous_identity. There is a patch at https://patchwork.ozlabs.org/patch/607495/ that adds it to the netifd script (confusingly in hostapd.sh). Another patch at https://patchwork.ozlabs.org/patch/607496/ adds support for the option to LuCI. Both look good to me; the first one is exactly the same as I was going to submit until I searched for it in the bug tracker.
