3

I'm working on a Raspberry Pi 3B+ and I'm trying to connect to a WPA-EAP network. I managed to connect successfully using PEAP with the following configuration:

network={
   ssid="whatever"
   scan_ssid=1
   key_mgmt=WPA-EAP
   eap=PEAP
   identity="whatever2"
   password="whatever3"
   phase2="auth=MSCHAPV2"
}

I monitored the FreeRadius log and no problem, connection established with Internet access using the following command:

$ sudo wpa_supplicant -iwlan0 -cpeap.conf

Then I tried to connect using IEEE8021X with certificates and I'm using the following configuration:

eapol_version=1

network={
   ssid="whatever"
   scan_ssid=1
   key_mgmt=IEEE8021X
   eap=TLS
   identity="whatever2"
   client_cert="DEVICE1_cert.pem"
   private_key="DEVICE1_key.pem"
   private_key_passwd="whatever3"
}

With this configuration I'm not even getting a request on my radius server (no change to the logs whatsoever). I'm getting the following errors also in the terminal:

$ sudo wpa_supplicant -iwlan0 -c8021.conf
successfully initialized wpa_supplicant
wlan0: Trying to associate with XX:XX:XX:XX:XX:XX (SSID="***" freq=2442 MHz)
wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16
5
  • We are not able to understand what is happening if you do not edit the question and detail the certificates configuration/how they were created both in the FR server and the client side. Commented Jan 29, 2019 at 18:58
  • @RuiFRibeiro I understand, however the freeradius does not even get any packet from the client. How can this be a certificate problem? Commented Jan 29, 2019 at 20:59
  • If somehow the certificates/server is not trusted by the client/OS, it won't send anything. The certificates are there to establish a relation of trust, which obviously has some loose end. Commented Jan 29, 2019 at 21:00
  • 1
    @RuiFRibeiro I'm using two self signed certificates. I don't know how to detail the certificates configuration/how they were created both in the FR server and the client side. What exactly do you need to know about certificates so that I can add it to the question? E.g. the commands that I use to create the certificate? Commented Jan 30, 2019 at 14:27
  • Had something similar. You need to look for logs on the equipment (server) you are connecting to. In my case, it was an access point from Cisco that had to disable the "Aironet Extensions".
    – snex
    Commented Mar 12, 2020 at 16:31

1 Answer

1

I would check to make sure there is no firewall interfering with the communication to the server for TLS on RADIUS. The port is TCP/2083 referenced from here: https://www.rfc-editor.org/rfc/rfc6614 . If you have outbound rules on the client these matter as well.

This, wlan0: CTRL-EVENT-ASSOC-REJECT bssid=00:00:00:00:00:00 status_code=16, being on the client, means that your client has timed out waiting for a frame that never shows up. So the server/AP is either not sending the frame after hearing the request or it never received the request for it.

Does this help:

EAP-TLS

EAP-TLS uses the TLS public key certificate authentication mechanism within EAP to provide mutual authentication of client to server and server to client. With EAP-TLS, both the client and the server must be assigned a digital certificate signed by a Certificate Authority (CA) that they both trust.

Found here: https://www.interlinknetworks.com/app_notes/eap-peap.htm

4
  • I'm pretty sure it's not a firewall issue since WPA-EAP with PEAP works fine with the same exact configuration on the same devices. About the second part of your comment, "Means that your client has timed out waiting for a frame that never shows up.": Does this mean that the freeradius server actually should show some request in the log? Commented Jan 30, 2019 at 4:06
  • Yes, it most certainly does mean that it should, but as you say it hasn't. That means that the attempted communication is either being dropped, lost or corrupted in route hence my firewall theory. Commented Jan 30, 2019 at 5:44
  • EAP-TLS uses the same ports as PEAP. 2083 is used by RADsec, which is something else. Nonetheless, the OP seems more interested in counter-debating what is being said and asked than improving its question to get to the bottom of it. I have had enough of it. Commented Jan 30, 2019 at 7:45
  • 1
    @RuiFRibeiro I'm using two self signed certificates. I don't know how to detail the certificates configuration/how they were created both in the FR server and the client side. What exactly do you need to know about certificates so that I can add it to the question? E.g. the commands that I use to create the certificate? Commented Jan 30, 2019 at 14:23
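
Added example, not part of the original question or answers: a Python lint for the network blocks posted in the question, checking three points documented for wpa_supplicant.conf. These are that key_mgmt=IEEE8021X selects 802.1X without WPA (the working PEAP block uses WPA-EAP), that without ca_cert or ca_path the server certificate is not verified, and that certificate files should be given as full paths. The helper names parse_networks and lint are hypothetical, and the sample input is constructed from the question's EAP-TLS block.

```python
import re

# Added example; helper names are hypothetical. Constructed input: the question's EAP-TLS block.
SAMPLE = """
network={
   ssid="whatever"
   scan_ssid=1
   key_mgmt=IEEE8021X
   eap=TLS
   identity="whatever2"
   client_cert="DEVICE1_cert.pem"
   private_key="DEVICE1_key.pem"
   private_key_passwd="whatever3"
}
"""

def parse_networks(text):
    """Return one dict per network={...} block, with quotes stripped from values."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\s*\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def lint(net):
    """Return findings for one parsed block that uses an EAP method."""
    findings = []
    if not net.get("eap"):
        return findings
    key_mgmt = net.get("key_mgmt", "").split()
    if "IEEE8021X" in key_mgmt and "WPA-EAP" not in key_mgmt:
        findings.append("key_mgmt=IEEE8021X is non-WPA 802.1X; a WPA-Enterprise SSID needs WPA-EAP")
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert/ca_path: the RADIUS server certificate is not verified")
    for key in ("ca_cert", "client_cert", "private_key"):
        path = net.get(key, "")
        if path and not path.startswith(("/", "blob://")):
            findings.append(f"{key}={path} is a relative path; use a full path")
    return findings

if __name__ == "__main__":
    for net in parse_networks(SAMPLE):
        for finding in lint(net):
            print(f'{net.get("ssid")}: {finding}')
```

The same lint run on the question's PEAP block reports only the missing ca_cert, which matters there too because the password is sent to whichever server answers.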
