Maemo 5 - 802.1x PEAP+MSCHAPv2

Sicelo
I need to connect to an enterprise network requiring the use of PEAP+MSCHAPv2. Clients do not need to have a certificate installed. Authentication is via domain username and password. I have tried all the options suggested on talk.maemo.org, and still no luck. Syslog always says 'eap authentication failed.' My username works perfectly on almost any other device.

So I set up FreeRadius on my Debian PC, and set my cheap AP for Radius authentication. N900 still can't connect to this. The FreeRadius log shows an issue with 'bad certificate' whether or not I have the provided certificates on device.

Any ideas would help. I suppose someone has at least once got N900 to connect to such a network via FreeRadius.
_______________________________________________
maemo-users mailing list
[hidden email]
https://lists.maemo.org/mailman/listinfo/maemo-users
Re: Maemo 5 - 802.1x PEAP+MSCHAPv2

Pali Rohár
2014-02-11 19:48 GMT+01:00 Sicelo <[hidden email]>:
> I need to connect to an enterprise network requiring the use of PEAP+MSCHAPv2. Clients do not need to have a certificate installed. Authentication is via domain username and password. I have tried all the options suggested on talk.maemo.org, and still no luck. Syslog always says 'eap authentication failed.' My username works perfectly on almost any other device.
>
> So I set up FreeRadius on my Debian PC, and set my cheap AP for Radius authentication. N900 still can't connect to this. The FreeRadius log shows an issue with 'bad certificate' whether or not I have the provided certificates on device.
>
> Any ideas would help. I suppose someone has at least once got N900 to connect to such a network via FreeRadius.

There was a problem with self-signed certificates and certificates which
did not have their CA stored in maemo certman. I do not remember if this was
fixed or not. Try to check if both the CA and the certificate itself are
installed in Settings --> Certificates.

I do not have any problem with connecting to wifi WPA2 EAP TTLS+GTC or
EAP PEAP+MSCHAPv2. Also try checking syslog, in case Nokia's eapd daemon
wrote an error message.

Another option is to use wpa_supplicant (which is in extras-devel) and
connect manually to the wifi network like on any Linux machine.

I'm using wpa_supplicant for ethernet 802.1X authentication with a USB
ethernet card connected to the N900 in USB host mode and there is no
problem.

--
Pali Rohár
[hidden email]

Re: Maemo 5 - 802.1x PEAP+MSCHAPv2

Sicelo
> There was a problem with self-signed certificates and certificates which
> did not have their CA stored in maemo certman. I do not remember if this was
> fixed or not. Try to check if both the CA and the certificate itself are
> installed in Settings --> Certificates.

Yes, these are installed. Whether or not I have them, I still can't connect.
 
> I do not have any problem with connecting to wifi WPA2 EAP TTLS+GTC or
> EAP PEAP+MSCHAPv2. Also try checking syslog, in case Nokia's eapd daemon
> wrote an error message.

This is the message from eapd:
Feb 11 19:45:26 fremantle icd2 0.87+fremantle10+0m5[1312]: EAP: [9d4b057a-56a6-454f-852c-245c6ff30a55] authentication failed because EAP_FAILED received: EAP authentication failed (com.nokia.icd.error.wlan_authentication_failed)

Would there be some gconf values to edit which could help here?
>
> Another option is to use wpa_supplicant (which is in extras-devel) and
> connect manually to the wifi network like on any Linux machine.
>
> I'm using wpa_supplicant for ethernet 802.1X authentication with a USB
> ethernet card connected to the N900 in USB host mode and there is no
> problem.
>
Would you be able to show me how to do this with the built-in wifi adapter of the N900? I had previously installed wpa_gui, but could never get the card to show. I'm guessing something keeps it 'locked' always. I tried 'stop wlancond' and 'stop csd' and never got any luck.
> --
> Pali Rohár
> [hidden email]

Re: Maemo 5 - 802.1x PEAP+MSCHAPv2

Pali Rohár
2014-02-11 20:29 GMT+01:00 Sicelo <[hidden email]>:
>> There was a problem with self-signed certificates and certificates which
>> did not have their CA stored in maemo certman. I do not remember if this was
>> fixed or not. Try to check if both the CA and the certificate itself are
>> installed in Settings --> Certificates.
>
> Yes, these are installed. Whether or not I have them, I still can't connect.
>

Check that the certificates have not expired.

>> I do not have any problem with connecting to wifi WPA2 EAP TTLS+GTC or
>> EAP PEAP+MSCHAPv2. Also try checking syslog, in case Nokia's eapd daemon
>> wrote an error message.
>
> This is the message from eapd:
> Feb 11 19:45:26 fremantle icd2 0.87+fremantle10+0m5[1312]: EAP: [9d4b057a-56a6-454f-852c-245c6ff30a55] authentication failed because EAP_FAILED received: EAP authentication failed (com.nokia.icd.error.wlan_authentication_failed)
>

No, this message is from icd2. I do not know if the eapd daemon (the
one which does the EAP auth) writes something somewhere... also check
its cmdline arguments to see if there is some debug flag/option. It is bad
that Nokia's eapd sw is closed :-(

> Would there be some gconf values to edit which could help here?

No idea.

>>
>> Another option is to use wpa_supplicant (which is in extras-devel) and
>> connect manually to the wifi network like on any Linux machine.
>>
>> I'm using wpa_supplicant for ethernet 802.1X authentication with a USB
>> ethernet card connected to the N900 in USB host mode and there is no
>> problem.
>>
> Would you be able to show me how to do this with the built-in wifi adapter of the N900? I had previously installed wpa_gui, but could never get the card to show. I'm guessing something keeps it 'locked' always. I tried 'stop wlancond' and 'stop csd' and never got any luck.

I think that wpa_gui is probably not working on the N900 due to the small qt
screen, special hildon qt theme and other qt patches. You need to
write your own wpa_supplicant config file. Then stop wlancond and
start wpa_supplicant manually (and then a dhcp client...). In
wpa_supplicant use the wext driver, because the new nl does not work correctly
on the old 2.6.28 kernel.

As for how to write a wpa_supplicant config file, see the man page for
wpa_supplicant.conf or use google...

--
Pali Rohár
[hidden email]
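
Added example, not part of any message in this thread: a shell script for the manual route described in the message above (stop wlancond, start wpa_supplicant with the wext driver, then a DHCP client), with a check that refuses to start when an EAP network block has no `ca_cert`/`ca_path`, because wpa_supplicant then does not verify the server certificate. The SSID, identity, password, file paths, the `wlan0` interface name and the `udhcpc` DHCP client are assumptions.

```shell
#!/bin/sh
# Added example. SSID, identity, password, paths, the wlan0 interface name
# and the udhcpc DHCP client are assumptions, not values from the thread.
CONF=${CONF:-/home/user/wpa_peap.conf}
IFACE=${IFACE:-wlan0}

# Write a PEAP+MSCHAPv2 network block that keeps server validation on.
write_conf() (
    umask 077                       # the file holds a password
    cat > "$1" <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="EXAMPLE-CORP"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    password="placeholder-password"
    # CA that issued the RADIUS server certificate (placeholder path)
    ca_cert="/home/user/radius-ca.pem"
}
EOF
)

# Print the ssid of each 802.1X/EAP network block with neither ca_cert nor
# ca_path; wpa_supplicant does not verify the server certificate for those.
# Exit status is 1 if any such block exists.
audit_conf() {
    awk '
        /^[ \t]*#/                                      { next }
        /^[ \t]*network=[{]/  { inblk = 1; ssid = "?"; eap = 0; ca = 0; next }
        inblk && /^[ \t]*ssid=/  { sub(/^[ \t]*ssid=/, ""); ssid = $0 }
        inblk && /^[ \t]*(eap=|key_mgmt=.*(WPA-EAP|IEEE8021X))/ { eap = 1 }
        inblk && /^[ \t]*ca_(cert|path)=/               { ca = 1 }
        inblk && /^[ \t]*[}]/ { if (eap && !ca) { print ssid; bad = 1 } inblk = 0 }
        END { exit bad + 0 }
    ' "$1"
}

# Sequence from the thread: stop wlancond, start wpa_supplicant with the
# wext driver, then run a DHCP client. Needs root on the device.
connect() {
    audit_conf "$CONF" >&2 || { echo "EAP network without CA, not starting" >&2; return 1; }
    stop wlancond
    wpa_supplicant -B -D wext -i "$IFACE" -c "$CONF" && udhcpc -i "$IFACE"
}

if [ "${1:-}" = "up" ]; then write_conf "$CONF" && connect; fi
```

Run it as `sh script.sh up`; without the argument it only defines the functions, so `audit_conf` can be pointed at an existing config file.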

Re: Maemo 5 - 802.1x PEAP+MSCHAPv2

Sicelo
>
> Check that the certificates have not expired.

Certificates valid, and no errors reported.
>
> write your own wpa_supplicant config file. Then stop wlancond and
> start wpa_supplicant manually (and then a dhcp client...). In
> wpa_supplicant use the wext driver, because the new nl does not work correctly
> on the old 2.6.28 kernel.
>
> As for how to write a wpa_supplicant config file, see the man page for
> wpa_supplicant.conf or use google...

Thanks for your help Pali. I can get wpa_supplicant to run, and it authenticates successfully now. However, it keeps re-authenticating, even though it has already been properly accepted. I guess this is an unrelated problem though.



Re: Maemo 5 - 802.1x PEAP+MSCHAPv2

Sicelo
I finally did get wpa_supplicant to connect to the enterprise network at work. Unfortunately, the connections UI fails completely. I have found that there really is a problem with the certificates the work network uses, but unfortunately, the Admins won't hear it (because other devices can connect). On my FreeRadius network, now the UI connects properly every time, after I had generated proper self-signed certificates. In any case, I am starting to think EAPD is not doing anything wrong per se. Only thing missing is an option to skip certificate verification. Pity this can't be hacked in somewhere. GConf would have been the perfect place for such tweak.


On Tue, Feb 11, 2014 at 10:10:50PM +0200, Sicelo wrote:

> >
> > write your own wpa_supplicant config file. Then stop wlancond and
> > start wpa_supplicant manually (and then a dhcp client...). In
> > wpa_supplicant use the wext driver, because the new nl does not work correctly
> > on the old 2.6.28 kernel.
> >
> > As for how to write a wpa_supplicant config file, see the man page for
> > wpa_supplicant.conf or use google...
>
> Thanks for your help Pali. I can get wpa_supplicant to run, and it authenticates successfully now. However, it keeps re-authenticating, even though it has already been properly accepted. I guess this is an unrelated problem though.
>
>

Re: Maemo 5 - 802.1x PEAP+MSCHAPv2

Pali Rohár
The EAPD daemon uses certman for certificate verification. Both the certman
libraries and the certman control panel applet are open source, so it
could be possible to add an option to certman for accepting a specific
certificate (even if expired/broken/etc...). And this could fix your
problem. But I do not know the certman codebase...

2014-02-12 20:19 GMT+01:00 Sicelo <[hidden email]>:

> I finally did get wpa_supplicant to connect to the enterprise network at work. Unfortunately, the connections UI fails completely. I have found that there really is a problem with the certificates the work network uses, but unfortunately, the Admins won't hear it (because other devices can connect). On my FreeRadius network, now the UI connects properly every time, after I had generated proper self-signed certificates. In any case, I am starting to think EAPD is not doing anything wrong per se. Only thing missing is an option to skip certificate verification. Pity this can't be hacked in somewhere. GConf would have been the perfect place for such tweak.
>
>
> On Tue, Feb 11, 2014 at 10:10:50PM +0200, Sicelo wrote:
>> >
>> > write your own wpa_supplicant config file. Then stop wlancond and
>> > start wpa_supplicant manually (and then a dhcp client...). In
>> > wpa_supplicant use the wext driver, because the new nl does not work correctly
>> > on the old 2.6.28 kernel.
>> >
>> > As for how to write a wpa_supplicant config file, see the man page for
>> > wpa_supplicant.conf or use google...
>>
>> Thanks for your help Pali. I can get wpa_supplicant to run, and it authenticates successfully now. However, it keeps re-authenticating, even though it has already been properly accepted. I guess this is an unrelated problem though.
>>
>>

--
Pali Rohár
[hidden email]

Re: Maemo 5 - 802.1x PEAP+MSCHAPv2

Sicelo
On Wed, Feb 12, 2014 at 08:25:30PM +0100, Pali Rohár wrote:
> The EAPD daemon uses certman for certificate verification. Both the certman
> libraries and the certman control panel applet are open source, so it
> could be possible to add an option to certman for accepting a specific
> certificate (even if expired/broken/etc...). And this could fix your
> problem. But I do not know the certman codebase...
>
This is a very good idea indeed. I think Freemangordon understands certman very well. On the other hand, I don't know how many other people this would be useful to, but judging from the bugs that were previously opened against this, I am sure it would help at least 50% of current N900 users.