ecrase2500
Posts: 8
Joined: Thu May 16, 2013 9:42 pm

Raspbian WiFi on WPA2 Enterprise

Thu May 16, 2013 10:00 pm

Hi All,

I'm running the latest Raspbian with a TP-Link TL-WN725N Nano WiFi Adapter. I have installed the drivers found here: http://blog.pi3g.com/2013/05/tp-link-tl ... pi-driver/

I was successful in configuring it with my home WPA2 personal network. Wifi worked fine.

I'm now trying to get it connected to my office's WPA2 Enterprise network. This has not been nearly as easy. I've tried various manual configurations as well as wpa_gui.

wpa_gui sees interface and successfully shows me the SSIDs in my area. But when I try to connect, all that happens is wpa_status says "Scanning" and last message is "WPS-AP-AVAILABLE". I don't see an IP address being assigned or anything. It doesn't seem to actually *connect* to the network.

Logins, passwords and SSIDs have been double-checked.

iwconfig says this:

Code: Select all

wlan0     unassociated  Nickname:"<[email protected]>"
          Mode:Managed  Frequency=2.412 GHz  Access Point: Not-Associated   
          Sensitivity:0/0  
          Retry:off   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

lo        no wireless extensions.

eth0      no wireless extensions.

My config files look like this:

File: /etc/network/interfaces

Code: Select all

auto lo

iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
File: /etc/wpa_supplicant/wpa_supplicant.conf

Code: Select all

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
        ssid="office"
        proto=RSN
        key_mgmt=WPA-EAP
        pairwise=TKIP
        auth_alg=OPEN
        eap=PEAP
        identity="officedomain\username"
        password="blablabla"
}

network={
        ssid="office_GUEST"
        psk="blablabla"
        proto=RSN
        key_mgmt=WPA-PSK
        pairwise=TKIP
        auth_alg=OPEN
}
Any suggestions for what to try next?
Many thanks!

latki8
Posts: 31
Joined: Wed Aug 01, 2012 1:56 pm

Re: Raspbian WiFi on WPA2 Enterprise

Tue May 21, 2013 12:35 pm

Have you tried speaking to your Office's network support guys? - assuming it is an Enterprise-sized company. I'm sure they'll be very interested in what you are trying to do.

ecrase2500
Posts: 8
Joined: Thu May 16, 2013 9:42 pm

Re: Raspbian WiFi on WPA2 Enterprise

Tue May 21, 2013 12:40 pm

Actually, yes. They supplied the dedicated user account, but I work in a Windows shop. :-(

SirLagz
Posts: 1705
Joined: Mon Feb 20, 2012 8:53 am
Location: Perth, Australia
Contact: Website

Re: Raspbian WiFi on WPA2 Enterprise

Tue May 21, 2013 12:52 pm

what happens if you run

Code: Select all

sudo wpa_cli status
?
My Blog - http://www.sirlagz.net
Visit my blog for Tips, Tricks, Guides and More !
WiFi Issues ? Have a look at this post ! http://www.raspberrypi.org/phpBB3/viewtopic.php?f=28&t=44044

broo0ose
Posts: 317
Joined: Wed Dec 14, 2011 3:59 pm
Location: Wirral, UK

Re: Raspbian WiFi on WPA2 Enterprise

Tue May 21, 2013 7:58 pm

This is how I did it.

First I grabbed the public certificate that the RADIUS server was offering and saved it as a PEM file.

Code: Select all

sudo mkdir /etc/certs
sudo cp radius.pem  /etc/certs/
Then I edited /etc/wpa_supplicant/wpa_supplicant.conf

Code: Select all

ctrl_interface=/var/run/wpa_supplicant
network={
      ssid="MySSID"
      scan_ssid=1
      key_mgmt=WPA-EAP
      pairwise=CCMP TKIP
      group=CCMP TKIP
      eap=PEAP
      identity="raspi"
      password="mypassword"
      ca_cert="/etc/certs/radius.pem"
      phase1="peapver=0"
      phase2="MSCHAPV2"
   }
then edited /etc/network/interfaces

Code: Select all

auto lo

iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0

iface wlan0 inet dhcp
        pre-up wpa_supplicant -B -Dwext -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf
        post-down killall -q wpa_supplicant
It sounds simple but it took me a while to crack it. I am also the person who set up the RADIUS server (FreeRADIUS) so I have some inside knowledge.
I hope this helps.

ecrase2500
Posts: 8
Joined: Thu May 16, 2013 9:42 pm

Re: Raspbian WiFi on WPA2 Enterprise

Tue May 28, 2013 7:40 pm

Thanks for the helpful responses! I've been pulled away by other priorities so it's taken this long for me to come back to this.
broo0ose wrote:This is how I did it.
First I grabbed the public certificate that the RADIUS server was offering and saved it as a PEM file.
Sorry for the newb question, but how does one go about grabbing the public certificate? (My OS X box does this automatically!)
Cheers,
P

{Edit - Can I export the certificate out of Keychain access on my Mac and just save that as the .PEM on the RPi as you describe?}

ecrase2500
Posts: 8
Joined: Thu May 16, 2013 9:42 pm

Re: Raspbian WiFi on WPA2 Enterprise

Wed May 29, 2013 4:09 pm

Thanks again to everyone for their help.

OK, I exported the cert from my Mac as .pem and copied it over to the RPi with scp. I followed broo0ose's great instructions and wpa_cli status has gone from saying "scanning" without much else to the following:

Code: Select all

Selected interface 'wlan0'
bssid=6c:f3:7f:96:6d:f0
ssid=[mySSID]
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=ASSOCIATED
address=a0:f3:c1:2d:10:4f
Supplicant PAE state=AUTHENTICATING
suppPortStatus=Unauthorized
EAP state=IDLE
selectedMethod=25 (EAP-PEAP)
EAP TLS cipher=(NONE)
Looks like progress to me, but it's not getting obtaining an IP address. The "AUTHENTICATING" status would suggest there's an issue with authentication but I've played with the login format (domain\username and [email protected]) and neither's working... Could my cert trick have failed?

ecrase2500
Posts: 8
Joined: Thu May 16, 2013 9:42 pm

Re: Raspbian WiFi on WPA2 Enterprise

Wed May 29, 2013 4:49 pm

OK, I figured out how to get logging going. (Still new at this stuff.) Here's more info:

Code: Select all

rfkill: Cannot open RFKILL control device
wlan0: Trying to associate with d8:c7:c8:9d:53:80 (SSID='mySSID' freq=2412 MHz)
wlan0: Association request to the driver failed
wlan0: Associated with 6c:f3:7f:96:6d:f0
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 3 for '/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root'
wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=3 subject='/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root' err='self signed certificate in certificate chain'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
It does look like a cert issue. As always, your suggestions are appreciated.

broo0ose
Posts: 317
Joined: Wed Dec 14, 2011 3:59 pm
Location: Wirral, UK

Re: Raspbian WiFi on WPA2 Enterprise

Thu May 30, 2013 8:56 pm

Sorry I don't know much about Macs.

There may be a way to disable the cert check, try removing the ca_cert line. Whether you leave it like that is up to you.

The idea behind using a certificate is to verify that the WiFi network you are connecting to is the correct one and not being spoofed. If you are connecting to a spoofed WiFi network then someone else can listen to your network traffic.

The certificate comes from the RADIUS server, this might be a Windows domain controller, in which case the cert will be the public key from the Windows CA.

ecrase2500
Posts: 8
Joined: Thu May 16, 2013 9:42 pm

Re: Raspbian WiFi on WPA2 Enterprise

Fri May 31, 2013 1:15 am

Thanks for the info. I didn't know I could disable that.

In the end, once it was a cert matter, I was speaking a common language with our IT guys and they were able to send me the right cert, which I installed per your earlier instructions, and it worked! The Pi has 'Fi. :)

Thanks again for your assistance.

broo0ose
Posts: 317
Joined: Wed Dec 14, 2011 3:59 pm
Location: Wirral, UK

Re: Raspbian WiFi on WPA2 Enterprise

Fri May 31, 2013 8:20 pm

Great, glad one if my IT brothers was able to help you.
Hopefully the info in this thread will help others.

lansizhong
Posts: 1
Joined: Mon Jun 03, 2013 8:20 am

Re: Raspbian WiFi on WPA2 Enterprise

Sat Jun 08, 2013 3:45 pm

I made it to successful certification ( or formally association by Arch Wiki), but unfortunately the wireless interface couldn't get dynamic IP no matter how I tried the command "dhcpcd wlan0".
Any advices?

ScottInNH
Posts: 1
Joined: Sun Dec 07, 2014 8:32 pm

Re: Raspbian WiFi on WPA2 Enterprise

Sun Dec 07, 2014 8:43 pm

Posting to a very old thread, just some advice for those Googling as I looked at this thread before I solved my problem.

I was getting the same errors. My Pi could see the router, and attempting to join would return the same status.
My laptop - right next to the Pi - was getting 4 bars so I assumed the signal was great.

It's easy to forget these "nano" dongles have very small antenna, and require a strong signal.
My office is about 60 feet from the router, with 3 walls between. Once I moved my Pi to the same room as the router, with no other changes it was able to negotiate the keys and all is well.

As a more permanent solution, I'm getting a newer stronger router (laptops deserved an "802.11 ac" upgrade anyways) , and my old N router will be recommissioned as a repeater (and if necessary, wired access point).

jtennant12
Posts: 6
Joined: Wed Dec 10, 2014 1:49 pm

Re: Raspbian WiFi on WPA2 Enterprise

Wed Dec 10, 2014 5:09 pm

I have been following the instructions on this question to the letter and I cannot get connected to my campuses wifi.

We do not use a certificate so I deleted that line from the wpa_supplicant.conf file.

Other that that I copied & pasted everything just as shown on this thread.

ifconfig results in no ip address for wlan0.

wpa_cli status shows AUTHENTICATING

Return to “Networking and servers”