Unable To Authenticate to WPA2-Enterprise With NetworkManager

Similar Messages

• WPA2 Enterprise with netctl

  Hi,
  I'm trying to connect to my university wifi which I believe is WPA2 Enterprise protected. I read the wiki about using the Eduroam netctl profile example for WPA2 Enterprise networks but it doesn't seem to work for me. This is what I have:
  Connection='wireless'
  Interface=wlp4s0b1
  Security='wpa-configsection'
  Description="nyu wpa2 network"
  IP='dhcp'
  TimeoutWPA=30
  WPAConfigSection=(
  'ssid="nyu"'
  'key_mgmt=WPA-EAP'
  'eap=PEAP'
  'proto=WPA2'
  'phase2="auth=PAP"' #maybe MSCHAPv2
  'auth_alg=OPEN' #maybe
  'anonymous_identity="anonymous"' # ex: tu-dresden.de
  'identity="myusername"' # ex: [email protected]
  'password="mypassword"'
  'ca_cert="/usr/share/ca-certificates/trust-source/mozilla.trust.crt"'
  Can someone point me to related info or correct my profile? Thanks.

  Does your university have a site with some information/guidance for using eduroam?
  Have you tried other example profiles from here, such as this one and  this one? The wiki refers to this AUR package, which seems to be where you got the profile you've tried. Perhaps try the other example profiles.

• Cisco 1140AP using WPA2-enterprise with radius

  All,
  I am trying to configure an1140 AP to use WPA2-enterprise & radius. Ultimately I want to be able to connect to the SSID using my active directory credentials. I would like the AP to send authentication requests to our Network Policy Server. Here is a copy of the config; any help is appreciated.
  version 12.4
  no service pad
  aaa new-model
  aaa group server radius rad_eap
  server 172.16.16.101 auth-port 1812 acct-port 1813
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa group server radius rad_eap1
  aaa authentication login myLogin local
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authentication dot1x rad_eap group radius
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 syslog
  dot11 ssid ITWireless
     authentication open eap rad_eap
     authentication key-management wpa version 2
     guest-mode
  username admin password 7 XXXXXXXXXXXXXXXXXXXXX
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode ciphers aes-ccm
  ssid ITWireless
  antenna gain 0
  interface Dot11Radio1
  no ip address
  no ip route-cache
  encryption mode ciphers aes-ccm
  ssid ITWireless
  interface BVI1
  ip address 172.16.42.21 255.255.0.0
  no ip route-cache
  ip default-gateway 172.16.16.198
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 172.16.16.101 auth-port 1812 acct-port 1813 key 7 1427321938572903
  radius-server vsa send accounting
  bridge 1 route ip

  I did see those screenshots however that settings screen comes from selecting the Configure button next to the Authentication Method in the User Authentication section under Users.  In each of your screenshots, the RADIUS Server ID number is 1 so I would also ensure that I've configured RADIUS Server ID 1 which can only be configured by going to Users -> RADIUS Servers.
  All that said, I did see that your tests succeeded and I also don't understand the point of having RADIUS settings on the other screens and then having RADIUS ID info.  My thinking is that you would be able to configure RADIUS once in the Users -> RADIUS Servers screen and then select the RADIUS Server ID in all the remaining screens without having to enter the RADIUS info over and over again.  It would also think that you could skip the Users -> RADIUS Server screen and enter the RADIUS information over and over again and it should work...just like you set it up originally.  However, based on past experience of programmatic errors, I would recommend configuring the RADIUS Server ID 1 under Users -> RADIUS Servers if you haven't already...just in case. 
  Shawn Eftink
  CCNA/CCDA
  Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

• Spontaneous disconnects from a WPA2 Enterprise network with iwlwifi

  The wireless network at my work uses WPA2-Enterprise with PEAP authentication and MSCHAPv2 inner authentication.  Given this, cacert.org.crt, and the username and password, I am sometimes able to connect.  However, I am often spontaneously disconnected.  Sometimes this happens seconds after I connect, sometimes, I stay connected for hours.  I use network manager to connect within gnome-shell.
  The following describes my wireless card.
  $ lspci | grep Net
  07:00.0 Network controller: Intel Corporation Centrino Advanced-N 6235 (rev 24)
  The NetworkManager log is not much help...
  May 09 10:10:24 ocelot NetworkManager[299]: <info> (wlan0): supplicant interface state: scanning -> disconnected
  May 09 10:10:24 ocelot NetworkManager[299]: <info> (wlan0): supplicant interface state: disconnected -> scanning
  Last edited by astex (2013-05-09 14:27:44)

  I had the same problems with my Intel Centrino Advanced-N 6000 and the WPA2 Enterprise network at university. And now since my last update where the driver seemed to be updated when also netctl replaced netcfg I am completly unable to connect to the network. But with my WPA2-PSK network I don't have any problems and my Notebook connects instantly.
  I'm using wicd but also tried NetworkManager, netctl and also manually using wpa_supplicant but it was the same problem.
  Also shutting down hardware encrpyption and 11n like mentioned in  this topic:
  option iwlwifi swcrypto=1
  option iwlwifi 11n_disable=1
  I guess it must be a driver bug.

• Certificate renewal with WPA2-Enterprise PEAP MS-CHAPv2

  Hello
  We have a wireless network which is secured with WPA2-Enterprise with PEAP and MS-CHAPv2. The Radius servers (Windows Server 2008r2 with the Radius Feature installed) currently use a public signed certificate. This is about to expire soon and will need to be renewed.
  The clients are non-managed and from all variety (OS, wifi-software, ...).
  The Wifi is 4400 controller based and managed with the new Prime Infrastructure 1.3.
  What is the best way to do the renewal with as little disturbance for the client as possible? The less manual interaction for the end user the better.
  Thanks
  Patrick                 

  Hello Patrick,
  As per your query i can suggest you the following steps-
  Since the root CA is the most critical CA in the hierarchy, you may prefer to have a strategy here that reduces the need to renew the root certificate often.
  The first consideration is choosing the key length of the root's public key and private key pair during setup of the root authority. By using a long key length, which is generally more secure against brute force attack than a shorter key length, you increase the length of time that the CA can use the same private key and have reasonable confidence that it has not been compromised. The second consideration is establishing the validity period of the root certificate itself. In general, you will want to create a root certificate that has a shorter validity period than the estimated lifetime of the key.
  For more information you can refer to the link-
  http://technet.microsoft.com/en-us/library/cc740209(v=ws.10).aspx
  Hope this will help you.

• IOS 5 can't connect to WPA/WPA2 Enterprise Wireless Network

  After upgrading multiple iPhone 4 (CDMA versions) to IOS 5.0, I have not been able to get them to connect to our WPA/WPA2 Enterprise wirless network.  We use a Cisco Wireless LAN Controller.  The wireless network is capable of doing WPA or WPA2 Enterprise with PEAP.  These phones all connected to this network fine before the upgrade.
  When connecteding to the network, it prompts me for the username and password and when I tap join it sits for about 10-15 seconds then says "Unable to join the network" with a Dismiss button.
  It connects to non-Enterprise networks just fine.  I have tested it on WPA Personal and WPA2 Personal networks and it has worked on several without issue.
  I have tried "forget this network" with no success.
  Is anyone else having this problem?  I know of at least three Verizon iPhone 4's that have this exact same problem.  I haven't seen one working with this configuration yet.

  I have the same problem:
  Cisco WLC's -> WPA2 Enterprise AES + EAP-PEAP 802.1x with CCKM
  Pre 5.0 - all worked fine
  Post 5.0 - it tries to connect and after few moments i get error - couldn't connect.
  Info from controller:
  10/17/2011 12:16:37 CEST           INFO           172.16.16.X           Sending EAP request to client from radius server. 6.f. ..l
  10/17/2011 12:16:38 CEST           ERROR           172.16.16.X           Retransmitting EAP-ID request to client,retransmission timer expired. 5.y. ..l
  10/17/2011 12:16:39 CEST           ERROR           172.16.16.X           Retransmitting EAP-ID request to client,retransmission timer expired. 5.y. ..l
  10/17/2011 12:16:40 CEST           ERROR           172.16.16.X           Authentication failed for client as EAP ID request from AP reached maxmium retransmissions. 5.yp ..l
  10/17/2011 12:16:40 CEST           ERROR           172.16.16.X           De-authentication sent to client. 5.oP ..l
  10/17/2011 12:16:40 CEST           ERROR           172.16.16.X           5.yp ..l
  10/17/2011 12:16:40 CEST           ERROR           172.16.16.X           EAPOL-key is invalid, scheduling client for deletion. 5.yp ..l
  On the Radius server i don't see any activity regarding this device.
  I had this network configured on my iPhone - after upgrade and restore it remembered it. Every time i was in vicinity of my Enterprise WLAN it tried to connect - resulting int express battery drain - 6-7 hrs and battery was empty from 100%

• WPA2 - Enterprise

  I need to disable certificate verification in 8.1 for auto-discovered wireless networks. I've tried manually creating new connections (unchecking the "verify" checkbox in PEAP properties) but still cannot get the system to authenticate using WPA2-Enterprise.
  I honestly cannot tell if the system is using the manually created connection or the auto-discovered connection. I've tried changing the properties in PC settings->Network->Connections->Wi-Fi->"Manage known networks" but cannot get to
  a properties page to change any of the configuration settings. 
  I hope this is making sense. I miss having more control over the OS vs MS thinking they can do everything for me...

  Check here
  http://www.enterprisenetworkingplanet.com/netsecur/article.php/3916561/Implement-WPA2-Enterprise-Encryption-on-Your-WLAN.htm
  Rgds

• Wireless WPA2-Enterprise + 802.1x (EAP-PEAP/MSCHAPv2) config

  Hello,
  We're in the process of moving all of our wireless from WPA-PSK to WPA2-Enterprise with 802.1x EAP-MSCHAPv2 (PEAP). All workstations are Windows 7 with the 2SP3 IR2 client. What we'd like is for the 802.1x SSO functionality to work so users do not have to sign in computer only first and then use the novell login after connecting. I've followed the documentation for enabling 802.1x that Novell provides with no success. I'm hoping someone has done this or can point me in the direction of documentation that can use to better understand what configuration is needed to make this work.

  Originally Posted by djaquays
  I haven't had a chance to play with this yet on IR8, but I'd be curious of your steps to get this working.
  I'm not sure why FreeRadius would make any difference vs ClearPass.. they both speak RADIUS.
  This is the only documentation I can find from Novell: https://www.novell.com/documentation...a/b8jn9w6.html
  It's a couple of years since I did this so my memory is a bit vague... :(
  Did you install the peap plugin on the workstation, if I remeber correctly this was needed?
  http://support.arubanetworks.com/TOO...4/Default.aspx
  Thomas

• WPA2-Enterprise TLS not working in iOS 5

  We have over 200 iPhone on our Corporate Wi-Fi network. We started having calls from our users saying that their Wi-Fi is not working anymore since they upgraded to iOS 5. It was working fine with previous version of iOS. We are using WPA2-Enterprise with TLS authentication. We were able to reproduce the issue. With my iPad, i'm not able anmore to connect to our corporate wi-fi on both vendor we use (Cisco and Motorola). The SSId was  hidden, we tryed to broadcast it with no change. The only thing both vendor are sharing is the TLS authentication for the WPA2 auth. Can anyone help us ?

  I had to:
  1) connect the Ipad with a cable and enable "synch via wi-fi" option.
  2) eject the ipad
  3) restart the MAC
  attempt synch --- FAILED
  after looking at my set-up the MAC (or PC) must be conneced to the same wireless connection. My router has dual band capability. one connection is 2.4 ghz with one name, and 5 ghz with another name. Even though ALL the computers have same workgroup name, wi-fi synch would not work unless they were all on the same wireless connection (same ssID). go figure. once my mac was connected to the 2.4 Ghz SSID, wi-fi sync worked fine.

• Want to configure wpa2 enterprise in wlc 2106

  Hi,
  I want to configure the wlc 2106 with wpa2 enterprise .... i reckon that iI need ACS server ( Radius Server ) with server certificate as well client certificate.
  how do i configure the redius server to get access through wpa2 enterprise .. If i am wrong , what are all things required to enable wpa2 enterprise with AES encryption .
  Is it possible to get the evalution copy of acs server with certificate ?
  how to go ahead for the same .
  It would be great help me to get the proper answer  for configuration of wpa2 enterprise with AES ...

  The below link may help you..
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008095382f.shtml
  Regards
  Surendra

• Airport Express bridge mode over WPA2 Enterprise?

  I have an Airport Extreme running WPA2 Enterprise with RADIUS on a Snow Leopard Server. Is it possible to have the Express join the WPA2 Enterprise network as an ethernet bridge? I can't seem to set it up. Something tells me this only works with WPA2 Personal?

  When you set up the APExtreme through Server Admin, it takes care of all the secret passwords and what-have-you. I did some digging on Apple's site, and it looks like the APExpress can only act as a bridge on WPA2 Personal networks and below. No worries; I am just temporarily running an engineer's SIP phone over wireless, so I brought an old Buffalo router I had kicking around at home into the office; set it up as a WPA2 Personal access point, and have him running off of that with the APExpress as the bridge. This is just a stopgap until I can get him a proper ethernet drop. Thanks for the help regardless.

• IOS 5 WPA2 Enterprise WiFi Connectivity Issue

  In IOS 4 i was able to connect easy to my company Enterprise network using WPA2 Enterprise (With Domain username and password). While initail Wifi setup in IOS 4 it used to ask me for accepting a certificate. After upgrading i noticed that it does not ask for certificate anymore but still connects on first attempt. After turining wifi off and on Wifi does not connects automatically instead if i check that network it ask me to enter password and join (my company network does not use preshared key instead use Domain credentials).
  After googling i found out that from iOS 5 onward MD-5 signed certificates are no more supported. My network administrator is not interested in changing the signing method of certificate.
  Can any one please help me for fixing this issue?

  Hi Attiq 123,
  Thanks for the question. It sounds like you are experiencing issues with your network connection, specifically when connecting to Apple services like iCloud and the iTunes Store. The following resource provides some troubleshooting steps that you can try:
  Can't connect to the iTunes Store - Apple Support
  http://support.apple.com/en-us/HT201400
  You may also need to test to see if the specific ports on your Wi-Fi network are accessible:
  iTunes: Advanced iTunes Store troubleshooting - Apple Support
  http://support.apple.com/en-us/TS3297
  Make sure the issue is with the iTunes Store only. (You need an Internet connection to access the iTunes Store).
  Open a secure website to test if you are online as is necessary for the iTunes Store. This also tests if the main ports 80 and 443 are accessible. If the website works but the iTunes Store does not, it is most likely a firewall blocking the iTunes software or servers. If this is the case, follow the steps in the "Blocked by software firewall" section below.
  - Matt M.

• WPA2 enterprise, Can not authenticate with ACS

  Hi, I am setting up WPA2 enterprise for wireless users with PEAP authentication, but can not get authentication server to authenticate them, and failed reason is generic "EAP-TLS or PEAP authentication failed during SSL handshake"
  The AP I am using is 1240AG running 12.3(8)JA, Radius server is ACS 4.0, I don't have any problem to get dot1x with PEAP authentication working for wired access, and I have almost identical client side configuration for wired and wireless user.
  From ACS's point of view, it should not be aware of any difference between wired and wireless user, but ACS log shows otherwise:
  1)AP is connected to a cat4k switch, I suppose AP should be the authenticator for wireless users, but ACS "failed attempts" log for attempted wireless user shows that the NAS IP is cat4k in stead of AP, why?
  2)I am using the same laptop for both wireless/wired testing, ACS "failed attempts" log shows that for wired user, it correctly interpreted cached domain\login name, but for failed wireless user, the user-name field is totally different, yet debug on AP clearly shows that correct domain\login has been received by AP.
  Debug output on AP is attached, hope experts here can quickly identify the problem.

  Got it working by adding radius server configuration under GUI generated configuration:
  aaa group server radius your-AAA-group-name
  server your-radius-server#1-IPaddress auth-port 1645 acct-port 1646

• WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

  I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates is not necessary on the client. Radius server is a NPS of Microsoft and the WLC is a 5508 of Cisco.
  thanks !!!

  WPA and WPA2 are all actually interim protocols that are used until the standardization of IEEE 802.11i standard. Wi-fi appliance decided that ratification and standardization of 802.11i standards will take more time. So, they came up with WPA.
  Now, WPA2 is advanced version of WPA. WPA2 uses AES as encryption algorithm. Whereas, WPA use TKIP as encryption mode which in turn uses RC4 encryption algorithm.
  WPA and WPA2 are actually are of 2 types respectively.
  WPA/WPA2-PSK - This is mainly for small offices. This uses Pre-Shared Key for authentication.
  WPA/WPA2 -Enterprise - This uses a RADIUS Server for authentication. This is an extension to 802.1x authentication. But this uses stronger encryption scheme(WPA uses RC4 and WPA2 uses AES).
  Any authentication mechanism that involves a separation authentication server for authentication like ACS server is called 802.1x authentication.
  EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x Authentication by the RADIUS/Tacacs server. A RADIUS server can authenticate a wireless client with various EAP methods.
  LEAP is one type of EAP. It uses username and password for authenticating wireless clients. LEAP is cisco proprietory.
  There are also EAP types which uses other user credentials like Certificates, SIM etc for authentcation.
  The following document might clarify your doubts.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

• WLC-4404. WPA2 - AES (L2) - Microsoft IAS- unable to authenticate

  Hi am upgrading from EAP - TLS with WEP to WPA2 - AES with smartcard / machine certificates. AAA server is Microsoft IAS. New SSID and config for WPA2 looks straightforward.
  Created new policy for this SSID on IAS, again looks straightforward. Unable to authenticate, debug on WLC looks as though not all server to client transactions are taking place , no EAPOL messages etc.
  Any ideas?

  This mostly occurs due to incompatibility on the client side. Try these steps in order to fix this issue:
  Check if the client is Wi-Fi certified for WPA2 and check the configuration of the client for WPA2.
  Check the data sheet in order to see if the client Utility supports WPA2. Install any patch released by the vendor to support WPA2. If you use Windows Utility, make sure that you have installed the WPA2 patch from Microsoft in order to support WPA2.
  Upgrade the client's Driver and Firmware.
  Turn off Aironet extensions on the WLAN.