WPA2 Enterprise with netctl

Hi,
I'm trying to connect to my university wifi which I believe is WPA2 Enterprise protected. I read the wiki about using the Eduroam netctl profile example for WPA2 Enterprise networks but it doesn't seem to work for me. This is what I have:
Connection='wireless'
Interface=wlp4s0b1
Security='wpa-configsection'
Description="nyu wpa2 network"
IP='dhcp'
TimeoutWPA=30
WPAConfigSection=(
'ssid="nyu"'
'key_mgmt=WPA-EAP'
'eap=PEAP'
'proto=WPA2'
'phase2="auth=PAP"' #maybe MSCHAPv2
'auth_alg=OPEN' #maybe
'anonymous_identity="anonymous"' # ex: tu-dresden.de
'identity="myusername"' # ex: [email protected]
'password="mypassword"'
'ca_cert="/usr/share/ca-certificates/trust-source/mozilla.trust.crt"'
)
Can someone point me to related info or correct my profile? Thanks.

Does your university have a site with some information/guidance for using eduroam?
Have you tried other example profiles from here, such as this one and this one? The wiki refers to this AUR package, which seems to be where you got the profile you've tried. Perhaps try the other example profiles.
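
An added example, not part of the original posts and not netctl's own code: a small Python audit of the WPAConfigSection entries of a netctl profile, checking whether a tunnelled EAP method (PEAP or TTLS) actually authenticates the RADIUS server before the password is sent. The finding names, the two constructed sample profiles and the CA path and server name in them are assumptions made for illustration; the option names (ca_cert, domain_suffix_match and so on) are wpa_supplicant's.

```python
import re

# wpa_supplicant network options that authenticate the RADIUS server.
TRUST_ANCHORS = ("ca_cert", "ca_path")
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "altsubject_match", "subject_match")
TUNNELLED = {"PEAP", "TTLS"}  # the password travels inside a TLS tunnel

def parse_wpa_config_section(profile_text):
    """Return {option: value} for the entries of WPAConfigSection=( ... )."""
    options, inside = {}, False
    for raw in profile_text.splitlines():
        line = raw.strip()
        if line.startswith("WPAConfigSection=("):
            inside = True
            line = line[len("WPAConfigSection=("):].strip()
        elif not inside:
            continue
        if line.startswith(")"):
            break
        # Each entry is one single-quoted string; anything after it is a comment.
        entry = re.match(r"'([^']*)'", line)
        if entry and "=" in entry.group(1):
            key, value = entry.group(1).split("=", 1)
            options[key.strip()] = value.strip().strip('"')
    return options

def audit_profile(profile_text):
    """Return sorted finding ids (hypothetical names) for a WPA-EAP profile."""
    opts = parse_wpa_config_section(profile_text)
    if opts.get("key_mgmt", "").upper() != "WPA-EAP":
        return []
    findings = set()
    if set(opts.get("eap", "").upper().split()) & TUNNELLED:
        if not any(opts.get(k) for k in TRUST_ANCHORS):
            # No CA: the client accepts any certificate offered for this SSID.
            findings.add("no-server-cert-validation")
        elif not any(opts.get(k) for k in NAME_CHECKS):
            # CA (or public bundle) set, but any name issued under it passes.
            findings.add("ca-without-name-match")
        if "AUTH=PAP" in opts.get("phase2", "").upper():
            # PAP hands the cleartext password to whoever ends the tunnel.
            findings.add("cleartext-inner-auth")
    ciphers = f'{opts.get("pairwise", "")} {opts.get("group", "")}'.upper().split()
    if "TKIP" in ciphers or opts.get("proto", "").upper().split() == ["WPA"]:
        findings.add("legacy-tkip-or-wpa1")
    return sorted(findings)

# Entries from the question above (credentials omitted); an unterminated
# section, as posted there, is tolerated by the parser.
QUESTION_PROFILE = """\
WPAConfigSection=(
'ssid="nyu"'
'key_mgmt=WPA-EAP'
'eap=PEAP'
'proto=WPA2'
'phase2="auth=PAP"' #maybe MSCHAPv2
'ca_cert="/usr/share/ca-certificates/trust-source/mozilla.trust.crt"'
"""
# Constructed samples: no CA plus TKIP, then a hypothetical pinned setup.
NO_CA_PROFILE = """\
WPAConfigSection=(
'key_mgmt=WPA-EAP'
'eap=PEAP'
'phase2="auth=MSCHAPV2"'
'pairwise=TKIP'
)
"""
PINNED_PROFILE = """\
WPAConfigSection=(
'key_mgmt=WPA-EAP'
'eap=PEAP'
'phase2="auth=MSCHAPV2"'
'pairwise=CCMP'
'ca_cert="/etc/ssl/certs/example-radius-ca.pem"'
'domain_suffix_match="radius.example.org"'
)
"""

if __name__ == "__main__":
    for name in ("QUESTION_PROFILE", "NO_CA_PROFILE", "PINNED_PROFILE"):
        print(name, audit_profile(globals()[name]))
```
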

Similar Messages

  • Cisco 1140AP using WPA2-enterprise with radius

    All,
    I am trying to configure an 1140 AP to use WPA2-enterprise & radius. Ultimately I want to be able to connect to the SSID using my active directory credentials. I would like the AP to send authentication requests to our Network Policy Server. Here is a copy of the config; any help is appreciated.
    version 12.4
    no service pad
    aaa new-model
    aaa group server radius rad_eap
    server 172.16.16.101 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa group server radius rad_eap1
    aaa authentication login myLogin local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication dot1x rad_eap group radius
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid ITWireless
       authentication open eap rad_eap
       authentication key-management wpa version 2
       guest-mode
    username admin password 7 XXXXXXXXXXXXXXXXXXXXX
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    ssid ITWireless
    antenna gain 0
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    ssid ITWireless
    interface BVI1
    ip address 172.16.42.21 255.255.0.0
    no ip route-cache
    ip default-gateway 172.16.16.198
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 172.16.16.101 auth-port 1812 acct-port 1813 key 7 1427321938572903
    radius-server vsa send accounting
    bridge 1 route ip

    I did see those screenshots however that settings screen comes from selecting the Configure button next to the Authentication Method in the User Authentication section under Users.  In each of your screenshots, the RADIUS Server ID number is 1 so I would also ensure that I've configured RADIUS Server ID 1 which can only be configured by going to Users -> RADIUS Servers.
    All that said, I did see that your tests succeeded and I also don't understand the point of having RADIUS settings on the other screens and then having RADIUS ID info.  My thinking is that you would be able to configure RADIUS once in the Users -> RADIUS Servers screen and then select the RADIUS Server ID in all the remaining screens without having to enter the RADIUS info over and over again.  I would also think that you could skip the Users -> RADIUS Server screen and enter the RADIUS information over and over again and it should work...just like you set it up originally.  However, based on past experience of programmatic errors, I would recommend configuring the RADIUS Server ID 1 under Users -> RADIUS Servers if you haven't already...just in case.
    Shawn Eftink
    CCNA/CCDA
    Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

  • Unable To Authenticate to WPA2-Enterprise With NetworkManager

    I have tried using multiple wireless adapters (including a fully supported USB ralink wireless-N stick) but cannot connect to a WPA-2 Enterprise network with Tunneled PEAP. I am certain that the connection parameters are correct since they work fine with Windows and OSX.
    Whenever I try to connect, I simply get the wifi-password screen over and over. Connecting to WPA2-Personal and unprotected networks works perfectly.
    Any ideas?

    Yup, NetworkManager is the culprit. Quite annoying...
    Does anyone know of a way to disable it for wifi so I can use something else?

  • [solved] eduroam with netctl?

    Hello, I'm trying to install arch on my school laptop. (I installed linux (not arch) before: it ain't a problem.)
    Here they use a network called Airborne. It has wpa2-enterprise security.
    (Here is a picture of the network configuration in windows)
    To install netctl I just placed the netctl and openresolv packages in my windows partition and installed them with pacman -U during installation.
    My question is: how can I connect to wpa2-enterprise with netctl?
    Last edited by mid-kid (2013-06-21 13:27:14)

    I found setting it up with wpa_supplicant too complicated.
    I used archiso on my other pc to make an iso including wicd and this config: https://wiki.archlinux.org/index.php/Wi … _with_wicd
    Thanks for the help anyway!
    EDIT: It looks like somebody made it work with netctl: https://wiki.archlinux.org/index.php/Netctl#Eduroam
    I haven't tried it though.
    Last edited by mid-kid (2013-06-21 13:26:06)

  • Spontaneous disconnects from a WPA2 Enterprise network with iwlwifi

    The wireless network at my work uses WPA2-Enterprise with PEAP authentication and MSCHAPv2 inner authentication.  Given this, cacert.org.crt, and the username and password, I am sometimes able to connect.  However, I am often spontaneously disconnected.  Sometimes this happens seconds after I connect, sometimes, I stay connected for hours.  I use network manager to connect within gnome-shell.
    The following describes my wireless card.
    $ lspci | grep Net
    07:00.0 Network controller: Intel Corporation Centrino Advanced-N 6235 (rev 24)
    The NetworkManager log is not much help...
    May 09 10:10:24 ocelot NetworkManager[299]: <info> (wlan0): supplicant interface state: scanning -> disconnected
    May 09 10:10:24 ocelot NetworkManager[299]: <info> (wlan0): supplicant interface state: disconnected -> scanning
    Last edited by astex (2013-05-09 14:27:44)

    I had the same problems with my Intel Centrino Advanced-N 6000 and the WPA2 Enterprise network at university. And now since my last update where the driver seemed to be updated when also netctl replaced netcfg I am completely unable to connect to the network. But with my WPA2-PSK network I don't have any problems and my Notebook connects instantly.
    I'm using wicd but also tried NetworkManager, netctl and also manually using wpa_supplicant but it was the same problem.
    Also shutting down hardware encryption and 11n like mentioned in this topic:
    options iwlwifi swcrypto=1
    options iwlwifi 11n_disable=1
    I guess it must be a driver bug.

  • Certificate renewal with WPA2-Enterprise PEAP MS-CHAPv2

    Hello
    We have a wireless network which is secured with WPA2-Enterprise with PEAP and MS-CHAPv2. The Radius servers (Windows Server 2008r2 with the Radius Feature installed) currently use a public signed certificate. This is about to expire soon and will need to be renewed.
    The clients are non-managed and from all variety (OS, wifi-software, ...).
    The Wifi is 4400 controller based and managed with the new Prime Infrastructure 1.3.
    What is the best way to do the renewal with as little disturbance for the client as possible? The less manual interaction for the end user the better.
    Thanks
    Patrick                 

    Hello Patrick,
    As per your query i can suggest you the following steps-
    Since the root CA is the most critical CA in the hierarchy, you may prefer to have a strategy here that reduces the need to renew the root certificate often.
    The first consideration is choosing the key length of the root's public key and private key pair during setup of the root authority. By using a long key length, which is generally more secure against brute force attack than a shorter key length, you increase the length of time that the CA can use the same private key and have reasonable confidence that it has not been compromised. The second consideration is establishing the validity period of the root certificate itself. In general, you will want to create a root certificate that has a shorter validity period than the estimated lifetime of the key.
    For more information you can refer to the link-
    http://technet.microsoft.com/en-us/library/cc740209(v=ws.10).aspx
    Hope this will help you.

  • IOS 5 can't connect to WPA/WPA2 Enterprise Wireless Network

    After upgrading multiple iPhone 4 (CDMA versions) to IOS 5.0, I have not been able to get them to connect to our WPA/WPA2 Enterprise wireless network.  We use a Cisco Wireless LAN Controller.  The wireless network is capable of doing WPA or WPA2 Enterprise with PEAP.  These phones all connected to this network fine before the upgrade.
    When connecting to the network, it prompts me for the username and password and when I tap join it sits for about 10-15 seconds then says "Unable to join the network" with a Dismiss button.
    It connects to non-Enterprise networks just fine.  I have tested it on WPA Personal and WPA2 Personal networks and it has worked on several without issue.
    I have tried "forget this network" with no success.
    Is anyone else having this problem?  I know of at least three Verizon iPhone 4's that have this exact same problem.  I haven't seen one working with this configuration yet.

    I have the same problem:
    Cisco WLC's -> WPA2 Enterprise AES + EAP-PEAP 802.1x with CCKM
    Pre 5.0 - all worked fine
    Post 5.0 - it tries to connect and after few moments i get error - couldn't connect.
    Info from controller:
    10/17/2011 12:16:37 CEST           INFO           172.16.16.X           Sending EAP request to client from radius server. 6.f. ..l
    10/17/2011 12:16:38 CEST           ERROR           172.16.16.X           Retransmitting EAP-ID request to client,retransmission timer expired. 5.y. ..l
    10/17/2011 12:16:39 CEST           ERROR           172.16.16.X           Retransmitting EAP-ID request to client,retransmission timer expired. 5.y. ..l
    10/17/2011 12:16:40 CEST           ERROR           172.16.16.X           Authentication failed for client as EAP ID request from AP reached maxmium retransmissions. 5.yp ..l
    10/17/2011 12:16:40 CEST           ERROR           172.16.16.X           De-authentication sent to client. 5.oP ..l
    10/17/2011 12:16:40 CEST           ERROR           172.16.16.X           5.yp ..l
    10/17/2011 12:16:40 CEST           ERROR           172.16.16.X           EAPOL-key is invalid, scheduling client for deletion. 5.yp ..l
    On the Radius server i don't see any activity regarding this device.
    I had this network configured on my iPhone - after upgrade and restore it remembered it. Every time I was in vicinity of my Enterprise WLAN it tried to connect - resulting in express battery drain - 6-7 hrs and battery was empty from 100%

  • Wireless WPA2-Enterprise + 802.1x (EAP-PEAP/MSCHAPv2) config

    Hello,
    We're in the process of moving all of our wireless from WPA-PSK to WPA2-Enterprise with 802.1x EAP-MSCHAPv2 (PEAP). All workstations are Windows 7 with the 2SP3 IR2 client. What we'd like is for the 802.1x SSO functionality to work so users do not have to sign in computer only first and then use the novell login after connecting. I've followed the documentation for enabling 802.1x that Novell provides with no success. I'm hoping someone has done this or can point me in the direction of documentation that can use to better understand what configuration is needed to make this work.

    Originally Posted by djaquays
    I haven't had a chance to play with this yet on IR8, but I'd be curious of your steps to get this working.
    I'm not sure why FreeRadius would make any difference vs ClearPass.. they both speak RADIUS.
    This is the only documentation I can find from Novell: https://www.novell.com/documentation...a/b8jn9w6.html
    It's a couple of years since I did this so my memory is a bit vague... :(
    Did you install the peap plugin on the workstation, if I remember correctly this was needed?
    http://support.arubanetworks.com/TOO...4/Default.aspx
    Thomas

  • WPA2-Enterprise TLS not working in iOS 5

    We have over 200 iPhone on our Corporate Wi-Fi network. We started having calls from our users saying that their Wi-Fi is not working anymore since they upgraded to iOS 5. It was working fine with previous version of iOS. We are using WPA2-Enterprise with TLS authentication. We were able to reproduce the issue. With my iPad, I'm not able anymore to connect to our corporate wi-fi on both vendor we use (Cisco and Motorola). The SSID was hidden, we tried to broadcast it with no change. The only thing both vendor are sharing is the TLS authentication for the WPA2 auth. Can anyone help us ?

    I had to:
    1) connect the Ipad with a cable and enable "synch via wi-fi" option.
    2) eject the ipad
    3) restart the MAC
    attempt synch --- FAILED
    after looking at my set-up the MAC (or PC) must be connected to the same wireless connection. My router has dual band capability. one connection is 2.4 ghz with one name, and 5 ghz with another name. Even though ALL the computers have same workgroup name, wi-fi synch would not work unless they were all on the same wireless connection (same ssID). go figure. once my mac was connected to the 2.4 Ghz SSID, wi-fi sync worked fine.

  • Want to configure wpa2 enterprise in wlc 2106

    Hi,
    I want to configure the wlc 2106 with wpa2 enterprise .... I reckon that I need ACS server ( Radius Server ) with server certificate as well client certificate.
    how do I configure the radius server to get access through wpa2 enterprise .. If I am wrong , what are all things required to enable wpa2 enterprise with AES encryption .
    Is it possible to get the evaluation copy of acs server with certificate ?
    how to go ahead for the same .
    It would be great help me to get the proper answer  for configuration of wpa2 enterprise with AES ...

    The below link may help you..
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008095382f.shtml
    Regards
    Surendra

  • Airport Express bridge mode over WPA2 Enterprise?

    I have an Airport Extreme running WPA2 Enterprise with RADIUS on a Snow Leopard Server. Is it possible to have the Express join the WPA2 Enterprise network as an ethernet bridge? I can't seem to set it up. Something tells me this only works with WPA2 Personal?

    When you set up the APExtreme through Server Admin, it takes care of all the secret passwords and what-have-you. I did some digging on Apple's site, and it looks like the APExpress can only act as a bridge on WPA2 Personal networks and below. No worries; I am just temporarily running an engineer's SIP phone over wireless, so I brought an old Buffalo router I had kicking around at home into the office; set it up as a WPA2 Personal access point, and have him running off of that with the APExpress as the bridge. This is just a stopgap until I can get him a proper ethernet drop. Thanks for the help regardless.

  • IOS 5 WPA2 Enterprise WiFi Connectivity Issue

    In IOS 4 I was able to connect easy to my company Enterprise network using WPA2 Enterprise (With Domain username and password). While initial Wifi setup in IOS 4 it used to ask me for accepting a certificate. After upgrading I noticed that it does not ask for certificate anymore but still connects on first attempt. After turning wifi off and on Wifi does not connect automatically instead if I check that network it asks me to enter password and join (my company network does not use preshared key instead use Domain credentials).
    After googling I found out that from iOS 5 onward MD-5 signed certificates are no more supported. My network administrator is not interested in changing the signing method of certificate.
    Can any one please help me for fixing this issue?

    Hi Attiq 123,
    Thanks for the question. It sounds like you are experiencing issues with your network connection, specifically when connecting to Apple services like iCloud and the iTunes Store. The following resource provides some troubleshooting steps that you can try:
    Can't connect to the iTunes Store - Apple Support
    http://support.apple.com/en-us/HT201400
    You may also need to test to see if the specific ports on your Wi-Fi network are accessible:
    iTunes: Advanced iTunes Store troubleshooting - Apple Support
    http://support.apple.com/en-us/TS3297
    Make sure the issue is with the iTunes Store only. (You need an Internet connection to access the iTunes Store).
    Open a secure website to test if you are online as is necessary for the iTunes Store. This also tests if the main ports 80 and 443 are accessible. If the website works but the iTunes Store does not, it is most likely a firewall blocking the iTunes software or servers. If this is the case, follow the steps in the "Blocked by software firewall" section below.
    - Matt M.

  • Cannot connect to WIFI with WPA2 enterprise security

    I'm currently trying to switch my Wifi from WPA2 Personal to WPA2 Enterprise using a dd-wrt flashed TP-Link router and a Synology Diskstation as the RADIUS server. The diskstation also creates the CA certificate which I can download from there for all client devices.
    Configuration on the side of the router appears to be fine, I've entered all the details for RADIUS authentication and left "WPA Algorithms" at its default setting "TKIP", other options being ("AES" and "TKIP+AES"). I said it appears to be fine because my Android phone connection is established successfully using the following (default) parameters:
    EAP method: PEAP
    Phase 2 Auth: NONE (also works with MSCHAPV2, and probably other options)
    CA cert: unspecified (didn't download it to smartphone, must be fetched automatically from router I guess)
    User cert: unspecified
    Identity: myDiskstationUsername
    Anonymous Identity: (blank)
    Password: myDiskstationPassword
    So far, so good... I still cannot manage to get a connection from my laptop running Arch. Preferred method would be via "wicd". The best match seems to be the following configuration profile:
    name = PEAP with TKIP/MSCHAPV2
    author = Fralaltro
    version = 1
    require identity *Identity password *Password
    optional ca_cert *Path_to_CA_Cert
    protected password *Password
    ctrl_interface=/var/run/wpa_supplicant
    network={
    ssid="$_ESSID"
    scan_ssid=$_SCAN
    proto=WPA
    key_mgmt=WPA-EAP
    pairwise=TKIP
    group=TKIP
    eap=PEAP
    identity="$_IDENTITY"
    password="$_PASSWORD"
    ca_cert="$_CA_CERT"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    }
    But it's not working, both with and without specifying the optional path to the CA certificate. Any ideas what I could've been missing or any clues for debugging?
    Last edited by saciel (2013-11-07 09:55:16)

    Why don't you use netctl?
    I'm using netctl to connect to my FreeRadius Server, and I use this config...
    Description='A wireless connection using a custom network block configuration'
    Interface=wlp0s29f7u3
    Connection=wireless
    Security=wpa-configsection
    IP=static
    Address='192.168.1.200/24'
    Gateway='192.168.1.1'
    DNS=('192.168.1.1')
    WPAConfigSection=(
    'ssid="SSID"'
    'key_mgmt=WPA-EAP'
    'eap=PEAP'
    'phase2="auth=MSCHAPV2"'
    'group=CCMP'
    'pairwise=CCMP'
    'identity="user"'
    'password="password"'
    'priority=1'
    )

  • Problem wireless connection with WPA2 Enterprise

    Hello,
    I am experiencing an annoying problem while trying to connect at the wireless network at the University, adopting WPA2 Enterprise. After some days of frustration I decided to post a help message here, I hope it's the right section (my problem could be kernel related...). Basically I can't connect to the network, no matter how many times i may try. Other operating systems do not give me the same problem, I can connect without issues thus my card is working properly.
    Summarizing:
    - My card is a BCM4313 (Broadcom), natively supported within the kernel by the module brcmsmac.
    - I tried the module wl as well, with no result.
    - I tried both Arch standard kernel and the LTS one.
    - I am Gnome user, hence I use NetworkManager (never had a problem in the last 2 years at least...)
    - I tried Wicd as well (in the past it was working when NM was failing), with no result.
    - Both MS Windows, Ubuntu and Linux Mint (driver brcmsmac) allow me to connect to the network.
    - The problem occurs only in case of WPA2 Enterprise, unfortunately this is a "parameter" I cannot change...
    What follows is a portion of NM log file, where I isolated the part related to one connection attempt.
    NetworkManager[305]: <info> (eth1): device state change: prepare -> config (reason 'none') [40 50 0]
    NetworkManager[305]: <info> Activation (eth1/wireless): access point 'MY_SSID' has security, but secrets are required
    NetworkManager[305]: <info> (eth1): device state change: config -> need-auth (reason 'none') [50 60 0]
    NetworkManager[305]: <info> Activation (eth1) Stage 2 of 5 (Device Configure) complete.
    NetworkManager[305]: <info> Activation (eth1) Stage 1 of 5 (Device Prepare) scheduled...
    NetworkManager[305]: <info> Activation (eth1) Stage 1 of 5 (Device Prepare) started...
    NetworkManager[305]: <info> (eth1): device state change: need-auth -> prepare (reason 'none') [60 40 0]
    NetworkManager[305]: <info> Activation (eth1) Stage 2 of 5 (Device Configure) scheduled...
    NetworkManager[305]: <info> Activation (eth1) Stage 1 of 5 (Device Prepare) complete.
    NetworkManager[305]: <info> Activation (eth1) Stage 2 of 5 (Device Configure) starting...
    NetworkManager[305]: <info> (eth1): device state change: prepare -> config (reason 'none') [40 50 0]
    NetworkManager[305]: <info> Activation (eth1/wireless): connection 'MY_SSID' has security, and secrets exist. No new secret [I can't read after this but it's not relevant...]
    NetworkManager[305]: <info> Config: added 'ssid' value 'MY_SSID'
    NetworkManager[305]: <info> Config: added 'scan_ssid' value '1'
    NetworkManager[305]: <info> Config: added 'key_mgmt' value 'WPA-EAP'
    NetworkManager[305]: <info> Config: added 'password' value '<omitted>'
    NetworkManager[305]: <info> Config: added 'eap' value 'PEAP'
    NetworkManager[305]: <info> Config: added 'fragment_size' value '1300'
    NetworkManager[305]: <info> Config: added 'phase2' value 'auth=MSCHAPV2'
    NetworkManager[305]: <info> Config: added 'ca_path' value '/etc/ssl/certs'
    NetworkManager[305]: <info> Config: added 'ca_path2' value '/etc/ssl/certs'
    NetworkManager[305]: <info> Config: added 'identity' value 'username'
    NetworkManager[305]: <info> Config: added 'bgscan' value 'simple:30:-45:300'
    NetworkManager[305]: <info> Config: added 'proactive_key_caching' value '1'
    NetworkManager[305]: <info> Activation (eth1) Stage 2 of 5 (Device Configure) complete.
    NetworkManager[305]: <info> Config: set interface ap_scan to 1
    NetworkManager[305]: <info> (eth1): supplicant interface state: disconnected -> scanning
    NetworkManager[305]: <info> (eth1): supplicant interface state: scanning -> associating
    NetworkManager[305]: <info> (eth1): supplicant interface state: associating -> associated
    NetworkManager[305]: <warn> Connection disconnected (reason -3)
    NetworkManager[305]: <info> (eth1): supplicant interface state: associated -> disconnected
    NetworkManager[305]: <info> (eth1): supplicant interface state: disconnected -> scanning
    NetworkManager[305]: <info> (eth1): supplicant interface state: scanning -> associating
    NetworkManager[305]: <info> (eth1): supplicant interface state: associating -> associated
    NetworkManager[305]: <warn> Connection disconnected (reason -3)
    NetworkManager[305]: <info> (eth1): supplicant interface state: associated -> disconnected
    NetworkManager[305]: <info> (eth1): supplicant interface state: disconnected -> scanning
    NetworkManager[305]: <warn> Activation (eth1/wireless): association took too long.
    NetworkManager[305]: <info> (eth1): device state change: config -> need-auth (reason 'none') [50 60 0]
    NetworkManager[305]: <warn> Activation (eth1/wireless): asking for new secrets
    NetworkManager[305]: <warn> Couldn't disconnect supplicant interface: This interface is not connected.
    NetworkManager[305]: <warn> Couldn't disconnect supplicant interface: This interface is not connected.
    NetworkManager[305]: <info> (eth1): supplicant interface state: scanning -> inactive
    NetworkManager[305]: <info> (eth1): disconnecting for new activation request.
    NetworkManager[305]: <info> (eth1): device state change: need-auth -> disconnected (reason 'none') [60 30 0]
    NetworkManager[305]: <info> (eth1): deactivating device (reason 'none') [0]
    As I said before, it may be a kernel related problem, but it seems very strange since I would expect a higher number of users experiencing some troubles.
    As a final note, I've been Arch-dependent since 4 years already and I love it. I can't really imagine to change distribution just for this...but I am stuck at present and I need to work with the laptop, so any help is really appreciated. 
    Thank you
    Last edited by Demind (2013-05-30 12:38:40)

    cfr wrote: Try to connect manually and post the output you get.
    I did what you suggested and I could connect to the network, ergo it was a NetworkManager problem.
    I am migrating to netctl, and I will test it at the university in the next days. I hope it will work.
    Thanks for the hint, I should have done this test in the first place...:(

  • WPA2 enterprise, Can not authenticate with ACS

    Hi, I am setting up WPA2 enterprise for wireless users with PEAP authentication, but can not get authentication server to authenticate them, and failed reason is generic "EAP-TLS or PEAP authentication failed during SSL handshake"
    The AP I am using is 1240AG running 12.3(8)JA, Radius server is ACS 4.0, I don't have any problem to get dot1x with PEAP authentication working for wired access, and I have almost identical client side configuration for wired and wireless user.
    From ACS's point of view, it should not be aware of any difference between wired and wireless user, but ACS log shows otherwise:
    1) AP is connected to a cat4k switch, I suppose AP should be the authenticator for wireless users, but ACS "failed attempts" log for attempted wireless user shows that the NAS IP is cat4k instead of AP, why?
    2)I am using the same laptop for both wireless/wired testing, ACS "failed attempts" log shows that for wired user, it correctly interpreted cached domain\login name, but for failed wireless user, the user-name field is totally different, yet debug on AP clearly shows that correct domain\login has been received by AP.
    Debug output on AP is attached, hope experts here can quickly identify the problem.

    Got it working by adding radius server configuration under GUI generated configuration:
    aaa group server radius your-AAA-group-name
    server your-radius-server#1-IPaddress auth-port 1645 acct-port 1646
