Cannot connect to work's WPA2 Enterprise PEAP network on Linux but works on Android
I'm looking for help trying to connect to my work's wifi. I'm currently on Kubuntu 18.04, but also tried it on stock 18.04. I cannot connect to my work's WPA2 enterprise wifi on my laptop but my android phone works just fine. The android settings are EAP method PEAP, Phase 2 authentication MSCHAPV2. It's a personal unlocked Moto G5S plus and there is no CA certificate supplied. It just connects. The CA cert is on "do not authenticate".
I've tried using every permutation of the Network Manager settings incl. setting Version 0 and 1 and even trying to add a domain prefix (though I do not need to add a domain for the android user name)
Here's what I've done so far additionally. I've disabled network-manager and have been using `wpa_supplicant` as root for testing various configurations in the `/etc/wpa_supplicant.conf` file. I can connect to my home wifi just fine using this method so the card and driver work.
When I scan my work's wifi using:
```
ip link set wlp3s0 up
iw wlp3s0 scan
```
I get the following output:
```
ERP: <no flags>
RSN:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
         * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
WPA:     * Version 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
         * Authentication suites: IEEE 802.1X
```
So I've tried a number of different configuration parameters to try to get it to work. Here is my `/etc/wpa_supplicant.conf` file
```
network={
    ssid="MYWORK"
    scan_ssid=1
    proto=RSN #Have also tried WPA here, as well as leaving blank
    key_mgmt=WPA-EAP #Have also tried IEEE8021X here as well as leaving blank
    pairwise=CCMP #when trying proto=WPA, changed this to TKIP, have also left blank before
    group=TKIP #have tried leaving blank
    eap=PEAP #have tried leaving blank
    phase1="peaplabel=auto tls_disable_tlsv1_2=1" #tried this after reading another article on this site where some people's work's wifis were not tls 1.2. Neither blank nor disabled works.
    phase2="autheap=MSCHAPV2" #have tried leaving this out
    identity="MYID"
    password="MYPASSWORD"
}
```
I've tried a number of combinations of the above to no avail. Here is the output from `wpa_supplicant -Dnl80211 -i wlp3s0 -c /etc/wpa_supplicant.conf` when I tried first with `key_mgmt=WPA-EAP`:
```
Successfully initialized wpa_supplicant
wlp3s0: SME: Trying to authenticate with XX:XX:XX:XX:XX:XX (SSID='MYWORK' freq=2462 MHz)
wlp3s0: Trying to associate with XX:XX:XX:XX:XX:XX (SSID='MYWORK' freq=2462 MHz)
wlp3s0: Associated with XX:XX:XX:XX:XX:XX
wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp3s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlp3s0: CTRL-EVENT-DISCONNECTED bssid=00:0b:86:0a:b8:c1 reason=3
wlp3s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="MWORK" auth_failures=1 duration=10 reason=AUTH_FAILED
nl80211: deinit ifname=p2p-dev-wlp3s0 disabled_11b_rates=0
p2p-dev-wlp3s0: CTRL-EVENT-TERMINATING
nl80211: deinit ifname=wlp3s0 disabled_11b_rates=0
wlp3s0: CTRL-EVENT-TERMINATING
```
When trying with `key_mgmt=IEEE8021X` the output is a little different:
```
Successfully initialized wpa_supplicant
wlp3s0: SME: Trying to authenticate with XX:XX:XX:XX:XX:XX (SSID='MYWORK' freq=2462 MHz)
wlp3s0: Trying to associate with XX:XX:XX:XX:XX:XX (SSID='MWORK' freq=2462 MHz)
wlp3s0: CTRL-EVENT-ASSOC-REJECT bssid=XX:XX:XX:XX:XX:XX status_code=10
wlp3s0: SME: Deauth request to the driver failed
```
I have also tried using the `-Dwext` driver but didn't work either.
Any ideas what I'm missing or things I should try? Is there a compatibility mode that both Windows and Android are using that Linux isn't by default? I was not given any certificates nor do I need to specify them on either Windows or Android for it to connect. I appreciate any help/ideas!
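The checks a reviewer would run over the `network={}` block in the post above, as an added example that is not part of the thread and not wpa_supplicant's own code. It flags a PEAP block with no `ca_cert` or server-name match (the RADIUS server is then not verified, so the MSCHAPv2 exchange can go to any access point answering for the SSID), the `autheap=` prefix that wpa_supplicant's sample configuration documents for EAP-TTLS where PEAP uses `auth=`, disabled TLS 1.2, and `key_mgmt=IEEE8021X` on a WPA/RSN network. Function names and finding codes are assumptions of this example, and the sample block is constructed from the post.

```python
import re

# Constructed sample: the post's network block, cut down to the fields checked here.
SAMPLE_CONF = '''
network={
    ssid="MYWORK"
    proto=RSN
    key_mgmt=WPA-EAP
    eap=PEAP
    phase1="peaplabel=auto tls_disable_tlsv1_2=1"  # TLS 1.2 turned off
    phase2="autheap=MSCHAPV2"
}
'''

def parse_network_block(text):
    """Return {key: value} for the first network={...} block in text."""
    fields, inside = {}, False
    for raw in text.splitlines():
        # Drop a trailing '#' comment unless the '#' sits inside double quotes.
        line = re.sub(r'("[^"]*")|#.*', lambda m: m.group(1) or "", raw).strip()
        if line.startswith("network={"):
            inside = True
        elif inside and line == "}":
            break
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    return fields

def audit_peap(fields):
    """Return finding codes (names are this example's own) for a PEAP block."""
    findings = []
    if fields.get("eap", "").upper() != "PEAP":
        return findings
    if not (fields.get("ca_cert") or fields.get("ca_path")):
        findings.append("NO_SERVER_CERT_CHECK")   # server certificate is not verified
    if not (fields.get("domain_suffix_match") or fields.get("domain_match")):
        findings.append("NO_SERVER_NAME_CHECK")   # server name in the cert is not pinned
    if "autheap=" in fields.get("phase2", ""):
        findings.append("PHASE2_TTLS_PREFIX")     # documented PEAP form is auth=...
    if "tls_disable_tlsv1_2=1" in fields.get("phase1", ""):
        findings.append("TLS12_DISABLED")
    if fields.get("key_mgmt") == "IEEE8021X" and fields.get("proto") in ("RSN", "WPA", "WPA2"):
        findings.append("KEY_MGMT_NOT_WPA")       # IEEE8021X is the non-WPA 802.1X mode
    return findings

if __name__ == "__main__":
    print(audit_peap(parse_network_block(SAMPLE_CONF)))
```

A block comes back clean once it carries `ca_cert` (or `ca_path`), a `domain_suffix_match` for the authentication server's name, and `phase2="auth=MSCHAPV2"`; the CA file and server name have to come from the network's administrator.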
i think ubuntu has a desktop tool for getting wifi to work and it works automatically for some people.
so before talking about a jungle of config file language parsing. why isn't the simple desktop "connected / not connected" wifi widget being used?
-----------------------
kubuntu isn't an android. they don't run the same OS. do you mean google android? if you run google OS then maybe you expect it works as well as your android in that aspect. but really: android OS isn't like google OS for pc i don't think. i think it's possible to run android OS on a pc (and you get a android desktop) that is crippled (no phone, perhaps minimal disk support). i believe i read about doing that once but ran out of disk space on the git.
------------------------
basically, you're hitting the wall of what it will do WITHOUT a lot of manpage reading and DiY. i've done it on freebsd (i had to create the connect scripts by hand, used the handbook which said how, it worked. i only did it because at the time it was my only phy)
if you want a desktop icon that does these things automatically without effort you're using the wrong system
next version bump your scripts may no longer work and be broken (or lost during upgrade?) you'll be back having to figure out why your exotic additions aren't working again, and again. if there's one thing you can rely on is these people never leave anything that works working: it will be hacked and your side will stop working and need re-configuration
so: add exotic stuff only occasionally. use it for what it excels at. avoid trying to use it as an all in one solution. use an apple or win0 or android when you expect things to just work.
you're talking about the difference between "just you making it work" and a large team at google making things easy to use for end users and kubuntu. fact is they'd rather it be a b**tch so that their competitors cannot easily follow their act, if i have to guess.
-----------------------
i had a hard time getting simple wifi to work on freebsd (or was it linux?) even though the overall job was simple and short: my problem was parsing syntax. and that's something they keep changing. i can say there's maybe 100 posts out there having the same issue: they put in the password but the syntax is so strict they didn't notice they hadn't done it exactly the same
and there you go. check your syntax backward and forwards. work from an example file someone has posted online they said works. it will work.
Last edited by X-LFS-2010; 08-07-2018 at 11:19 PM.
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524
Are you using a password to log in? Does the wap show up in network-manager? Have you informed the sysadmin of the problem? Did you list the interface in /etc/network/interfaces? Try this: https://wiki.debian.org/WiFi/HowToUse
Thank you for the replies. I tried installing wicd, and after stopping the network-manager service and starting the wicd service I ran the wicd-gtk gui.
I found my network. WICD does not oddly have any option for certificates but I selected the WPA2-PEAP and tried both domain and (no domain) options. Both failed to connect. In the terminal stderr report I saw this line (my network name is redacted)
```
ERROR:dbus.connection:Exception in handler for D-Bus signal:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/dbus/connection.py", line 230, in maybe_handle_message
    self._handler(*args, **kwargs)
  File "/usr/share/wicd/gtk/gui.py", line 287, in handle_connection_results
    error(self.window, language[results], block=False)
KeyError: dbus.String(u'bad_pass')
```
It's clearly thinking what I'm supplying as a bad password, but it's the password that works in windows and on google/android. It must be something to do with the *way* that the password is being sent or its encryption, but for the life of me I can't figure out what setting I'm supposed to change. I tried WPA1 as well with the same KeyError:bad_pass result.
AwesomeMachine:
Sysadmin simply replied "linux is not supported and we cannot offer any assistance" but they didn't say they were blocking it in any way. Nor would they really be able to detect the OS either, would they? I can definitely see the network and detect signal strength etc. I can even get the information about the network as above. I can show you the results of
```
nmcli -a connection show <MY WORK NETWORK>
```
and show you the output if that would help? When I try connecting from the command line it loads up a box where I have to put my username and password.
```
Username (802-1x.identity): MYUSERNAME
Passwords or encryption keys are required to access the wireless network 'MYWORKNETWORK'.
Password (802-1x.password):
Error: Timeout expired (90 seconds)
```
Is it possible that the 802-1x setting is the issue? Should it be something else? Is there a way of setting this differently?
... The lines commented out (#) were not required for my corporate setup. If you haven't tried it yet, try specifying AES for the "group" parameter - more often used in corp environments than TKIP, in my recent experience.
Hi Rick, thanks for the suggestions. I did try many of those combinations by editing the wpa_supplicant.conf settings as detailed in the .conf I posted in the original and definitely tried your combination (including the group settings). Just to make sure though I just tried again by editing the connection file in `/etc/NetworkManager/system-connections` to specify those and it still didn't connect, rejecting the password...sigh...this unfortunately is making my laptop unusable at work since I need to be able to connect to the wifi.
Really appreciate the help though. I've read other people's problems that seem similar to this but their fix doesn't seem to work (changing the tls version or editing out a line that no longer exists in the .conf file and is no longer in the modern config). I wonder what my work is doing differently. There must be a setting. If google/android can connect using the wpa_supplicant without a cert it must be possible on linux using the same! Argh....
Location: Montreal, Quebec and Dartmouth, Nova Scotia CANADA
Distribution: Arch, AntiX, ArtiX
Posts: 1,364
Quote:
Originally Posted by mr.v.
Hi Rick, thanks for the suggestions. ... Argh....
Hey again mr.v.,
Are both the Android device and the linux box personal devices or is either or both the property of your employer? I'm asking because my employer maintains 3 different WiFi networks:
1st one: available to employees using a personal device. This uses the employee's corporate network credentials to login and permits limited access thereafter to certain corporate resources. I've connected to this with a variety of different devices and OSes.
2nd one: available to *anybody* using any type of device. Only permits logged-in device to access the Internet, not anything on the corporate network.
3rd one: only available to employees using corporate-owned and controlled devices (laptops, mostly). This is basically an equivalent to the wired corporate network, allowing employees mobility (meeting rooms, etc, ...) while maintaining full access to all corporate resources.
So for example, if your phone was company issued but the linux box you're trying to use is your own, this may point toward a controlled-access scenario similar to one of the above.
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524
Try typing out your PW in a text editor, check if it looks right, and copy and paste it into the logon box. Compare how it looks in an editor on Android and Windows. You might be using the wrong keyboard. There are subtle differences that can cause this type of problem.