Issues with connecting to a WPA2-EAP network, with MSCHAPv2 and TTLS

Hi all,
I'm having an issue with connecting my FreeBSD laptop (with an Intel 7260 chipset) to my school's wifi. I have no issues using it with my home (WPA2) wifi, and I have had no issues with the school wifi on Linux. I'm connecting with wpa_supplicant and wpa_gui.
The laptop in particular is a Thinkpad X240 ;_;
Here is my /etc/var/messages:

Code:
Jul 31 14:23:06 freebook240 wpa_supplicant[339]: wlan0: Authentication with ac:a3:1e:d9:77:e0 timed out.
Jul 31 14:23:06 freebook240 wpa_supplicant[339]: wlan0: CTRL-EVENT-DISCONNECTED bssid=ac:a3:1e:d9:77:e0 reason=3 locally_generated=1
Jul 31 14:23:06 freebook240 wpa_supplicant[339]: wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=1 ssid="SchoolWifiSSID" auth_failures=1 duration=10 reason=AUTH_FAILED
Jul 31 14:23:06 freebook240 wpa_supplicant[339]: BSSID ac:a3:1e:d9:77:e0 ignore list count incremented to 2, ignoring for 10 seconds
Jul 31 14:23:06 freebook240 wpa_supplicant[339]: wlan0: CTRL-EVENT-DSCP-POLICY clear_all
Jul 31 14:23:06 freebook240 kernel: wlan0: link state changed to DOWN
Jul 31 14:23:15 freebook240 dhclient[1559]: send_packet: Network is down
Jul 31 14:23:16 freebook240 wpa_supplicant[339]: wlan0: CTRL-EVENT-SSID-REENABLED id=1 ssid="SchoolWifiSSID"
Jul 31 14:23:16 freebook240 wpa_supplicant[339]: wlan0: Trying to associate with ac:a3:1e:d9:77:e0 (SSID='SchoolWifiSSID' freq=2437 MHz)
Jul 31 14:23:23 freebook240 kernel: iwm0: PHY ctxt cmd error. ret=35
Jul 31 14:23:23 freebook240 kernel: iwm0: iwm_auth: failed update phy ctxt
Jul 31 14:23:23 freebook240 kernel: iwm0: iwm_newstate: could not move to auth state: 35
Jul 31 14:23:23 freebook240 dhclient[1559]: send_packet: Network is down
Jul 31 14:23:26 freebook240 wpa_supplicant[339]: wlan0: Authentication with ac:a3:1e:d9:77:e0 timed out.
Jul 31 14:23:26 freebook240 wpa_supplicant[339]: wlan0: CTRL-EVENT-DISCONNECTED bssid=ac:a3:1e:d9:77:e0 reason=3 locally_generated=1
Jul 31 14:23:26 freebook240 wpa_supplicant[339]: BSSID ac:a3:1e:d9:77:e0 ignore list count incremented to 2, ignoring for 10 seconds
Jul 31 14:23:26 freebook240 wpa_supplicant[339]: wlan0: CTRL-EVENT-DSCP-POLICY clear_all
Jul 31 14:23:32 freebook240 dhclient[1559]: send_packet: Network is down
Jul 31 14:23:32 freebook240 wpa_supplicant[339]: wlan0: Trying to associate with ac:a3:1e:d9:7a:20 (SSID='SchoolWifiSSID' freq=2412 MHz)
Jul 31 14:23:32 freebook240 wpa_supplicant[339]: wlan0: Associated with ac:a3:1e:d9:7a:20
Jul 31 14:23:32 freebook240 kernel: wlan0: link state changed to UP
Jul 31 14:23:32 freebook240 wpa_supplicant[339]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jul 31 14:23:32 freebook240 dhclient[1559]: send_packet: No buffer space available
Jul 31 14:23:32 freebook240 syslogd: last message repeated 1 times
Jul 31 14:23:32 freebook240 wpa_supplicant[339]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 -> NAK
Jul 31 14:23:32 freebook240 wpa_supplicant[339]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
Jul 31 14:23:32 freebook240 wpa_supplicant[339]: EAP-TTLS: Unsupported Phase2 type 'MSCHAPv2'
Jul 31 14:23:32 freebook240 wpa_supplicant[339]: wlan0: EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)
Jul 31 14:23:40 freebook240 dhclient[1559]: send_packet: No buffer space available
And I'll post my wpa_supplicant.conf when I get home.
Thanks in advance
-gond
 
Sorry it took so long, but here's my /etc/wpa_supplicant.conf entry for my school wifi. This was generated by wpa_gui and I made sure everything matched my known good Debian NetworkManager config.
Code:
network={
    ssid="School WiFi"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    auth_alg=OPEN
    eap=TTLS
    identity="$USERNAME"
    password="totally not just 1337"
    phase2="auth=MSCHAPv2"
    disabled=1
}
 
IIRC MSCHAPv2 still uses SHA-1 (edit: and MD4 hashed passwords...), which was deprecated a long time ago and also (finally...) was completely removed from default OpenSSL builds a while ago.
 
Ahh, thanks. That'd check out. If I were to recompile OpenSSL with SHA-1, do you think everything would just werk?
I'm a total n00b if you couldn't tell....
 
I'd rather use a modern and secure authentication protocol instead of that ancient, insecure mess...
Ask them if they support e.g. proper 802.1X or at least something like EAP-TTLS. Usually there's a RADIUS server involved, so there should be multiple methods available.
 
As much as I'd love to, I can't really ask them. They'd probably expel me for not using Windows.
Though, I wonder what makes it work on Debian (trixie), which I figure probably also uses a modern version of OpenSSL....
Are there any other alternatives? Or should I just give up?
 
Even Microsoft finally ditched MSCHAP in Windows 11 in favour of EAP-TLS; so they definitely need to offer alternative (secure) means of authentication.

Regarding Debian: they always have dragged along *LOTS* of ancient cruft; so they very likely build OpenSSL with all sorts of legacy options re-enabled (or even backported...). You could try if the build option "LEGACY" for security/openssl is enough to support those deprecated ciphers needed by MSCHAP, but I suspect you would have to enable a lot more insecure options to get it working...
 
Hmmm, well, a lot of the school laptops do actually run Windows 11. Do you reckon that means that they *do* offer EAP-TLS, with MSCHAP as a backup?
Otherwise, yeah, I figured Debian of all distros would try and keep as much legacy support in their packages as possible. I guess I'll just have to try and see if I can connect with EAP-TLS then....
 
… my /etc/wpa_supplicant.conf

This much is (more than) enough for eduroam:

Code:
network={
        ssid="eduroam"
        priority=5
        #+ any_bssid
        key_mgmt=WPA-EAP
        proto=RSN
        identity="⋯"
        password="⋯"
}

As you're in an ambiguous environment, trying something similar (with your true SSID) should do no harm.

… I can't really ask them. They'd probably expel me for not using windows. …

Joking aside, do encrypt the partition (or part of the file system) that's used for the file; and check the file's mode.

On at least one system (not the one shown below), I found it world-readable.

Code:
root@fourteen-pkgbase:~ # getfacl /etc/wpa_supplicant.conf
# file: /etc/wpa_supplicant.conf
# owner: root
# group: wheel
            owner@:rw-p--aARWcCos:-------:allow
            group@:------a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow
root@fourteen-pkgbase:~ # ls -hln /etc/wpa_supplicant.conf
-rw-------  1 0 0  149B Jul 13 20:12 /etc/wpa_supplicant.conf
root@fourteen-pkgbase:~ #
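Added example, not from any poster in this thread: a small POSIX sh script that does both of the checks that matter here on a wpa_supplicant.conf. It checks the file mode, as the post above suggests, since the file holds a plaintext password. It also walks every network block and reports any WPA-EAP block (like the TTLS/MSCHAPv2 block posted earlier, or the eduroam one, which leaves eap= unset) that has no ca_cert and no domain_match. Those two options are standard wpa_supplicant.conf settings; without them the client will finish the TTLS tunnel with any access point that presents any certificate, and MSCHAPv2 inside that tunnel then hands the rogue AP a challenge/response pair for the user's password that can be cracked offline. Pinning the RADIUS server's CA is the fix for that regardless of how the MD4/OpenSSL build question is resolved. The sample configuration the script writes, the CA path /usr/local/etc/ssl/school-radius-ca.pem, the realm school.example and the server name radius.school.example are constructed placeholders, not the school's real values.

```shell
#!/bin/sh
# Added example (not from anyone in this thread): audit a wpa_supplicant.conf
# for the two things that bite WPA2-Enterprise clients. First, the file mode
# (it holds a plaintext password). Second, that every EAP network block pins
# the RADIUS server's CA with ca_cert and names the server with domain_match;
# without both, a rogue AP with any certificate completes the TTLS tunnel and
# collects an MSCHAPv2 challenge/response for the password.
# Assumptions: POSIX sh, awk, ls, mktemp. Paths and realm below are made up.
# Usage: sh audit_wpa.sh /etc/wpa_supplicant.conf    or    sh audit_wpa.sh --sample

# Pass only if group and other have no permission bits at all (0600, 0400, ...).
check_mode() {
    perms=$(ls -ld "$1" | cut -c2-10)    # e.g. rw-------
    case "$perms" in
        ???------) return 0 ;;
        *) echo "$1: mode is $perms; a file holding a plaintext password should be 0600" >&2
           return 1 ;;
    esac
}

# Print one line per EAP network block; exit 1 if any block lacks CA pinning
# (ca_cert + domain_match) or leaves eap= unset (accepts whatever the server proposes).
audit_eap_blocks() {
    awk '
    BEGIN { bad = 0 }
    # Called at the closing brace of each network block; kv holds its key=value pairs.
    function report(   problems) {
        # Only 802.1X/EAP networks need a CA; skip PSK/SAE blocks.
        if (kv["key_mgmt"] !~ /WPA-EAP/ && kv["identity"] == "") return
        problems = ""
        if (kv["ca_cert"] == "" && kv["ca_path"] == "")
            problems = problems " no ca_cert (server certificate not validated)"
        if (kv["domain_match"] == "" && kv["domain_suffix_match"] == "" &&
            kv["altsubject_match"] == "" && kv["subject_match"] == "")
            problems = problems " no domain_match (any certificate from that CA accepted)"
        if (kv["eap"] == "")
            problems = problems " no eap= (client accepts whichever method the server proposes)"
        if (problems == "") print "ssid=" kv["ssid"] ": OK"
        else { print "ssid=" kv["ssid"] ":" problems; bad = 1 }
    }
    /^[ \t]*network[ \t]*=[ \t]*[{]/ { inblk = 1; split("", kv); next }
    inblk && /^[ \t]*[}]/            { inblk = 0; report(); next }
    inblk {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line ~ /^#/ || index(line, "=") == 0) next
        i = index(line, "=")                       # split on the first "=" only
        key = substr(line, 1, i - 1); val = substr(line, i + 1)
        gsub(/[ \t]/, "", key)
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val); gsub(/"/, "", val)
        kv[key] = val
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample: the TTLS/MSCHAPv2 block as posted (no server validation),
# followed by the same block with validation added. CA path and realm are placeholders.
write_sample_conf() {
    cat > "$1" <<'EOF'
# wpa_supplicant reads this file literally: no $VAR expansion happens.
network={
    ssid="School WiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="student@school.example"
    password="changeme"
    phase2="auth=MSCHAPv2"
}
network={
    ssid="School WiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    # outer (unencrypted) identity; the real username only travels inside the tunnel
    anonymous_identity="anonymous@school.example"
    identity="student@school.example"
    password="changeme"
    ca_cert="/usr/local/etc/ssl/school-radius-ca.pem"
    domain_match="radius.school.example"
    phase2="auth=MSCHAPv2"
}
EOF
    chmod 600 "$1"
}

# Run both checks on a file, or on the constructed sample with --sample.
main() {
    if [ "$1" = "--sample" ]; then
        f=$(mktemp); write_sample_conf "$f"
    else
        f=$1
    fi
    rc=0
    check_mode "$f" || rc=1
    audit_eap_blocks "$f" || rc=1
    if [ "$1" = "--sample" ]; then rm -f "$f"; fi
    return $rc
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run with `--sample` and the first block is reported as missing ca_cert and domain_match while the second comes back OK, so the script exits 1; the same happens for the eduroam block from the post above, which is additionally reported for leaving eap= unset. The awk parser splits on the first "=" only, so `phase2="auth=MSCHAPv2"` is read as one value rather than mangled.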
 
Hmmm, thanks for the config, but alas, no joy.
wpa_gui still gives me an EAP auth failed message, even after verifying the id and password with my known working config. Unfortunately, I dd'd over my freebsd install, so I don't have the full error message anymore, but who knows? maybe a fresh install will magically fix everything.....
 