WPA2 PEAP wifi authentication problem

retrosnob
Posts: 10
Joined: 2018-05-09 20:06

WPA2 PEAP wifi authentication problem

#1 Post by retrosnob »

I am new to Debian and I am having a lot of trouble connecting to my school's WPA2 PEAP MSCHAPV2 wifi network.

I feel like I have tried everything including

Network Manager
Wicd
Connman
wpa_supplicant on its own

I have tried disabling TLSv1.2, setting system-ca-certs=false and a whole variety of wpa_supplicant.conf settings.
Wireshark packets show that the failure is on the client hello.

I dual boot with Windows and Windows connects immediately, so it is not hardware.

I've already spent about 30 hours on this and I'm beginning to think it's a Debian problem because none of the solutions that have worked for other people have worked for me. Can anyone help me please?

Relevant information below with full wpa_supplicant debug information and Wireshark packets provided here https://docs.google.com/document/d/1Haw ... ReGW0LiKg/.

Hardware: Intel® Dual Band Wireless-AC 8265 4.6+ iwlwifi-8265-ucode-22

OS: Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)

Commands:

sudo wpa_supplicant -B -i wlp3s0 -c /etc/wpa_supplicant/wpa_supplicant.conf -Dnl80211 -f wpadebug.txt -dd
sudo wpa_cli -i wlp3s0 terminate


/etc/wpa_supplicant/wpa_supplicant.conf

ctrl_interface=/run/wpa_supplicant
network={
identity="[REDACTED]"
anonymous_identity="[REDACTED]"
password="[REDACTED]"
ssid="ISM_STAFF"
key_mgmt=WPA-EAP
eap=PEAP
phase1="peapver=0"
phase2="auth=MSCHAPV2"
}

dmesg output:

[ 2423.351616] wlp3s0: authenticate with 70:3a:0e:de:7e:92
[ 2423.359314] wlp3s0: send auth to 70:3a:0e:de:7e:92 (try 1/3)
[ 2423.364283] wlp3s0: authenticated
[ 2423.368540] wlp3s0: associate with 70:3a:0e:de:7e:92 (try 1/3)
[ 2423.369827] wlp3s0: RX AssocResp from 70:3a:0e:de:7e:92 (capab=0x11 status=0 aid=1)
[ 2423.372468] wlp3s0: associated
[ 2423.384314] wlp3s0: deauthenticated from 70:3a:0e:de:7e:92 (Reason: 3=DEAUTH_LEAVING)
[ 2442.901507] wlp3s0: authenticate with 70:3a:0e:de:7e:92
[ 2442.908841] wlp3s0: send auth to 70:3a:0e:de:7e:92 (try 1/3)
[ 2442.909632] wlp3s0: authenticated
[ 2442.912143] wlp3s0: associate with 70:3a:0e:de:7e:92 (try 1/3)
[ 2442.913332] wlp3s0: RX AssocResp from 70:3a:0e:de:7e:92 (capab=0x11 status=0 aid=1)
[ 2442.915699] wlp3s0: associated
[ 2442.927626] wlp3s0: deauthenticated from 70:3a:0e:de:7e:92 (Reason: 3=DEAUTH_LEAVING)

[EDIT]


/var/log/daemon.log

May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: SME: Trying to authenticate with 70:3a:0e:df:3a:b2 (SSID='ISM_STAFF' freq=5260 MHz)
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: Trying to associate with 70:3a:0e:df:3a:b2 (SSID='ISM_STAFF' freq=5260 MHz)
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: Associated with 70:3a:0e:df:3a:b2
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-DISCONNECTED bssid=70:3a:0e:df:3a:b2 reason=3
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="ISM_STAFF" auth_failures=1 duration=10 reason=AUTH_FAILED
May 17 09:08:56 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-SSID-REENABLED id=0 ssid="ISM_STAFF"
May 17 09:08:56 debian wpa_supplicant[489]: wlp3s0: SME: Trying to authenticate with 70:3a:0e:de:7e:92 (SSID='ISM_STAFF' freq=5500 MHz)
May 17 09:08:56 debian wpa_supplicant[489]: wlp3s0: Trying to associate with 70:3a:0e:de:7e:92 (SSID='ISM_STAFF' freq=5500 MHz)
May 17 09:08:56 debian wpa_supplicant[489]: wlp3s0: Associated with 70:3a:0e:de:7e:92
May 17 09:08:56 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 17 09:08:56 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 17 09:08:56 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 17 09:08:56 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
May 17 09:08:56 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-DISCONNECTED bssid=70:3a:0e:de:7e:92 reason=3
May 17 09:08:56 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="ISM_STAFF" auth_failures=2 duration=23 reason=AUTH_FAILED
Last edited by retrosnob on 2018-05-17 00:23, edited 1 time in total.

Bulkley
Posts: 6386
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: WPA2 PEAP wifi authentication problem

#2 Post by Bulkley »

Just in case you don't know, Network Manager and Wicd compete with each other so only one can be enabled. wpa-supplicant does the heavy lifting; all the GUIs are just for convenience. My favourite is wpagui.

It's very doubtful that it's a Debian problem as such. It's more likely to be a configuration issue. Internet working is all about numbers which are universal regardless of OS.

WiFi How To Use From the Debian Wiki.
In general...
ifconfig to enable your wireless device
iwlist to list available wireless access points
iwconfig to configure your wireless connection
dhclient to get an IP address via dhcp

something like the following for an unsecured network
ifconfig wlan0 up to be sure the interface is up
iwlist wlan0 scan to scan for networks
iwconfig wlan0 essid mynetwork to set the network you want
dhclient -v wlan0 to request network information
ping -c 2 208.67.222.222 to see if you have a connection
ping -c 2 opendns.org to see if you have a name resolution
From here. This is an old thread but well worth studying.

Setup wpa_gui and roaming on Debian I used this on a laptop and found it superior to the other GUIs. It takes a bit of getting used to.

retrosnob
Posts: 10
Joined: 2018-05-09 20:06

Re: WPA2 PEAP wifi authentication problem

#3 Post by retrosnob »

Thanks for this. I've already seen the Debian Wifi documentation. Neither Network Manager nor Wicd is installed any more so there can't be any conflicts. I've tried wpagui but unsurprisingly it just does exactly what wpa_supplicant does when I run it from the command line, i.e. it associates with the AP and then immediately disconnects and resumes scanning.

Like I said, I have spent a long time trying to fix this and tried every solution I've found. This isn't going to have a simple solution I'm afraid.

arzgi
Posts: 1194
Joined: 2008-02-21 17:03
Location: Finland
Been thanked: 31 times

Re: WPA2 PEAP wifi authentication problem

#4 Post by arzgi »

In my experience, keep wpa_supplicant.conf as short as you can, meaning add only those lines you absolutely need.

I had quite a similar situation when studying, but after graduating I had deleted my wpa_supplicant.conf for the school's network; I thought I would never need it anymore. :?

Dmesg shows just what you are describing: the connection dropped soon after authentication. Config issue, like Bulkley said.

wpa_supplicant has -dd option, which is good for debugging.

retrosnob
Posts: 10
Joined: 2018-05-09 20:06

Re: WPA2 PEAP wifi authentication problem

#5 Post by retrosnob »

Yes, you will notice that the details that I have given include the -dd debug output.

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: WPA2 PEAP wifi authentication problem

#6 Post by bw123 »

retrosnob wrote:Yes, you will notice that the details that I have given include the -dd debug output.
Can't get to googledocs link without javascript, why don't you just code box the errors? Maybe it will jog somebody into helping.
I have tried disabling TLSv1.2, setting system-ca-certs=false and a whole variety of wpa_supplicant.conf settings. Wireshark packets show that the failure is on the client hello.
Yeah, here again, where's the error msg? I agree that the best way is probably to start with a bare minimum wpa_supplicant.conf and only add what is necessary.
I've already spent about 30 hours on this
Well, I can't say I never spent a lot of hours on wpa_supplicant, but that is disappointing. Without notes, it's hard to say what you should do without repeating the whole trial and error again.

Actually, it doesn't look like an auth problem from the dmesg clip. It looks like a DEauth problem, but doesn't say how soon, and REASON=3 is never helpful. What about something in /var/log/daemon.log?
resigned by AI ChatGPT

retrosnob
Posts: 10
Joined: 2018-05-09 20:06

Re: WPA2 PEAP wifi authentication problem

#7 Post by retrosnob »

I appreciate your reply. There's not much more detail in the Google doc in fact unless you want to get into the hex of the network packets.

/var/log/daemon.log output now given in the original post.

This post looks very relevant, but I've tried this solution -> https://unix.stackexchange.com/question ... rprise-eap
I notice that in /usr/share/dbus-1/system-services I have

fi.epitest.hostap.WPASupplicant.service
fi.w1.wpa_supplicant1.service

Should I have both of these? Could this be something to do with it?

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: WPA2 PEAP wifi authentication problem

#8 Post by bw123 »


...
fi.epitest.hostap.WPASupplicant.service fi.w1.wpa_supplicant1.service
Should I have both of these? Could this be something to do with it?
Yes, both files are part of the wpa_supplicant pkg. No, I don't think it has anything to do with it.

...
There's not much more detail in the Google doc in fact unless you want to get into the hex of the network packets.
You said the googledocs link doesn't have anything but hex, but your first post says that is where your wpa_supplicant output is going, as a log when you use the -dd option (wpadebug.txt)? Or you could run it without -B and copy and paste the error that way.

People on here probably can't help you without the error msgs from the wpa_supplicant and just trying random setups and solutions from the internet isn't really a practical way to solve the problem.

paste.debian.net is a free service, for posting info, works without javascript. The board has code boxes, why use an external link for posting the relevant info? Just code box the errors.
resigned by AI ChatGPT

retrosnob
Posts: 10
Joined: 2018-05-09 20:06

Re: WPA2 PEAP wifi authentication problem

#9 Post by retrosnob »

Thanks for your persistence. I don't know what you mean by code boxes, but I've pasted the wpa_supplicant -dd output here: http://paste.debian.net/1025188/. It's not too long.

The relevant bit seems to be right at the bottom:

TDLS: TDLS operation supported by driver
TDLS: Driver uses external link setup
TDLS: Driver supports TDLS channel switching
wlp3s0: WPS: UUID based on MAC address: c873c0f2-be8c-540f-96a3-8033f16910c4
ENGINE: Loading dynamic engine
ENGINE: Loading dynamic engine
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
nl80211: Skip set_supp_port(unauthorized) while not associated
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
wlp3s0: Added interface wlp3s0
wlp3s0: State: DISCONNECTED -> DISCONNECTED
nl80211: Set wlp3s0 operstate 0->0 (DORMANT)

netlink: Operstate: ifindex=3 linkmode=-1 (no change), operstate=5 (IF_OPER_DORMANT)
nl80211: Create interface iftype 10 (P2P_DEVICE)
nl80211: New P2P Device interface p2p-dev-wlp3s0 (0x4) created
Initializing interface 'p2p-dev-wlp3s0' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'nl80211' ctrl_interface '/run/wpa_supplicant' bridge 'N/A'

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: WPA2 PEAP wifi authentication problem

#10 Post by bw123 »

retrosnob wrote:Thanks for your persistence. I don't know what you mean by code boxes, but I've pasted the wpa_supplicant -dd output here: http://paste.debian.net/1025188/. It's not too long.

The relevant bit seems to be right at the bottom:
<snip>
Yeah it is short. Just for kicks, I copied your .conf and used command
# wpa_supplicant -i wlan0 -c ./wpa.conf -Dnl80211 -d
substituting my own AP here. I get a similar output, but after the netlink: msg the device starts scanning, and continues to do so for a very long time. Listing all the nearby ssid it finds and discards, etc. There was quite a lot of output, even with one -d in the command.

I did notice a msg about "random: Got 20/20 bytes from /dev/random" and I know there were some problems with entropy lately on a kernel. I'm using this:

Linux 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux

I wish I could help, but if it's a driver problem or a kernel problem I can't tell. Maybe some others will post when they have time, I hope there's enough info for a solution.
resigned by AI ChatGPT

Bulkley
Posts: 6386
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: WPA2 PEAP wifi authentication problem

#11 Post by Bulkley »

You are not alone. Try plugging debian WPA2 PEAP MSCHAPV2 into a search engine. (I use Startpage) My first hit was this: How to connect to WPA2/PEAP/MSCHAPv2 enterprise wifi networks that don't use a CA_Certificate, like Eduroam

Check this bug report: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 enterprise wifi networks without CA_Certificate, like Eduroam

And this: Setting up connection to WPA2 Enterprise (PEAP/MSCHAPv2) with two-level certificate

You have probably seen some of this. However a lot of users are having this problem and some of them are finding solutions.

Do you have any live-USB Linux distros available? It might help to see if one of them can connect and then dig in to see how it is configured.

retrosnob
Posts: 10
Joined: 2018-05-09 20:06

Re: WPA2 PEAP wifi authentication problem

#12 Post by retrosnob »

Try plugging debian WPA2 PEAP MSCHAPV2 into a search engine.
That's a thought! :) I've seen all of these links of course. My situation is very like the Eduroam case. The best known solutions are setting system-ca-certs=false and disabling TLS v1.2, neither of which work for me. I haven't tried looking at another distro and that is a fair idea, although I don't really want to leave Debian. My other laptop -- Ubuntu -- connects fine with this network manager configuration. Needless to say I've tried it on Debian and it doesn't work.

[connection]
id=ISM_STAFF
uuid=a0e41a60-5d0d-494a-8ce4-1af07bf7b57d
type=wifi
permissions=user:fred:;
secondaries=
timestamp=1502162851

[wifi]
mac-address=78:0C:B8:A1:77:D7
mac-address-blacklist=
mac-address-randomization=0
mode=infrastructure
seen-bssids=D8:C7:C8:72:31:FA;04:BD:88:3E:5B:92;B4:5D:50:34:74:72;D8:C7:C8:2C:55:62;04:BD:88:A3:B4:92;D8:C7:C8:2C:55:0A;04:BD:88:3E:5D:52;70:3A:0E:DE:7F:C2;04:BD:88:3E:5D:D3;04:BD:88:3E:68:22;04:BD:88:3E:5D:92;04:BD:88:3E:69:02;B4:5D:50:31:BC:52;04:BD:88:3E:6A:F2;70:3A:0E:DE:7E:92;70:3A:0E:19:AD:B2;D8:C7:C8:2D:8C:B2;D8:C7:C8:2C:54:D2;70:3A:0E:DF:3A:B2;70:3A:0E:DF:3B:32;D8:C7:C8:2D:97:DA;70:3A:0E:19:6D:12;04:BD:88:3E:5D:42;70:3A:0E:DF:3A:D2;D8:C7:C8:2C:93:72;00:24:6C:5B:83:A3;04:BD:88:3E:5D:C3;B4:5D:50:31:C0:C2;04:BD:88:3E:5D:82;D8:C7:C8:2C:52:C3;D8:C7:C8:72:31:F2;04:BD:88:3E:68:32;70:3A:0E:19:6B:72;D8:C7:C8:2C:55:02;70:3A:0E:DE:7E:82;04:BD:88:3E:6A:E2;04:BD:88:A3:D2:C2;D8:C7:C8:2C:93:7A;04:BD:88:A3:D2:82;04:BD:88:3E:69:32;18:64:72:6B:01:2A;D8:C7:C8:2C:52:CB;D8:C7:C8:2D:CB:53;04:BD:88:3E:68:72;00:24:6C:5B:6F:33;
ssid=ISM_STAFF

[wifi-security]
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=
eap=peap;
identity=USERNAME
password=PASSWORD
phase2-altsubject-matches=
phase2-auth=mschapv2

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

Bulkley
Posts: 6386
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: WPA2 PEAP wifi authentication problem

#13 Post by Bulkley »

I don't really want to leave Debian.
I don't want to chase you away but you might try MX Linux. It's based on Debian but with slightly newer bits. Which makes me wonder if age of software is an issue with your WPA2 PEAP server. Can you try the Debian Stable backport for a newer kernel and wpa-supplicant? Maybe there's a newer Network-Manager.

retrosnob
Posts: 10
Joined: 2018-05-09 20:06

Re: WPA2 PEAP wifi authentication problem

#14 Post by retrosnob »

MX Linux seems nice, but it has exactly the same problem with the WPA2 PEAP connection. Network manager just asks for the password over and over. I'm not sure what you mean about trying a new wpa_supplicant. I am using the most up-to-date network manager.

Thanks again for your attention to this.

retrosnob
Posts: 10
Joined: 2018-05-09 20:06

Re: WPA2 PEAP wifi authentication problem

#15 Post by retrosnob »

As I write I am using a live cd of Bodhi Linux. I won't be long because I hate it. However.... we are connected to the WPA2 PEAP wifi network that was giving me so much trouble in Debian (and didn't work in MX Linux). Not that it really helps but here is the dmesg output from Bodhi:

[ 86.983524] wlp3s0: authenticate with 70:3a:0e:de:7e:92
[ 87.027057] wlp3s0: send auth to 70:3a:0e:de:7e:92 (try 1/3)
[ 87.033185] wlp3s0: authenticated
[ 87.036120] wlp3s0: associate with 70:3a:0e:de:7e:92 (try 1/3)
[ 87.037190] wlp3s0: RX AssocResp from 70:3a:0e:de:7e:92 (capab=0x11 status=0 aid=1)
[ 87.038903] wlp3s0: associated
[ 87.038927] IPv6: ADDRCONF(NETDEV_CHANGE): wlp3s0: link becomes ready
[ 87.170687] wlp3s0: Limiting TX power to 26 (26 - 0) dBm as advertised by 70:3a:0e:de:7e:92

The network manager config for the connection is:

[connection]
id=ISM_STAFF
uuid=cab7cc85-71ed-4e9c-acbc-ad1adacfc128
type=wifi
permissions=user:bodhi:;
secondaries=

[wifi]
mac-address=[MAC ADDRESS]
mac-address-blacklist=
mac-address-randomization=0
mode=infrastructure
seen-bssids=
ssid=ISM_STAFF

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=
anonymous-identity=robertsonj
eap=peap;
identity=[IDENTITY]
password=[PASSWORD]
phase2-altsubject-matches=
phase2-auth=mschapv2

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

retrosnob
Posts: 10
Joined: 2018-05-09 20:06

Re: WPA2 PEAP wifi authentication problem

#16 Post by retrosnob »

Exploring using different live usb distributions:

Debian doesn't work
MX Linux doesn't work
Fedora doesn't work

Bodhi Linux (basically Ubuntu I think) works
Manjaro works

I'll leave this post here for a while in case anyone can give me some idea of how to find out what's going right/wrong, otherwise in a week or so I'll switch distribution.

Thank you.

Bulkley
Posts: 6386
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: WPA2 PEAP wifi authentication problem

#17 Post by Bulkley »

That's fascinating. I wonder if Debian Sid would work. What I'm thinking is that there is some minor package that needs updating. Firmware? Non-free firmware?

In your situation you have to do what you have to do. I am curious, though, as to what the problem is. If you ever figure it out let us know.

retrosnob
Posts: 10
Joined: 2018-05-09 20:06

Re: WPA2 PEAP wifi authentication problem

#18 Post by retrosnob »

Right. I've bailed and installed Manjaro. I have a life to lead after all. Thanks for all your help.

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: WPA2 PEAP wifi authentication problem

#19 Post by bw123 »

retrosnob wrote:Right. I've bailed and installed Manjaro. I have a life to lead after all. Thanks for all your help.
I think that was the right move for you, having a life and all, I mean geez, congratulations?

For anyone else with a similar issue, comparing the wpa_supplicant output using the exact same setup on each might offer a clue.
resigned by AI ChatGPT
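
Added example (not part of any post in this thread, and not wpa_supplicant's own code): the comparison suggested in post #19, done mechanically. This Python script reduces daemon.log lines to event tokens and reports the first point where a failing attempt departs from a working one. The failing trace is copied from post #1; the working trace, with its host name, interface and BSSID, is constructed, and the function names are hypothetical.

```python
import re
from itertools import zip_longest

# Syslog form used in the /var/log/daemon.log excerpt in post #1.
LINE = re.compile(r"wpa_supplicant\[\d+\]: (?P<iface>\S+): (?P<msg>.*)")
STEPS = (("SME: Trying to authenticate", "SME-AUTH"),
         ("Trying to associate", "ASSOC-REQ"),
         ("Associated with", "ASSOCIATED"))

def event_key(msg):
    """Reduce a message to a comparable token, dropping BSSIDs and counters."""
    if msg.startswith("CTRL-EVENT-"):
        return msg.split()[0]
    return next((k for p, k in STEPS if msg.startswith(p)), None)

def attempts(log_text):
    """Split a log into connection attempts, each starting at SME-AUTH."""
    out = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        key = event_key(m.group("msg")) if m else None
        if key is None:
            continue  # not a wpa_supplicant line, or not a tracked event
        if key == "SME-AUTH" or not out:
            out.append([])
        out[-1].append(key)
    return out

def first_divergence(failing, working):
    """Return (index, failing_event, working_event) at the first difference."""
    for i, (f, w) in enumerate(zip_longest(failing, working)):
        if f != w:
            return i, f, w
    return None

# Failing attempt: copied from the daemon.log excerpt in post #1.
FAILING = """\
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: SME: Trying to authenticate with 70:3a:0e:df:3a:b2 (SSID='ISM_STAFF' freq=5260 MHz)
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: Trying to associate with 70:3a:0e:df:3a:b2 (SSID='ISM_STAFF' freq=5260 MHz)
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: Associated with 70:3a:0e:df:3a:b2
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 17 09:08:43 debian wpa_supplicant[489]: wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""
# Working attempt: CONSTRUCTED for illustration (not taken from the thread).
WORKING = """\
May 17 10:00:00 host wpa_supplicant[1]: wlan0: SME: Trying to authenticate with 02:00:00:00:00:01 (SSID='EXAMPLE' freq=5260 MHz)
May 17 10:00:00 host wpa_supplicant[1]: wlan0: Trying to associate with 02:00:00:00:00:01 (SSID='EXAMPLE' freq=5260 MHz)
May 17 10:00:00 host wpa_supplicant[1]: wlan0: Associated with 02:00:00:00:00:01
May 17 10:00:00 host wpa_supplicant[1]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 17 10:00:00 host wpa_supplicant[1]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 17 10:00:00 host wpa_supplicant[1]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 17 10:00:00 host wpa_supplicant[1]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.example.org'
May 17 10:00:00 host wpa_supplicant[1]: wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
May 17 10:00:00 host wpa_supplicant[1]: wlan0: CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:00:01 completed
"""
def compare():
    return first_divergence(attempts(FAILING)[0], attempts(WORKING)[0])
```

With these inputs the failing attempt logs CTRL-EVENT-EAP-FAILURE at the position where the constructed working trace logs CTRL-EVENT-EAP-PEER-CERT, so the attempt ended before the supplicant reported any server certificate.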
