How do I configure my wpa_supplicant to match these?

How do I configure my wpa_supplicant (on FreeBSD) to match the windows params in the picture?

enter image description here

So far I have tried this in /etc/wpa_supplicant.conf :

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=2
update_config=1
network={ priority=1 ssid= SSID proto=RSN key_mgmt=WPA-EAP eap=TLS identity= IDENTITY password= PASSWORD
}

Using wpa_cli to control WPA supplicant configuration:

Editing wpa_supplicant.conf and then reconfigure from the wpa_cli prompt

Then:

> status
wpa_state=SCANNING <======== What does that mean?
ip_address=192.168.15.68
> 

Also I realise that the network I am trying to join may be hidden.

After adding ap_scan=2 in the wpa_supplicant.conf file, I am also getting this:

<2>Association request to the driver failed
wpa_state=ASSOCIATING
ip_address=192.168.15.68
Supplicant PAE state=DISCONNECTED
suppPortStatus=Unauthorized
EAP state=DISABLED

and then this indefinitely

<2>Association request to the driver failed
<2>Authentication with 00:00:00:00:00:00 timed out.
<2>Trying to associate with SSID <SSID>
<2>Association request to the driver failed
<2>Authentication with 00:00:00:00:00:00 timed out.
<2>Trying to associate with SSID <SSID>
<2>Association request to the driver failed
<2>Authentication with 00:00:00:00:00:00 timed out.

UPDATE 20131202 - THE QUESTION HAS EVOLVED INTO A DIFFERENT SET OF PARAMS THAT DO MAKE MORE SENSE.

enter image description hereenter image description here

It's using a three tiers environment

Root CA (offline)

Intermediate CA (offline)

2 Issuing CAs (online)

I have those in Base64 with a .CER extension

Now how does it fit in the wpa_supplicant.conf ?

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=2
update_config=1
network={ priority=1 mode=0 scan_ssid=1 ssid="SSID" proto=RSN key_mgmt=WPA-EAP eap=PEAP group=CCMP TKIP pairwise=CCMP TKIP phase1="peaplabel=1" phase2="auth=MSCHAPV2" identity="IDENTITY" password="PASSWORD" ca_cert= ????
}
8

1 Answer

I think a good starting place to fix this problem is the FreeBSD Manpage for wpa_supplicant.conf, which presents several examples, one of which is:

# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
network={
ssid="work"
scan_ssid=1
key_mgmt=WPA-EAP
pairwise=CCMP TKIP
group=CCMP TKIP
eap=TLS
identity=""
ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/user.pem"
private_key="/etc/cert/user.prv"
private_key_passwd="password"
}

This differs from your version of it in two key ways: there is a reference to AES encryption which was missing in your file (it is the CCMP mode, which is based on AES), and requires the existence of certificates. This last part is what leaves me befuddled in your Windows mask: in it there is no reference whatsoever to an authentication mechanism. There is no room for passwords (fair enough, it would not be WPA-EAP otherwise), but there is also no mention of certificates, which is what TLS needs.

In fact, from Wikipedia's page on TLS,

Transport Layer Security (TLS) .... use[s] X.509 certificates... As a consequence of choosing X.509 certificates, certificate authorities and a public key infrastructure are necessary to verify the relation between a certificate and its owner, as well as to generate, sign, and administer the validity of certificates...

In other words, since your Windows mask is adamant that TLS is being used, somewhere there must be the certificates referred to in the wpa_supplicant.conf file I quoted above. I cannot go beyond this point.

Edit:

to address joelmaranhao's latest question, I quote again from FreeBSD Manpage for wpa_supplicant.conf:

CERTIFICATES Some EAP authentication methods require use of certificates. EAP-TLS uses both server- and client-side certificates, whereas EAP-PEAP and EAP- TTLS only require a server-side certificate.

Edit n. 2:

The .CER certificate must be transformed into the format .PEM. You can do that even on-line here. The last line in your new wpa_supplicant.conf is exactly the location of this certificate. Identity is your name at the server, the password is your password again on the wifi server. Are you sure the peal-label is 0? I cannot find it anywhere, if it does not work, try peap-label=1.

8

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like