[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ipw2x00 with WPA



Hi

On 2015-01-29, François P. Rotzinger wrote:
> Hi,
> I configured WPA with Network-Manager, exactly as described in the link 
> you gave me. "eduroam" does not work with Jessie and the Intel Centrino 
> Wireless-N 2230 Wifi card, but it works with both Wheezy and Jessie for 
> the Intel Centrino Ultimate-N 6300 3x3 AGN" Wifi card - everything 
> configured with Network-Manager. Furthermore, "eduroam" works for the 
> Intel Centrino Wireless-N 2230 Wifi card and Ubuntu 14.04. The problem 
> seems to be related to the Intel Centrino Wireless-N 2230 card and maybe 
> the Realtek firmware. I have not yet tried the manual configuration of 
> wpa_supplicant.conf.
> What do you think about this?

This is very, very unlikely. Drivers based on mac80211 provide a 
generic, (mostly) hardware independent API to the userland and 
wpasupplicant. This means wpasupplicant is mostly independent of
the used wireless hardware, meaning that bugs normally either 
happen for all wlan hardware or are working with all hardware[1].

What differentiates IEEE8021X from plain wpa2 are additional
encryption layers not done in hardware, but purely in software/
in wpasupplicant (better devices/ drivers can do AES in hardware, 
but this is the same for both plain wpa2 and IEEE8021X). So given
that plain wpa2 is working, it's (almost) impossible that IEEE8021X
does not - if it's configured correctly.

While network-manager is indeed easier for the common user, it's
harder to debug and to confirm that the used configuration between
two systems/ installations is indeed identical. This is easier to
confirm using wpa_supplicant.conf and ifupdown. Therefore I'd 
suggest testing it this way, e.g. via:

# cat /etc/network/interfaces
allow-hotplug wlan0
iface wlan0 inet manual
	wpa-roam /etc/wpa_supplicant/wpa_supplicant-wlan0.conf

iface wlan0 inet6 auto
	privext 2

# cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
ctrl_interface=/run/wpa_supplicant
ctrl_interface_group=netdev

network={
	priority=8
	ssid="epfl"
	key_mgmt=WPA-EAP
	proto=WPA2
	eap=TTLS
	identity="GASPAR@epfl.ch"
	password="MY_PASSWORD"
	anonymous_identity="anonymous@epfl.ch"
	phase2="auth=MSCHAPV2"
	ca_cert="/etc/ssl/certs/Thawte_Premium_Server_CA.pem"
	subject_match="CN=radius.epfl.ch"
}

You will have to customize your configuration, of course - and
need to ensure that /etc/ssl/certs/Thawte_Premium_Server_CA.pem
exists and contains the right certificate. Warning, this example
ignores potentially needed additional interfaces and assumes that
network-manager has been stopped/ disabled while testing, ifupdown
needs to manage this interface.

activate the interface (auto-active after rebooting)
# ifup wlan

further debugging information is available via
# wpa_cli
(interesting commands in the wpa_cli shell are status, scan and
scan_results).

Disclaimer: I unfortunately don't have access to modern Intel wlan 
cards, my most modern Intel wlan card is the old IPW2200BG, and
there are often bugreports against iwlwifi (I'm not quite sure if
this is caused their sheer volume on the market, problems caused
by leaked after-market engineering samples[2]or driver/ hardware
inherent issues). It's been a while since I could personally test
IEEE8021X, as I don't have a testing environment for it locally.

Regards
	Stefan Lippers-Hollmann

[1]	This is a simplified view on it, based on how userland
	(== wpasupplicant) sees the device (all mordern devices 
	are nl80211, only wext based ones are different). Of course 
	there may be bugs lingering in kernel, firmware or hardware
	which may be specific to a particular wireless chipset 
	(different feature sets, interface combinations, hardware
	offload for encryption methods, etc.).
[2]	This *is* often an issue as Intel doesn't sell wlan cards to
	individuals, so cards that end up on the free market are often 
	pre-release hardware with known bugs or no driver support at 
	all.
	Devices sold as part of notebooks or as original replacement 
	parts from notebook vendors are of course not plagued by this.

Attachment: pgp0tnGXWznVQ.pgp
Description: Digitale Signatur von OpenPGP


Reply to: