[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Weird Wifi problem -- WPA-EAP TTLS fails

  Hi all --

  I'm having a strange problem with my wireless connection, and I'm running
out of ideas.

  I have a ThinkPad T510 laptop, running stock Debian "squeeze".  I use
the KDE desktop, but I think that's not an issue, because I've reproduced
the problem without any network managers or anything.
  This machine has the Intel Centrino Wireless-N 1000 system
(PCI ID 8086:0084), which is supported by the stock iwlagn module.

  It worked in "lenny", with the backported kernel and drivers.

  I can connect to my WPA-PSK access point at home, and to unencrypted
public Wifi systems, without any difficulties, but at work, we have a
WPA-EAP TTLS set-up, where it doesn't connect.

  I can connect with my credentials on a colleague's Macbook, so my
account is evidently active, and the access point works, it looks like
the problem is on my system somewhere.  Linux is unsupported at my
workplace, so I'm on my own.

  The way I am connecting is in instructions all over the place:

> ifconfig wlan0 up
> wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/work_wpa.conf

  ... which associates with the right SSID, then does this:

> CTRL-EVENT-EAP-STARTED EAP authentication started
  ... then waits for maybe 30 seconds, then

> CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

  I have generated much more verbose logs with "wpa_supplicant -dd <etc>",
but I really have no idea what I'm looking at.  Some times it looks like it
times out, but I have some traces without timeout messages, which didn't
work.  All of them have a line, "EAP: Received EAP-Failure", which is the
thing that most looks like an actual solveable problem.

  It seems that there can be a lot of variability in the log files, 
for a while I was trying different options in the conf file, and seeing
if it looked like it was getting farther in the auth process.  From that,
I did learn that it seems to do more with the right password than with
the wrong one, which suggests that *something* is working, but that's
about as much as I can get out of it.

  My work_wpa.conf file is as recommended by my employer, and looks like:

> ctrl_interface=/var/run/work_wpa
> eapol_version=1
> ap_scan=1
> fast_reauth=1
> network={
>   ssid=<correct SSID, in quotes>
>   key_mgmt=WPA-EAP
>   eap=TTLS
>   identity=<correct username, in quotes>
>   password=<correct password, in quotes>
>   anonymous_identity=anonymous@example.com
>   ca_cert=<quoted/path/to/cert>
>   priority=2
> }

  I have tried explicitly setting a phase2="autheap=MSCHAPV2", and 
some others, and I've read about lots of other parameters.

  I've found several related-looking posts by googling around,
which motivated me to try re-loading the iwlagn module with
"swcrypto=1" and/or "swcrypto50=1", but this does not change
the behavior.

  So, apologies for the long-windedness, but what can cause EAP to
fail?  Do I need to add some libraries with more authentication schemes
in them somehow?  Obviously I have all the dependencies of wpa_supplicant,
but is there something else?

  Thanks in advance.

				-- A.
Andrew Reid / reidac@bellatlantic.net

Reply to: