nerves-project-attic/nerves_network

wpa-eap networks do not connect

ConnorRigby opened this issue · 13 comments

Nerves.WpaSupplicant.set_network(wpa, ssid: ssid, key_mgmt: :"WPA-EAP", pairwise: :"CCMP TKIP", identity: username, group: "CCMP TKIP", password: "hash:#{pw_hash}", phase1: "peaplabel=0", phase2: "auth=MSCHAPV2")

Full disclaimer, I don't know if all of these fields are correct, but I personally believe they should be. wpa_ctrl receives a CA cert that tries to get parsed into an atom for some reason.

I also failed to connect to a WPA enterprise network. What I tried is to translate a working wpa_supplicant.conf into Nerves Network settings.

I've been slowly working towards implementing this. @klingtnet Could you post your working config, as well as any error logs if you can capture them?

Sorry, I don't have any logs since I could not access the serial or HDMI iex shell on the Raspberry Pi Zero (seems like the documentation is broken for this device). Nonetheless, I will post the configuration tomorrow. In the end I ditched nerves_network and used nerves-project/nerves_wpa_supplicant, which succeeded in connecting to the WPA-EAP network but failed to get an IP address since I did not know how to call dhcpcd.

@klingtnet Raspberry Pi Zero is usually set up to use the serial port on the USB gadget interface.

Could you post the config you sent to nerves_wpa_supplicant or something close to it?

dhcpd is the DHCP server (notice the d). You likely want dhcpc or simply dhcp. System.cmd("dhcp", ["--help"]) should hopefully get you started.

@klingtnet Could you point out where the documentation is broken so that it can be fixed?

> I've been slowly working towards implementing this. @klingtnet Could you post your working config, as well as any error logs if you can capture them?

network={
	ssid=<ssid>
	scan_ssid=1
	key_mgmt=WPA-EAP
	pairwise=CCMP TKIP
	group=CCMP TKIP
	eap=PEAP
	identity=<username>
	password=<password>
	phase1="peapver=auto"
	phase2="MSCHAPV2"
}

> @klingtnet Could you point out where the documentation is broken so that it can be fixed?

One thing I noted was that mix do firmware.burn tries to run ssh-askpass on my Linux machine (which is not available) and thus fails, maybe run sudo <cmd> instead?

No matter which tty device I've configured I was never able to open a serial console on the RPI0.

The nerves_wpa_supplicant documentation shows the old API, e.g. start_link requires two arguments since version 0.5+.

I think ssh-askpass was mentioned in the installation guide. I had to install it using x11-ssh-askpass on Arch Linux, and create a symlink to it unfortunately. :/

I worked with @klingtnet on the pi zero as well, and the serial console would only work one out of 5 or more tries. Sometimes I had to press Enter, random characters, and Ctrl-C (in random combinations) so it would work, and then after showing an error because of invalid input it would sometimes work.

Is there a reliable way of getting a serial console on the pi zero? Any pointers would be very much appreciated!

> the serial console would only work one out of 5 or more tries.

Unfortunately this has been identified as a bug in Raspberry Pi's kernel. I've personally noticed it happen when the HOST machine is on a Linux kernel newer than 4.9. Specifically, both of my Arch Linux installations have produced this issue. I thought upgrading my host machine to Linux 4.20 fixed it, but I noticed it crop back up again. As far as I know there is no fix for it as of yet.

I've reopened an issue about this. nerves-project/nerves_system_rpi0#79
I closed it when I believed that Linux kernel 4.20 fixed it, but that doesn't seem to be the case.

Okay, I have an error log of what happens when one tries to use EAP networks:

Child :"Nerves.Network.Interface.wlan0" of Supervisor Nerves.Network.IFSupervisor terminated
** (exit) an exception was raised:
    ** (SystemLimitError) a system limit has been reached
        :erlang.binary_to_atom("CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=REDACTED' cert=REALLY_LONG_CERT_THAT_HAS_BEEN_REDACTED", :utf8)
        (nerves_wpa_supplicant) lib/nerves_wpa_supplicant/messages.ex:140: Nerves.WpaSupplicant.Messages.decode_notif/1
        (nerves_wpa_supplicant) lib/nerves_wpa_supplicant.ex:268: Nerves.WpaSupplicant.handle_wpa/2
        (stdlib) gen_server.erl:637: :gen_server.try_dispatch/4
        (stdlib) gen_server.erl:711: :gen_server.handle_msg/6
        (stdlib) proc_lib.erl:249: :proc_lib.init_p_do_apply/3
Pid: #PID<0.3199.0>
Start Call: Nerves.Network.WiFiManager.start_link("wlan0", [networks: [[ssid: "REDACTED", scan_ssid: 1, key_mgmt: :"WPA-EAP", pairwise: :"CCMP TKIP", group: :"CCMP TKIP", eap: :PEAP, identity: "REDACTED", password: "REDACTED", phase1: "peapver=auto", phase2: "MSCHAPV2", ipv4_address_method: :dhcp]]], [name: :"Nerves.Network.Interface.wlan0"])
Restart: :permanent
Shutdown: 5000
Type: :worker

This part is actually a problem with nerves_wpa_supplicant

This will be fixed as soon as #24 on nerves_wpa_supplicant is merged

A simple mix deps.update nerves_wpa_supplicant should enable the usage of WPA-EAP networks.
I still don't know about networks that validate CA certs. Certs are passed in as messages. I think if someone has experience with these sorts of networks I can help out with that, but it should be a new feature.
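
Added example, not taken from the thread or from nerves_wpa_supplicant: the stack trace above fails because a whole control-interface notification, certificate included, is handed to :erlang.binary_to_atom/2, and atom names are capped at 255 characters. One way to decode such lines is to turn only allow-listed event names into atoms and keep the payload as a binary. The module name SafeNotifDecoder, the event list and the sample lines are assumptions, and lines are assumed to arrive without a priority prefix, as in the log.

```elixir
defmodule SafeNotifDecoder do
  # Hypothetical module for illustration; not the nerves_wpa_supplicant code.
  # Event names allowed to become atoms. The list is fixed at compile time, so
  # text sent by an access point can never create a new atom.
  @known_events ~w(
    CTRL-EVENT-CONNECTED
    CTRL-EVENT-DISCONNECTED
    CTRL-EVENT-EAP-STARTED
    CTRL-EVENT-EAP-SUCCESS
    CTRL-EVENT-EAP-FAILURE
    CTRL-EVENT-EAP-PEER-CERT
  )
  @event_atoms Map.new(@known_events, fn name -> {name, String.to_atom(name)} end)

  # Returns {event_atom, payload} for a known event, {:unknown, line} otherwise.
  # The payload (certificate, subject, reason text) always stays a binary.
  def decode(line) when is_binary(line) do
    {name, payload} =
      case String.split(line, " ", parts: 2) do
        [name, payload] -> {name, payload}
        [name] -> {name, ""}
      end

    case Map.fetch(@event_atoms, name) do
      {:ok, event} -> {event, payload}
      :error -> {:unknown, line}
    end
  end
end

# Constructed sample notifications; the certificate is 4096 characters of filler.
lines = [
  "CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=example' cert=" <> String.duplicate("ab", 2048),
  "CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully",
  "SOME-UNLISTED-EVENT detail"
]

# What the stack trace shows: an atom name longer than 255 characters is refused.
try do
  String.to_atom(hd(lines))
rescue
  e in SystemLimitError -> IO.puts("String.to_atom/1: " <> Exception.message(e))
end

# The allow-list decoder handles the same lines without touching the atom table.
for line <- lines do
  {event, payload} = SafeNotifDecoder.decode(line)
  IO.inspect({event, byte_size(payload)})
end
```

Because atoms are never garbage-collected, the same allow-list also protects the atom table from filling up with many distinct short notifications.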