On Sun, Feb 02, 2020 at 09:42:52PM GMT, Charlie Burnett wrote:
> Hey @misc,
> I've used OpenBSD on my desktop and server for a while, however they both
> have an Ethernet connection. I recently got my hands on a ThinkPad X1 6th
> gen in order to ensure compatibility with OpenBSD. I can connect fine via
> the /etc/hostname.if with /etc/netstart, however I need to be able to
> connect to eduroam for class. I was using Linux on my past laptop, however
> I connected through wpa_supplicant on it. I copied my wpa_supplicant.conf
> over, however whenever I try to connect to a network I get hung up in the
> same spot. The conf works fine on Linux, so the credentials are correct.
> I've also ensured the interface was up with "doas ifconfig iwm0 up". Here's
> the output from attempting to connect with "doas wpa_supplicant -i iwm0 -c
> /etc/wpa_supplicant.conf -D openbsd -dd":
> wpa_supplicant v2.9
> Successfully initialized wpa_supplicant
> Initializing interface 'iwm0' conf '/etc/wpa_supplicant.conf' driver
> 'openbsd' ctrl_interface 'N/A' bridge 'N/A'
> Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
> Reading configuration file '/etc/wpa_supplicant.conf'
> ctrl_interface='/var/run/wpa_supplicant'
> ctrl_interface_group='wheel'
> eapol_version=2
> ap_scan=1
> fast_reauth=1
> update_config=1
> Line: 11 - start of a new network block
> ssid - hexdump_ascii(len=): HOME
> key_mgmt: 0x2
> PSK - hexdump(len=): [REMOVED]
> Line: 19 - start of a new network block
> ssid - hexdump_ascii(len=7): eduroam
> scan_ssid=1 (0x1)
> key_mgmt: 0x1
> eap methods - hexdump(len=): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00
> phase2 - hexdump_ascii(len=):
> 61 75 74 68 3d 4d 53 43 48 41 50 56 32 auth=MSCHAPV2
> auth_alg: 0x1
> identity - hexdump_ascii(len=):
> ca_cert - hexdump_ascii(len=):
> 2f 65 74 63 2f 73 73 6c 2f 63 65 72 74 73 2f 41 /etc/ssl/certs/A
> 64 64 54 72 75 73 74 5f 45 78 74 65 72 6e 61 6c ddTrust_External
> 5f 52 6f 6f 74 2e 70 65 6d _Root.pem
> password - hexdump_ascii(len=): [REMOVED]
> Line: 32 - start of a new network block
> ssid - hexdump_ascii(len=): HOME2
> PSK - hexdump(len=): [REMOVED]
> Priority group 0
> id=0 ssid='HOME'
> id=1 ssid='eduroam'
> id=2 ssid='HOME2'
> Add interface iwm0 to a new radio N/A
> iwm0: Failed to attach pkt_type filter
> iwm0: Own MAC address: 38:00:25:6c:76:6d
> iwm0: RSN: flushing PMKID list in the driver
> iwm0: Setting scan request: 0.100000 sec
> ENGINE: Loading builtin engines
> ENGINE: Loading builtin engines
> EAPOL: SUPP_PAE entering state DISCONNECTED
> EAPOL: Supplicant port status: Unauthorized
> EAPOL: KEY_RX entering state NO_KEY_RECEIVE
> EAPOL: SUPP_BE entering state INITIALIZE
> EAP: EAP entering state DISABLED
> ctrl_interface_group=0 (from group name 'wheel')
> iwm0: Added interface iwm0
> iwm0: State: DISCONNECTED -> DISCONNECTED
> iwm0: Using OpenBSD - overriding ap_scan configuration
> EAPOL: disable timer tick
>
> Here is the output after sending a ctrl-C to the terminal:
> ^Ciwm0: Removing interface iwm0
> iwm0: Request to deauthenticate - bssid=00:00:00:00:00:00
> pending_bssid=00:00:00:00:00:00 reason=3 (DEAUTH_LEAVING) state=DISCONNECTED
> iwm0: State: DISCONNECTED -> DISCONNECTED
> EAPOL: External notification - portEnabled=0
> EAPOL: External notification - portValid=0
> iwm0: WPA: Clear old PMK and PTK
> iwm0: Cancelling scan request
> iwm0: Cancelling authentication timeout
> Remove interface iwm0 from radio
> Remove radio
> iwm0: CTRL-EVENT-TERMINATING
>
Hi Charlie,

eduroam works just fine on OpenBSD with wpa_supplicant.
However, you hadn't followed the information provided in the
pkg-readme file:

    /usr/local/share/doc/pkg-readmes/wpa_supplicant

Namely:

    # ifconfig iwm0 join "Laakista Humppa" wpa wpaakms 802.1x

as well as:

    Do not enable "ap_scan" - it is not supported by the OpenBSD
    support code.

scan_ssid=1 isn't necessary either - eduroam APs shouldn't reject
broadcast SSID.

fast_reauth=1 is the default so there's no need to use it, unless you
want/need to disable it with '0'.

Can't recall whether it is at all necessary, but I also have phase1
in my config:

    phase1="peaplabel=0"

as well as anonymous identity:

    anonymous_identity="..."

Also, depending on the APs, EAPOL version might need to be set to 1:

    eapol_version=1

From the above, it looks like you have actually copied
"/etc/ssl/certs/AddTrust_External_Root.pem" file (and created the
directory structure) from Linux. How about simply changing that
line to:

    ca_cert="/etc/ssl/cert.pem"

All that being said, I've been to places where I couldn't get eduroam
connection even on my phone.

Anyway, please try with the above changes and report back.

Cheers,

Raf
>
> And here's my wpa_supplicant.conf (with ssid's and psk's removed):
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> eapol_version=2
> ap_scan=1
> fast_reauth=1
> update_config=1
>
> network={
> ssid="HOME"
> psk=PASSWORD
> }
>
> # Eduroam
> network={
> ssid="eduroam"
> scan_ssid=1
> key_mgmt=WPA-EAP
> eap=PEAP
> phase2="auth=MSCHAPV2"
> auth_alg=OPEN
> identity="[email protected]"
> ca_cert="/etc/ssl/certs/AddTrust_External_Root.pem"
> password="Here I am, here I remain."
> }
>
> network={
> ssid="HOME2"
> psk=PASSWORD
> }
>
> Any help would be very much appreciated!
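
A small checker for the points raised in the reply above, as an added example that is not part of the original thread: it parses a wpa_supplicant.conf and flags ap_scan, scan_ssid=1, and a WPA-EAP network whose ca_cert is missing or points at a file that does not exist. The function names, the constructed sample input and the injectable `file_exists` parameter are assumptions made for illustration.

```python
import os

# Constructed sample: the settings from the quoted config that the reply
# comments on; credentials omitted.
SAMPLE_CONF = """\
ap_scan=1
network={
    ssid="eduroam"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/AddTrust_External_Root.pem"
}
"""

def parse(text):
    """Return (global settings dict, list of network-block dicts)."""
    settings, networks, block = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.replace(" ", "") == "network={":
            block = {}
        elif line == "}" and block is not None:
            networks.append(block)
            block = None
        elif "=" in line:
            key, value = line.split("=", 1)
            (settings if block is None else block)[key.strip()] = value.strip().strip('"')
    return settings, networks

def lint(text, file_exists=os.path.isfile):
    """Flag what the reply calls unsupported or unneeded on OpenBSD."""
    settings, networks = parse(text)
    findings = []
    if "ap_scan" in settings:
        findings.append("ap_scan is set: not supported by the OpenBSD support code")
    for net in networks:
        ssid = net.get("ssid", "?")
        if net.get("scan_ssid") == "1":
            findings.append(f"{ssid}: scan_ssid=1 is not necessary")
        if "WPA-EAP" in net.get("key_mgmt", ""):
            ca = net.get("ca_cert")
            if ca is None:  # without a CA the server certificate is not checked
                findings.append(f"{ssid}: no ca_cert, server certificate is not verified")
            elif not file_exists(ca):
                findings.append(f"{ssid}: ca_cert {ca} does not exist")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)))
```

Run on the machine that will use the config, the default `os.path.isfile` check shows whether a ca_cert path carried over from another system actually exists there.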