11

I know there are about a dozen other questions like this, but so far none have helped me.

My school uses a WPA2 Enterprise PEAP/MSCHAPv2 network without a cert (which I determined from a Windows laptop that connected without an issue). I'm trying to connect with my Ubuntu 16.04 LTS machine (which is pretty much a fresh installation).

Unfortunately, it is unsuccessful. It tries to connect for a while, then brings up a username/password reentry dialogue. If you hit submit on this, it simply fails again and brings it back up.

The following shows the settings and the message that keeps coming up: [image not included]

The following is the /etc/NetworkManager/system-connections/ entry:

[connection]
id=tusd-students
uuid=d815af85-42ad-49b2-b207-1db6359e8c9a
type=wifi
permissions=user:ashwin:;
secondaries=

[wifi]
mac-address={my mac address}
mac-address-blacklist=
mac-address-randomization=0
mode=infrastructure
seen-bssids=
ssid=tusd-students

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=
eap=peap;
identity={my username}
password={my password}
phase2-altsubject-matches=
phase2-auth=mschapv2

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

I've read in many places that adding system-ca-certs=false fixes it, but that didn't work. I also tried adding the domain Domain\username but that didn't work. I've tried everything here and in many other posts. Not sure what to do, I'm new to Linux. Any help is greatly appreciated; if there is some other info I should include please let me know. Thanks!

note: I can't obtain a certificate because I seriously doubt I'll be able to contact someone who'd give me one (as I am a student). Not to mention, I don't think they'd be familiar with a Linux-based system as the school-issued computers are Windows 10.

edit: I read a lot that the problem was caused by Wpasupplicant 2.4. So, I tried downgrading to 2.1. This actually worked* when I restarted, but after a while disconnected and I couldn't get it to connect again. I even tried reinstalling wpasupplicant 2.1 but it still wouldn't connect. I'm not sure what all that implies, but at least I know that my laptop is capable of connecting to this network and I have the correct security settings/credentials.

*= the connection lasted for approx. 10 minutes, and was much slower than it should've been. My Windows laptop got 60 mbps download while this one got only 15 mbps. Granted, however, the Windows laptop is 2-3 years newer.

edit 2: My network card in the Ubuntu machine is a Centrino n 1000 Condor Peak from Intel. I'll gather more information on it when I get a chance.

Here is my NetworkManager log https://drive.google.com/file/d/0Bwv36xPVuImIdHQ3bjZvc25SNjg/view?usp=sharing

Here is my /var/log/syslog log https://drive.google.com/file/d/0Bwv36xPVuImIWlRaY2xFdVl1a3M/view?usp=sharing

The relevant portion of both seems to be:

Jul  6 07:58:10 smashtop NetworkManager[928]: <warn>  [1499353090.8128] device (wlp4s0): Activation: (wifi) association took too long
Jul  6 07:58:10 smashtop NetworkManager[928]: <info>  [1499353090.8129] device (wlp4s0): state change: config -> need-auth (reason 'none') [50 60 0]
Jul  6 07:58:10 smashtop kernel: [36118.979991] wlp4s0: deauthenticating from 64:d8:14:86:09:27 by local choice (Reason: 3=DEAUTH_LEAVING)
Jul  6 07:58:10 smashtop NetworkManager[928]: <warn>  [1499353090.8163] device (wlp4s0): Activation: (wifi) asking for new secrets
Jul  6 07:58:10 smashtop wpa_supplicant[1053]: wlp4s0: CTRL-EVENT-DISCONNECTED bssid=64:d8:14:86:09:27 reason=3 locally_generated=1
Jul  6 07:58:10 smashtop NetworkManager[928]: <warn>  [1499353090.8285] sup-iface[0x292acb0,wlp4s0]: connection disconnected (reason -3)

I can test mon-thurs since I'm near the network on those days.

  • I had this issue with my college as well and resolved it by using my college's CA cert (which was not needed on Windows for some odd reason). Is there anywhere you can go to get that certificate and try it out? They should be free for students -- my own university had a guest wifi network that allowed you to download it. – Kaz Wolfe Jul 05 '17 at 19:03
  • @KazWolfe just checked the guest network also, doesn't have the cert for me to download. – Ashwin Gupta Jul 05 '17 at 19:26
  • Have you tried adding interface-name={your interface} under connection and phase1-peapver=0 or phase1-peapver=1 under 802-1x? – user633551 Jul 05 '17 at 19:54
  • @user633551 Just tried, didn't work sadly. – Ashwin Gupta Jul 05 '17 at 20:00
  • what does /var/log/syslog say when you are trying to connect? – user633551 Jul 05 '17 at 20:10
  • @user633551 I'm only at summer school from 7am-1pm. So I won't be able to test it again for you until tomorrow. However, I do have a NetworkManager log I saved after one attempt. Here it is: https://www.transfer.sh/12MJwY/networkmanagerlog.txt – Ashwin Gupta Jul 05 '17 at 20:53
  • I got weary reading your endlessly long syslog dump but it looks like you repeatedly are able to successfully connect to the wireless network with an address of 10.0.0.33. – jones0610 Jul 20 '17 at 23:09
  • @jones0610 that's my home network. Sorry. – Ashwin Gupta Jul 20 '17 at 23:11

5 Answers

3

This solved my problem (from here).

[ipv6]
method=auto

[connection]
# e.g. EDUroam
id=SSID
# a unique uuid will be created upon creation of this profile
uuid=9e123fbc-0123-46e3-97b5-f3214e123456
type=802-11-wireless

[802-11-wireless-security]
key-mgmt=wpa-eap
auth-alg=open

[802-11-wireless]
ssid=SSID
mode=infrastructure
mac-address=0A:12:3C:DA:C1:A5
security=802-11-wireless-security

[802-1x]
eap=peap;
identity=studentid123123
phase2-auth=mschapv2
password=mypass123123

[ipv4]
method=auto

Remove everything else.

I also patched DNSSEC with this, but I'm not sure if it is needed.

0

I was having the same problem last week, connecting my Ubuntu v18 to university wifi, and the solution that worked for me was through the wpa_supplicant file shown below (credentials masked).

vi /etc/wpa_supplicant/wpa_supplicant.conf

#wireless for seattle university
update_config=1
fast_reauth=1
ap_scan=1
network={
scan_ssid=1
ssid="SU-Secure"
key_mgmt=WPA-EAP
pairwise=CCMP
eap=PEAP
identity="xxx"
password="xxxx"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}

My command was (note the interface name wlp1s0):

sudo wpa_supplicant -B -i wlp1s0 -c /etc/wpa_supplicant/wpa_supplicant.conf

I should also add that I upgraded my packages and installed updates on drivers by running

sudo apt-get upgrade -y
Altanai
0

I solved the issue by using this command:

sudo apt -y --allow-downgrades install wpasupplicant -y --allow-change-held-packages

0

You need to obtain the CA Certificate for the network and install it as detailed in this answer. You should be able to obtain this by asking the IT technicians at the school.

You will not be able to connect to the network properly otherwise because the network requires the client machine to have the certificate for authentication reasons. The reason it does not need to be done in Windows is that when it connects to the network it automatically downloads and trusts the certificate during the connection process.

  • Ok Alex, I'll give it a shot today at our snack break. I hope that they will give me one. Thanks for the answer. I'll let you know how it goes. – Ashwin Gupta Jul 19 '17 at 13:32
  • good luck they were very happy to give the certificate to me at my school – LinuxSailorTech Jul 19 '17 at 13:43
  • What are you basing this off of? At my school no certificate is required for a setup that looks identical to this. – Seth Jul 19 '17 at 17:06
  • @Alex2012 sigh. So the on site IT person was completely useless. She didn't even know what a cert file or Ubuntu is. I'll be emailing the school district IT department, but it may take a while to get a response so I'll let you know. – Ashwin Gupta Jul 19 '17 at 17:11
  • @Seth yeah IDK if you need a cert, any alternative ideas? – Ashwin Gupta Jul 19 '17 at 17:11
  • @Seth most of the information regarding how Windows and the certificates worked I found out from the school IT technicians, as our network also uses WPA2 Enterprise with PEAP and MSCHAPv2 – LinuxSailorTech Jul 19 '17 at 19:39
  • @AshwinGupta Unfortunately no. On my campus it tends to work off and on, but I've never been able to figure out what makes it work and what breaks it. – Seth Jul 20 '17 at 04:40
  • @Alex2012 My school uses the exact same setup (WPA2 Enterprise with PEAP/MSCHAPv2) and no certificate is required.. – Seth Jul 20 '17 at 04:40
  • from https://supportforums.cisco.com/discussion/11370366/confusion-peap-certificate-requirements in the correct answer it says "The client, doesn't need to have the certificate. With PEAP, it is optional for the client to validate the certificate." – LinuxSailorTech Jul 20 '17 at 07:36
  • @Seth I also found this "In case you use PEAP method for authentication, client validates the server identity with a certificate, and the client authenticates with a user/password combination." in post 6 here https://learningnetwork.cisco.com/thread/66042 – LinuxSailorTech Jul 20 '17 at 07:44
  • So to conclude from my last 2 comments I would probably say that at my school and AshwinGupta school we are required to have the certificate to authenticate but at @Seth school you are not required to have a certificate – LinuxSailorTech Jul 20 '17 at 07:47
  • @Seth and Alex, thanks for the help, seems like us 3 are the only ones interested in the issue. I've emailed the head IT guy, but idk if I'll get a response during summer. We'll see. – Ashwin Gupta Jul 20 '17 at 14:38
  • @Seth My own campus uses WPA2 Enterprise + PEAP/MSCHAPv2 as well, and it works far more reliably with a certificate than without for whatever reason. – Kaz Wolfe Jul 20 '17 at 23:44
  • @KazWolfe That's great, but in my experience and from all that I've read the school is rarely willing to issue you a certificate for the wifi. – Seth Jul 21 '17 at 00:03
  • @Seth My school didn't either. I just needed to download the CA (they had that publicly) and select it on the network preferences. Of course, my campus is... odd. – Kaz Wolfe Jul 21 '17 at 00:04
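The certificate question argued in the comments above comes down to which server-validation keys the profile's [802-1x] section carries. The following is an added example, not code from any poster: a small audit of a NetworkManager keyfile that reports whether the RADIUS server's certificate would be checked. The CA path and server domain in the second profile are hypothetical placeholders.

```python
import configparser

# Constructed sample: the relevant sections of the profile posted in the question.
QUESTION_PROFILE = """\
[connection]
id=tusd-students
type=wifi

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
altsubject-matches=
eap=peap;
identity={my username}
password={my password}
phase2-altsubject-matches=
phase2-auth=mschapv2
"""

# Same profile with server validation added (path and domain are hypothetical).
PINNED_PROFILE = QUESTION_PROFILE.replace(
    "phase2-auth=mschapv2\n",
    "phase2-auth=mschapv2\n"
    "ca-cert=/etc/ssl/certs/example-school-ca.pem\n"
    "domain-suffix-match=radius.example.edu\n",
)


def audit_8021x(keyfile_text):
    """Return findings about RADIUS server validation in a keyfile profile."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(keyfile_text)
    if not cp.has_section("802-1x"):
        return ["not-enterprise: profile has no [802-1x] section"]
    section = cp["802-1x"]

    def get(key):
        # Keyfile lists end with ';' and unset keys are often written as 'key='.
        return section.get(key, "").strip().strip(";")

    findings = []
    has_ca = bool(get("ca-cert") or get("ca-path")) or get("system-ca-certs") == "true"
    if not has_ca:
        findings.append("no-ca: server certificate is not verified against any CA")
    if not (get("domain-suffix-match") or get("altsubject-matches")
            or get("subject-match")):
        findings.append("no-name-check: server name in the certificate is not checked")
    if "peap" in get("eap").split(";") and get("phase2-auth") == "mschapv2" and not has_ca:
        findings.append("mschapv2-exposed: the inner MSCHAPv2 exchange runs with "
                        "whichever server answers for this SSID")
    return findings


if __name__ == "__main__":
    for name, text in (("question", QUESTION_PROFILE), ("pinned", PINNED_PROFILE)):
        print(name, audit_8021x(text) or "server validation configured")
```
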
0

All IT organizations that are not operating at level zero (chaos mode) of the ITSM publish procedures for standard operations such as connecting to the organization's network(s). One can always take their chances and try to connect to a network without consulting this document; however, if using the standard, default connection choices doesn't work, step one would be to obtain a copy of your IT's wireless network connection procedure and follow it.

As an aside, it's very rare for non DOD/DOE environments to be especially rigid in their network connection protocols. This is especially true of academic environments, in my experience.

The OP posted a painfully long syslog file that turned out to be a log of a home network connection (which worked). That sort of information is obviously useless in troubleshooting this problem. You would need to look at

/var/log/syslog

after you try to connect to the school network and fail to succeed. It should be fairly obvious looking at syslog what is rejecting the connection and the solution may be obvious.

Likely suspects:

  • Incorrect/invalid username and/or password

  • Incorrect authentication type/settings

  • Attempting to connect to the wrong WiFi

Failing that, you are already aware of other relevant log files and tools that can help quickly zero in on your problem source.

I think the cert issue is a red herring. Your problem is likely to have a far less exotic cause.

Here's what seems to be the relevant log dialog:

Jul  6 07:57:45 smashtop wpa_supplicant[1053]: wlp4s0: SME: Trying to authenticate with 64:d8:14:86:09:27 (SSID='tusd-students' freq=2412 MHz)
Jul  6 07:57:45 smashtop kernel: [36094.105988] wlp4s0: authenticate with 64:d8:14:86:09:27
Jul  6 07:57:45 smashtop kernel: [36094.109190] wlp4s0: send auth to 64:d8:14:86:09:27 (try 1/3)
Jul  6 07:57:45 smashtop wpa_supplicant[1053]: wlp4s0: Trying to associate with 64:d8:14:86:09:27 (SSID='tusd-students' freq=2412 MHz)
Jul  6 07:57:45 smashtop kernel: [36094.126523] wlp4s0: authenticated
Jul  6 07:57:45 smashtop NetworkManager[928]: <info>  [1499353065.9681] device (wlp4s0): supplicant interface state: scanning -> authenticating
Jul  6 07:57:45 smashtop kernel: [36094.133417] wlp4s0: associate with 64:d8:14:86:09:27 (try 1/3)
Jul  6 07:57:45 smashtop NetworkManager[928]: <info>  [1499353065.9731] device (wlp4s0): supplicant interface state: authenticating -> associating
Jul  6 07:57:46 smashtop kernel: [36094.233907] wlp4s0: RX AssocResp from 64:d8:14:86:09:27 (capab=0x431 status=0 aid=19)
Jul  6 07:57:46 smashtop wpa_supplicant[1053]: wlp4s0: Associated with 64:d8:14:86:09:27
Jul  6 07:57:46 smashtop kernel: [36094.239782] wlp4s0: associated
Jul  6 07:57:46 smashtop kernel: [36094.239849] IPv6: ADDRCONF(NETDEV_CHANGE): wlp4s0: link becomes ready
Jul  6 07:57:46 smashtop wpa_supplicant[1053]: wlp4s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=US
Jul  6 07:57:46 smashtop wpa_supplicant[1053]: wlp4s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jul  6 07:57:46 smashtop NetworkManager[928]: <info>  [1499353066.0795] device (wlp4s0): supplicant interface state: associating -> associated
Jul  6 07:57:46 smashtop kernel: [36094.298099] wlp4s0: Limiting TX power to 11 dBm as advertised by 64:d8:14:86:09:27
Jul  6 07:58:10 smashtop NetworkManager[928]: <warn>  [1499353090.8128] device (wlp4s0): Activation: (wifi) association took too long
Jul  6 07:58:10 smashtop NetworkManager[928]: <info>  [1499353090.8129] device (wlp4s0): state change: config -> need-auth (reason 'none') [50 60 0]
Jul  6 07:58:10 smashtop kernel: [36118.979991] wlp4s0: deauthenticating from 64:d8:14:86:09:27 by local choice (Reason: 3=DEAUTH_LEAVING)
Jul  6 07:58:10 smashtop NetworkManager[928]: <warn>  [1499353090.8163] device (wlp4s0): Activation: (wifi) asking for new secrets
Jul  6 07:58:10 smashtop wpa_supplicant[1053]: wlp4s0: CTRL-EVENT-DISCONNECTED bssid=64:d8:14:86:09:27 reason=3 locally_generated=1
Jul  6 07:58:10 smashtop NetworkManager[928]: <warn>  [1499353090.8285] sup-iface[0x292acb0,wlp4s0]: connection disconnected (reason -3)
Jul  6 07:58:10 smashtop NetworkManager[928]: <info>  [1499353090.8287] device (wlp4s0): supplicant interface state: associated -> disconnected
Jul  6 07:58:10 smashtop wpa_supplicant[1053]: wlp4s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
Jul  6 07:58:10 smashtop gnome-session[1691]: nm-applet-Message: No keyring secrets found for tusd-students 1/802-1x; asking user

Right after the wireless transmit power is reduced your machine seems to "forget" that it just successfully authenticated. You're never given a DHCP lease and the client never asks for one.

Based on what I'm seeing in your logs I'd be looking for a wifi hardware or a wifi driver problem.

jones0610
  • It's also worth noting, the IT organization at my school is in fact operating in chaos mode from what I have observed. The last IT person I talked to couldn't even provide a superior's email, claiming she didn't really know one. – Ashwin Gupta Jul 20 '17 at 23:39
  • Do whatever makes you happy. I posted my top suspects based on my own experience. I've been in the computer field for 50 years and I've lost track of how many times I tried and failed to log into the wrong server, wrong network or wrong whatever. No personal slight was intended. It's just that with problems like these you can often get tunnel vision and lose sight of the obvious. Since you obviously don't actually want help or advice, flag away. – jones0610 Jul 20 '17 at 23:52
  • that's fair enough, I do agree with what you said about tunnel vision. However, this still isn't really the type of answer I'm looking for. – Ashwin Gupta Jul 20 '17 at 23:54
  • Whatever. Be wary of insulting and flagging someone who is trying to help you... at least until after the problem source has been discovered. Otherwise you could spend a lot of time eating crow. No worries here. I wasn't aware that you had a specific answer you were looking for. I thought you just wanted help solving your problem. Best to you. – jones0610 Jul 21 '17 at 00:04
  • Jones, I think we got off on the wrong foot here. Please understand: I absolutely didn't intend to insult you. I've retracted the flag. I apologize, I realize you are trying to help me, I reacted too strongly after I misinterpreted the situation. That is my bad, please forgive me. (ironically enough, I do appear to be "eating crow" now.) Your recent edit is very helpful information. As a beginner at networking myself, I wouldn't understand the log portion you posted without the explanation you gave. Thanks for this. Any suggestion as to how to have the client "request" the DHCP lease? – Ashwin Gupta Jul 21 '17 at 00:21
  • No worries. According to the log, the connection seems to go south right after the wireless card limits the transmit power. Perhaps lowering it enough to drop the connection. 25 seconds later it complains that the connection association is lost and retries to authenticate. I'd be suspicious of the wifi hardware, driver or perhaps low signal strength from the wireless router you are trying to connect to. The DHCP lease process never initiates... possibly because you have only a feeble connection to the wireless router. – jones0610 Jul 21 '17 at 00:48
  • Hmm, it's probably on my end from all the indicators I've seen. The network is pretty strong on my other laptop. The Ubuntu laptop is fairly old, the network hardware is not great. Is there any way to allow the wireless card more power? Or perhaps I could manually trigger the DHCP lease process? – Ashwin Gupta Jul 21 '17 at 00:54
  • It looks to me like you are losing your connection to the wireless router shortly after successfully connecting to it. You can see the signal strength on the wifi icon. You should have 4-5 bars. You can't get a DHCP address unless you are connected to the wireless router. Assuming you have a very strong signal from the wifi router I'd look at installing the correct, latest driver for your wifi device. – jones0610 Jul 21 '17 at 01:01
  • Oddly enough, I do have 5 bars showing for the network. I'm going to look at drivers. The device did originally run Windows 7, so perhaps there are some incompatibilities with Ubuntu. Or maybe running Windows scarred my poor computer beyond all repair, which isn't altogether unlikely :P – Ashwin Gupta Jul 21 '17 at 01:04
  • Do you think updating from 16.04 LTS to 17.04 has any chance of helping? I might try that because I think my driver is up to date. I don't particularly care about LTS for the time being. – Ashwin Gupta Jul 21 '17 at 02:41
  • @AshwinGupta Yes I'd say it does have a chance in helping. Updates have helped before. – Seth Jul 22 '17 at 20:09
  • @Seth updated to 17.04. I'll be able to test it again on monday morning. – Ashwin Gupta Jul 23 '17 at 05:52
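When reading a log like the excerpt above, it helps to separate the stages of a WPA2-Enterprise join: the kernel's "authenticated" line is 802.11 open-system authentication, and the EAP exchange only begins at CTRL-EVENT-EAP-STARTED. The following is an added example, not code from any poster: it walks wpa_supplicant lines and reports the last stage reached before the disconnect. The first sample is copied from the excerpt; the second is constructed to show a completed login.

```python
import re

# (substring of a wpa_supplicant log line, stage name), in protocol order
STAGES = [
    ("Trying to authenticate", "802.11-open-auth"),
    ("Associated with", "associated"),
    ("CTRL-EVENT-EAP-STARTED", "eap-started"),
    ("CTRL-EVENT-EAP-PEER-CERT", "server-cert-received"),
    ("CTRL-EVENT-EAP-SUCCESS", "eap-success"),
    ("CTRL-EVENT-EAP-FAILURE", "eap-failure"),
    ("CTRL-EVENT-CONNECTED", "connected"),
]

# wpa_supplicant lines copied from the log excerpt in the answer above
PAGE_EXCERPT = """\
Jul  6 07:57:45 smashtop wpa_supplicant[1053]: wlp4s0: SME: Trying to authenticate with 64:d8:14:86:09:27 (SSID='tusd-students' freq=2412 MHz)
Jul  6 07:57:45 smashtop wpa_supplicant[1053]: wlp4s0: Trying to associate with 64:d8:14:86:09:27 (SSID='tusd-students' freq=2412 MHz)
Jul  6 07:57:46 smashtop wpa_supplicant[1053]: wlp4s0: Associated with 64:d8:14:86:09:27
Jul  6 07:57:46 smashtop wpa_supplicant[1053]: wlp4s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jul  6 07:58:10 smashtop wpa_supplicant[1053]: wlp4s0: CTRL-EVENT-DISCONNECTED bssid=64:d8:14:86:09:27 reason=3 locally_generated=1
""".splitlines()

# Constructed sample of a completed PEAP login (host, MAC and subject are made up)
CONSTRUCTED_OK = """\
Jul  6 08:00:01 host wpa_supplicant[1053]: wlan0: Associated with 02:00:00:00:00:01
Jul  6 08:00:01 host wpa_supplicant[1053]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jul  6 08:00:01 host wpa_supplicant[1053]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.example.edu'
Jul  6 08:00:02 host wpa_supplicant[1053]: wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Jul  6 08:00:02 host wpa_supplicant[1053]: wlan0: CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:00:01 completed [id=0 id_str=]
""".splitlines()


def _secs(line):
    """Seconds since midnight from the syslog timestamp at the start of a line."""
    h, m, s = map(int, re.search(r"(\d\d):(\d\d):(\d\d)", line).groups())
    return h * 3600 + m * 60 + s


def last_stage(lines):
    """Return the last stage reached and how long it lasted before a disconnect."""
    stage, since = None, None
    for line in lines:
        if "wpa_supplicant[" not in line:
            continue  # kernel and NetworkManager lines are ignored here
        if "CTRL-EVENT-DISCONNECTED" in line and stage is not None:
            return {"stage": stage, "seconds_until_disconnect": _secs(line) - since}
        for needle, name in STAGES:
            if needle in line:
                stage, since = name, _secs(line)
    return {"stage": stage, "seconds_until_disconnect": None}


if __name__ == "__main__":
    print(last_stage(PAGE_EXCERPT))
    print(last_stage(CONSTRUCTED_OK))
```

For the excerpt this reports the `eap-started` stage held for 24 seconds with no certificate, success or failure event from the server, which matches NetworkManager's "association took too long" timeout.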