dtg666
n00b
Joined: 01 Oct 2004
Posts: 42
Location: Berlin
|
 Posted: Fri Oct 20, 2006 5:30 pm Post subject: xsupplicant won't use network config (eap_tls) |
 |
|
hi,
i need to use xsupplicant with eap_tls to connect to my internet provider here in a students house, they can't give support for linux so i ask you, i converted the server and user certificates to .pem file format and gave the links into the xsupplicant.conf in /etc, i will edit this post and give you outputs about xsupplicant.conf and what xsupplicant debug tells me because obviously i cant post in linux, the main problem is xsupplicant tells me from the beginning i need wireless extensions although i'm connected through LAN and then tells me theres no network config although i edited some points.
| Code: |
localhost dtg666 # /usr/local/sbin/xsupplicant -i eth0 -d A -f
![STATE] Reinit state machine
[STATE] [backend_sm] REQUEST -> INITIALIZE
[STATE] [backend_sm] INITIALIZE -> IDLE
[STATE] [backend_sm] UNKNOWN -> INITIALIZE
[STATE] [backend_sm] INITIALIZE -> IDLE
[INT] Initializing socket for interface eth0..
[INT] Allmulti is currently disabled on this device!
Couldn't access /proc/net/wireless! (You probably don't have wireless extension
s enabled!)
[CONFIG] Registered event handler 'rtnetlink handler' in slot 0, with socket 7.
[INT] Setting Linkmode to 1.
You need wireless extensions > 17 in order to support detection of encryption me thods.
[INT] Interface has no encryption capabilities, or unknown abilitites.
[INT] Interface initialized!
[CONFIG] Working from config file /etc/xsupplicant.conf.
No configuration information for network "(null)" found. Using default.
[CONFIG] Registered event handler 'frame handler' in slot 9, with socket 6.
[INT] Opened socket descriptor #8
[CONFIG] Registered event handler 'IPC master socket' in slot 8, with socket 8.
Couldn't access /proc/net/wireless! (You probably don't have wireless extension s enabled!)
[CONFIG] Socket 6 (frame handler) had an event!
[ALL] Clock tick! authWhile=29 heldWhile=29 startWhen=0 curState=DISCONNECTED
[STATE] Changing from DISCONNECTED to DISCONNECTED.
[ALL] Clock tick! authWhile=28 heldWhile=28 startWhen=0 curState=DISCONNECTED
[STATE] Changing from DISCONNECTED to DISCONNECTED.
[ALL] Clock tick! authWhile=27 heldWhile=27 startWhen=0 curState=DISCONNECTED
[STATE] Changing from DISCONNECTED to DISCONNECTED.
[ALL] Clock tick! authWhile=26 heldWhile=26 startWhen=0 curState=DISCONNECTED
[STATE] Changing from DISCONNECTED to DISCONNECTED.
[ALL] Clock tick! authWhile=25 heldWhile=25 startWhen=0 curState=DISCONNECTED
[STATE] Changing from DISCONNECTED to DISCONNECTED.
[ALL] Clock tick! authWhile=24 heldWhile=24 startWhen=0 curState=DISCONNECTED
[STATE] Changing from DISCONNECTED to DISCONNECTED.
[ALL] Clock tick! authWhile=23 heldWhile=23 startWhen=0 curState=DISCONNECTED
[STATE] Changing from DISCONNECTED to DISCONNECTED.
[ALL] Clock tick! authWhile=22 heldWhile=22 startWhen=0 curState=DISCONNECTED
[STATE] Changing from DISCONNECTED to DISCONNECTED.
[ALL] Clock tick! authWhile=21 heldWhile=21 startWhen=0 curState=DISCONNECTED
|
/etc/xsupplicant.conf
| Code: |
# This is an example configuration file for xsupplicant versions after 0.8b.
### GLOBAL SECTION
# network_list: defines all of the networks in this file which
# should be kept in memory and used.Comma delimited list or "all"
# for keeping all defined configurations in memory. For efficiency,
# keep only the networks you might roam to in memory.
# To avoid errors, make sure your default network is always
# in the network_list. In general, you will want to leave this set to
# "all".
network_list = all
#network_list = default, test1, test2
# default_netname: some users may actually have a network named "default".
# since "default" is a keyword in the network section below, you can
# change which is to be used as the replacement for this keyword
#
# As of Xsupplicant 1.2.2, wireless interfaces will no longer use the default
# network name if they are unable to find a valid config. If you have
# auto association turned on, Xsupplicant will find a new network to connect
# to. Otherwise, it will do nothing.
default_netname = default
#default_netname = my_defaults
# destination: defines how Xsupplicant should determine the destination address
# that should be used for the 802.1X conversation.
#
# Valid Options are :
# Auto - respond to source address from the last packet we saw.
# Source - same as Auto
# BSSID - Always answer to the BSSID of the AP we are associated to.
# Multicast - always use the multicast address defined in 802.1X-2001.
#
#destination = auto
# When Xsupplicant initiates a scan, it will wait for some amount of time
# before it attempts another scan. (This is to avoid hammering on the card
# to find an AP.) Depending on your driver, this setting may need to be
# changed. Specifically, for Atheros a/b/g devices it is probably better
# to set this to 30.
#scan_timeout = 15
# Xsupplicant will create a control socket that can be used for various
# gui interface programs. In order to be able to use those programs as a
# user other than root, we need to set the socket to be owned by a specific
# group. The 'ipc_group' command allows you to do this. By default, it is
# owned by root. It is suggested that you set it to users if you plan to
# use the control socket.
#ipc_group = users
# Do we want xsupplicant to pick the best AP to connect to? Or should the
# 'firmware' be allowed to select the AP? (In most cases, letting Xsupplicant
# make the decision for you is currently better.)
#roaming = xsupplicant
# Should we do passive scanning while associated/authenticated with an AP?
# In order to support preauthentication, this *MUST* be enabled. However,
# some wireless cards don't do passive scanning correctly, and will end up
# disconnecting you from the network while a scan is completed.
#passive_scanning = yes
# The amount of time (in seconds) that should pass between passive scan
# attempts. When the scan is commplete, Xsupplicant will make a decision
# about which AP is the best. If a better AP is found, Xsupplicant will
# jump to it. If 'passive_scanning' is set to 'no', then this setting does
# nothing.
#passive_timer = 300
# EAP request identity messages may contain a network id field in it. This
# network ID can be useful for determining a network name on wired networks.
# For wireless networks, this ID usually matches the SSID so leaving it
# enabled is a good idea unless you have a reason not to.
use_eap_hints = yes
# When running in daemon, or non-foreground mode, you may want to have the
# output of the program. So, define a log file here. Each time XSupplicant
# is started, this file will be replaced. So, there is no need to roll the
# log file. If the logfile name is set to "syslog", then all messages will
# be sent to the syslog. If syslog is defined, you should also define
# "log_facility" to specify which logging facility will be used.
logfile = /var/log/xsupplicant.log
# If you have set the logfile option to "syslog", then you should define
# log_facility in order to tell Xsupplicant where to send log messages.
# Valid settings are cron, daemon, ftp, kern, local0, local1, local2,
# local3, local4, local5, local6, local7, lpr, news, user, and uucp
log_facility = daemon
# If we want Xsupplicant to control the associations for networks, we need
# to set the following setting to "auto". If you want to control the network
# you connect to via iwconfig (or other SSID setting utility) you should set
# this option to manual. The default is auto.
association = auto
# This value should be changed to reflect how long it takes your card to
# determine if it is associated. (Basically, the value should be the number
# of seconds it takes for your card to scan every possible frequency and
# speed it is aware of.) For most cards, 30 seconds is enough time. However
# if your card is capable of doing 802.11a/b/g, you may need to set this
# value higher.
association_timeout = 30
# The auth_period, held_period, and max_starts modify the timers in the state
# machine. (Please reference the 802.1x spec for info on how they are used.)
# For most people, there is no reason to define these values, as the defaults
# should work.
auth_period = 30
held_period = 30
max_starts = 3
# The "default_interface" is the interface that will be used if one is not
# specified on the command line.
default_interface = eth0
# Enable or disable friendly warnings. The default setting is "yes".
# friendly_warnings = no
# The stale key timeout is how long a unicast key should be in use before a
# warning is issued. It doesn't actually change the way the program functions
# and should be considered cosmetic. However, it may be useful to put this
# to a lower value if you believe that WEP keys can be broken quicker than the
# default setting of 10 minutes. If friendly_warnings is set to no, then
# this does nothing.
#stale_key_timeout = 600
# For most people, the default setting for "allmulti" will work just fine. In
# some cases, wireless cards have been known to not work when ALLMULTI is
# enabled. (Such as certain Orinoco cards, with older drivers.) If "allmulti"
# is set to "no", XSupplicant will not attempt to change the state of the
# setting in the driver. So, you should make sure to do an "ifconfig ethX
# -allmulti".
#allmulti = no
### NETWORK SECTION
# The general format of the network section is a network name followed
# by a group of variables.
# Network names may contain the following characters: a-z, A-Z, 0-9, '-',
# '_', '\', '/'
# Those interested in having an SSID with ANY character in it can use
# the ssid tag within the network clause. Otherwise, your ssid will
# be the name of the network.
## Default Network Section
# This is the network configuration that will be used in the event that
# no valid network configuration can be found. If you are going to leave
# Xsupplicant running all the time, it is recommended that you leave this
# section blank. A blank network definition will result in Xsupplicant
# turning off encryption and turning control over to iwconfig.
default
{
}
my_network
{
# type: the type of this network. wired or wireless, if this value is not
# set, xsupplicant will attempt to determine if the interface is wired or
# wireless. In general, you should only need to define this when
# xsupplicant incorrectly identifies your network interface.
type = wired
# association_type : the way that xsupplicant should attempt to associate.
# The options are open, shared, or leap. In the vast majority of cases, you
# should leave this at the default setting of 'open'. 'shared' mode should
# almost never be used, but would be used in the event of a static WEP
# network that uses 'shared key authentication'. 'leap' is also known as
# 'network EAP' in cisco-ese. If you are attempting to connect to a LEAP
# enabled network, you may need to set this to leap.
association_type = open
# wireless_control: If this profile is forced to wired, this will not do
# anything. However, if the interface is forced, or detected to be wireless
# XSupplicant will take control of re/setting WEP keys when the machine
# first starts, and when it jumps to a different AP. In general, you won't
# need to define, or set this value.
wireless_control = yes
# allow_types: describes which EAP types this network will allow. The
# first type listed will be requested if the server tries to use something
# not in this list.
# allow_types = eap_tls, eap_md5, eap_gtc, eap-otp
allow_types = eap_tls
# force_eapol_ver: force the EAPOL version used in frames to be a
# specific value. Allowed values are 1, and 2. (Default : Auto) If you
# are having problems authenticating, set this value to 1 and see if that
# helps. (In general, it won't be needed.)
force_eapol_ver = 1
# identity: what to respond with when presented with an EAP Id Request
# Typically, this is the username for this network. If this is a string
# that does not contain any spaces, or unusual characters, it can be listed
# plain. Otherwise, it should be enclosed in quotes.
identity = "ronny_Scholz"
# wpa_pairwise_cipher, and wpa_group_cipher : Both options need to be set
# in order to get WPA working correctly. Valid options for this setting
# are WEP40, TKIP, WRAP, CCMP, and WEP104. However, the only settings that
# currently work are WEP40, WEP104, and TKIP. (And those depend on having
# a driver that works with WPA.)
#wpa_pairwise_cipher = tkip
#wpa_group_cipher = tkip
# Force xsupplicant to send it's packets to this destination MAC address.
# In most cases, this isn't needed, and shouldn't be defined.
#dest_mac = 00:aA:bB:cC:dD:eE
# The initial_wep option allows you to set WEP keys that may be required
# to associate to the network and start an 802.1X connection. This should
# not be confused with the static_wep option which doesn't do 802.1X, but
# only associates to a network with static WEP.
initial_wep {
# The keys must either be 10, or 26 characters long. They should
# *ALWAYS* be quoted!!
key1 = "2222222222"
key2 = "2222222222"
key3 = "2222222222"
key4 = "2222222222"
# This is the key that will be used to transmit data. It needs to
# match the index that is configured on your AP.
tx_key = 1
}
## This option allows you to configure static WEP, so that when you
# associate with a network that uses static WEP you don't need to do
# anything. If "static_wep" is used, it must be the only option available
# in that SSID def!
static_wep {
# The keys must either be 10, or 26 characters long. They should
# *ALWAYS* be quoted!!
key1 = "2222222222"
key2 = "2222222222"
key3 = "2222222222"
key4 = "2222222222"
# This is the key that will be used to transmit data. It needs to
# match the index that is configured on your AP.
tx_key = 1
}
## This option allows you to disable the use of TNC for machine posture
# validation. (Currently only works with Radiator, and libtnc.)
#use_tnc = yes
## method-specific parameters are kept in the method
eap_tls {
# this section configures the smartcard used with eap-tls
# for now the smartcard PIN is handled the same way as the
# password for a private key
smartcard {
# this line actually enables the smartcard and makes xsupplicant use
# the opensc engine
engine_id = opensc
# set the path to the engine
opensc_so_path = "/usr/lib/opensc /engine_opensc.so"
# set the key id on the smartcard
key_id = 45
}
user_cert = /usr/local/etc/x1/certs/usercert.pem
user_key = /usr/local/etc/x1/certs/userkey.pem
user_key_pass = "ron12345678"
root_cert = /usr/local/etc/x1/certs/hotzoneCA.pem
root_dir = /usr/local/etc/x1/certs/
#crl_dir = /usr/local/etc/x1/certs/
chunk_size = 1398
random_file = /path/to/random/source
# To enable TLS session resumption, you need to set the following
# value to "yes". By default, session resumption is disabled.
#session_resume = yes
}
eap-md5 {
username = testuser
password = "test user pass!" # Since the password has spaces, quote it.
}
eap-ttls {
#user_cert = /path/to/certificate
#as in tls, define either a root certificate or a directory
# containing root certificates
root_cert = /path/to/root/certificate
#root_dir = /path/to/root/certificate/dir
#crl_dir = /path/to/dir/with/crl
#user_key = /path/to/private/key
#user_key_pass = "password for key"
chunk_size = 1398
random_file = /path/to/random/source
#cncheck = myradius.radius.com # Verify the server certificate
# has this value in it's CN field.
#cnexact = yes # Should it be an exact match?
#session_resume = yes
# phase2_type defines which phase2 to actually DO. You
# MUST define one of these.
phase2_type = pap
## These are definitions for the different methods you might
## do at phase2. only the one specified above will be used
## but it is valid to leave more than one here for convenience
## and easy switching.
pap {
username = papuser
password = "pap passwd"
}
chap {
username = chapuser
password = "chap passwd"
}
mschap {
username = mschapuser
password = "mschap passwd"
}
mschapv2 {
username = mschapv2user
password = "mschapv2 passwd"
}
eap_md5 {
username = eapmd5user
password = "eapmd5 passwd"
}
}
eap-leap {
username = leapuser
password = "leap user pass!"
}
eap-mschapv2 {
username = eapmschapv2user
password = eapmschapv2userpass!
}
eap-peap {
inner_id = my_inner_id
user_cert = /path/to/certificate
# As in tls, define either a root certificate or a directory
# containing root certificates.
#root_cert = /path/to/root/certificate
root_dir = /path/to/root/certificate/dir
crl_dir = /path/to/dir/with/crl
user_key = /path/to/private/key
user_key_pass = "password for key"
chunk_size = 1398
random_file = /path/to/random/source
cncheck = myradius.radius.com # Verify the server certificate
# has this value in it's CN field.
cnexact = yes # Should it be an exact match?
session_resume = yes
proper_peap_v1_keying = yes # Many RADIUS servers use the
# wrong string constant to dervie
# the keying material. Setting
# this to 'yes' will cause
# xsupplicant to use the value
# defined in the internet draft
# instead of the wrong one. The
# default is to use the wrong
# constant, since that is what
# most RADIUS servers do.
#Currently 'all' is just mschapv2
#If no allow_types is defined, all is assumed
allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
#allow_types = eap_mschapv2
# When doing EAP MS-CHAPv2 you need a password, or an ntpwdhash. If you
# have both, Xsupplicant will try to use the ntpwdhash.
eap-mschapv2 {
username = phase2mschapv2
ntpwdhash = E653E6452753C97E46792567DFF599B6
# password = "phase2 mschapv2 pass"
}
}
eap-sim {
# In order to obtain the IMSI from the SIM card, the password
# *MUST* be defined here! Otherwise, you need to specify your
# IMSI as the username below.
username = simuser
password = simuserpin
auto_realm = yes
}
eap-aka {
# In order to obtain the IMSI from the SIM card, the password
# *MUST* be defined here! Otherwise, you need to specify your
# IMSI as the username below.
username = akauser
password = akauserpin
auto_realm = yes
}
}
# In this network definition, "test1" is the friendly name. It can match
# the essid of the network, which means you won't have to set the "ssid"
# variable. However, if it doesn't match, you need to set the "ssid"
# variable in order for the network to be detected correctly.
test1
{
type = wired
allow_types = all
identity = "Check this out- any char!#$" # Then a comment!
}
test2
{
identity = testuser@testnet.com
allow_types = eap-tls
type = wireless
}
test3
{
type = wired
identity= "this will work too"
}
|
thanks in advance! |
|
Networking & Security
