Connecting to universities WPA2-Enterprise Wifi Network

Question

As the title suggests, this question is very closely related to this question. And following the instructions by Lucas Goossen, I'm able to get a inet addr on my wlan0 (confirmed by ifconfig wlan0), but I dont have an internet connection. In oppose to the original Question, my university doesn't have ca_cert (see image below), so I left out that variable. This is my wpa_supplicant.config file:

ctrl_interface=/var/run/wpa_supplicant
update_config=1

network={
    ssid="ZHAW"
    scand_ssid=1
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    group=CCMP TKIP
    eap=PEAP
    identity="myidentity"
    password="mypassword"
    phase1="peaplabel=auto pepver=auto"
    phase2="MSCHAPV2"
}

The line phase1="peaplabel=auto pepver=auto" is from here. To be honest, I have no idea whether the variables pairwise and group are set correctly. So there are a lot of unknowns and I've come nowhere with trial and error.. Can anybody help me here?

Answer 1

English is not my native language so please be patient.

When I don't know how to configure something, sometimes I let the system do it for me, mostly of the times, things works with default values. In this case, if you don't know the function of the pairwise and group parameters. You could check this Page or read below:

pairwise: list of accepted pairwise (unicast) ciphers for WPA CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] NONE = Use only Group Keys (deprecated, should not be included if APs support pairwise keys) If not set, this defaults to: CCMP TKIP

group: list of accepted group (broadcast/multicast) ciphers for WPA CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] If not set, this defaults to: CCMP TKIP WEP104 WEP40

This setup works for me, change it according to your ssid and password (psk)

/etc/network/interfaces

auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp    
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

/etc/wpa_supplicant/wpa_supplicant.conf

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
# ap_scan can be 0, 1, or 2. Some sources say use 2 but 1 work for me.
ap_scan=1
eapol_version=1
network={
        ssid="YOURSSID"
        # This is needed for hidden SSIDs
        scan_ssid=1
        mode=0
        psk="reallylonghexnumber"
        # RSN for WPA2 or WPA for WPA1
        proto=RSN
        # WPA-PSK or WPA-EAP
        key_mgmt=WPA-PSK
        # CCMP for AES or TKIP for TKIP.
        pairwise=CCMP
        # OPEN for WPA1/2 or SHARED or LEAP
        auth_alg=OPEN
}

About the line scan_ssid=1 will be some controversy because some more experimented users don't like the hidden ssid thing, but this works for me.

Hopefully this works for you also.

Sources:

https://linuxtechie.wordpress.com/2014/08/23/setting-up-raspberry-pi-with-wifi-and-a-static-ip-on-a-hidden-ssid/

https://geekytheory.com/tutorial-raspberry-pi-configurar-wif/

http://www.cs.upc.edu/lclsi/Manuales/wireless/files/wpa_supplicant.conf

Answer 2

I was able to connect to an enterprise wifi following these instructions: https://gist.github.com/chatchavan/3c58511e3d48f478b0c2

I didn't need a radius server certificate or anything. Key things for Enterprise authentication (MSCHAPV2):

1. add this lines to your /etc/wpa_supplicant/wpa_supplicant.conf (edit as appropriate):

   network={
           ssid="YOUR_NETWORK_NAME"
           proto=RSN
           key_mgmt=WPA-EAP
           pairwise=CCMP TKIP
           group=CCMP TKIP
           identity="YOUR_USER_NAME"
           password=hash:YOUR_PASSWORD_HASH
           phase1="peaplabel=0"
           phase2="auth=MSCHAPV2"
   }
   

2. add this lines to your /etc/network/interface (edit as appropriate):

   auto wlan0
   allow-hotplug wlan0
   iface wlan0 inet dhcp
       pre-up wpa_supplicant -B -Dwext -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf
       post-down killall -q wpa_supplicant
   

3. try bringing the network interface down and up again:

   sudo ifdown wlan0
   sudo up wlan0
   

4. The following error message should be ignored. It's a known bug upstream from Debian.

   ioctl[SIOCSIWAP]: Operation not permitted
   ioctl[SIOCSIWENCODEEXT]: Invalid argument
   ioctl[SIOCSIWENCODEEXT]: Invalid argument
   

5. If there's no error, you should be able to see the wireless adapter connected with the following command iwconfig. The output will show the SSID and other connection info:

   wlan0     IEEE 802.11bgn  ESSID:"YOUR_NETWORK_NAME"  Nickname:"<WIFI@REALTEK>"
             Mode:Managed  Frequency:2.457 GHz  Access Point: XX:XX:XX:XX:XX:XX   
             Bit Rate:72.2 Mb/s   Sensitivity:0/0  
             Retry:off   RTS thr:off   Fragment thr:off
   

6. You should check if you have an IP address with the following command: ifconfig. The wlan0 entry should have an IP address, like the following.

   ...
   wlan0     Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX  
             inet addr:192.168.0.110  Bcast:192.168.0.255  Mask:255.255.255.0
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:497 errors:0 dropped:32 overruns:0 frame:0
             TX packets:373 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:1000 
             RX bytes:83237 (81.2 KiB)  TX bytes:60068 (58.6 KiB)
   ...
   

Answer 3

Finally found the answer here. Basically we need to downgrade the wpasupplicant to stretch version v2.4 https://www.raspberrypi.org/forums/viewtopic.php?t=244731#p1498661