I am currently trying to set up my Raspberry Pi 3 to be a wireless access point. It is connected to an Enterprise WPA2 802.1x network via Ethernet. I have credentials for the network but it was easier to register the Pi's MAC address with my network admin and then just connect it to the network through wired Ethernet.

I want the RasPi to broadcast a wireless network to which I can connect wireless devices that are otherwise incompatible with Enterprise wifi.

So I followed the tutorial available here. In my case, the IP Address of my raspberry pi that I ssh into is 168.150.xxx.xxx, so I used 168.150.255.0/24 instead of 192.168.0.10/24 and similarly for the dhcp-range. (I'm unsure if this is the correct substitution to make, but neither the 192 nor the 168 worked).

However after rebooting I do not see the ssid I chose available to connect to. Any advice would be appreciated. (If there are logs located somewhere that will be of assistance, just let me know where to find them and I can provide them.)

Ingo
  • How is the RasPi connected to the enterprise network? Wireless or wired? – Ingo Apr 02 '19 at 21:59
  • Whoever wrote that tutorial needs to go take an undergraduate course in networks. It makes absolutely no sense to have both bridging and NATing on the same device. And that's not the only thing wrong with that tutorial. – JayEye Apr 03 '19 at 02:48
  • Also: have you asked your network administrator for 802.1x credentials so your Pi can talk to your network? You also seem confused about how 802.1x authentication works. WPA2 is a WiFi security mechanism. You probably have confused it with the fact that 802.1x authentication in Linux is done with the `wpa_supplicant` service. – JayEye Apr 03 '19 at 02:54
  • @Ingo The Raspberry Pi is connected to the network via wired Ethernet. – myraspberrypiscripts Apr 03 '19 at 04:21
  • @JayEye Sorry if there is confusion between 802.1x and WPA2. I have credentials for the network but it was easier to register the pi's mac address with my network admin and then just connect it to the network through wired Ethernet. Any followup on what the issue is with the tutorial? The official raspberry pi site has a similar tutorial [here](https://www.raspberrypi.org/documentation/configuration/wireless/access-point.md) that mirrors the same steps. – myraspberrypiscripts Apr 03 '19 at 04:23

1 Answer

Your Raspberry Pi is already connected to the enterprise network with an Ethernet cable, so it is not a big issue to set up an access point and connect it to the enterprise network. You have two options: routing or bridging. You have to decide which you want before going on.

Routing is more flexible and has better performance than bridging. For example, you can route part of your traffic to another subnet, maybe to a remote network at your home with OpenVPN. The access point and the devices connected to it have their own subnet with its own DHCP server, which means their IP address range differs from that of the enterprise network.

Bridging is completely transparent to the enterprise network. That means devices connected to the access point become part of that network with the same IP address range, and they can manage broadcasts. They can use a DHCP server on the enterprise network and anything else that uses broadcasts (e.g. seeing printer devices, using media sources, etc.). They behave as if they were directly connected to the enterprise network.

For how to configure an access point, you can look at Setting up a Raspberry Pi as an access point - the easy way. For routing, follow the instructions in the section Setting up an access point and with eth0, with routing. You have to modify the file /etc/systemd/network/04-eth0.network to:

```
rpi ~$ sudo -Es # only if not already done
rpi ~# cat > /etc/systemd/network/04-eth0.network <<EOF
[Match]
Name=eth0
[Network]
DHCP=yes
IPForward=yes
EOF
```

Use the NAT solution by modifying the `wpa_supplicant@wlan0.service` as described. Maybe `DNS=84.200.69.80 84.200.70.40` in /etc/systemd/network/08-wlan0.network must be changed to the DNS server used in your enterprise.

For bridging, use the section Setting up an access point with a bridge.

Ingo
  • Thanks for the link. I started with a freshly updated Raspbian OS and followed the general setup and then the bridge guide, and upon rebooting my phone could see the network being broadcast. However, after attempting to connect it said "Failed to obtain IP Address." I then started again with a freshly updated Raspbian OS with the same process, but this time also followed the dnsmasq section too. After rebooting, this time my phone would get stuck in a loop of attempting to connect to the network, with no error message. Any further advice on how to proceed? – myraspberrypiscripts Apr 03 '19 at 12:16
  • I'm thinking maybe this is due to restrictions set by the network admin, since I had to register the MAC Address of the raspberry pi for the wired Ethernet connection to even work. I would like to avoid using static IP Addresses but need to get this bridge working. Thanks. – myraspberrypiscripts Apr 03 '19 at 12:20
  • @myraspberrypiscripts As already said, a DHCP server running on the enterprise network is responsible for assigning IP addresses. Is there one running? How do phones connecting to the access point of the enterprise get their IP address? Have you tried it with your phone? – Ingo Apr 03 '19 at 12:27
  • I'm fairly certain there is a DHCP server running on the network. When I run ipconfig /all on my laptop I can see the address of the DHCP server. However when my phone connects to the raspberry pi bridge (without the dnsmasq DHCP server on it), it still fails to obtain an IP Address. The same phone successfully obtains one by directly connecting to the network. – myraspberrypiscripts Apr 03 '19 at 12:41
  • @myraspberrypiscripts Please don't use **dnsmasq** on your RasPi! You should **immediately** shut it down. Now you have two DHCP servers running on the enterprise network and this is out of specification and may violate the enterprise network by assigning IP addresses. Your network manager will not like it. Btw. there is an easier way to enable a DHCP server with *systemd-networkd*. – Ingo Apr 03 '19 at 12:49
  • @myraspberrypiscripts As I see it, you should rather use routing. It is safer for your enterprise ;-) And you can fake it with NAT that all traffic is only coming from the RasPi. I have updated the answer with modifications for you to use routing. – Ingo Apr 03 '19 at 13:22
  • Ok so I followed the routing tutorial, including replacing the DNS in 08-wlan0.network with the DNS used in my enterprise network. However, when the SSID is broadcast and I attempt to connect to it with my phone, I get an Authentication Error, even though I am copying and pasting the password and have triple checked that it is the correct one as the one I put in wpa_supplicant-wlan0.conf. I have tried it both with iptables and without, but I have the same issue regardless – myraspberrypiscripts Apr 03 '19 at 23:41
  • So it looks like regardless of whether I use a bridge or routing, and regardless of whether I use the NAT solution or not, the problem I consistently have is authentication with the broadcasted network from the pi. – myraspberrypiscripts Apr 04 '19 at 09:09
  • @myraspberrypiscripts I will look at it but I'm a bit busy today. You are right, the authentication has nothing to do with the enterprise network. You may have a look at the **Troubleshooting** section of the tutorial and maybe use the debug option? If you like you can [check setup step by step](https://raspberrypi.stackexchange.com/a/93662/79866) and tell me what Checkpoint fails. – Ingo Apr 04 '19 at 09:51
  • @myraspberrypiscripts I have checked the setup as described for you and it works. I can connect to the access point. To be clearer I have split the routing section in the tutorial into two sections with NAT and routing. You can follow now section **Setting up an access point and with eth0, with NAT (recommended)** in [Setting up a Raspberry Pi as an access point - the easy way](https://raspberrypi.stackexchange.com/a/88234/79866). – Ingo Apr 04 '19 at 23:41
  • After starting with a freshly updated Raspbian, I followed General Setup and then the **Setting up an access point and with eth0, with NAT (recommended)** section. After rebooting the SSID is being broadcast but I still have an authentication error, regardless of attempting to connect from my laptop or phone. In journalctl --boot --follow, I get the message `raspberrypi wpa_supplicant[356]: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0` after every failed connection. – myraspberrypiscripts Apr 05 '19 at 08:44
  • @myraspberrypiscripts Weird... There must be some difference between your setup and mine. What could it be? Try to use a simple password, at least 8 chars and only chars and numbers without space, between double quotes. Try another frequency, one of 2412 (channel 1), 2437 (channel 6), 2462 (channel 11), see https://en.wikipedia.org/wiki/List_of_WLAN_channels#2.4_GHz_(802.11b/g/n/ax). You may try to run wpa_supplicant in debug mode. – Ingo Apr 05 '19 at 09:35
  • @myraspberrypiscripts You can also try to explicitly define the encryption protocol **RSN(WPA2)** or older **WPA**. In *wpa_supplicant-wlan0.conf* change line `proto=RSN WPA` to `proto=RSN` or `proto=WPA`. – Ingo Apr 05 '19 at 11:38
  • None of the alternative frequencies or encryption protocols worked. I'm testing with default password right now ("password"), at least until I can verify that it works. An interesting update (hopefully this will help): When I set `key_mgmt=WPA-EAP` in the wpa_supplicant-wlan0.conf file and reboot, in the journalctl log I see 3 lines: `wpa_supplicant[362]: wlan0: AP-STA-CONNECTED XXX`, `wpa_supplicant[362]: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0`, and `wpa_supplicant[362]: wlan0: AP-STA-DISCONNECTED XXX` where XXX is my phone's MAC Address. So perhaps it's not authentication? – myraspberrypiscripts Apr 06 '19 at 11:08
  • @myraspberrypiscripts If you set `key_mgmt=WPA-EAP` then you need pre-shared key files for authentication. This is not used for the access point. It is set to `key_mgmt=WPA-PSK`, that means only simple password authentication. – Ingo Apr 06 '19 at 12:16
  • Interesting (and final!) update: So I haven't worked on this in about 2 days but I plugged my pi back in today and spun it up (with the previous settings I was testing, which was exactly your configuration but with `key_mgmt=WPA-EAP` and `frequency=2437`). And RasPi network appeared and my devices could successfully connect to it! I then reverted the `key_mgmt` to the previous WPA-PSK and used my own password, and everything still continued to work. The only significant difference is that I am now using frequency 2437. – myraspberrypiscripts Apr 08 '19 at 07:19
  • However I was using this frequency earlier with all other settings as is in the currently working RasPi and it was not working (same authentication issue). And I was definitely rebooting after every change in the wpa_supplicant-wlan0.conf file. So I'm honestly unsure what the issue was and what caused it to fix after the 2 days, but nonetheless it is now fully working with the "with NAT (recommended)" configuration from your tutorial. Thanks! – myraspberrypiscripts Apr 08 '19 at 07:22
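
The access point settings discussed in the comments above (`key_mgmt`, `proto`, `frequency` and the passphrase length) can be checked in `wpa_supplicant-wlan0.conf` before rebooting. The following is an added example, not code from the thread or the linked tutorial: the function names, the SSID and the passphrase in the sample are constructed, and it assumes a 2.4 GHz radio and wpa_supplicant's `mode=2` (access point mode).

```python
import re

# 2.4 GHz channel centres in MHz for channels 1-13 (assumes a 2.4 GHz-only radio).
FREQS_2G4 = {str(2412 + 5 * i) for i in range(13)}

def parse_network_block(text):
    """Collect key=value settings from the first network={ ... } block."""
    settings, inside = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("network={"):
            inside = True
        elif inside and line == "}":
            break
        elif inside and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_ap_block(settings):
    """Return {setting: finding} for values that do not fit a WPA2-PSK access point."""
    findings = {}
    if settings.get("mode") != "2":
        findings["mode"] = "mode=2 is required for access point operation"
    if settings.get("key_mgmt", "").split() != ["WPA-PSK"]:
        findings["key_mgmt"] = "use key_mgmt=WPA-PSK for passphrase authentication"
    psk = settings.get("psk", "")
    if len(psk) >= 2 and psk[0] == psk[-1] == '"':
        if not 8 <= len(psk) - 2 <= 63:
            findings["psk"] = "quoted passphrase must be 8 to 63 characters"
    elif not re.fullmatch(r"[0-9a-fA-F]{64}", psk):
        findings["psk"] = "psk must be a quoted passphrase or 64 hex digits"
    if settings.get("frequency", "") not in FREQS_2G4:
        findings["frequency"] = "frequency must be a 2.4 GHz channel centre in MHz"
    if "WPA" in settings.get("proto", "").split():
        findings["proto"] = "proto also allows legacy WPA; proto=RSN limits the AP to WPA2"
    return findings

# Constructed sample, not the poster's real file.
SAMPLE = """
network={
    ssid="RPiNet"
    mode=2
    frequency=2437
    key_mgmt=WPA-EAP
    proto=RSN WPA
    psk="short"
}
"""
print(check_ap_block(parse_network_block(SAMPLE)))
```

To check a real file, pass its contents to `parse_network_block()` instead of `SAMPLE`; an empty result means none of these checks fired.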