
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
2 answers
5863 views
Request digital certificates from Microsoft CA over RPC from a Linux machine
I'm looking for a solution to sign a CSR from my Linux machine with our Windows CA using a specific template from domain controller directly from the Linux machine. Why? I need a computer certificate signed by our Active Directory Certificate Services for 802.1x authentication in the internal networks. Both wireless and wired networks used EAP Transport Layer Security (EAP-TLS), which needs a computer certificate to gain access to the internal network. For example, we use this app for our macOS users: https://apps.apple.com/us/app/certificate-request/id1412486531?mt=12 It would be nice if I find something like this for Linux (we use Ubuntu). I need the simplest way to achieve this because I have to write some documentation that our users can use to gain access to the internal networks. I've joined the Linux computer in the domain and installed the CA root certificate. The next step is the signing process of the CSR that 802.1x needs to authenticate in the network, but I didn't find a simple way to achieve this.
Iacob Berar (1 rep)
Sep 9, 2022, 07:51 AM • Last activity: Apr 12, 2025, 01:09 PM
1 votes
0 answers
61 views
Use Regulatory Domain data from regulatory.db instead of wifi adapter's EEPROM
I'm using OpenWrt 23.05.05 (I compiled it for my custom system) and have two WiFi chips (QCN9074) that use the `ath11k_pci` driver. I also have a `regulatory.db` file located in `/lib/firmware`. I want to use this file as the source of regulatory data for the cards instead of their built-in regulatory data. Currently, they are self-managed as shown by
iw reg get
and I want to change this. Is it possible to do so?
Balsam (11 rep)
Dec 9, 2024, 10:18 AM • Last activity: Dec 9, 2024, 11:22 AM
1 votes
0 answers
115 views
How it is expected to make domain-joined linux computers connect Wi-Fi 802.1x with computer authentication?
I have an Active Directory domain with Windows computers: when I join computer to AD, it gets computer account (`computername$`) and 802.1x group policy which says
> Connect to SSID mySSID
> validate AAA server issuer certificate and its FQDN,
> use PEAP\MSCHAPv2,
> use **computer** account for authentication

Works good. How can I configure Ubuntu Linux Desktop computer, joined with sssd to same AD Domain, to authenticate to Wi-Fi same way?
filimonic (141 rep)
Aug 11, 2024, 03:34 PM • Last activity: Nov 12, 2024, 10:58 AM
0 votes
0 answers
1111 views
How to configure wpa_supplicant.conf for 802.1x network?
I have a raspberry pi zero w and I'm totally new to the device and to Linux. I'd like to configure the raspberry pi such that I can access it by ssh through an 802.1x secured network. I've contacted the admin and they don't know what lines to write into the wpa_supplicant.conf file to get it to work. This is what I have so far
country=US
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="NETWORK-NAME"
    psk=NONE
}
I should add that I've added some lines in the config.txt and the cmdline.txt to ssh by usb. I've used this tutorial to do that and it worked just fine. I don't know if I need to revert these settings to get ssh via wifi to work. So I have three questions: first, how do I set up the wpa_supplicant.conf file for 802.1x? Second, do I need to revert any of the settings I've changed when I set up ssh via USB? Third, is there a way that I can access my pi via ssh through both USB and wifi?
Tea Tree (103 rep)
Mar 29, 2021, 04:53 PM
81 votes
3 answers
112626 views
How do I find out if my wireless card supports 5 GHz?
I have the 03:00.0 Network controller: Intel Corporation Centrino Wireless-N 2200 (rev c4). How do I find out if that card/driver supports 5 GHz?
Evan Carroll (34663 rep)
Jun 18, 2014, 06:42 PM • Last activity: Dec 15, 2020, 08:14 AM
2 votes
1 answers
5026 views
How do I generate the certificates for EAP-TLS Wi-Fi?
I want to connect a Linux machine to WPA2 Enterprise Wi-Fi (that I manage). The certificates I created with OpenSSL work well with Android and iOS devices, but I can't figure out what types of certificates are expected by wpa_supplicant. Basically, I have a ca.pem, and, for a given device, the following files are being generated:
- demo.crt
- demo.csr
- demo.key
- demo.p12

It looks like wpa_supplicant can work with either a file containing both the public and the private certificate, as well as two files. Originally, I was using two files:
- demo.key
- demo.pem, created by running openssl pkcs12 -in demo.p12 -out demo.pem -clcerts.

wpa_supplicant.conf was configured like this:
network={
    ssid="HelloWorld"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="demo@example.com"
    ca_cert="/etc/ssl/private/ca.pem"
    client_cert="/etc/ssl/private/demo.pem"
    private_key="/etc/ssl/private/demo.key"
    private_key_passwd=...
}
The authentication fails with the following error:
> OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

If I remove client_cert and use only private_key, pointing to the .pem file, the error is still the same. If I point it to .p12, the error is:
> OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)

Debian's documentation tells that the PEM should be created from a .pfx. When I do that:
openssl pkcs12 -export -out demo.pfx -inkey demo.key -in demo.crt -certfile ca.crt
openssl pkcs12 -in demo.pfx -out demo.pem -clcerts
the original error is back:
> OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

How exactly should I generate the certificates for wpa_supplicant?
Arseni Mourzenko (1382 rep)
Apr 24, 2020, 10:20 PM • Last activity: Apr 30, 2020, 07:13 PM
2 votes
1 answers
1873 views
How can I count 802.11 beacons from a SSID network I'm connected to?
Does anyone know of a way to count 802.11 beacons for the network you're already connected to? Doesn't matter if it's an Access Point or Adhoc network as both will issue 802.11 beacons. I'm asking this question from a Linux platform perspective.

I've been working with Adhoc networks and Linux devices, and need a method of determining if the nodes in the network are alive without having to write a heartbeat service. I know that Access Points issue 802.11 beacons regularly for clients to detect them and wondered if Adhoc network clients had some similarities. (There are Adhoc features relating to ESSID and BSSID that would suggest the clients would have to advertise the Adhoc network.)

I've been testing this theory by using Kali Linux and an Alfa Wifi adapter to monitor 802.11 wireless traffic. (Not a typical setup, and I only want to count beacons from the connected network.) I then set up a 2 node Adhoc network between 2 Linux systems. airodump-ng noted that the clients were generating a lot of frames. I admittedly didn't set an iptables rule to block all outbound TCP/UDP, so the activity could have been some background process trying to get online. After firing Wireshark up I noticed that some, if not all, of the frames were 802.11 beacons! They were emitted very regularly, like 2-5 beacons per second.

I don't know if there's some function or configuration that 802.11 Adhoc must be in to issue these beacons or if it can be tuned, but they are there. A function could be written to count beacons for the connected Adhoc network, and if one of the clients stops sending them, you could assume that communication was down with that client.

The problem is I need a method for seeing/counting 802.11 beacons for the network I'm already connected to, without a special wifi adapter or pen testing tools. Any suggestions? Thanks!
dubmojo (121 rep)
Feb 13, 2015, 03:50 PM • Last activity: Mar 8, 2020, 04:02 PM
0 votes
0 answers
1632 views
802.1x wired authentication failed
I have this problem: I live in a university dorm room with an ethernet port because the campus wifi doesn't reach. So, together with the network administrator that was on board with this, I used an openWRT router to create an access point inside my room. It worked for a couple of months until the power went out and now I can't reconnect with the exact same configuration. This is my wpa_supplicant file:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=PEAP
    pairwise=CCMP TKIP
    identity="myUniEmail"
    password="myUniPassword"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
And what I get is this:
Successfully initialized wpa_supplicant
eth0.1: Associated with 01:80:c2:00:00:03
WMM AC: Missing IEs
eth0.1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
eth0.1: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0.1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
eth0.1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
eth0.1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='C=IT, ST=emilia romagna, L=Bologna, O=ALMA MATER STUDIORUM - Università di Bologna, OU=Cesia, CN=almawifi.unibo.it' hash=ce505b0c76f06f20ad7e4cafef889f5e2d098d8e9e6253fdd5d7258c8a579e45
eth0.1: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL CA 3' hash=beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8
eth0.1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Any idea how I can get this working again? Again, I know for a fact that this configuration worked before and nothing has changed on the network.
poweruser621 (1 rep)
Dec 15, 2019, 06:32 PM • Last activity: Dec 15, 2019, 06:41 PM
2 votes
0 answers
1518 views
Denied association (code=12) when connecting to 5GHz WLAN
I'm using the **Archer T2U** as a WLAN adapter on my Debian machine and I cannot connect to my 5GHz home network. I can connect to my 2.4GHz network without any problems.

`lsusb`:
Bus 002 Device 002: ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter

`dmesg`:
[ 86.913331] wlan0: authenticate with XX:XX:XX:XX:XX:XX
[ 86.965513] wlan0: send auth to XX:XX:XX:XX:XX:XX (try 1/3)
[ 86.966267] wlan0: authenticated
[ 86.968872] wlan0: associate with XX:XX:XX:XX:XX:XX (try 1/3)
[ 86.969758] wlan0: RX AssocResp from XX:XX:XX:XX:XX:XX (capab=0x511 status=12 aid=11128)
[ 86.969759] wlan0: XX:XX:XX:XX:XX:XX denied association (code=12)

`uname -r`:
4.19.0-4-amd64

The 802.11 spec states that the code 12 stands for:
> Association denied due to reason outside the scope of this standard

and [Cisco's website](https://community.cisco.com/t5/wireless-mobility-documents/802-11-association-status-802-11-deauth-reason-codes/ta-p/3148055) lists this as an example:
> Example : When controller receives assoc from an unknown or disabled SSID

Is my router causing this issue? I assume it's not the driver since this is a fresh Debian installation and I doubt it's a hardware fault in the adapter since it is relatively new. When using the adapter with a Windows machine it frequently disconnects from the 5GHz network but works flawlessly on the 2.4GHz network.
technical_difficulty (146 rep)
May 1, 2019, 10:11 PM • Last activity: May 2, 2019, 10:20 AM
1 votes
1 answers
1426 views
Change default EAP type in hostapd
I'm trying to change the default EAP type in hostapd but I am not able to understand how to do that. Here's what I've found reading the `hostapd.conf` file:
# NAI Realm information
# One or more realm can be advertised. Each nai_realm line adds a new realm to
# the set. These parameters provide information for stations using Interworking
# network selection to allow automatic connection to a network based on
# credentials.
# format: ,[,][,][,...]
# encoding:
# 0 = Realm formatted in accordance with IETF RFC 4282
# 1 = UTF-8 formatted character string that is not formatted in
# accordance with IETF RFC 4282
# NAI Realm(s): Semi-colon delimited NAI Realm(s)
# EAP Method: [:][][...]
# EAP Method types, see:
# http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-4
# AuthParam (Table 8-188 in IEEE Std 802.11-2012):
# ID 2 = Non-EAP Inner Authentication Type
# 1 = PAP, 2 = CHAP, 3 = MSCHAP, 4 = MSCHAPV2
# ID 3 = Inner authentication EAP Method Type
# ID 5 = Credential Type
# 1 = SIM, 2 = USIM, 3 = NFC Secure Element, 4 = Hardware Token,
# 5 = Softoken, 6 = Certificate, 7 = username/password, 9 = Anonymous,
# 10 = Vendor Specific
#nai_realm=0,example.com;example.net
# EAP methods EAP-TLS with certificate and EAP-TTLS/MSCHAPv2 with
# username/password
#nai_realm=0,example.org,13[5:6],21[2:4][5:7]
JohnLocke (33 rep)
Apr 7, 2017, 05:10 PM • Last activity: Jan 22, 2019, 02:27 PM
1 votes
3 answers
3012 views
wpa_supplicant not connecting anymore to eduroam
Since a few weeks (probably after a dist-upgrade) my machine can't connect anymore to 802.1x networks. I'm using Debian Buster with i3, but using nm-applet. I've also tried to connect directly with wpa_supplicant but it doesn't work either. This is my configuration:
[connection]
id=eduroam
uuid=a86d2f21-990c-4a55-b7e4-933ffcffe0cd
type=wifi
permissions=user:root:;

[wifi]
mac-address-blacklist=
ssid=eduroam

[wifi-security]
group=ccmp;tkip;
key-mgmt=wpa-eap
pairwise=ccmp;
proto=rsn;

[802-1x]
altsubject-matches=DNS:nps1.unitn.it;DNS:nps2.unitn.it;DNS:nps3.unitn.it;
anonymous-identity=
ca-cert=/root/.cat_installer/ca.pem
eap=peap;
identity=[removed]
password=[secret]
phase2-auth=mschapv2

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
This is the output of syslog:
wpa_supplicant: wlan0: CTRL-EVENT-SSID-REENABLED id=0 ssid="eduroam"
wpa_supplicant: wlan0: SME: Trying to authenticate with 00:26:0b:ac:91:d2 (SSID='eduroam' freq=2412 MHz)
wpa_supplicant: wlan0: Trying to associate with 00:26:0b:ac:91:d2 (SSID='eduroam' freq=2412 MHz)
wpa_supplicant: wlan0: Associated with 00:26:0b:ac:91:d2
wpa_supplicant: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wpa_supplicant: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wpa_supplicant: wlan0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=IT
wpa_supplicant: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 -> NAK
wpa_supplicant: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
wpa_supplicant: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
wpa_supplicant: wlan0: CTRL-EVENT-DISCONNECTED bssid=00:26:0b:ac:91:d2 reason=4 locally_generated=1
wpa_supplicant: wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wpa_supplicant: wlan0: SME: Trying to authenticate with 54:75:d0:3f:4d:2d (SSID='eduroam' freq=5200 MHz)
wpa_supplicant: wlan0: Trying to associate with 54:75:d0:3f:4d:2d (SSID='eduroam' freq=5200 MHz)
wpa_supplicant: wlan0: Associated with 54:75:d0:3f:4d:2d
wpa_supplicant: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wpa_supplicant: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wpa_supplicant: wlan0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=IT
wpa_supplicant: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 -> NAK
wpa_supplicant: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
wpa_supplicant: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=eduradius-dr-2018' hash=86fdb85978a8d3c9ba28e40f1f10415d49c0a595b8752556906d37ac9d1884fc
wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=eduradius-dr-2018' hash=86fdb85978a8d3c9ba28e40f1f10415d49c0a595b8752556906d37ac9d1884fc
wpa_supplicant: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wpa_supplicant: wlan0: Authentication with 54:75:d0:3f:4d:2d timed out.
wpa_supplicant: wlan0: CTRL-EVENT-DISCONNECTED bssid=54:75:d0:3f:4d:2d reason=3 locally_generated=1
wpa_supplicant: wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=2 duration=23 reason=AUTH_FAILED
wpa_supplicant: wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
Apart from waiting for an update what could I do?

Update, dmesg -wL output:
[72642.755504] wlan0: authenticate with 54:75:d0:3f:4d:22
[72642.757856] wlan0: send auth to 54:75:d0:3f:4d:22 (try 1/3)
[72642.761033] wlan0: authenticated
[72642.763678] wlan0: associate with 54:75:d0:3f:4d:22 (try 1/3)
[72642.766431] wlan0: RX AssocResp from 54:75:d0:3f:4d:22 (capab=0x431 status=0 aid=3)
[72642.768628] wlan0: associated
[72642.863828] wlan0: Limiting TX power to 17 dBm as advertised by 54:75:d0:3f:4d:22
[72647.757757] wlan0: deauthenticated from 54:75:d0:3f:4d:22 (Reason: 3=DEAUTH_LEAVING)
UPDATE: Seems that the problem is wpa_supplicant 2.6. I solved the problem by downgrading to 2.4.
gabriel-shatana (31 rep)
Nov 19, 2018, 10:54 AM • Last activity: Dec 14, 2018, 02:59 PM
1 votes
1 answers
1371 views
PEAP-TLS for Linux
I would like to set up PEAP-TLS on the CLIENT for my 802.1x environment, but I am unable to find any configuration for it. PEAP-TLS is available in Windows but not in Linux (at least in Ubuntu, Redhat family). This link also does not provide any information about configuration of PEAP-TLS settings. Does Linux even support the PEAP-TLS authentication method for wireless devices? More info about PEAP-TLS is at https://wiki.freeradius.org/protocol/EAP-PEAP#types_peap-eap-tls
SHW (15376 rep)
Nov 13, 2018, 09:14 AM • Last activity: Nov 17, 2018, 11:57 AM
3 votes
1 answers
2084 views
from Windows 802.1X connection instructions to linux
Was looking for PEAP tutorials for raspbian but didn't find any solution so far. In our manual for the LAN-connection to our network are following steps:
1. Activate IEEE 802.1X-authentication
2. Set User authentication as authentication-mode
3. Uncheck the option to check the identity of the server through Certificate
4. Select EAP-MSCHAP-V2 as authentication-method
5. Proceed and enter credentials: domainxxx\usernamexxx passwordxxx

How can I reproduce these steps for raspbian?

Edit (efforts so far):

etc/wpa_supplicant/wpa_supplicant.conf:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="domainxxx\usernamexxx"
    password="passwordxxx"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
edited the line "iface eth0 inet manual" from /etc/network/interfaces to:
iface eth0 inet dhcp
Currently following error:
eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
eth0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
eth0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/DC=de/DC=MyDcxxxx/DC=domainxxx/CN=CNxxx'
eth0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/DC=de/DC=MyDcxxxx/DC=domainxxx/CN=CNxxx'
eth0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/DC=de/DC=MyDcxxxx/DC=domainxxx/CN=CNxxx'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error
OpenSSL: openssl_handshake - SSL_connect error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
OpenSSL: pending error: error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature
eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Distro is Raspbian. OpenSSL version is 1.0.1t 3 May 2016
RumelDilDumpel (83 rep)
Mar 20, 2017, 05:23 PM • Last activity: Mar 1, 2018, 01:08 PM
5 votes
1 answers
7298 views
What 802.11ac (or later) WiFi dongles work with Linux 4.13 kernel
I want to get a WiFi dongle with the 802.11AC or later standard that is compatible with Linux 4.13 (with Ubuntu 17.10) for a desktop PC (Streacom FC8 mini unit), 64 bit, intel core i3-2130).

Context: I have an Ethernet connection but a flatmate pulled it out in the past because he suspected that it was slowing down the connection for everyone else (which may be true). I went and bought a Vivid Wireless router and used that for a couple of months, but it costs $90 per month for an unlimited plan. A few days ago I reconnected the Ethernet to the old router and have used it fine, however an hour or so ago I couldn't use the internet and it would prompt me to log in to the router ISP gateway. So I suspect that the flatmate denied access for the Ethernet connection as he has access to the gateway, although he denies changing anything. While resetting the router may cause the username and password of the gateway to change to the default, there is no button to be felt after prodding around in the reset pinhole, so I'm unable to reset it and can't login in to the gateway. I've posted on a Telstra Forum saying the same thing.

Initially the dongle I had worked with Windows but it wouldn't and was not supported for Linux. So I bought another dongle that was Linux compatible but it didn't work, so I got a refund. Here are the results of trying to get it to work. I read this which says that AC dongles may be difficult to setup. I also read other posts e.g. here, here and here that are pretty old so I'm hoping that there are updates in more compatible AC dongles. A useful source of information is https://wikidevi.com/wiki/Main_Page . There's also http://www.wirelesshack.org/top-linux-compatible-usb-wireless-adapters.html .
> The TP-LINK Archer T4U is a dual band 802.11ac USB adapter.
> It uses the Realtek RTL8812AU chipset which many have had good results getting 802.11ac in the 5GHz range working with Linux. Good 802.11ac USB dongles have been slow to come about and often require some setup for the drivers.
> Here is a link to Realtek RTL8812AU chipset and Linux. https://github.com/abperiasamy/rtl8812AU_8821AU_linux
> If you are looking for a easy setup than going with a known working wireless-N dongle would be better.

Then from the https://github.com/abperiasamy/rtl8812AU_8821AU_linux readme:
> Known Supported Devices:
> * COMFAST 1200Mbps USB Wireless Adapter(Model: CF-912AC)

Interestingly, the seller of the first dongle said that the chipset is RTL8812AU! So I'll try that with the instructions in the abperiasamy repo. That didn't work. I bought an AC600 WiFi dongle, which works plug and play, which is able to connect to my router sometimes, and only sometimes.

I went back to using Ethernet connected to the router, but the housemate wanted to unplug it on Feb 1 2018, so I did. So I used a WiFi extender (Netgear WN3000RP) that is already in the house (but is meant to be used for others; although nobody has complained. I plugged an Ethernet cable into that and connected the other end to my computer.) The internet works fine with this setup. I bought another extender, getting an AC1200 one, in order to get more reliable and faster speeds, although the speed with using up to 300 Mbps works pretty well.
James Ray (171 rep)
Nov 25, 2017, 05:02 AM • Last activity: Feb 3, 2018, 08:34 PM
4 votes
1 answers
5991 views
Disable rate control in linux wireless driver
I need to evaluate the performance of a few wireless cards at different bitrates. I found out that "minstrel" algorithm continuously adjusts this rate.
1. Can someone point me to 'how I can manually set the bit-rate for these wireless cards'? NOTE: I used iwconfig wlan0 rate 54M fixed but that was of no use. (Please see https://superuser.com/questions/870779/iwlist-wlan0-bitrate-says-unknown-bit-rate-information/)
2. Is this of any help to me? CONFIG_MAC80211_HAS_RC=y
Shashank Sabniveesu (181 rep)
Feb 2, 2015, 07:42 PM • Last activity: Sep 29, 2017, 09:13 PM
2 votes
1 answers
623 views
Freeradius doesn't see its WAP-Client
I have Freeradius v.3 Server and WAccessPoint (hostapd), both on the same machine (localhost) Ubuntu Server 16.04.1 installed. I tested my connection firstly without freeradius -> I can connect to WAP and use Internet through NAS and MASQUERADE. When I want to start Authentication with Freeradius, I change WAP-PSK to WAP-EAP, add some lines for RADIUS-SERVER in hostapd.conf and start freeradius -X (in debug mode), but there are no logs when I try to connect through AP. Whether connection is successful or not, it should be logged and debugged by each connection to Freeradius, but I see nothing, which means that my Client and Freeradius don't recognize each other. Here are my settings:

hostapd.conf:
...
own_ip_addr=127.0.0.1
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
wmm_enabled=1
wpa=2
channel=1
auth_algs=1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=secret
...

/etc/freeradius/clients.conf
client localhost {
    ipaddr=127.0.0.1
    secret=secret
    require_message_authenticator = yes
}
I've also tried to create a new client in client.conf with ipaddr of my WAP INTERFACE, but it doesn't work either.
UPDATE1: freeradius -v: FreeRADIUS Version 3.0.11, for host x86_64-pc-linux-gnu netstat -alnp | grep 1812: udp 0 0 0.0.0.0:1812 0.0.0.0:* udp 0 0 127.0.0.1:25868 127.0.0.1:1812 ESTABLISHED 1191/hostapd
UPDATE2: server config file: server { listen { type = auth port = 1812 ipaddr = * } authorize { preprocess eap { ok = return } expiration logintime } authenticate { eap } preacct { preprocess acct_unique suffix files } accounting { detail # unix radutmp # exec attr_filter.accounting_response } session { radutmp } post-auth { # exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } }
UPDATE3: freeradius -X:
"Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_exec # Loading module "echo" from file /etc/freeradius/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loading module "exec" from file /etc/freeradius/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 
15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/mods-enabled/files files { filename = "/etc/freeradius/mods-config/files/authorize" acctusersfile = "/etc/freeradius/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration # Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/mods-enabled/chap # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no 
with_alvarion_vsa_hack = no } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/mods-enabled/digest # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/mods-enabled/eap eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } # Loaded module rlm_always # Loading module "reject" from 
file /etc/freeradius/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" 
permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } instantiate { } # Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail # Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog # Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm # Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap # Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "files" from file /etc/freeradius/mods-enabled/files reading pairlist file /etc/freeradius/mods-config/files/authorize reading pairlist file /etc/freeradius/mods-config/files/accounting reading pairlist file 
/etc/freeradius/mods-config/files/pre-proxy # Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime # Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration # Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/mods-config/preprocess/hints # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response # Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" ca_file = "/etc/freeradius/certs/ca.pem" private_key_password = >> dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "HIGH" ecdh_curve 
= "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no tmpdir = "/tmp/radiusd" client = "/usr/bin/openssl verify -CApath /etc/freeradius/certs %{TLS-Client-Cert-Filename}" } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/ " use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Instantiating module "reject" from file /etc/freeradius/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/mods-enabled/always # Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module 
"post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/sites-enabled/mynetwork # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading session {...} # Loading post-auth {...} } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1812 } Listening on auth address * port 1812 Ready to process requests
user3467471 (47 rep)
Nov 1, 2016, 09:38 AM • Last activity: May 20, 2017, 04:37 AM
3 votes
2 answers
2984 views
Convert a WPA2-Enterprise EDUROAM connection in NetworkManager to a system connection
I am a student at a university which has eduroam, a WPA2-Enterprise wireless network. On my account this is configured using NetworkManager. This is the overview of `nm-connection-editor`:

[two screenshots]

I have marked that this is a system connection by saying “All users may connect to this network”. In practice this does not work:

- When I get logged into my Awesome WM session automatically, my (GNOME?) keyring is not unlocked. It asks for my password before it attempts to connect. This is annoying, my disk is encrypted anyway. So I would like to store the password as root, so to speak.
- When I log into another account with KDE, the connection does not work there.

So I think there are two potential problems here:

1. The certificate file is in my home directory. Other user accounts cannot read my home directory. If I would move that certificate to a central place (like /usr/share/ I guess?), other accounts could use this since the certificate would no longer be missing.
2. The password is stored in my local keyring in my home directory. The password would have to be stored system-wide.

I don't see any configuration files anyway. From what [I read](https://blogs.gnome.org/dcbw/2010/04/30/what-you-dont-know-about-networkmanager-part-1-configuration/), NetworkManager stores its data in some service it communicates with via D-Bus. Therefore the data is stored *somewhere*.

How can I make this a system-wide configuration that just works automatically for every user of the system?

----

If it is of concern, the distribution is Fedora 24.
Martin Ueding (2812 rep)
Sep 30, 2016, 04:13 PM • Last activity: May 15, 2017, 07:15 PM
1 votes
0 answers
83 views
Force/Suggest the client to use one specific EAP method
I would like to suggest to the client which EAP method and inner authentication to use. I'm using hostapd to create the AP. I've tried removing some methods in the `hostapd.eap_user` file, but I only managed to make those methods stop working if the client chooses one of them. I've also tried to add a realm, with a specific EAP method, by adding a `nai_realm` line in `hostapd.conf`, but when I launch hostapd it doesn't recognize `nai_realm`. Thank you.
JohnLocke (33 rep)
Apr 8, 2017, 09:27 AM
1 votes
1 answers
2174 views
Completely non-GUI (or terminal) way to connect to 802.1x wired network
How can I connect to an 802.1x PEAP-secured wired network without using any GUI on Debian? I want a non-GUI way as I am using a customized GUI. Also, the network doesn't take any certificate for PEAP. How can I connect to such a network?
brijs (267 rep)
Feb 10, 2017, 07:38 PM • Last activity: Apr 5, 2017, 12:07 AM
1 votes
0 answers
148 views
How to change EAP method in hostapd?
I've seen that `hostapd` supports a lot of EAP methods. But it's not clear to me how I can switch to one of these methods. I've checked in the `.conf` file but I honestly don't know which parameter I need to change. Thank you.
JohnLocke (33 rep)
Mar 28, 2017, 08:57 AM • Last activity: Mar 28, 2017, 09:35 AM