ralph-irving / squeezeos

Source code for the Logitech Controller, Radio and Touch Community Firmware
https://sourceforge.net/projects/lmsclients/files/squeezeos/

enable PEAP for wpa_supplicant #21

Closed j-r79 closed 1 year ago

j-r79 commented 1 year ago

Hi

I use a Wi-Fi network with WPA2 Enterprise. If I change wpa_supplicant.conf and start wpa_supplicant, I receive the following message:

```
/usr/sbin/wpa_supplicant -B -Dwext -ieth1 -c/etc/wpa_supplicant.conf
Successfully initialized wpa_supplicant
Line 9: unknown EAP method 'PEAP'
You may need to add support for this EAP method during wpa_supplicant
build time configuration.
See README for more information.
Line 9: failed to parse eap 'PEAP'.
Line 13: failed to parse network block.
Failed to read or parse configuration '/etc/wpa_supplicant.conf'.
```

Would it be possible to compile wpa_supplicant with PEAP enabled?

Thank you!

ralph-irving commented 1 year ago

The only "jive" based player that we can build wpa_supplicant for is the radio and EAP is enabled in the configuration for it. https://github.com/ralph-irving/squeezeos/blob/public/8.0/poky/meta-squeezeos/packages/wpa-supplicant/files/defconfig#L4

We don't have the source code required for the touch or controller which is needed to rebuild wpa_supplicant with EAP support. These devices use the wpa_supplicant binaries from the official Logitech firmware.

j-r79 commented 1 year ago

Thank you for your quick reply. Yes, it is squeezebox radio. The error is taken from cli on the radio.

Regarding PEAP, I found documentation which says that there is an additional setting

`CONFIG_EAP_PEAP=y`

Would it be possible to enable that? Years ago I compiled it by myself and replaced wpa_supplicant on my stock firmware, but now I switched to the community firmware...

ralph-irving commented 1 year ago

Your request was good timing. I'm currently testing upgrading wpa_supplicant to 2.10 for the radio, so I've added CONFIG_EAP_PEAP=y to the config and rebuilt the binaries. You can download wpa-supplicant-2.10-eap-peap-baby.tar.gz from https://sourceforge.net/projects/lmsclients/files/squeezeos/ Let me know of your success/failure with the new version or if you need help installing v2.10. Here's the config I used to build them.

```
CONFIG_DRIVER_WEXT=y
CONFIG_WIRELESS_EXTENSION=y
CONFIG_IEEE8021X_EAPOL=y
CONFIG_EAP=y
CONFIG_EAP_PEAP=y
CONFIG_TLS=internal
CONFIG_EAP_TLS=internal
CONFIG_TLSV11=y
CONFIG_TLSV12=y
CONFIG_INTERNAL_LIBTOMMATH=y
CONFIG_CTRL_IFACE=y
CONFIG_WPS=y
CONFIG_WPA_CLI_EDIT=y
CONFIG_WEP=y
```

j-r79 commented 1 year ago

Hi Ralph, I will test it this afternoon when I'm back at home.

If you compare https://github.com/ralph-irving/squeezeos/blob/public/8.0/poky/meta/packages/wpa-supplicant/files/defconfig with https://github.com/ralph-irving/squeezeos/blob/public/8.0/poky/meta-squeezeos/packages/wpa-supplicant/files/defconfig there are more settings regarding EAP enabled:

```
cat defconfig | grep EAP | grep -v '#'
CONFIG_IEEE8021X_EAPOL=y
CONFIG_EAP_MD5=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_TLS=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_GTC=y
CONFIG_EAP_OTP=y
CONFIG_EAP_LEAP=y
```

Not sure if another one of these is needed, I will give you feedback as soon as possible. I think I will need CONFIG_EAP_MSCHAPV2=y too, because EAP phase 2 here is MSCHAPv2...

If I remember right, I simply enabled all of them when I compiled wpa_supplicant some years ago :-)

Once again, thank you very much!

ralph-irving commented 1 year ago

You'll find wpa-supplicant-2.10-eap-peap-2-baby.tar.gz available as well, which has these options enabled.

```
CONFIG_CTRL_IFACE=y
CONFIG_DRIVER_WEXT=y
CONFIG_EAP=y
CONFIG_EAP_GTC=y
CONFIG_EAP_LEAP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_OTP=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TLS=internal
CONFIG_EAP_TTLS=internal
CONFIG_IEEE8021X_EAPOL=y
CONFIG_INTERNAL_LIBTOMMATH=y
CONFIG_TLS=internal
CONFIG_TLSV11=y
CONFIG_TLSV12=y
CONFIG_WEP=y
CONFIG_WIRELESS_EXTENSION=y
CONFIG_WPA_CLI_EDIT=y
CONFIG_WPS=y
```

It would be great to identify only the options required as the radio has limited memory available and is already tight on free memory.

j-r79 commented 1 year ago

Thank you, the first version is working, I don't have the error message any more.

But currently I am unable to join the network. It seems to have nothing to do with wpa_supplicant; my log shows me that the RADIUS/AAA fails. I have to put some more time in there...

j-r79 commented 1 year ago

OK, after checking more logs, I revert my opinion :-) The RADIUS/AAA receives invalid data within the PEAP request. I would like to test the second file, wpa-supplicant-2.10-eap-peap-2-baby.tar.gz, but I don't see it on SourceForge...

ralph-irving commented 1 year ago

Sorry, I didn't notice that the sync had failed. It's there now.

j-r79 commented 1 year ago

OK, with wpa-supplicant-2.10-eap-peap-2-baby.tar.gz everything regarding PEAP seems to work, the logs show success (Wi-Fi, RADIUS), but after authentication there is no DHCP request. I will look into that a little bit later, unfortunately I have to work a little bit.

j-r79 commented 1 year ago

OK, I could not stop trying to find the reason. The last time I configured everything was really long ago; here is what worked:

`vi /etc/network/interfaces`

```
auto lo
iface lo inet loopback

iface eth0 inet dhcp
    script /etc/network/udhcpc_action

mapping eth1
    script /etc/network/if_mapping

auto eth1=SSID
iface SSID inet dhcp
    script /etc/network/udhcpc_action
```

I forgot to add eth1 to interfaces with DHCP switched on. The last three lines fixed that. After I scp'd the two files to the device and placed them in /usr/sbin/, I changed /etc/wpa_supplicant.conf with my settings:

```
ctrl_interface=/var/run/wpa_supplicant
update_config=1
country=US

network={
    ssid="SSID"
    scan_ssid=1
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    identity="USER"
    password="PASS"
    phase2="MSCHAPV2"
}
```

The first three lines already existed, I did not change country. I just added my EAP config.

Did a reboot and everything worked.

How do you want to proceed? Remove some enabled configuration lines and I test again?
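Added example (not code from the thread or the project): a Python check, meant to be run on a workstation, that maps the EAP methods a network block requests to the `CONFIG_EAP_*` build options compared earlier in the thread, and flags a block with no `ca_cert`/`ca_path`, in which case wpa_supplicant does not verify the RADIUS server's certificate. The sample block holds the EAP-relevant lines of the one posted above, `BUILD_1` is the EAP-related subset of the first build's config, and the function names are assumptions of this example.

```python
import re
# EAP-relevant lines of the network block posted in the thread
# (SSID/USER/PASS are the thread's own placeholders).
CONF = '''network={
    ssid="SSID"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="USER"
    password="PASS"
    phase2="MSCHAPV2"
}
'''
# EAP-related subset of the first build's config quoted in the thread.
BUILD_1 = "CONFIG_EAP=y\nCONFIG_EAP_PEAP=y\nCONFIG_EAP_TLS=internal\n"

def network_blocks(conf):
    """Yield each network={...} block as a dict of key -> unquoted value."""
    for body in re.findall(r"^\s*network=\{(.*?)^\s*\}", conf, re.S | re.M):
        block = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                block[key.strip()] = value.strip().strip('"')
        yield block

def audit(conf, defconfig):
    """Return findings for every EAP network block in conf."""
    enabled = set(re.findall(r"^(CONFIG_\w+)=\S+", defconfig, re.M))
    findings = []
    for net in network_blocks(conf):
        if "eap" not in net:
            continue
        outer, inner = net["eap"].split(), []
        if "PEAP" in outer and "phase2" in net:
            # Documented PEAP form is phase2="auth=<EAP method>".
            inner = re.findall(r"\bauth=(\w+)", net["phase2"])
            if not inner:
                findings.append("phase2 lacks the documented auth= prefix")
                # Assumption: a bare word names the intended inner method.
                inner = re.findall(r"\w+", net["phase2"])
        for method in outer + inner:
            if "CONFIG_EAP_" + method.upper() not in enabled:
                findings.append("build lacks CONFIG_EAP_" + method.upper())
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append("no ca_cert/ca_path: server certificate not verified")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONF, BUILD_1)))
```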

ralph-irving commented 1 year ago

I've been reconsidering trying to identify which options are needed for PEAP. Instead, if the current settings prove stable and the kernel does not invoke the Out Of Memory Killer, I'll call it done. I'm running the latest build on both my radios as well, using WPA2, and so far all is well. Let's leave the issue open and if you'd be so kind and report back in a few weeks with a status update that would be most helpful.

j-r79 commented 1 year ago

Sure, but I have no doubt that it will be stable as well!

j-r79 commented 1 year ago

Everything worked so far, nothing to complain. Not a single problem so far.

ralph-irving commented 1 year ago

That's great! Thanks for reporting back.