Joining a Raspberry Pi running the OS Raspbian "Jessie" to the RPI_wpa2 wireless service

Overview

This document describes the quirks of connecting a Raspberry Pi running the OS Raspbian "Jessie" to the RPI_wpa2 wireless service.  

Procedure

Installation:

1. Obtain the appropriate certificate files from .CIO.  As of 6/17/19, the correct certificate is called "radiusauth_net_rpi_edu_cert.cer".   It is attached to this article.  Copy the certificate files to /usr/share/ca-certificates.  Rename it so the extension is ".crt"
2. Register the new certificate with the Pi.  Be sure to scroll to the bottom of the list and verify that the newly added RPI certificate is asterixed:

   sudo dpkg-reconfigure ca-certificates

3. Optional:  verify the certificates.  You may get a message indicating "unable to get local issuer certificate", this is expected.

   openssl verify [certificate path and filename]

4. Edit /etc/network/interfaces with the following changes.  This will tell Raspbian to bring the interface up using the parameters stored in the wpa_supplicant file.    Changes in this file include the following lines:
   

   auto wlan0
   allow-hotplug wlan0
   iface wlan0 inet dhcp
   wpa-ssid rpi_wpa2
   pre-up wpa_supplicant -B -Dwext -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf
   post-down killall -q wpa_supplicant

5. Edit /etc/wpa_supplicant/wpa_supplicant.conf with the following changes.  Changes in this file were hard won, and include the following lines.  Note the final curly bracket.  Use an RCS TAGS Device Account for the identity and password:

   ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
   update_config=1
   country=US
   network={
             ssid="rpi_wpa2"
             scan_ssid=1
             key_mgmt=WPA-EAP
             eap=PEAP 
             identity="<RCS ID>"
             password="<RCS password>" 
             phase1="peapver=0"
             phase2="auth=MSCHAPV2"
    }

Troubleshooting:

To manually launch a WPA2 connection, use the same command that normally launches on boot from inside the "interfaces" file.  This will fail if wireless services have already been started.

sudo wpa_supplicant -B -Dwext -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf 

To kill an existing wireless service for testing, use the following commands to find the process ID and kill it:

ps aux | grep wpa
sudo kill -9 [process ID]

To check if WPA2 has been successful, from the command line run

wpa_cli

then issue command 

status

Use ctrl-c to exit.  This will show if wpa2 has successfully negotiated with RPI's Radius server, and if it was able to bring up the wifi service.  The "help" command will show other ways to interrogate wireless status with wpa-cli.

To log wpa_supplicant output for debugging and troubleshooting, change the line in interfaces to read this way (adding the -f and path to log file)

pre-up wpa_supplicant -B -Dwext -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -f /var/log/wpa_supplicant.log

To see the current status of all the network interfaces:

ip a

To see wireless information: 

iwconfig

When troubleshooting the wpa_supplicant file, double check the key_mgmt value.  This was seen to occasionally change during testing.

References/Links

This file was created by David Bebb, Senior Network Administrator, EMPAC, on 7/17/19.  Please contact bebbd@rpi.edu with any questions or corrections.  

Three files are attached below:  The current Radius certificate, a sample interfaces file, and a sample wpa_supplicant.conf file.