Overview
This document describes the quirks of connecting a Raspberry Pi running the OS Raspbian "Jessie" to the RPI_wpa2 wireless service.
Procedure
Installation:
- Obtain the appropriate certificate files from .CIO. As of 6/17/19, the correct certificate is called "radiusauth_net_rpi_edu_cert.cer". It is attached to this article. Copy the certificate file to /usr/share/ca-certificates and rename it so the extension is ".crt".
- Register the new certificate with the Pi. Be sure to scroll to the bottom of the list and verify that the newly added RPI certificate is marked with an asterisk:
sudo dpkg-reconfigure ca-certificates
- Optional: verify the certificates. You may get a message indicating "unable to get local issuer certificate"; this is expected.
openssl verify [certificate path and filename]
- Edit /etc/network/interfaces with the following changes. This will tell Raspbian to bring the interface up using the parameters stored in the wpa_supplicant file. Changes in this file include the following lines:
auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-ssid rpi_wpa2
pre-up wpa_supplicant -B -Dwext -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf
post-down killall -q wpa_supplicant
- Edit /etc/wpa_supplicant/wpa_supplicant.conf with the following changes. Changes in this file were hard won, and include the following lines. Note the final curly bracket. Use an RCS TAGS Device Account for the identity and password:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=US
network={
ssid="rpi_wpa2"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="<RCS ID>"
password="<RCS password>"
phase1="peapver=0"
phase2="auth=MSCHAPV2"
}
Troubleshooting:
To manually launch a WPA2 connection, use the same command that normally launches on boot from inside the "interfaces" file. This will fail if wireless services have already been started.
sudo wpa_supplicant -B -Dwext -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf
To kill an existing wireless service for testing, use the following commands to find the process ID and kill it:
ps aux | grep wpa
sudo kill -9 [process ID]
To check if WPA2 has been successful, from the command line run
wpa_cli
then issue the command
status
The output shows whether WPA2 has successfully negotiated with RPI's Radius server, and whether it was able to bring up the wifi service. Use ctrl-c to exit. The "help" command will show other ways to interrogate wireless status with wpa_cli.
To log wpa_supplicant output for debugging and troubleshooting, change the line in interfaces to read this way (adding the -f option and the path to the log file):
pre-up wpa_supplicant -B -Dwext -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -f /var/log/wpa_supplicant.log
To see the current status of all the network interfaces:
ip a
To see wireless information:
iwconfig
When troubleshooting the wpa_supplicant file, double check the key_mgmt value. This was seen to occasionally change during testing.
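As an added example (not part of the original article or its attached files), this shell function checks a wpa_supplicant.conf against the values in the network block above, which catches the key_mgmt drift mentioned here. The ca_cert and file-permission warnings are additions beyond the article's steps; the function assumes a single network block, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article.
# get_val FILE KEY: print the first "KEY=value" value with quotes stripped.
get_val() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | tr -d '"\r'
}

# check_wpa_conf FILE: print findings; return 1 if any setting has drifted
# from the values in the article's network block, else 0.
check_wpa_conf() {
    conf=$1
    drift=0
    for pair in "ssid=rpi_wpa2" "key_mgmt=WPA-EAP" "eap=PEAP" \
                "phase1=peapver=0" "phase2=auth=MSCHAPV2"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(get_val "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: expected '$want', found '${got:-<missing>}'"
            drift=1
        fi
    done
    # Without ca_cert, wpa_supplicant does not verify the RADIUS server
    # certificate during PEAP (advisory check, not an article step).
    if [ -z "$(get_val "$conf" ca_cert)" ]; then
        echo "WARN ca_cert is not set: server certificate is not verified"
    fi
    # The file holds the account password in clear text.
    if [ -n "$(find "$conf" -prune -perm -004)" ]; then
        echo "WARN $conf is world-readable and contains a password"
    fi
    return "$drift"
}

# Constructed sample: the article's block with key_mgmt changed to NONE.
demo=$(mktemp)
cat > "$demo" <<'EOF'
network={
    ssid="rpi_wpa2"
    scan_ssid=1
    key_mgmt=NONE
    eap=PEAP
    identity="<RCS ID>"
    password="<RCS password>"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
EOF
check_wpa_conf "$demo" || echo "configuration has drifted"
rm -f "$demo"
```

On the Pi, run it as `check_wpa_conf /etc/wpa_supplicant/wpa_supplicant.conf`; a MISMATCH line names the setting that changed.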
References/Links
This file was created by David Bebb, Senior Network Administrator, EMPAC, on 7/17/19. Please contact bebbd@rpi.edu with any questions or corrections.
Three files are attached below: The current Radius certificate, a sample interfaces file, and a sample wpa_supplicant.conf file.