# Wpa_supplicant EAP error



## John Watson (Jul 3, 2018)

Hello forum,

wpa_supplicant works as expected with hotspot on iPhone 5s but gets eap errors on iPhone SE.
When I try the Iphone SE hotspot I do not get DHCP address or  connection. Doesn't work with static IP and I get wpa_cli error "<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed"

wpa_suplicant.conf

```
ctrl_interface=/var/run/wpa_supplicant
update_config=1
ap_scan=1
fast_reauth=1

network={
    ssid="ssid"
    psk="password"
}
```

rc.conf

```
ifconfig_bce2_name="wlan0"        # External Network
ifconfig_wlan0="WPA DHCP"
```

wpa_cli

```
bssid=XX:XX:XX:XX:XX:XX
freq=0
ssid=ssid
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=ASSOCIATED
ip_address=xx.xx.xx.xx
address=xx:xx:xx:xx:xx:xx
Supplicant PAE state=HELD
suppPortStatus=Unauthorized
EAP state=FAILURE
uuid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
```

Any help appreciated.


----------



## VladiBG (Jul 3, 2018)

Replace the iPhone or use WPA


----------



## SirDice (Jul 3, 2018)

John Watson said:


> ```
> ifconfig_bce2_name="wlan0" # External Network
> ifconfig_wlan0="WPA DHCP"
> ```


This doesn't make sense. The bce(4) interface is a _wired_ interface. 

Handbook: 31.3. Wireless Networking



VladiBG said:


> Replace the iPhone or use WPA


That's not very helpful is it? Besides that: EAP extensions under WPA and WPA2 Enterprise


----------



## John Watson (Jul 3, 2018)

SirDice,
Thank you for your reply.

```
This doesn't make sense. The bce(4) interface is a wired interface.
```
It is wired connection but has iogear GWU627 wireless dongle. The USB wireless was unreliable.


----------



## John Watson (Jul 3, 2018)

Update.

Packet capture below.


```
Frame 7: 18 bytes on wire (144 bits), 18 bytes captured (144 bits) on interface 0
    Interface id: 0 (wlan0)
        Interface name: wlan0
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul  3, 2018 10:05:48.213950000 US Mountain Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1530637548.213950000 seconds
    [Time delta from previous captured frame: 1.720917000 seconds]
    [Time delta from previous displayed frame: 1.720917000 seconds]
    [Time since reference or first frame: 6.728528000 seconds]
    Frame Number: 7
    Frame Length: 18 bytes (144 bits)
    Capture Length: 18 bytes (144 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:eapol]
    [Coloring Rule Name: Broadcast]
    [Coloring Rule String: eth[0] & 1]
Ethernet II, Src: xx:xx:xx:xx:xx:xx (xx:xx:xx:xx:xx:xx), Dst: Nearest (xx:xx:xx:xx:xx:xx)
    Destination: Nearest (xx:xx:xx:xx:xx:xx)
        Address: Nearest (xx:xx:xx:xx:xx:xx)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: Src: xx:xx:xx:xx:xx:xx (xx:xx:xx:xx:xx:xx),
        Address: Src: xx:xx:xx:xx:xx:xx (xx:xx:xx:xx:xx:xx),
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: 802.1X Authentication (0x888e)
802.1X Authentication
    Version: 802.1X-2001 (1)
    Type: Start (1)
    Length: 0
```


----------



## VladiBG (Jul 3, 2018)

The personal hotspot on the telephone is using WPA2 PSK AES and can not be change it. There's nothing related to the EAP or to WPA2 Enterprise with Radius authentication.
You can try manual to specify the key_mgmt in the /etc/wpa_supplicant.conf file to WPA-PSK and verify if your wlan0 device is supporting WPA2-PSK with AES using `ifconfig wlan0 list caps`

Try to update your IOS on the phone.


----------



## VladiBG (Jul 3, 2018)

On Android device you have additional security settings  for Mobile hotspot and you are able to select between OPEN and WPA2 PSK. In the iPhone there's not such option for the hostspot.


----------



## John Watson (Jul 3, 2018)

VladiBG,
I understand your advice is to get rid of the iPhone. Not an option


----------



## John Watson (Jul 3, 2018)

From the packet captures:

On the iPhone SE connection which works, I get 

```
[Protocols in frame: eth:ethertype:ipv6:udp:ssdp]
```
On iPhone SE which doesn't work, I get 

```
[Protocols in frame: eth:ethertype:eapol]
```

It appears to be an issue with wpa_supplicant and iPhoneSE communication of eapol.


----------



## VladiBG (Jul 3, 2018)

try to reset your network setting on the iPhone. I don't know the reason why your iphone se is using WPA2-enterprise for the hotspot.


----------



## John Watson (Jul 3, 2018)

Do you mean turn it off and back on again?


----------



## VladiBG (Jul 3, 2018)

Go to Settings > General > Reset > Reset Network Settings. This also resets Wi-Fi networks and passwords, cellular settings, and VPN and APN settings that you've used before.


----------



## John Watson (Jul 3, 2018)

I reconnected the USB wireless dongle and now have connection. I would have to surmise that this issue has something to do with the iogear wireless to ethernet dongle or my NIC as wpa-supplicant has no problems with the USB wireless dongle and iPhoneSE


----------



## John Watson (Jul 3, 2018)

Thanks for all your help.


----------

