# wpa_supplicant 2.6 EAP-PEAP iwm (8260)



## xk2600 (Jan 2, 2018)

Getting 'RSN: PMKID mismatch" when attempting to connect to SSID using RSN + WPA-EAP + PEAP + MSCHAPV2. Tried both 'pkg install' and 'cd /usr/ports/security/wpa_supplicant && make && make install'... when compiling from ports tree, I enabled and disabled the OpenSSLv1.2 option seeing where there were issues on linux forums related to this. Don't believe it to be an issue with the 8260 as at the house it works flawlessly with WPA-PSK, just not at the office when using WPA-EAP.

*demsg output related to wlan0:*

```
iwm0: <Intel(R) Dual Band Wireless AC 8260> mem 0xe1100000-0xe1101fff irq 16 at device 0.0 on pci1
iwm0: hw rev 0x200, fw ver 22.361476.0, address b8:8a:60:c5:cf:10
```

*wpa_supplicant.conf*

```
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
  ssid="Enterprise-Test"
  key_mgmt=WPA-EAP
  eap=PEAP
  phase1="peaplabel=1"
  phase2="auth=MSCHAPV2"
  identity="TestUser"
  password="Passw0Rd!"
}
```

logged output of 
'/usr/local/sbin/wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf -P /var/run/wpa_supplicant/wlan0.pid -t -d'

```
.... head of log removed ... see the following for detail: https://pastebin.com/qU5V5dZN

1514935413.932983: EAPOL: SUPP_BE entering state SUCCESS
1514935413.932985: EAPOL: SUPP_BE entering state IDLE
1514935413.933199: wlan0: RX EAPOL from 04:62:73:b4:8c:5f
1514935413.933204: EAPOL: Ignoring WPA EAPOL-Key frame in EAPOL state machines
1514935413.933209: wlan0: IEEE 802.1X RX: version=2 type=3 length=117
1514935413.933213: wlan0:   EAPOL-Key type=2
1514935413.933220: wlan0:   key_info 0x8a (ver=2 keyidx=0 rsvd=0 Pairwise Ack)
1514935413.933224: wlan0:   key_length=16 key_data_length=22
1514935413.933226:   replay_counter - hexdump(len=8): 00 00 00 00 00 00 00 00
1514935413.933230:   key_nonce - hexdump(len=32): 85 00 39 dd fc 8e 54 f3 35 04 7d 5e 0a e6 7b 77 25 cf 2c 52 77 31 b9 0e 08 eb c9 3d e9 5f e2 5b
1514935413.933240:   key_iv - hexdump(len=16): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1514935413.933247:   key_rsc - hexdump(len=8): 00 00 00 00 00 00 00 00
1514935413.933251:   key_id (reserved) - hexdump(len=8): 00 00 00 00 00 00 00 00
1514935413.933256:   key_mic - hexdump(len=16): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1514935413.933272: wlan0: State: ASSOCIATED -> 4WAY_HANDSHAKE
1514935413.933278: wlan0: WPA: RX message 1 of 4-Way Handshake from 04:62:73:b4:8c:5f (ver=2)
1514935413.933280: RSN: msg 1/4 key data - hexdump(len=22): dd 14 00 0f ac 04 a8 c4 bb 5c 35 22 e9 43 14 13 58 3e 4b cf 93 45
1514935413.933288: WPA: PMKID in EAPOL-Key - hexdump(len=22): dd 14 00 0f ac 04 a8 c4 bb 5c 35 22 e9 43 14 13 58 3e 4b cf 93 45
1514935413.933296: RSN: PMKID from Authenticator - hexdump(len=16): a8 c4 bb 5c 35 22 e9 43 14 13 58 3e 4b cf 93 45
1514935413.933303: wlan0: RSN: no matching PMKID found
1514935413.933305: EAPOL: Successfully fetched key (len=32)
1514935413.933308: EAPOL: Successfully fetched key (len=64)
1514935413.933310: WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]
1514935413.933321: RSN: Added PMKSA cache entry for 04:62:73:b4:8c:5f network_ctx=0x8007b8c00
1514935413.933326: wlan0: RSN: PMKID mismatch - authentication server may have derived different MSK?!
1514935413.933334: wlan0: Request to deauthenticate - bssid=04:62:73:b4:8c:5f pending_bssid=00:00:00:00:00:00 reason=1 state=4WAY_HANDSHAKE
1514935413.933355: wlan0: Event DEAUTH (12) received
1514935413.933359: wlan0: Deauthentication notification
1514935413.933363: wlan0:  * reason 1 (locally generated)
1514935413.933365: Deauthentication frame IE(s) - hexdump(len=0): [NULL]
1514935413.933371: wlan0: CTRL-EVENT-DISCONNECTED bssid=04:62:73:b4:8c:5f reason=1 locally_generated=1
```


----------



## Snurg (Jan 3, 2018)

At my local university's wlan which uses eduroam and WPA-EAP, I was only able to connect if I removed/commented the peaplabel line in the wpa_supplicant.conf recommended by the university net admins for Linux.
Neither I nor my colleagues had an idea why that.
Just in case it helps.


----------



## xk2600 (Jan 4, 2018)

Snurg said:


> At my local university's wlan which uses eduroam and WPA-EAP, I was only able to connect if I removed/commented the peaplabel line in the wpa_supplicant.conf recommended by the university net admins for Linux.
> Neither I nor my colleagues had an idea why that.
> Just in case it helps.



Snurg Many thanks..It was the peaplabel that was the issue, however I ended up changing the configuration item to phase1="peaplabel=0". With this line removed, it appears the Cisco ISE Server (RADIUS) would reject the connection during an intercontroller roaming event..

Just so anyone that comes across this issue can use for reference:

We are running Cisco the Unified Wireless Platform with 8510 Foreign Controllers and 5520 Controllers as Anchors running 8.0.133 Firmware, the SSIDs in question permit only RSN (WPA2-EAP)
The Radius Server is Cisco Identity Services Permitting PEAP with an inner EAP method of MSCHAPV2 and is running firmware 1.3.0.876 Patch 5 with FIPS mode disabled.

My working configuration as follows:

/etc/wpa_supplicant.conf

```
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
  ssid="Enterprise-Test"
  key_mgmt=WPA-EAP
  eap=PEAP
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
  identity="TestUser"
  password="Passw0Rd!"
}
```


----------

