Connecting to an EAP-PEAP network on OpenBSD

File this under Important Notes To Myself That I Must Never Forget and Things That Will Only Apply to A Few People.

I work at a college where we must log in with our username and password to use the full-access wifi network. This causes trouble for people using free operating systems -- Linux in the case of some students and one instructor, and OpenBSD for me. The trouble is compounded by the inability of our IT people to provide support.

It turns out the solution is fairly simple, at least for OpenBSD. Other OSes may work a bit differently, but the following still may help.

First, figure out the nwid and bssid of the network you want to use:

ifconfig iwn0 scan

Here iwn0 is the name of my wireless card. Next, connect to that network:

ifconfig iwn0 nwid "ssid goes here" chan 1 bssid xx:xx:xx:xx:xx:xx wpa wpaakms 802.1x up

Replace the xx's in the bssid with the actual values from the scan output, and set chan to the channel the scan reports for that access point. And now run wpa_supplicant to handle the authentication:

wpa_supplicant -i iwn0 -c /etc/wpa_supplicant.conf

As you see, it requires a wpa_supplicant.conf file. Here's how mine reads:

# $OpenBSD: wpa_supplicant.conf,v 1.3 2015/04/02 17:32:24 sthen Exp $
# Sample wpa_supplicant configuration file for wired IEEE 802.1x
# port authentication. See wpa_supplicant.conf(5).

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0

network={
    ssid="goes here"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="username"
    password="pass"
    ca_cert="/etc/ssl/cert.pem"
    phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"
    phase2="auth=MSCHAPV2"
}

# If authentication is broken with TLSv1.1/1.2, you may need:
# phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"

Sure enough, our servers are broken with TLSv1.1/1.2; this actually prevents me from using the wifi with Android 6. Anyway, now I have wifi at work.
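
The configuration above trusts the whole system CA bundle through ca_cert and does not constrain the server's name, so wpa_supplicant will accept any server certificate that chains to a CA in that bundle before sending the MSCHAPv2 exchange. The script below is an added example, not part of the original post: it checks a wpa_supplicant.conf for EAP network blocks that lack ca_cert or a server-name constraint and notes where TLS versions are disabled. The function names, finding labels, sample SSIDs and radius.example.edu are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original post. Flags EAP network blocks in a
# wpa_supplicant.conf that do not pin the RADIUS server's identity.

audit_wpa_conf() {  # $1 = config path, or - for stdin; one finding per line
    awk '
    function val(s) { sub(/^[^=]*=[ \t]*/, "", s); return s }
    /^[ \t]*#/ { next }                                # ignore comments
    /^[ \t]*network[ \t]*=[ \t]*[{]/ { blk = 1; ssid = "?"; eap = ca = pin = old = 0; next }
    !blk { next }
    /^[ \t]*ssid[ \t]*=/ { ssid = val($0) }
    /^[ \t]*key_mgmt[ \t]*=.*(WPA-EAP|IEEE8021X)/ { eap = 1 }
    /^[ \t]*ca_cert[ \t]*=/ { ca = 1 }
    # Any of these ties the accepted certificate to a server name or subject.
    /^[ \t]*(domain_suffix_match|domain_match|subject_match|altsubject_match)[ \t]*=/ { pin = 1 }
    /^[ \t]*phase1[ \t]*=.*tls_disable_tlsv1_[12]=1/ { old = 1 }
    /^[ \t]*[}]/ {
        blk = 0
        if (!eap) next                                 # PSK/open: out of scope
        if (!ca)  print ssid ": NO_CA_CERT"
        if (!pin) print ssid ": NO_SERVER_NAME_CHECK"
        if (old)  print ssid ": TLS_1_1_OR_1_2_DISABLED"
    }' "$1"
}

# Constructed sample: the first block mirrors the settings in the post, the
# second adds a server-name check (radius.example.edu is a placeholder).
sample_conf() {
    cat <<'EOF'
network={
    ssid="campus"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/cert.pem"
    phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/cert.pem"
    domain_suffix_match="radius.example.edu"
}
EOF
}

sample_conf | audit_wpa_conf -
```

The value for domain_suffix_match has to be the name in the certificate the campus RADIUS server actually presents. Since the file holds a password in clear text, it should also be readable by root only.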