This method assumes EAP-PEAP MSCHAPv2.
You should not be doing this, but if you want to... here is how you can use wpa_supplicant and OpenSSL for enterprise connections with no certs. This is a bad idea. You should be setting up certs and a proper PKI, but here we go...
We need to modify the OpenSSL configuration to change its security settings. These settings lower security standards: they enable less secure connections and further open up attacker-in-the-middle problems. Takeaway? Do not use in production. This reduces security. Testing purposes only.
Specifically:
- enable "UnsafeLegacyRenegotiation" - a deprecated SSL/TLS renegotiation method
- sets the security level to 1 - which is lower than the default
Edit /etc/ssl/openssl.cnf with your favorite editor. I use vim, btw.
After this line:
[openssl_init]
Add
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
CipherString = DEFAULT@SECLEVEL=1
Save.
This example configuration should work for connecting to an ESSID with WPA3-Enterprise configured with transition mode enabled. This should also support 11r if enabled on the infrastructure.
ap_scan=1
p2p_disabled=1
# Uncomment to enable a control interface
#ctrl_interface=/run/wpa_supplicant
# PMF enabled: ieee80211w=1
# PMF required: ieee80211w=2
network={
    ssid="My Awesome SSID"
    key_mgmt=WPA-EAP FT-EAP WPA-EAP-SHA256
    ieee80211w=1
    eap=PEAP
    identity="josh"
    password="mysecurepassword"
    phase2="auth=MSCHAPV2"
}
Test with sudo wpa_supplicant -i <iface> -c <path_to_conf> -d.
Btw, always refer to the source for what the many wpa_supplicant configuration items do: https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf
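Since the openssl.cnf change above is system-wide and easy to forget after testing, here is an added example (not part of the original post) that audits both files for the weakened settings shown on this page. The function names and sample strings are constructed for illustration, and treating security level 2 as the baseline is an assumption.

```python
import re

# Constructed samples that mirror the two snippets on this page.
OPENSSL_CNF = """[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
CipherString = DEFAULT@SECLEVEL=1
"""
WPA_CONF = """network={
    ssid="My Awesome SSID"
    key_mgmt=WPA-EAP FT-EAP WPA-EAP-SHA256
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
"""

def audit_openssl(text, min_level=2):
    """Flag the weakened TLS defaults; min_level=2 is an assumed baseline."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment in openssl.cnf
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            # Options is a comma-separated list; a leading '-' disables a flag.
            opts = [o.lstrip("+").lower() for o in re.split(r"[,\s]+", value)]
            if key.lower() == "options" and "unsafelegacyrenegotiation" in opts:
                findings.append(f"[{section}] UnsafeLegacyRenegotiation enabled")
            m = re.search(r"@SECLEVEL=(\d+)", value)
            if key.lower() == "cipherstring" and m and int(m.group(1)) < min_level:
                findings.append(f"[{section}] SECLEVEL={m.group(1)}")
    return findings

def audit_wpa(text):
    """Return SSIDs of EAP network blocks that set neither ca_cert nor ca_path."""
    unvalidated = []
    for block in re.findall(r"^\s*network=\{(.*?)^\s*\}", text, re.S | re.M):
        kv = dict(l.strip().split("=", 1) for l in block.splitlines()
                  if "=" in l and not l.strip().startswith("#"))
        if "eap" in kv and not ({"ca_cert", "ca_path"} & kv.keys()):
            unvalidated.append(kv.get("ssid", "?").strip('"'))
    return unvalidated

if __name__ == "__main__":
    print(audit_openssl(OPENSSL_CNF), audit_wpa(WPA_CONF))
```

To check a real machine, pass the contents of /etc/ssl/openssl.cnf and your wpa_supplicant configuration file to the two functions instead of the samples.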