How to Read the EAP WPA Supplicant Logs
In a previous post I talked about the WiFi Protected Access (WPA) Supplicant logs for Pre-Shared Key (PSK) authentication and how to make sense of them. The reality is that although the logs are useful, they can be intimidating if you don’t know what to look for.
This post builds on top of the previous one, covering some additional details around the Extensible Authentication Protocol (EAP) WPA Supplicant logs. The EAP logs include the PSK states of the authentication/association process as well as the EAP authentication method.
WPA Supplicant Configuration
As an example, I connected my Linux client to my WPA-EAP network through my RADIUS server. For reference, here are the contents of the wpa_supplicant.conf configuration file:
Log Parser
If you followed along with the WPA Supplicant daemon from my previous post, you should have the logs saved in the file “/var/log/wpa_supplicant.log”. From this point forward we are working under the assumption that you have this file on your system.
To filter the contents of the logs we will use a grep command with the appropriate filters. The lines we want to see must include the WiFi interface name followed by a colon (e.g. “wlan0:”). From these lines, we only want to keep the ones that include the tokens “State:” and “EAP”. “wlan0”, in this case, is the name of the WiFi interface on my machine. You can get a list of all available interfaces on your machine with the command “ip link”.
The logs also include some low-level debugging information about EAP over LAN (EAPOL) that is not useful in this case. For that reason we’ll filter out lines that include the “EAPOL” token.
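The filter described above, as an added example that is not code from the original post. It assumes a line is kept when it contains either “State:” or “EAP”; `filter_eap_log` and `sample_log` are hypothetical names, and the sample lines are constructed, modeled on wpa_supplicant debug output.

```shell
#!/bin/sh
# Added example: the grep filter from the text, wrapped in a function.
# Assumption: a line is kept when it contains "State:" OR "EAP".

# filter_eap_log IFACE  (hypothetical helper; reads log lines on stdin)
filter_eap_log() {
    iface="$1"
    # 1. Keep lines tagged with the interface, e.g. "wlan0:".
    #    -F matches the name literally, not as a regular expression.
    # 2. Keep state transitions and EAP events.
    # 3. Drop EAPOL lines: they contain the substring "EAP", so step 2
    #    alone would let them through.
    grep -F -- "${iface}:" \
        | grep -E 'State:|EAP' \
        | grep -v -F 'EAPOL'
}

# Constructed sample input (not taken from a real capture).
sample_log() {
    cat <<'EOF'
wlan0: State: DISCONNECTED -> SCANNING
wlan0: State: SCANNING -> ASSOCIATING
wlan0: State: ASSOCIATING -> ASSOCIATED
wlan0: RX EAPOL from 02:00:00:00:01:00
EAPOL: SUPP_PAE entering state CONNECTING
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
EAP: EAP entering state IDENTITY
wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlan0: State: ASSOCIATED -> 4WAY_HANDSHAKE
wlan0: WPA: RX message 1 of 4-Way Handshake from 02:00:00:00:01:00
wlan0: State: 4WAY_HANDSHAKE -> GROUP_HANDSHAKE
wlan0: State: GROUP_HANDSHAKE -> COMPLETED
wlan1: State: DISCONNECTED -> SCANNING
EOF
}

# Run on the sample. On a real system:
#   filter_eap_log wlan0 < /var/log/wpa_supplicant.log
sample_log | filter_eap_log wlan0
```

Lines without the interface prefix are dropped by the first step, so the result is the state transitions and EAP events for that one interface only.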