Unable to connect to WPA enterprise wireless
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OEM Priority Project |
Fix Released
|
High
|
James M. Leddy | ||
Precise |
Fix Released
|
High
|
Unassigned | ||
OpenSSL |
Invalid
|
Unknown
|
|||
wpa_supplicant |
In Progress
|
Medium
|
|||
openssl (Fedora) |
New
|
Undecided
|
Unassigned | ||
openssl (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
Precise |
Invalid
|
High
|
Unassigned | ||
wpa (Debian) |
Fix Released
|
Unknown
|
|||
wpa (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Precise |
Invalid
|
Undecided
|
Unassigned | ||
wpasupplicant (Fedora) |
Invalid
|
Undecided
|
|||
wpasupplicant (Ubuntu) |
Invalid
|
High
|
Mathieu Trudel-Lapierre | ||
Precise |
Fix Released
|
High
|
Mathieu Trudel-Lapierre |
Bug Description
[Impact]
Breaks 802.1x (PEAP) authentication for wireless networks using specific authentication servers and/or AP hardware. Aruba network devices specifically are known to be affected; and is a popular device type used in enterprises to secure wireless networks.
[Test Case]
This issue is hardware specific and may or may not be limited to Aruba authentication servers.
1) Attempt to connect / authenticate to a wireless, 802.1x network requiring Protected EAP (or possibly other auth mechanisms).
2) (optionally) Watch SSL traffic between the station and authentication server using wireshark/tcpdump, looking for auth failures and the extensions passed.
[Regression Potential]
Since this changes the SSL extensions and options used to connect to 802.1x wireless networks; some networks specifically configured to request or make use of the session ticket extension could be made impossible to successfully authenticate to; up to the point where multiple connection failures could lock the accounts used in highly-restricted networks. Also, there is a potential (again, due to the change in SSL options) for other networks (using specific AP hardware) that don't support the extensions used to fail authentication.
---
Using identical settings as in 11.10, I am unable to make a wpa enterprise connection using xubuntu precise beta 2. This is a Lenovo X220 with a Centrino Advanced-N 6205 wireless interface. During the attempted logon, I am not presented with a certificate to approve, although wireless instructions for OSX suggest that I should be. However, I never had to approve a certificate when connecting with 11.10 -- I just ignored the certificate screen and everything worked.
This seems like the relevant excerpt from syslog:
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 NetworkManager[
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.940422] wlan0: authenticated
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.940974] wlan0: associate with 00:11:92:3e:79:80 (try 1)
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.943165] wlan0: RX ReassocResp from 00:11:92:3e:79:80 (capab=0x431 status=0 aid=222)
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.943174] wlan0: associated
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 NetworkManager[
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.969742] wlan0: deauthenticated from 00:11:92:3e:79:80 (Reason: 23)
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: network-manager 0.9.4.0-0ubuntu1
ProcVersionSign
Uname: Linux 3.2.0-20-generic x86_64
ApportVersion: 2.0-0ubuntu1
Architecture: amd64
Date: Fri Mar 30 10:34:13 2012
IfupdownConfig:
auto lo
iface lo inet loopback
InstallationMedia: Xubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120328)
NetworkManager.
[main]
NetworkingEnab
WirelessEnable
WWANEnabled=true
WimaxEnabled=true
ProcEnviron:
LANGUAGE=en_US:en
TERM=xterm
LANG=en_US.UTF-8
SHELL=/bin/bash
RfKill:
0: phy0: Wireless LAN
Soft blocked: no
Hard blocked: no
SourcePackage: network-manager
UpgradeStatus: No upgrade log present (probably fresh install)
nmcli-con: Error: command ['nmcli', '-f', 'all', 'con'] failed with exit code 1: Error: Can't obtain connections: settings service is not running.
affects: | ubuntu → network-manager (Ubuntu) |
affects: | wpasupplicant (Debian) → openssl (Debian) |
Changed in openssl (Debian): | |
status: | Unknown → New |
Changed in openssl (Ubuntu): | |
status: | Confirmed → Triaged |
assignee: | nobody → Canonical Foundations Team (canonical-foundations) |
Changed in openssl (Ubuntu Precise): | |
assignee: | Canonical Foundations Team (canonical-foundations) → Colin Watson (cjwatson) |
milestone: | none → precise-updates |
Changed in wpasupplicant: | |
importance: | Unknown → Medium |
status: | Unknown → Confirmed |
Changed in openssl: | |
importance: | Undecided → Unknown |
status: | New → Unknown |
Changed in openssl: | |
status: | Unknown → New |
Changed in wpasupplicant: | |
status: | Confirmed → In Progress |
Changed in oem-priority: | |
importance: | Undecided → High |
Changed in oem-priority: | |
assignee: | nobody → James M. Leddy (jm-leddy) |
status: | New → In Progress |
tags: | added: rls-q-incomming |
tags: |
added: rls-q-incoming removed: rls-q-incomming |
Changed in openssl (Debian): | |
status: | New → Confirmed |
description: | updated |
tags: | added: verification-needed |
Changed in openssl (Ubuntu): | |
status: | Incomplete → Fix Committed |
status: | Fix Committed → Incomplete |
Changed in wpasupplicant (Ubuntu Precise): | |
status: | Triaged → Fix Committed |
tags: |
added: verification-failed removed: verification-needed |
Changed in oem-priority: | |
status: | In Progress → Fix Committed |
Changed in oem-priority: | |
status: | Fix Committed → Fix Released |
Changed in openssl (Ubuntu): | |
status: | Incomplete → Fix Released |
Changed in openssl (Ubuntu): | |
status: | Incomplete → Invalid |
Changed in openssl (Ubuntu Precise): | |
status: | Fix Committed → Invalid |
tags: | removed: verification-done-precise |
affects: | openssl (Debian) → wpa (Debian) |
Changed in wpa (Debian): | |
status: | Confirmed → Fix Released |
Changed in wpasupplicant (Fedora): | |
importance: | Unknown → Undecided |
status: | Unknown → Invalid |
Changed in openssl: | |
status: | New → Invalid |
Created attachment 566264 1.0.0g- 1.fc17. x86_64
with openssl-
Authentication in wpa_supplicant fails with openssl- 1.0.1-0. 1.beta2. fc17.x86_ 64 (security : wpa/wpa2 enterprise, authentication ttls). Here is the output of wpa_supplicant, debug enabled, with current openssl and with previous version. The authentication problem occurs just after the occurence of "no matching PMKID found"