Bug #1104476 “Network manager cannot connect to WPA2/PEAP/MSCHAP...” : Bugs : wpasupplicant package : Ubuntu

Network manager cannot connect to WPA2/PEAP/MSCHAPv2 enterprise wifi networks without CA_Certificate, like Eduroam

Bug #1104476 reported by zsolt.ruszinyák
This bug affects 281 people
Affects Status Importance Assigned to Milestone
NetworkManager
Fix Released
High
Release Notes for Ubuntu
Fix Released
Undecided
Andy Whitcroft
Fedora
Fix Released
Medium
Gentoo Linux
Fix Released
Medium
network-manager (Debian)
New
Unknown
network-manager (openSUSE)
Won't Fix
High
network-manager-applet (Ubuntu)
Triaged
High
Unassigned
Nominated for Xenial by Alberto Salvia Novella
Trusty
Triaged
High
Unassigned
wpasupplicant (Ubuntu)
Triaged
High
Unassigned
Nominated for Xenial by Alberto Salvia Novella
Trusty
Triaged
High
Unassigned

Bug Description

HOW TO REPRODUCE:
Connect to a MPA2/PEAP/MSCHAPv2 enterprise wifi network that doesn't use a CA Certificate, like Eduroam.

RESULT:
The computer doesn't connect, as the certificate verification fails.

WORKAROUNDS:
(http://askubuntu.com/questions/279762/cant-connect-to-wpa2-enterprise-peap)

RELEASE NOTES TEXT:
When connecting to MPA2/PEAP/MSCHAPv2 enterprise wifi networks that doesn't use a CA Certificate, like Eduroam, the connection fails (http://askubuntu.com/questions/279762/cant-connect-to-wpa2-enterprise-peap)

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote :
summary: Network manager cannot connect to Eduroam (worldwide WiFi network for
- university students|
+ university students)
Revision history for this message
Launchpad Janitor (janitor) wrote : Re: Network manager cannot connect to Eduroam (worldwide WiFi network for university students)

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
Revision history for this message
hepaly (hurezi) wrote :

I have the same problem. I can not connect to wifi network (WPA and WPA2 Enterprise PEAP, MSCHAPv2 +username/password)
The network manager doesn't accept my password. On last week, it worked well. (2013. 03.15.)

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

The certificate authority is missing. You may want to add it to the configuration in NetworkManager to point to a CA certificate that can be provided to you by your network administrator:

Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/C=SK/L=Bratislava/O=Comenius University/CN=WWW Servers Certification Authority/emailAddress=xxxxxxxxx'
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=SK/L=Bratislava/O=Comenius University/CN=WWW Servers Certification Authority/emailAddress=xxxxxxxx' err='unable to get local issuer certificate'
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
Jan 24 21:28:21 ubuntu wpa_supplicant[3569]: OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jan 24 21:28:22 ubuntu wpa_supplicant[3569]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

I've noticed this too happening with self-signed certificates in universities. The alternative is to edit the connection file in /etc/NetworkManager/system-connections to remove "system-ca-certs=true".

Changed in network-manager (Ubuntu):
status: Confirmed → Invalid
Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote :

but why only since 13.04 if it worked fine so far. anyway, I have found something here, it should be the certificate, but I haven't got round to try it myself: http://www.lan.kth.se/eduroam/AddTrust_External_CA_Root.pem does it work for you, hepaly?

Revision history for this message
hepaly (hurezi) wrote :

Hi Zsolt, This problem affects me, when i try to connect to my office network. We never used certificate authority. The wifi network allows the connection, when I use a specific hostname, and username/password. Ubuntu 12.10 is working well. On last week, the wifi connection was OK on ubuntu 13.04.

Revision history for this message
hepaly (hurezi) wrote :

I got a certificate file (*.crt) from IT, and the connection is working well (with this cert. file). It is interesting, because the 12.10 works without this file.

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to Eduroam (worldwide WiFi network for university students)
Download full text (3.7 KiB)

if it doesn't change, this could mean a serious move-away from ubuntu,
cause I instapped ubuntu to many of my friemds juat because they were
unaboe to connect to eduroam in windows! don't underestimate this, I would
mark this of a very high importanace, being a dev...
On Mar 19, 2013 2:02 PM, "hepaly" <email address hidden> wrote:

[...]

Read more...

Revision history for this message
Alfredo Buttari (alfredo-buttari) wrote : Re: Network manager cannot connect to Eduroam (worldwide WiFi network for university students)

Hi Hepaly,
what kind of certificate did you use? googling around I found (here, for example https://admin.kuleuven.be/icts/english/wifi/eduroam-ubuntu) that with the

/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt

should work but instead it does not work for me.

alfredo

Revision history for this message
hepaly (hurezi) wrote :

Here are some screenshots about this issue:
I can connect to office network without using CA certificate file (ubuntu 12.10 live cd):
http://dl.dropbox.com/u/3104528/network_manager_issue/ubuntu12.10_wpa2E.png

Ubuntu 13.04 daily build doesn't accept my password. (using same settings, as ubuntu 12.10):
http://dl.dropbox.com/u/3104528/network_manager_issue/ubuntu13_04wpa2E.png

But if I use the CA certificate file, what I got from IT guys, then the password validation is OK, and it connects to wifi network.
http://dl.dropbox.com/u/3104528/network_manager_issue/ubuntu13_04wpa2E_ok_with_crt.png

Actually it works well using with CA certificate file, but why does the 12.10 work without this file? Is it bug or feature? :)

Changed in network-manager (Ubuntu):
status: Invalid → New
Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote :

I'm marking this again as new, cause the definition of invalid says that it should be a support request which it is not, because canonical cannot provide support to solve it.

most people don't know what a CA certificate is, so you can't leave it this way, cause they will say, that ubuntu just cannot connect and they are moving back to windows... you have to consider what normal people will think about this.

Revision history for this message
Alfredo Buttari (alfredo-buttari) wrote :

I've tried all sorts of certificates in the last few days (searching on google people say to use different types of them) but I couldn't make this work. Moreover the Eduroam site says to leave the certificate field empty. I can connect with my telephone with no problems so I'm sure the problem is not related to my account. I'll check if it works with an older ubuntu version asap.

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to Eduroam (worldwide WiFi network for university students)
Download full text (3.8 KiB)

I have tries with different certificates (cause my school haven't issued
one) and it didn't work. currently there's no way for us to connect to
eduroam in 13.04.
On Mar 25, 2013 10:50 AM, "Alfredo Buttari" <email address hidden>
wrote:

[...]

Read more...

Revision history for this message
Launchpad Janitor (janitor) wrote : Re: Network manager cannot connect to Eduroam (worldwide WiFi network for university students)

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
Revision history for this message
Igor Petrović (paradajz) wrote :

Also unable to connect, works well in any Ubuntu version except for 13.04.

Revision history for this message
gluca (gianluca-carlesso) wrote :

Hi! i have same bug. The problem occurs only in 13.04.

Revision history for this message
Eduard Gotwig (gotwig) wrote :

I have the same problem.
Very bad.

My college, the b.i.b International College Bergisch Gladbach (www.bg.bib.de) is affected!

In 12.04 it worked perfectly!

summary: - Network manager cannot connect to Eduroam (worldwide WiFi network for
- university students)
+ Network manager cannot connect to WPA/PEAP/MSCHAPv2 network
summary: - Network manager cannot connect to WPA/PEAP/MSCHAPv2 network
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network
Revision history for this message
Eduard Gotwig (gotwig) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network

If this bug does not get fixed, a whole industry is affected.

This bug has to be critical!

summary: - Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without
+ CA_Certificate
Revision history for this message
Eduard Gotwig (gotwig) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Sry, I just want to note that removing "system-ca-certs=true" from /etc/NetworkManager/system-connections solved the problem for me!

Revision history for this message
Eduard Gotwig (gotwig) wrote :

Remove the line that I marked (line 20) , to fix it

This is an example of my NetworkManager profile.

This file is saved under /etc/NetworkManager/system-connections/

with connecting to the wireless point at my college. (www.bg.bib.de)

Revision history for this message
Brendan Donegan (brendan-donegan) wrote :

So it seems the problem is system-ca-certs=true is being added despite Eduard cancelling the request for the cert.

Changed in network-manager (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate
Download full text (3.6 KiB)

I had no possibilty of testing these days. any progress, guys?
On Apr 9, 2013 11:30 AM, "Brendan Donegan" <email address hidden>
wrote:

[...]

Read more...

Revision history for this message
Carl Davis (carl.davis) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

I can confirm that even though I choose ignore on the CA Cert dialog, the line "system-ca-certs=true" was added to system-connections. It works find after I set that to false.

Revision history for this message
Ryan Yates (ryanyates23) wrote :

Hey, my laptop can't even find eduroam or setup-wifi to even attempt connecting since upgrading to 13.04. How can I go about fixing this?

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate
Download full text (3.6 KiB)

upgrading is not good. try to fire up a usb image and try if it it can
connect in the live mode. the problem is probably with the upgrade. but
first try to connect to a hidden network.
On Apr 17, 2013 5:45 AM, "Ryan Yates" <email address hidden> wrote:

[...]

Read more...

Revision history for this message
Eduard Gotwig (gotwig) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Ryan: Just read the log on this page...

Revision history for this message
Pedro Nunes (nunes-p89) wrote :

I am affected too.
Lets hope that on Monday its already fixed! :P

Revision history for this message
cosmin (wizardelo) wrote :

well i just tried 13.04 on a live-usb and this issue is still there:(
cannot connect to peap without CA, line "system-ca-certs=true" is stil added despite choosing no CA

Revision history for this message
Matthew Dye (mdye) wrote :

I believe this may be a GNOME problem. When I try it under Kubuntu and KDE, I can connect fine; while in GNOME, I cannot connect to my university (University of Missouri) wifi network.

Revision history for this message
Ben Hilburn (bhilburn) wrote :

Confirming that this is a really serious issue.

PEAP connection, MSCHAPv2, no certificate but with a username & password, I *cannot* connect to the network. Previous versions of Ubuntu work fine. Indeed, my credentials on another machine running 12.10 work just fine.

Changed in network-manager (Ubuntu):
status: Triaged → Confirmed
Revision history for this message
mrtrick (patrick-hendrick) wrote :

I can confirm this issue on a Lenovo T510, PEAP, MSCHAPv2, no cert. Switching to LEAP seems to hold fine. Removing system-ca-certs=true did not stabilize my connection at all. I am able to get connected, but drops every few minutes and sometimes will not connect at all.

Revision history for this message
Fei (feisung) wrote :

Hey Guys, this problem is quite serious!! Excitement in the morning after the upgrade on home wifi then complete dissapointment after 2hrs+ attempting to patch it :(
 Tried just about all that was posted here and was unsuccessful. eduroam and other enterprise wpa networks just don't work anymore. Please supply a quick fix...

Revision history for this message
DeepJoy (deepjoy) wrote :

Confirmed "system-ca-certs=true" is stil added despite choosing no CA and choosing ignore along with do not warn me again on the popup.

Revision history for this message
zsolt.ruszinyák (zsolt-ruszinyak) wrote : Re: [Bug 1104476] Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

this is the 1. ubuntu release I didn't install right after it came out.
guess why.

and by the way the workarond by Eduard Gotwig from comment #19 sadly
doesn't work here either. the line is always re-added. please explain us
better how u did it cause more people have reported here that it doesn't
work.

Revision history for this message
Tyler (tyler.h) wrote : Re: Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without CA_Certificate

Workaround of removing "system-ca-certs=true" only works temporarily. Next time NetworkManager touches the profile, the line reappears in the profile.

Revision history for this message
BrunoB (bruno-bak) wrote :

How i got it working:

1. Download the AddTrust External CA Root (Base64 format) available here: http://iss.leeds.ac.uk/helpdesk/eduroam-certificates
2. Double click it and import using Gnome2 Key Storage (require sudo privileges).
3. Go to Network connections (right click con the wi-fi logo on the top right of the screen) and Add a new connection.
4. Name the new connection "eduroam"and have the SSID also "eduroam"
5. Under Wi-fi security choose "WPA 2 enterprise", Authentication: "Proteacted EAP (PEAP)", CA Certificate browse the file you downladed on step 1.
6. Username have your COMPLETE email (include @schoolname.something).
7.include your password.
Save it.
Good luck

Revision history for this message
Franko Burolo (fburolo) wrote :

Same problem here. And 13.04 really is the first Ubuntu where this doesn't work. And sure it IS critical!
If this is not fixed, Ubuntu will prove useless for most education (students/profs) and business users. And the bug is still unassigned since January?! Come on!

I just can't believe that the swirl direction of the BFB icon was a more important bug than this one... In terms that it was promptly addressed, unlike this one.

Revision history for this message
vacaloca (ltirado) wrote :

I just wanted to say that comment #19 of removing "system-ca-certs=true" from /etc/NetworkManager/system-connections also worked for me. Actually, what I did was set the statement to false. When I re-started the connection, it worked on the next try.

I also did a sudo chmod -w NUwave after the first time it connected, so that should avoid the statement from reappearing since now the file is read-only. Given the connection name, I'm at Northeastern University, which uses WPA2/PEAP/MSCHAP as well.

From /var/log/syslog upon successful authentication:

May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 2 13:21:52 wpa_supplicant[1434]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu'
May 2 13:21:52 wpa_supplicant[1434]: last message repeated 2 times
May 2 13:21:52 Faraday wpa_supplicant[1434]: EAP-MSCHAPV2: Authentication succeeded

Before the statement was switched to false, syslog showed statements like:

May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 2 13:02:59 wpa_supplicant[1483]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu'
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='/C=US/ST=Massachusetts/L=Boston/O=Northeastern University/OU=IT/CN=wireless.neu.edu' err='unable to get local issuer certificate'
May 2 13:02:59 wpa_supplicant[1483]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
May 2 13:02:59 wpa_supplicant[1483]: OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
May 2 13:02:59 wpa_supplicant[1483]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
May 2 13:03:00 wpa_supplicant[1483]: wlan0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:e7:7b:51 reason=6

Before I had tried this, I had attempted to use the certificate that Windows 7 associated with the same NUwave wireless connection, but I was still unsuccessful at authenticating even with that. The odd thing is that a few weeks back when I tested with an Ubuntu 13.04 Beta 2 USB stick it worked fine, but stopped working at some point, and I re-tested with the USB stick today and it still failed, so at that point I knew it wasn't anything package related and stumbled across this bug and solution which fixed it! :)

Revision history for this message
Franko Burolo (fburolo) wrote :

The workaround works for me, too. Even without making the file read-only. I connected at my faculty's library in the early afternoon today. But I still think this is a critical issue, that could turn people away from Ubuntu.

It's very interesting what vacalola said about the old unchanged live image working once, and then not... Yet, the fact remains that this works completely fine in both 12.04 and 12.10, and just in 13.04 not.

Revision history for this message
Fei (feisung) wrote :

I give up... this has just got me switching to another Linux distro! Spent the whole week trying to rebuild my machine just cos of this issue... One year + of Ubuntu Love now to it's brother... Which I should state that wpa-enterprise works at time of writing that is!

Changed in network-manager (Ubuntu):
status: Confirmed → Triaged
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
tags: added: saucy
Changed in network-manager:
importance: Unknown → High
status: Unknown → New
tags: added: regression-release
sivamoke (sivamoke-bif)
Changed in network-manager (Ubuntu):
assignee: Mathieu Trudel-Lapierre (mathieu-tl) → nobody
Changed in network-manager (Ubuntu):
assignee: nobody → Network-manager (network-manager)
jjungo (j-jungo)
description: updated
tags: added: rls-s-incoming
Changed in network-manager (Ubuntu):
assignee: Network-manager (network-manager) → Mathieu Trudel-Lapierre (mathieu-tl)
tags: removed: rls-s-incoming
Andy Whitcroft (apw)
Changed in ubuntu-release-notes:
status: New → In Progress
assignee: nobody → Andy Whitcroft (apw)
description: updated
Andy Whitcroft (apw)
Changed in ubuntu-release-notes:
status: In Progress → Fix Released
tags: added: patch
justin (justi8)
Changed in network-manager (Ubuntu):
assignee: Mathieu Trudel-Lapierre (mathieu-tl) → justin (justi8)
Changed in network-manager (Ubuntu):
assignee: justin (justi8) → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in network-manager:
status: New → Confirmed
Changed in network-manager:
status: Confirmed → Fix Released
Changed in gentoo:
importance: Unknown → High
status: Unknown → New
Changed in gentoo:
importance: High → Medium
Changed in network-manager (openSUSE):
importance: Unknown → High
status: Unknown → Confirmed
Changed in gentoo:
status: New → Fix Released
affects: network-manager (Ubuntu) → network-manager-applet (Ubuntu)
Changed in network-manager-applet (Ubuntu):
status: Triaged → In Progress
Changed in network-manager-applet (Ubuntu Saucy):
status: New → Won't Fix
Changed in network-manager-applet (Ubuntu Precise):
status: New → Triaged
Changed in network-manager-applet (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
Changed in network-manager-applet (Ubuntu Precise):
importance: Undecided → Medium
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in network-manager-applet (Ubuntu Trusty):
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in network-manager-applet (Ubuntu Utopic):
status: In Progress → Fix Released
no longer affects: network-manager-applet (Ubuntu Precise)
Chris J Arges (arges)
description: updated
Changed in network-manager-applet (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed
Changed in network-manager-applet (Ubuntu Raring):
status: New → Confirmed
no longer affects: network-manager-applet (Ubuntu Raring)
tags: added: verification-done
removed: verification-needed
Changed in network-manager-applet (Ubuntu Trusty):
status: Fix Committed → Fix Released
173 comments hidden view all 253 comments
Revision history for this message
In , Dan (dan-redhat-bugs) wrote :

(In reply to Wallace Hermano from comment #1)
> I'm using Fedora 22.
> After updating the package wpa_supplicant 2.3 to 2.4 can not connect to the
> wireless network (PEAP-MSCHAPv2, no CA Certificate).
>
> Please see this thead
> http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Internal-
> radius-server-incompatibility-with-the-new-wpa/td-p/236602
>
> After downgrade to 2.3 it works again.

Your issue is likely due to wpa_supplicant enabling TLSv1.2 support (in response to recent attacks against SSLv3, TLSv1.0, and TLSv1.1, like the recent Firefox updates that disabled SSLv3 and TLSv1.0 negotiation). Unfortunately, not all RADIUS servers are prepared for that, and they accept the TLSv1.2 connection but generate a mismatching key than the supplicant does. That bug is in the RADIUS server...

There are some patches floating around that will detect this condition and fall back to the less-secure TLSv1.1 automatically, and we'll probably have to add those to Fedora until the RADIUS server vendors like Cisco, Aruba, etc catch up and fix their products.

Revision history for this message
In , Dan (dan-redhat-bugs) wrote :

(In reply to Dan Williams from comment #3)
[...]

More info: wpa_supplicant 2.4 may trigger this where 2.3 would not, becuase 2.4 enables some new ciphers for use with TLSv1.2, and the server may have enabled DH only for those ciphers that are now enabled.

The options are to either get your network admins to fix the DH key issue by using something > 768 bits, or to disable TLSv1.2 for now until they fix it.

But as a test, here's a wpa_supplicant with TLSv1.2 disabled by default. If you could test it on your network where you get the "dh key too small" error to see if that fixes the issue, then great, we can proceed with a more general solution. But if it doesn't fix the issue, then we'll need to dig a bit deeper and there may not be a general fix.

http://koji.fedoraproject.org/koji/taskinfo?taskID=10392924

Revision history for this message
In , Major (major-redhat-bugs) wrote :

I tried the koji build from the last comment and I'm unable to connect. With debug wpa_supplicant logs, I get:

SSL: SSL_connect:error in SSLv2/v3 read server hello A
SSL: SSL_connect:error in SSLv3 read finished A
SSL: SSL_connect:error in SSLv3 read finished A

Revision history for this message
In , Kevin (kevin-redhat-bugs) wrote :

I also tried the Koji build. Got the same error as I originally submitted:

SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
OpenSSL: openssl_handshake - SSL_connect error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
wlp12s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

I

Revision history for this message
In , Virgilio (virgilio-redhat-bugs) wrote :

I can also confirm that a downgrade of the wpa_supplicant package to version 2.3.3 on Fedora 22 x86_64 makes it possible again to connect to a WPA2 Enterprise/PEAP/MSCHAPV2 network, like eduroam.

Revision history for this message
In , Hannes (hannes-redhat-bugs) wrote :

I can further confirm that downgrading wpa_supplicant to 2.3.3 allowed me to immediately connect to eduroam.

Revision history for this message
In , Gregor (gregor-redhat-bugs) wrote :

I can confirm the same behavior. Immediately after downgrading the wpa_supplicant to 2.3.3 allowed me to connect to our company WIFI.

Revision history for this message
In , Luiz (luiz-redhat-bugs) wrote :

I can confirm the same behavior.

I downgraded to 2.3.3 and I was able to connect successfully to connect to the wifi, but then I upgraded the kernel to 4.1.6 and it installed an wpa_supplicant-gui and some other wpa packages, and it stopped working again.

Can I get some help identifying if the issue is from the same root cause?

Because the wpa_supplicant-gui has the same 2.4.4 version of the wpa_supplicant and I tried to downgrade the *-gui one and it failed, due to not having package available.

Revision history for this message
In , Kent (kent-redhat-bugs) wrote :

FYI: I have seen the same (or at least very similar problems). Upgrading to 2.4-3 or 2.4-4 broke my eduroam connection. Downgrading to 2.3-3 again made it work.

I talked to the people running the authentication server (Radiator) used when I log in to eduroam. They upgraded OpenSSL and a related Perl module on the server. After that, eduroam survived an upgrade to 2.4-4 on my laptop.

Revision history for this message
In , Luiz (luiz-redhat-bugs) wrote :

Solved the issue removing the wpa_supplicant, and it removed anaconda and anaconda-gui. Then I re-installed the wpa_supplicant, NetworkManager-wifi, and downgraded the wpa_supplicant.

If someday has a fix I would be very happy to un-block wpa_supplicant packages from my dnf exceptions.

Revision history for this message
In , Germano (germano-redhat-bugs) wrote :

*** Bug 1244188 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Germano (germano-redhat-bugs) wrote :

Lastest wpa supplicant working with WPA Enterprise connections:
wpa_supplicant-2.3-3.fc22.x86_64

Revision history for this message
In , David (david-redhat-bugs) wrote :

(In reply to Germano Massullo from comment #15)
> Lastest wpa supplicant working with WPA Enterprise connections:
> wpa_supplicant-2.3-3.fc22.x86_64

Just to avoid confusion:

The lastest wpa supplicant that works with WPA Enterprise connections is
wpa_supplicant-2.3-3.fc22.x86_64

Revision history for this message
In , Ville (ville-redhat-bugs) wrote :

eduroam broke for me with 2.4 as well. I tried upgrading to 2.5 locally but it remained similarly broken. Works with 2.3-3.

Revision history for this message
In , Ville (ville-redhat-bugs) wrote :

*** Bug 1245766 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Michael (michael-redhat-bugs) wrote :

(In reply to Gregor Fuis from comment #10)
> I can confirm the same behavior. Immediately after downgrading the
> wpa_supplicant to 2.3.3 allowed me to connect to our company WIFI.

I had the same issue. The workaround with version 2.3.3 did the trick for me as well.

(In reply to Dan Williams from comment #4)
> Your issue is likely due to wpa_supplicant enabling TLSv1.2 support (in
> response to recent attacks against SSLv3, TLSv1.0, and TLSv1.1, like the
> recent Firefox updates that disabled SSLv3 and TLSv1.0 negotiation).
> Unfortunately, not all RADIUS servers are prepared for that, and they accept
> the TLSv1.2 connection but generate a mismatching key than the supplicant
> does. That bug is in the RADIUS server...

I can confirm that updating FreeRADIUS (server/network infrastructure) to version freeradius-2.2.6-6.el6_7.x86_64 fixed the issue with wpa_supplicant as well as a (probably similar) issue with android 6.0 as described here https://code.google.com/p/android/issues/detail?id=188867#c29

I am now running wpa_supplicant-2.4-4.fc22.x86_64 on fedora and can connect successful to a WiFi using PEAP-MSCHAPv2 (with and without a server certificate check against a CA Certificate)

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Revision history for this message
In , Wallace (wallace-redhat-bugs) wrote :

I'm testing Fedora 23 beta but i can't downgrade the wpa_supplicant.

Revision history for this message
In , Nick (nick-redhat-bugs) wrote :

I wouldn't bother degrading client security by forcing TLS 1.1

The fact that Google have shipped with TLS 1.2 in Android 6.0 (Marshmallow) is quickly identifying and mopping up broken authentication servers.

Revision history for this message
In , Nick (nick-redhat-bugs) wrote :

I posted in the Google issue tracker:

" suspect that you all are hitting this issue because the new version of Android is now negotiating, correctly, with TLS 1.2 and you have a broken backend.

If so, this issue should be marked as being invalid.

This applies to anybody with WPA2-Enterprise/802.1X SSIDs backed by either FreeRADIUS 2.2.6 with all TLS-based EAP types, 2.2.6 through 2.2.8 with EAP-TTLS, 3.0.7 with all TLS-based EAP types, and 3.0.7 through 3.0.9 with EAP-TTLS, or Radiator 4.14 or later when used in conjunction with Net::SSLeay 1.52 or earlier.

These unfortunately experience a critical bug where they miscalculate session keying material, the MPPE keys, when the TLS 1.2 protocol is negotiated by EAP clients (supplicant).

Clients that negotiate with the TLS 1.2 protocol version in the TLS Client Hello will not be able to get a usable association to affected wireless networks.

Two MPPE keys, the MS-MPPE-Recv-Key (MasterReceiveKey) and MS-MPPE-Send-Key (MasterSendKey), are used to derive the Master Session Key (MSK). This is absolutely essential to get a usable association.

The mismatch occurs because the client derives the correct MSK and the AP derives a different, incorrect MSK due to the incorrectly calculated MPPE keys supplied in the RADIUS Access-Accept.

This is more of an acute issue as Red Hat ship with a broken FreeRADIUS 2.2.6 package in RHEL 6.7. There is an update now to address this: https://rhn.redhat.com/errata/RHBA-2015-1829.html

CentOS 6.7 is similarly affected as it derives from Red Hat's sources.

I should also mention that there is a difference between implementing/offering TLS 1.2 or not and being intolerant to it. It is the latter that is a problem with the introduction of TLS 1.2 for EAP.

The issue above, loosely, concerns intolerance because the subsequent MPPE keys generated are miscalculated.

Deployments that continue to offer just TLS 1.0 will continue to function correctly as TLS 1.0 will be negotiated by EAP clients (supplicants) despite it offering TLS 1.2 in the client hello in their default configuration. (TLS has a version negotiation mechanism, you just need an intersection of supported versions and cipher suites.)"

Revision history for this message
In , Nick (nick-redhat-bugs) wrote :

This bug needs to be closed as NOTABUG.

Revision history for this message
In , Luiz (luiz-redhat-bugs) wrote :

Hey Nick,

I am not using Android, I am using the Fedora 23 as an SO and this error is really annoying, I tried to check which TLS version I am using and still dont have any clue.

Can you help checking or to use the TLS that doesnt error out?

Revision history for this message
In , Nick (nick-redhat-bugs) wrote :

Anywhere that is using wpa_supplicant 2.4 or later without specific configuration to disable TLS 1.2 will hit this issue with affected RADIUS servers. TLS 1.2 is rightly enabled by default.

(Android Marshmallow uses such a version of wpa_supplicant).

You can certainly disable TLS 1.2 in the configuration for wpa_supplicant if you absolutely must get a usable connection.

Do so with phase1="tls_disable_tlsv1_2=1"

Ideally though you would seek to get the RADIUS server updates to a version that isn't broken.

Revision history for this message
In , Luiz (luiz-redhat-bugs) wrote :

I am trying to understand better the last choice, I could connect with the command line, but its kind of annoying still. My version of the freeradius is this
[~] $ sudo dnf info freeradius
Last metadata expiration check performed 3:05:10 ago on Tue Nov 24 12:08:27 2015.
Pacotes instalados
Name : freeradius
Arq. : x86_64
Epoch : 0
Versão : 3.0.8
Release : 3.fc23
Tam. : 3.4 M
Repo : @System
From repo : fedora

Revision history for this message
In , Michael (michael-redhat-bugs) wrote :

I'm not sure if I get you right. Are you using Fedora as a server operating system to provide radius authentication for your network infrastructure?

TLS1.2 is the currently newest and (hopefully) most secure version of the TLS protocol and therefore it is a good choice using it. So disabling TLS1.2 is a bad idea as stated in comment #26. Use a radius server version that implements TLS1.2 correctly instead.

Version 3.0.8 is affected when using EAP-TTLS as mentioned in comment #23 so if you have trouble use a different server version or a different EAP type.

If I've got you totally wrong and you are not the network operator ask your network operator to fix the problem and remove freeradius from your notebook/workstation.

Revision history for this message
In , Luiz (luiz-redhat-bugs) wrote :
Download full text (4.6 KiB)

Yeah, I am a software developer using Fedora as a workstation. Unfortunately my network administrators like Windows, the solution they provided me is to use Ubuntu. If I want to use Linux. I prefer Fedora because I use it since version 13.

I removed the freeradius. The command line is not connecting anymore.
Here is my log. Any thoughts?

Successfully initialized wpa_supplicant
wlp6s0: SME: Trying to authenticate with 94:b4:0f:1b:bc:c5 (SSID='ciandt.private' freq=2462 MHz)
wlp6s0: Trying to associate with 94:b4:0f:1b:bc:c5 (SSID='ciandt.private' freq=2462 MHz)
wlp6s0: Associated with 94:b4:0f:1b:bc:c5
wlp6s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp6s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp6s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp6s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA' hash=ff856a2d251dcd88d36656f450126798cfabaade40799c722de4d2b5db36a73a
wlp6s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA' hash=c27fd4b85e96d3777c68ab7df6aa4e626bf3ff8c72b1ce81d1eb78babeb1a074
wlp6s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF/C=US/O=securelogin.arubanetworks.com/OU=GT28470348/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=securelogin.arubanetworks.com' hash=47fa89956f2aa349e8814b21a7bbd64c9b597f0f192bfe073559945a7a846534
wlp6s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:securelogin.arubanetworks.com
wlp6s0: CTRL-EVENT-DISCONNECTED bssid=94:b4:0f:1b:bc:c5 reason=3 locally_generated=1
wlp6s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp6s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=BR
wlp6s0: SME: Trying to authenticate with 94:b4:0f:1b:bc:c5 (SSID='ciandt.private' freq=2462 MHz)
wlp6s0: Trying to associate with 94:b4:0f:1b:bc:c5 (SSID='ciandt.private' freq=2462 MHz)
wlp6s0: Associated with 94:b4:0f:1b:bc:c5
wlp6s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp6s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp6s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp6s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA' hash=ff856a2d251dcd88d36656f450126798cfabaade40799c722de4d2b5db36a73a
wlp6s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA' hash=c27fd4b85e96d3777c68ab7df6aa4e626bf3ff8c72b1ce81d1eb78babeb1a074
wlp6s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF/C=US/O=securelogin.arubanetworks.com/OU=GT28470348/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=securelogin.arubanetworks.com' hash=47fa89956f2aa349e8814b21a7bbd64c9b597f0f192bfe073559945a7a846534
wlp6s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:securelogin.arubanetworks.com
wlp6s0: CTRL-EVENT-DISCONNECTED bssid=94:b4:0f:1b:bc:c5 reason=3 locally_generated=1
wlp6s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp6s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=BR
wlp6s0: SME: Trying to authenticat...

Read more...

Revision history for this message
In , Vincent (vincent-redhat-bugs) wrote :

(In reply to Luiz Pegoraro from comment #29)
> I am still wondering if the issue is on wpa_supplicant or on the hardware,
> because I know a guy who has another PC using Fedora 22 with wpa_supplicant
> 2.4 that connects in the network via NetworkManager.

For F22 with wpa_supplicant 2.4 check this bug too, it seems the openssl library version matters: https://bugzilla.redhat.com/show_bug.cgi?id=1276073

> Also that configuration of the phase1, Can I set somewhere in the
> NetworkManager so I don't have to run command lines to connect to the
> network?

I got it working (F23/wpa_supplicant-2.4-7/openssl-1.0.2d-2) with a custom wpa_supplicant config and some manual steps:
network={
 ssid="corpwifi"
 key_mgmt=WPA-EAP
 eap=PEAP
 phase1="peaplabel=auto tls_disable_tlsv1_2=1"
 phase2="auth=MSCHAPV2"
 identity="***"
 password="***"
}
Unfortunately, I couldn't get the above working with the Networkmanager (/etc/wpa_supplicant/wpa_supplicant.conf and ifcg-corpwifi). The config set in /etc/wpa_supplicant/wpa_supplicant.conf wasn't used.

Revision history for this message
In , Eran (eran-redhat-bugs) wrote :

(In reply to Vincent P. from comment #30)

Sorry for the rookie questions, but:
1. Did you change /etc/wpa_supplicant/wpa_supplicant.conf or did you replace it?
2. After the change in /etc/wpa_supplicant/wpa_supplicant.conf, how am I to connect if not by the Networkmanager?

Thanks

[...]

Revision history for this message
In , Vincent (vincent-redhat-bugs) wrote :

I'm not sure if this is the right place te respond, but hey..wth.

(In reply to Eran B. from comment #31)
> (In reply to Vincent P. from comment #30)
>
> Sorry for the rookie questions, but:
> 1. Did you change /etc/wpa_supplicant/wpa_supplicant.conf or did you replace
> it?
After I did some manual testing (see next answer), I tried to update /etc/wpa_supplicant.conf with my corpwifi config and reconnect via the Networkmanager. Unfortunately, it didn't work.

> 2. After the change in /etc/wpa_supplicant/wpa_supplicant.conf, how am I to
> connect if not by the Networkmanager?
I turned off wifi via the Networkmanager. I created a new wpa_supplicant.conf in /root/ and rand some manual commands:

1. Connect to wifi:
# wpa_supplicant -f /var/log/wpa_supplicant.log -dd -P /var/run/wpa_supplicant.pid -c wpa_supplicant.conf -Dwext -iwlp3s0

2. Get an IP:
# dhclient wlp3s0

After this you should get an IP.

During my tests I fiddled with 'rfkill list all', 'rfkill unblock wifi' and 'ip l set wlp3s0 up' too, but if you get an IP with the above steps, you don't need too.

Revision history for this message
In , Alberto (alberto-redhat-bugs) wrote :
Revision history for this message
In , Luiz (luiz-redhat-bugs) wrote :

SOLVED TODAY!!! BY NETWORKMANAGER!! Just dnf update -y
I am so thrilled! Thanks you guys!

I guess it was a problem in firmwares, I looked into the logs and there were a lot of new packages for firmwares.

Thanks a lot, I guess saying by using Fedora 23, this can be closed now.

Revision history for this message
In , Kevin (kevin-redhat-bugs) wrote :

As the opener of this bug, I think it can be closed now. While other folks seem to have wireless problems, I don't think they are related to my problem which was fixed for me by an upgrade to our corporate wireless access points. It has continued to work after upgrading from F22 to F23 and a couple of iterations of wpa_supplicant as well.

Revision history for this message
In , Dan (dan-redhat-bugs) wrote :

Yeah, for TLSv1.2 issues updating the RADIUS server or corporate network is obviously the best choice. If that's not possible then the workaround with the supplicant config must be used, but the problem is at the RADIUS server.

Changed in wpasupplicant (Ubuntu Saucy):
status: New → Confirmed
Changed in wpasupplicant (Ubuntu Trusty):
status: New → Confirmed
Changed in wpasupplicant (Ubuntu Utopic):
status: New → Confirmed
Changed in wpasupplicant (Ubuntu):
status: New → Confirmed
Changed in network-manager (Debian):
status: Unknown → New
tags: added: trusty xenial
no longer affects: network-manager-applet (Ubuntu Saucy)
no longer affects: network-manager-applet (Ubuntu Utopic)
no longer affects: wpasupplicant (Ubuntu Saucy)
no longer affects: wpasupplicant (Ubuntu Utopic)
Changed in wpasupplicant (Ubuntu):
importance: Undecided → High
Changed in wpasupplicant (Ubuntu Trusty):
importance: Undecided → High
tags: removed: raring regression-release saucy verification-done
Changed in network-manager-applet (Ubuntu):
assignee: Mathieu Trudel-Lapierre (cyphermox) → nobody
Changed in network-manager-applet (Ubuntu Trusty):
assignee: Mathieu Trudel-Lapierre (cyphermox) → nobody
Changed in network-manager-applet (Ubuntu):
status: Fix Released → Triaged
Changed in network-manager-applet (Ubuntu Trusty):
status: Fix Released → Triaged
Changed in wpasupplicant (Ubuntu):
status: Confirmed → Triaged
Changed in wpasupplicant (Ubuntu Trusty):
status: Confirmed → Triaged
description: updated
summary: - Network manager cannot connect to WPA2/PEAP/MSCHAPv2 network without
- CA_Certificate
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 enterprise networks
+ without CA_Certificate, like Eduroam
summary: - Network manager cannot connect to WPA2/PEAP/MSCHAPv2 enterprise networks
- without CA_Certificate, like Eduroam
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 wifi enterprise
+ networks without CA_Certificate, like Eduroam
summary: - Network manager cannot connect to WPA2/PEAP/MSCHAPv2 wifi enterprise
+ Network manager cannot connect to WPA2/PEAP/MSCHAPv2 enterprise wifi
networks without CA_Certificate, like Eduroam
Changed in fedora:
importance: Unknown → Medium
status: Unknown → Fix Released
Revision history for this message
In , Tchvatal (tchvatal) wrote :

This version of openSUSE changed to end-of-life (EOL [1]) status. As such
it is no longer maintained, which means that it will not receive any
further security or bug fix updates.
As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
openSUSE, or consider the bug still valid, please feel free to reopen this
bug against that version, or open a new ticket.

Thank you for reporting this bug and we are sorry it could not be fixed
during the lifetime of the release.

[1] https://en.opensuse.org/Lifetime

Changed in network-manager (openSUSE):
status: Confirmed → Won't Fix
Revision history for this message
Jarurote Tippayachai (jarurote) wrote :

This is also appeared on Ubuntu 18.04.1 TLE (64-bit).

After upgrading 64-bit OS from Ubuntu 16.04 TLE to Ubuntu 18.04.1TLE, my pc cannot authenticate with WPA/PEAP/MSCHAPV2/no certificate. It also appeared the login popup without any connection.

I try to do following URL; however, it could not help me anyway.

https://askubuntu.com/questions/279762/how-to-connect-to-wpa2-peap-mschapv2-enterprise-wifi-networks-that-dont-use-a-c

My PC is HP Compaq Pro 4300, CPU: Intel® Core™ i3-3220 CPU @ 3.30GHz × 4, OS: Ubuntu 18.04.1 (64-bit).

Thanks.

Revision history for this message
Adrián Arroyo Calle (adrian-arroyocalle) wrote :
Revision history for this message
Chaoqi Zhang (prncoprs) wrote :

OMG! It still exists on 2021-12-27, Ubuntu 20.02 LTS 64-bits.

Revision history for this message
Allan W. Macdonald (allan-w-macdonald) wrote :

Still happening on Ubuntu 20.04LTS:

uname -a
Linux nodename 5.15.15-76051515-generic #202201160435~1642693824~20.04~97db1bb~dev-Ubuntu SMP Fri Jan 21 x86_64 x86_64 x86_64 GNU/Linux

The workaround suggested in original bug description worked for me but I needed to use someone else's computer in order to find the solution.

Revision history for this message
Ali Tolga Özbaş (eroniss55) wrote (last edit ):

I can confirm the existence of this bug in Ubuntu 22.04 Beta. Everything is up to date. I've tried many things. Still won't work.

Oddly enough, everything was working fine on Arch Linux. I think some patch distros do in this package breaks WPA2 Enterprise.

Revision history for this message
Ali Tolga Özbaş (eroniss55) wrote :

22.04 stable version has been released yesterday, and it still doesn't work on Ubuntu 22.04.

Displaying first 40 and last 40 comments. View all 253 comments or add a comment.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Loading subscribers...

Remote bug watches

Bug watches keep track of this bug in other bug trackers.