[Bug 969343] Re: Unable to connect to WPA enterprise wireless
benjamin at benkay.net
Wed Sep 26 12:40:27 UTC 2012
I'm wondering if, as rmcd suggests, we're dealing with two separate
"bugs" (buggy implementations of WPA access points) here. On one hand,
the patch du jour that disables TLS session tickets seems to fix the
problem I've been having authenticating to certain Aruba access points.
On the other hand, I'm wondering if Diane Trout's patch for disabling
the TLS hearbeat extension is necessary for some other access points.
Can anyone with access to an Aruba network who is actually using precise
or quantal confirm that the packages currently in the repos fix the
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
Unable to connect to WPA enterprise wireless
Status in OEM Priority Project:
Status in OEM Priority Project precise series:
Status in OpenSSL cryptography and SSL/TLS toolkit:
Status in Linux WPA/WPA2/IEEE 802.1X Supplicant:
Status in “openssl” package in Ubuntu:
Status in “wpa” package in Ubuntu:
Status in “wpasupplicant” package in Ubuntu:
Status in “openssl” source package in Precise:
Status in “wpa” source package in Precise:
Status in “wpasupplicant” source package in Precise:
Status in “openssl” package in Debian:
Status in “openssl” package in Fedora:
Status in “wpasupplicant” package in Fedora:
Breaks 802.1x (PEAP) authentication for wireless networks using specific authentication servers and/or AP hardware. Aruba network devices specifically are known to be affected; and is a popular device type used in enterprises to secure wireless networks.
This issue is hardware specific and may or may not be limited to Aruba authentication servers.
1) Attempt to connect / authenticate to a wireless, 802.1x network requiring Protected EAP (or possibly other auth mechanisms).
2) (optionally) Watch SSL traffic between the station and authentication server using wireshark/tcpdump, looking for auth failures and the extensions passed.
Since this changes the SSL extensions and options used to connect to 802.1x wireless networks; some networks specifically configured to request or make use of the session ticket extension could be made impossible to successfully authenticate to; up to the point where multiple connection failures could lock the accounts used in highly-restricted networks. Also, there is a potential (again, due to the change in SSL options) for other networks (using specific AP hardware) that don't support the extensions used to fail authentication.
Using identical settings as in 11.10, I am unable to make a wpa
enterprise connection using xubuntu precise beta 2. This is a Lenovo
X220 with a Centrino Advanced-N 6205 wireless interface. During the
attempted logon, I am not presented with a certificate to approve,
although wireless instructions for OSX suggest that I should be.
However, I never had to approve a certificate when connecting with
11.10 -- I just ignored the certificate screen and everything worked.
This seems like the relevant excerpt from syslog:
Mar 30 10:39:01 fin8344m2 wpa_supplicant: Trying to associate with 00:11:92:3e:79:80 (SSID='Northwestern' freq=2462 MHz)
Mar 30 10:39:01 fin8344m2 NetworkManager: <info> (wlan0): supplicant interface state: scanning -> associating
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.940422] wlan0: authenticated
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.940974] wlan0: associate with 00:11:92:3e:79:80 (try 1)
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.943165] wlan0: RX ReassocResp from 00:11:92:3e:79:80 (capab=0x431 status=0 aid=222)
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.943174] wlan0: associated
Mar 30 10:39:01 fin8344m2 wpa_supplicant: Associated with 00:11:92:3e:79:80
Mar 30 10:39:01 fin8344m2 wpa_supplicant: CTRL-EVENT-EAP-STARTED EAP authentication started
Mar 30 10:39:01 fin8344m2 NetworkManager: <info> (wlan0): supplicant interface state: associating -> associated
Mar 30 10:39:01 fin8344m2 wpa_supplicant: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Mar 30 10:39:01 fin8344m2 wpa_supplicant: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Mar 30 10:39:01 fin8344m2 wpa_supplicant: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate
Mar 30 10:39:01 fin8344m2 wpa_supplicant: OpenSSL: openssl_handshake - SSL_connect error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Mar 30 10:39:01 fin8344m2 wpa_supplicant: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.969742] wlan0: deauthenticated from 00:11:92:3e:79:80 (Reason: 23)
DistroRelease: Ubuntu 12.04
Package: network-manager 0.9.4.0-0ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-20.33-generic 3.2.12
Uname: Linux 3.2.0-20-generic x86_64
Date: Fri Mar 30 10:34:13 2012
iface lo inet loopback
InstallationMedia: Xubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120328)
0: phy0: Wireless LAN
Soft blocked: no
Hard blocked: no
UpgradeStatus: No upgrade log present (probably fresh install)
nmcli-con: Error: command ['nmcli', '-f', 'all', 'con'] failed with exit code 1: Error: Can't obtain connections: settings service is not running.
To manage notifications about this bug go to:
More information about the foundations-bugs