[Bug 969343] Re: Unable to connect to WPA enterprise wireless

James M. Leddy 969343 at bugs.launchpad.net
Thu Sep 27 21:44:46 UTC 2012


It's quite possible that there are still existing issues and that the
fix in -proposed does not fix the problem for everyone. However, due to
the nature of the problem, we will be pushing out the fix in -proposed
anyway, since it fixes the problem for a good number of users. In fact,
it fixes the problem for the only setup that we were able to reproduce
with here in Canonical. Because of the way launchpad works, we
unfortunately have a 1:1 mapping of bugs to problems and there is no way
to have this existing bug represent anything other than fixing it by
disabling session ticket.

If you are still experiencing problems, please open a new bug _and_
include a packet dump. Also, be aware that our fix only disables session
tickets. Another new feature worth disabling is renegotiation as shown in
the following patch. Also of interest is a packet dump with a downgraded
and working openssl. Currently the upstream wpa has not addressed this
issue; they have explicitly stated the fix we use cannot be applied to
their hostap.git repository.

Because downgrading openssl seems to fix the problem, this is evidence
that this is an openssl problem and not a wpasupplicant problem.
Additionally, it may be caused by misbehaving or non-compliant eap
servers, since many eap servers work with the new wpasupplicant/openssl
combo.

http://w1.fi/bugz/attachment.cgi?id=235&action=diff

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/969343

Title:
  Unable to connect to WPA enterprise wireless

Status in OEM Priority Project:
  In Progress
Status in OEM Priority Project precise series:
  In Progress
Status in OpenSSL cryptography and SSL/TLS toolkit:
  New
Status in Linux WPA/WPA2/IEEE 802.1X Supplicant:
  In Progress
Status in “openssl” package in Ubuntu:
  Incomplete
Status in “wpa” package in Ubuntu:
  Fix Released
Status in “wpasupplicant” package in Ubuntu:
  Invalid
Status in “openssl” source package in Precise:
  Incomplete
Status in “wpa” source package in Precise:
  Invalid
Status in “wpasupplicant” source package in Precise:
  Triaged
Status in “openssl” package in Debian:
  Confirmed
Status in “openssl” package in Fedora:
  New
Status in “wpasupplicant” package in Fedora:
  Unknown

Bug description:
  [Impact]
  Breaks 802.1x (PEAP) authentication for wireless networks using specific authentication servers and/or AP hardware. Aruba network devices specifically are known to be affected, and are a popular device type used in enterprises to secure wireless networks.

  [Test Case]
  This issue is hardware specific and may or may not be limited to Aruba authentication servers.
  1) Attempt to connect / authenticate to a wireless, 802.1x network requiring Protected EAP (or possibly other auth mechanisms).
  2) (optionally) Watch SSL traffic between the station and authentication server using wireshark/tcpdump, looking for auth failures and the extensions passed.

  [Regression Potential]
  Since this changes the SSL extensions and options used to connect to 802.1x wireless networks, some networks specifically configured to request or make use of the session ticket extension could be made impossible to successfully authenticate to, up to the point where multiple connection failures could lock the accounts used in highly-restricted networks. Also, there is a potential (again, due to the change in SSL options) for other networks (using specific AP hardware) that don't support the extensions used to fail authentication.

  ---

  Using identical settings as in 11.10, I am unable to make a wpa
  enterprise connection using xubuntu precise beta 2. This is a Lenovo
  X220 with a Centrino Advanced-N 6205 wireless interface. During the
  attempted logon, I am not presented with a certificate to approve,
  although wireless instructions for OSX suggest that I should be.
  However, I never had to approve a certificate when connecting with
  11.10 -- I just ignored the certificate screen and everything worked.

  This seems like the relevant excerpt from syslog:

  Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: Trying to associate with 00:11:92:3e:79:80 (SSID='Northwestern' freq=2462 MHz)
  Mar 30 10:39:01 fin8344m2 NetworkManager[848]: <info> (wlan0): supplicant interface state: scanning -> associating
  Mar 30 10:39:01 fin8344m2 kernel: [ 2201.940422] wlan0: authenticated
  Mar 30 10:39:01 fin8344m2 kernel: [ 2201.940974] wlan0: associate with 00:11:92:3e:79:80 (try 1)
  Mar 30 10:39:01 fin8344m2 kernel: [ 2201.943165] wlan0: RX ReassocResp from 00:11:92:3e:79:80 (capab=0x431 status=0 aid=222)
  Mar 30 10:39:01 fin8344m2 kernel: [ 2201.943174] wlan0: associated
  Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: Associated with 00:11:92:3e:79:80
  Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-STARTED EAP authentication started
  Mar 30 10:39:01 fin8344m2 NetworkManager[848]: <info> (wlan0): supplicant interface state: associating -> associated
  Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
  Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
  Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate
  Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: OpenSSL: openssl_handshake - SSL_connect error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
  Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-FAILURE EAP authentication failed
  Mar 30 10:39:01 fin8344m2 kernel: [ 2201.969742] wlan0: deauthenticated from 00:11:92:3e:79:80 (Reason: 23)

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: network-manager 0.9.4.0-0ubuntu1
  ProcVersionSignature: Ubuntu 3.2.0-20.33-generic 3.2.12
  Uname: Linux 3.2.0-20-generic x86_64
  ApportVersion: 2.0-0ubuntu1
  Architecture: amd64
  Date: Fri Mar 30 10:34:13 2012
  IfupdownConfig:
   auto lo
   iface lo inet loopback
  InstallationMedia: Xubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120328)
  NetworkManager.state:
   [main]
   NetworkingEnabled=true
   WirelessEnabled=true
   WWANEnabled=true
   WimaxEnabled=true
  ProcEnviron:
   LANGUAGE=en_US:en
   TERM=xterm
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  RfKill:
   0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
  SourcePackage: network-manager
  UpgradeStatus: No upgrade log present (probably fresh install)
  nmcli-con: Error: command ['nmcli', '-f', 'all', 'con'] failed with exit code 1: Error: Can't obtain connections: settings service is not running.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/969343/+subscriptions
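
A triage sketch for the syslog excerpt in the bug description, added here as an example and not part of the original message or of any project's code: it groups wpa_supplicant lines per EAP attempt and records whether the TLS alert was read from the authentication server or written by the local OpenSSL. The function and field names are illustrative assumptions; the sample lines are copied from the excerpt above.

```python
import re

# Sample input: wpa_supplicant lines copied from the syslog excerpt in the bug description.
SAMPLE = """\
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: Associated with 00:11:92:3e:79:80
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-STARTED EAP authentication started
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: OpenSSL: openssl_handshake - SSL_connect error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

ASSOC = re.compile(r"wpa_supplicant\[\d+\]: Associated with ([0-9a-f:]{17})")
METHOD = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor \d+ method \d+ \((\w+)\) selected")
ALERT = re.compile(r"SSL: SSL3 alert: (read|write) \([^)]*\):(\w+):(.+)$")
ERR = re.compile(r"SSL_connect error:([0-9A-Fa-f]{8}):")


def triage(log_text):
    """Return one dict per EAP attempt that ended in CTRL-EVENT-EAP-FAILURE."""
    failures, bssid, cur = [], None, None
    for line in log_text.splitlines():
        if m := ASSOC.search(line):
            bssid = m.group(1)
        elif "CTRL-EVENT-EAP-STARTED" in line:
            cur = {"bssid": bssid, "method": None, "alert": None,
                   "alert_from": None, "openssl_error": None}
        elif cur is None:
            continue  # ignore lines outside an EAP attempt
        elif m := METHOD.search(line):
            cur["method"] = m.group(1)
        elif m := ALERT.search(line):
            # "read": the alert arrived from the authentication server.
            # "write": the local OpenSSL raised it about the server's messages.
            cur["alert_from"] = "server" if m.group(1) == "read" else "client"
            cur["alert"] = f"{m.group(2)}:{m.group(3).strip()}"
        elif m := ERR.search(line):
            cur["openssl_error"] = m.group(1)
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            failures.append(cur)
            cur = None
        elif "CTRL-EVENT-EAP-SUCCESS" in line:
            cur = None  # attempt succeeded, nothing to report
    return failures


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

An `alert_from` of `server` on a PEAP attempt, as in the excerpt, means the handshake was rejected by the remote end before the client validated anything, which is the case where a packet dump of the ClientHello extensions is most useful.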



