Bug 465022

Summary: Unable to connect to WPA WLAN using PEAP authentication
Product: [Fedora] Fedora
Reporter: Sascha Zorn <Sascha.Zorn>
Component: wpa_supplicant
Assignee: Dan Williams <dcbw>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: medium
Version: 10
CC: cra, dcbw, sriram.rajan
Hardware: i386
OS: Linux
Fixed In Version: 0.6.4-3.fc10
Doc Type: Bug Fix
Last Closed: 2009-02-24 21:00:44 UTC
Attachments: Detailed log from wpa_supplicant (flags: none)

Description Sascha Zorn 2008-10-01 16:17:39 UTC
Created attachment 318599
Detailed log from wpa_supplicant

Description of problem:
I'm trying to connect to a WPA/WPA2 encrypted WLAN using PEAP authentication. CA certificate check is disabled, PEAP version is 0 and I'm using MSCHAPv2 for handshake (tunnelled MSCHAPv2).

Connection is not established because of the following error:
EAP-TLV: Earlier failure - force failed Phase 2.

For more details, I have attached a verbose dump.

Version-Release number of selected component (if applicable):
wpa_supplicant.i386 1:0.6.4-1.fc10

How reproducible:
Config looks like
network={
        ssid="BAKA-KEY"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="DOMAIN\USERNAME"
        password="xxx"
        phase2="auth=MSCHAPV2"
}

Steps to Reproduce:
1. Try to connect to the WLAN that needs PEAP/MSCHAPv2 
2. Wait until it fails
  
Actual results:
No connection

Expected results:
Successful connection

Comment 1 Sascha Zorn 2008-10-02 12:41:43 UTC
Maybe this helps as well:
EAP-PEAP: Invalid Compound_MAC in cryptobinding TLV
EAP-TLV: Result TLV - hexdump(len=2): 00 01
EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
EAP-TLV: Earlier failure - force failed Phase 2
EAP-PEAP: Compound_MAC CMK - hexdump(len=20): d0 ea ae b7 c4 25 a8 5b 01 4e 67 46 eb 51 a6 14 91 2f e3 7e
EAP-PEAP: Compound_MAC data 1 - hexdump(len=60): 00 0c 00 38 00 00 00 01 1a 55 7c aa ac 0f 3a b2 91 9b d0 90 5a 53 63 26 c3 0c 1c 71 3d d3 ba a4 e0 fd e1 15 44 66 7d b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAP-PEAP: Compound_MAC data 2 - hexdump(len=1): 19
EAP-PEAP: Compound_MAC - hexdump(len=20): b5 bc c1 e1 c5 a2 4f 62 47 49 38 f1 99 ad dd a2 51 52 7e ae

Comment 2 Sascha Zorn 2008-10-02 14:31:24 UTC
I've played around a bit and found out that this config works perfectly with
wpa_supplicant-0.6.3-5.fc9.i386.rpm

With wpa_supplicant-0.6.3-6.fc9.i386.rpm the connection will not be established. So Fedora 9 is also affected.

I therefore set version to 9 and severity to high.

Comment 3 Dan Williams 2008-11-16 13:07:44 UTC
Does this still happen with wpa_supplicant-0.6.4-2.fc9 ?

http://koji.fedoraproject.org/koji/search?terms=wpa_supplicant-0.6.4-2.fc9&type=build&match=glob

Comment 4 Sascha Zorn 2008-11-18 08:47:45 UTC
Yes, it still fails!

Associated with 00:12:cf:19:db:40
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
EAP-MSCHAPV2: Authentication succeeded
EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
EAP-TLV: Earlier failure - force failed Phase 2
CTRL-EVENT-EAP-FAILURE EAP authentication failed
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

Comment 5 Sascha Zorn 2008-12-11 10:18:27 UTC
This bug still exists in FC9 AND FC10!

Comment 6 Dan Williams 2009-01-30 16:43:12 UTC
Apparently fixed in wpa_supplicant 0.6.7.  Will do a testing package.

Comment 7 Dan Williams 2009-01-30 18:19:18 UTC
Please test out:

Rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=1094347
F-10: http://koji.fedoraproject.org/koji/taskinfo?taskID=1094401
F-9: http://koji.fedoraproject.org/koji/taskinfo?taskID=1094414

The f10 and f9 ones will get pushed to updates-testing in the next updates push, but you can get them from the links if you'd like to test more quickly.

Comment 8 Fedora Update System 2009-02-05 02:20:16 UTC
wpa_supplicant-0.6.4-3.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update wpa_supplicant'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-1333

Comment 9 Fedora Update System 2009-02-05 02:21:55 UTC
wpa_supplicant-0.6.4-3.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing-newkey update wpa_supplicant'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2009-1359

Comment 10 Sascha Zorn 2009-02-10 11:18:41 UTC
Just installed package wpa_supplicant.i386 0.6.4-3.fc10 and still getting:

CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
EAP-MSCHAPV2: Authentication succeeded
EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
EAP-TLV: Earlier failure - force failed Phase 2
CTRL-EVENT-EAP-FAILURE EAP authentication failed

Comment 11 Sriram 2009-02-16 16:36:53 UTC
I'm trying WPA2 with PEAP and no luck yet.

TRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP-PEAP: Failed to select forced PEAP version 1


OS: Fedora 9

Kernel: 2.6.26.3-29.fc9.x86_64 #1 SMP

wpa_supplicant-0.6.4-2.fc9.x86_64

Hardware : HP DV9700,  Broadcom Corporation BCM4328 802.11a/b/g/n Card

Comment 12 Sascha Zorn 2009-02-16 18:53:32 UTC
Try adding "eapol_version=2" to your config. This should be a simple misconfiguration.

Comment 13 Dan Williams 2009-02-17 16:39:42 UTC
(In reply to comment #11)
> I'm trying WPA2 with PEAP and no luck yet.
> 
> TRL-EVENT-EAP-STARTED EAP authentication started
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> EAP-PEAP: Failed to select forced PEAP version 1

Do you have "peapver=1" in your config?  Looks like your authenticator may not support peap v1, but instead use peap v0.

Comment 14 Dan Williams 2009-02-17 17:04:20 UTC
EAP-PEAP: Failed to select forced PEAP version 1

that means the server does not like or support PEAP v1.  Try PEAP v0 instead.
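
Added example, not part of the original report and not wpa_supplicant code: a Python triage over the log lines quoted in comments 1, 4 and 11 that separates a cryptobinding (Compound_MAC) failure after a successful inner MSCHAPv2 exchange from a rejected forced PEAP version, and decodes the cryptobinding TLV hexdump. The function names, the cause labels and the merged ordering of the first attempt are assumptions of this example.

```python
# Log lines copied from comments 1, 4 and 11. Merging comment 1's debug lines
# into comment 4's attempt is a constructed ordering for this example.
SAMPLE = """\
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP-MSCHAPV2: Authentication succeeded
EAP-PEAP: Invalid Compound_MAC in cryptobinding TLV
EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
EAP-TLV: Earlier failure - force failed Phase 2
EAP-PEAP: Compound_MAC data 1 - hexdump(len=60): 00 0c 00 38 00 00 00 01 1a 55 7c aa ac 0f 3a b2 91 9b d0 90 5a 53 63 26 c3 0c 1c 71 3d d3 ba a4 e0 fd e1 15 44 66 7d b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CTRL-EVENT-EAP-FAILURE EAP authentication failed
TRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP-PEAP: Failed to select forced PEAP version 1
"""

def decode_cryptobinding(raw: bytes) -> dict:
    """Split a 60-byte PEAPv0 cryptobinding TLV into its fields."""
    if len(raw) != 60:
        raise ValueError("expected a 60-byte cryptobinding TLV")
    return {"type": int.from_bytes(raw[:2], "big") & 0x3FFF,  # drop M/R flag bits
            "length": int.from_bytes(raw[2:4], "big"), "version": raw[5],
            "received_version": raw[6], "subtype": raw[7],   # 0 = request, 1 = response
            "nonce": raw[8:40], "mac": raw[40:60]}

def triage(log: str) -> list:
    """Return one finding per EAP attempt (hypothetical helper, not a wpa_supplicant API)."""
    attempts, cur = [], None
    for line in map(str.strip, log.splitlines()):
        if "EVENT-EAP-STARTED" in line:   # tolerates the clipped "TRL-" paste
            cur = {"inner_ok": False, "cause": None, "tlv": None}
            attempts.append(cur)
        elif cur is None:
            continue                      # ignore lines before the first attempt
        elif line == "EAP-MSCHAPV2: Authentication succeeded":
            cur["inner_ok"] = True        # credentials were accepted inside the tunnel
        elif "Invalid Compound_MAC in cryptobinding TLV" in line:
            cur["cause"] = "cryptobinding-mac-mismatch"
        elif "Earlier failure - force failed Phase 2" in line:
            cur["cause"] = cur["cause"] or "phase2-forced-failure"
        elif "Failed to select forced PEAP version" in line:
            cur["cause"] = "peap-version-rejected"
        elif "Compound_MAC data 1 - hexdump" in line:
            cur["tlv"] = decode_cryptobinding(bytes.fromhex(line.split("): ", 1)[1]))
    return attempts

if __name__ == "__main__":
    for n, a in enumerate(triage(SAMPLE), 1):
        print(n, a["cause"], "inner auth ok" if a["inner_ok"] else "inner auth not reached")
```

A finding with `inner_ok` set and a cryptobinding or forced Phase 2 cause means the credentials were accepted and the rejection came from the tunnel binding check, so the password is not the place to look.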

Comment 15 Fedora Update System 2009-02-24 21:00:30 UTC
wpa_supplicant-0.6.4-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2009-02-24 21:01:16 UTC
wpa_supplicant-0.6.4-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.