Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1155045

Summary: Wireless WPA2 Enterprise Network asks 2 times for Password with OTP enabled
Product: Red Hat Enterprise Linux 7 Reporter: Oliver Ilian <oliver>
Component: NetworkManagerAssignee: Dan Williams <dcbw>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Desktop QE <desktop-qa-list>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: bgalvani, danw, dcbw, kzhang, lrintel, oliver, rkhan, thaller, vbenes
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-04 23:22:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
/var/log/wpa_supplicant.log
none
/var/log/messages none

Description Oliver Ilian 2014-10-21 10:15:48 UTC 
Description of problem:
When connecting to a WPA2 Enterprise Wireless Network that uses OTP (like Red Hat internally (SSID : Red Hat), you have to provide a password 2 times.

Version-Release number of selected component (if applicable):
NetworkManager-0.9.9.1-26.git20140326.4dba720.el7_0.x86_64

How reproducible:
always when you try to connect to a WPA2 Enterprise wireless Network

Steps to Reproduce:
1. see "How reproducible:"

Actual results:
you have to enter 2 passwords to get logged in

Expected results:
you have to enter 1 passwords to get logged in

Additional info:
Comment 3 Oliver Ilian 2014-10-22 07:52:23 UTC 
Created attachment 949274 [details]
/var/log/wpa_supplicant.log
Comment 4 Oliver Ilian 2014-10-22 07:52:48 UTC 
Created attachment 949275 [details]
/var/log/messages
Comment 5 Dan Williams 2014-11-26 01:28:21 UTC 
Status code 12 is "Association denied due to reason outside the scope of this standard" which is completely unhelpful.  Sometimes this is due to the AP system load-balancing clients between APs; eg it will reject assocations on a loaded AP hoping that the client will re-associate to another AP.  Unfortunately that re-association may require a full reauthentication because you haven't successfully authenticated at least once yet.

In Oliver's case it is:

Oct 22 09:50:13 ohaessle kernel: wlp3s0: deauthenticated from 00:24:f7:bf:49:90 (Reason: 3)

Reason 3 is "Deauthenticated because sending STA is leaving (or has left) IBSS or ESS", which doesn't say much about the error.  The AP is simply rejecting your authentication attempt.

We *might* be able to use the disconnect reason codes to be smarter about asking for secrets, but that's somewhat hard because there isn't a lot of consistency between AP implementations about when they are used.
Comment 7 Oliver Ilian 2015-08-31 10:33:44 UTC 
Hi. Do we have any news on this bug? My users are starting to get quiet annoyed for having to always type the wireless token twice.

If there is any information missing, please let me know.
Comment 8 Dan Williams 2015-09-15 14:53:47 UTC 
Actually, if we could get more detailed supplicant debugging information when this happens, that would help.  Could you:

1) mv /usr/sbin/wpa_supplicant /
2) killall -TERM wpa_supplicant
3) /wpa_supplicant -dddtu (redirect to a logfile somewhere)
4) NM should attempt to reconnect; when you have experienced the failure, attach the supplicant log output here.  Also, 'dmesg' output over the failure time would be useful.

Next up, is there any way you can get the access point or RADIUS logs from these failures?  That can often help pinpoint why the AP is rejecting the association, especially with status/reason codes that are not 3.
Comment 9 Oliver Ilian 2015-10-22 16:14:26 UTC 
I am trying to reproduce it, but it is a hit and miss.. as soon as I have the log files, I will share them here.

Not sure I can get the RADIUS logs from the AP's.
Comment 10 Dan Williams 2015-10-30 14:53:29 UTC 
Any luck reproducing the issue and getting logs?
Comment 11 Dan Williams 2016-01-04 23:22:03 UTC 
Closing for now; please re-open if you're able to reproduce the issue and get the logs I requested earlier.  Thanks!