Description of problem:
After upgrade from Fedora 25 to 26, I lost the ability to connect to our corporate PEAP/GTC wireless network.

Version-Release number of selected component (if applicable):
# rpm -qa | grep Network | sort
NetworkManager-1.8.0-2.fc26.x86_64
NetworkManager-adsl-1.8.0-2.fc26.x86_64
NetworkManager-bluetooth-1.8.0-2.fc26.x86_64
NetworkManager-config-connectivity-fedora-1.8.0-2.fc26.noarch
NetworkManager-glib-1.8.0-2.fc26.x86_64
NetworkManager-l2tp-1.2.6-1.fc26.x86_64
NetworkManager-libnm-1.8.0-2.fc26.x86_64
NetworkManager-libreswan-1.2.4-2.fc26.x86_64
NetworkManager-openconnect-1.2.4-4.fc26.x86_64
NetworkManager-openvpn-1.2.10-1.fc26.x86_64
NetworkManager-pptp-1.2.4-2.fc26.x86_64
NetworkManager-team-1.8.0-2.fc26.x86_64
NetworkManager-vpnc-1.2.4-2.fc26.x86_64
NetworkManager-wifi-1.8.0-2.fc26.x86_64
NetworkManager-wwan-1.8.0-2.fc26.x86_64

Logs from trying to connect. SSID & username sanitised:

NetworkManager[980]: <info> [1495429811.7853] device (wlp2s0): Activation: starting connection '<SSID>' (8a00ef82-4757-460f-aab8-87d5122c7522)
NetworkManager[980]: <info> [1495429811.7854] audit: op="connection-activate" uuid="8a00ef82-4757-460f-aab8-87d5122c7522" name="<SSID>" pid=1264 uid=1000 result="success"
NetworkManager[980]: <info> [1495429811.7856] device (wlp2s0): state change: disconnected -> prepare (reason 'none') [30 40 0]
NetworkManager[980]: <info> [1495429811.8161] device (wlp2s0): set-hw-addr: reset MAC address to 24:77:03:F2:26:70 (preserve)
kernel: iwlwifi 0000:02:00.0: L1 Enabled - LTR Disabled
kernel: iwlwifi 0000:02:00.0: L1 Enabled - LTR Disabled
kernel: iwlwifi 0000:02:00.0: Radio type=0x0-0x3-0x1
kernel: iwlwifi 0000:02:00.0: L1 Enabled - LTR Disabled
kernel: iwlwifi 0000:02:00.0: L1 Enabled - LTR Disabled
kernel: iwlwifi 0000:02:00.0: Radio type=0x0-0x3-0x1
kernel: IPv6: ADDRCONF(NETDEV_UP): wlp2s0: link is not ready
NetworkManager[980]: <info> [1495429812.1492] device (wlp2s0): supplicant interface state: inactive -> disabled
NetworkManager[980]: <info> [1495429812.1497] device (wlp2s0): supplicant interface state: disabled -> inactive
NetworkManager[980]: <info> [1495429812.1500] device (wlp2s0): state change: prepare -> config (reason 'none') [40 50 0]
NetworkManager[980]: <info> [1495429812.1502] device (wlp2s0): Activation: (wifi) access point '<SSID>' has security, but secrets are required.
NetworkManager[980]: <info> [1495429812.1502] device (wlp2s0): state change: config -> need-auth (reason 'none') [50 60 0]
kded5[2212]: plasma-nm: Unhandled active connection state change: 1
NetworkManager[980]: <info> [1495429812.1747] device (wlp2s0): state change: need-auth -> prepare (reason 'none') [60 40 0]
NetworkManager[980]: <info> [1495429812.1751] device (wlp2s0): state change: prepare -> config (reason 'none') [40 50 0]
NetworkManager[980]: <info> [1495429812.1753] device (wlp2s0): Activation: (wifi) connection '<SSID>' has security, and secrets exist. No new secrets needed.
NetworkManager[980]: <info> [1495429812.1753] Config: added 'ssid' value '<SSID>'
NetworkManager[980]: <info> [1495429812.1753] Config: added 'scan_ssid' value '1'
NetworkManager[980]: <info> [1495429812.1753] Config: added 'key_mgmt' value 'WPA-EAP'
NetworkManager[980]: <info> [1495429812.1753] Config: added 'password' value '<hidden>'
NetworkManager[980]: <info> [1495429812.1753] Config: added 'eap' value 'PEAP'
NetworkManager[980]: <info> [1495429812.1754] Config: added 'fragment_size' value '1266'
NetworkManager[980]: <info> [1495429812.1754] Config: added 'phase2' value 'auth=GTC'
NetworkManager[980]: <info> [1495429812.1754] Config: added 'ca_cert' value '/etc/pki/tls/certs/ca-bundle.trust.crt'
NetworkManager[980]: <info> [1495429812.1754] Config: added 'identity' value '<username>'
NetworkManager[980]: <info> [1495429812.1754] Config: added 'bgscan' value 'simple:30:-65:300'
NetworkManager[980]: <info> [1495429812.1754] Config: added 'proactive_key_caching' value '1'
NetworkManager[980]: <info> [1495429812.1845] device (wlp2s0): supplicant interface state: inactive -> scanning
wpa_supplicant[1079]: wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
kernel: wlp2s0: authenticate with 04:bd:88:ba:e1:31
kernel: wlp2s0: send auth to 04:bd:88:ba:e1:31 (try 1/3)
NetworkManager[980]: <info> [1495429815.1267] device (wlp2s0): supplicant interface state: scanning -> authenticating
wpa_supplicant[1079]: wlp2s0: Trying to associate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
kernel: wlp2s0: authenticated
kernel: wlp2s0: associate with 04:bd:88:ba:e1:31 (try 1/3)
kernel: wlp2s0: RX AssocResp from 04:bd:88:ba:e1:31 (capab=0x11 status=0 aid=3)
wpa_supplicant[1079]: wlp2s0: Associated with 04:bd:88:ba:e1:31
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
kernel: wlp2s0: associated
kernel: IPv6: ADDRCONF(NETDEV_CHANGE): wlp2s0: link becomes ready
NetworkManager[980]: <info> [1495429815.1974] device (wlp2s0): supplicant interface state: authenticating -> associated
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
kernel: wlp2s0: Limiting TX power to 23 (23 - 0) dBm as advertised by 04:bd:88:ba:e1:31
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
kernel: wlp2s0: deauthenticated from 04:bd:88:ba:e1:31 (Reason: 3=DEAUTH_LEAVING)
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:31 reason=3
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="<SSID>" auth_failures=1 duration=10 reason=CONN_FAILED
NetworkManager[980]: <warn> [1495429815.3668] sup-iface[0x55a60b6b4500,wlp2s0]: connection disconnected (reason 3)
NetworkManager[980]: <info> [1495429815.3718] device (wlp2s0): supplicant interface state: associated -> disconnected
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
NetworkManager[980]: <info> [1495429815.4710] device (wlp2s0): supplicant interface state: disconnected -> scanning
kded5[2212]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "RxBytes"
kded5[2212]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "TxBytes"
plasmashell[1264]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "RxBytes"
plasmashell[1264]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "TxBytes"
Just to confirm, this worked in Fedora 25. Have removed the connection from NM and re-created. Still no joy.
Have tested with the following updates. Issue still exists:

# rpm -qa | grep Network | sort
NetworkManager-1.8.0-3.fc26.x86_64
NetworkManager-adsl-1.8.0-3.fc26.x86_64
NetworkManager-bluetooth-1.8.0-3.fc26.x86_64
NetworkManager-config-connectivity-fedora-1.8.0-3.fc26.noarch
NetworkManager-glib-1.8.0-3.fc26.x86_64
NetworkManager-l2tp-1.2.6-1.fc26.x86_64
NetworkManager-libnm-1.8.0-3.fc26.x86_64
NetworkManager-libreswan-1.2.4-2.fc26.x86_64
NetworkManager-openconnect-1.2.4-4.fc26.x86_64
NetworkManager-openvpn-1.2.10-1.fc26.x86_64
NetworkManager-pptp-1.2.4-2.fc26.x86_64
NetworkManager-team-1.8.0-3.fc26.x86_64
NetworkManager-vpnc-1.2.4-2.fc26.x86_64
NetworkManager-wifi-1.8.0-3.fc26.x86_64
NetworkManager-wwan-1.8.0-3.fc26.x86_64
After setting wpa_supplicant to debug mode via:

busctl set-property fi.w1.wpa_supplicant1 \
    /fi/w1/wpa_supplicant1 \
    fi.w1.wpa_supplicant1 DebugLevel s debug

I think this is the part of the log that contains the information required...

NetworkManager[5674]: <info> [1495515827.5548] device (wlp2s0): supplicant interface state: associating -> associated
wpa_supplicant[1040]: l2_packet_receive: src=04:bd:88:ba:e1:31 len=46
wpa_supplicant[1040]: wlp2s0: RX EAPOL from 04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAP: EAP-Request Identity data - hexdump_ascii(len=0):
wpa_supplicant[1040]: EAP: using real identity - hexdump_ascii(len=6):
wpa_supplicant[1040]:      73 68 61 69 67 68   <username>
wpa_supplicant[1040]: wlp2s0: Setting authentication timeout: 70 sec 0 usec
wpa_supplicant[1040]: EAPOL: Received EAP-Packet frame
wpa_supplicant[1040]: EAPOL: SUPP_PAE entering state RESTART
wpa_supplicant[1040]: EAP: EAP entering state INITIALIZE
wpa_supplicant[1040]: EAP: EAP entering state IDLE
wpa_supplicant[1040]: EAPOL: SUPP_PAE entering state AUTHENTICATING
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state REQUEST
wpa_supplicant[1040]: EAPOL: getSuppRsp
wpa_supplicant[1040]: EAP: EAP entering state RECEIVED
wpa_supplicant[1040]: EAP: Received EAP-Request id=1 method=1 vendor=0 vendorMethod=0
wpa_supplicant[1040]: EAP: EAP entering state IDENTITY
wpa_supplicant[1040]: wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wpa_supplicant[1040]: EAP: Status notification: started (param=)
wpa_supplicant[1040]: EAP: EAP entering state SEND_RESPONSE
wpa_supplicant[1040]: EAP: EAP entering state IDLE
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RESPONSE
wpa_supplicant[1040]: EAPOL: txSuppRsp
wpa_supplicant[1040]: TX EAPOL: dst=04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RECEIVE
kernel: wlp2s0: Limiting TX power to 23 (23 - 0) dBm as advertised by 04:bd:88:ba:e1:31
wpa_supplicant[1040]: l2_packet_receive: src=04:bd:88:ba:e1:31 len=46
wpa_supplicant[1040]: wlp2s0: RX EAPOL from 04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: Received EAP-Packet frame
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state REQUEST
wpa_supplicant[1040]: EAPOL: getSuppRsp
wpa_supplicant[1040]: EAP: EAP entering state RECEIVED
wpa_supplicant[1040]: EAP: Received EAP-Request id=2 method=13 vendor=0 vendorMethod=0
wpa_supplicant[1040]: EAP: EAP entering state GET_METHOD
wpa_supplicant[1040]: EAP: configuration does not allow: vendor 0 method 13
wpa_supplicant[1040]: EAP: vendor 0 method 13 not allowed
wpa_supplicant[1040]: wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wpa_supplicant[1040]: EAP: Status notification: refuse proposed method (param=TLS)
wpa_supplicant[1040]: EAP: Building EAP-Nak (requested type 13 vendor=0 method=0 not allowed)
wpa_supplicant[1040]: EAP: allowed methods - hexdump(len=1): 19
wpa_supplicant[1040]: EAP: EAP entering state SEND_RESPONSE
wpa_supplicant[1040]: EAP: EAP entering state IDLE
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RESPONSE
wpa_supplicant[1040]: EAPOL: txSuppRsp
wpa_supplicant[1040]: TX EAPOL: dst=04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RECEIVE
wpa_supplicant[1040]: l2_packet_receive: src=04:bd:88:ba:e1:31 len=46
wpa_supplicant[1040]: wlp2s0: RX EAPOL from 04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: Received EAP-Packet frame
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state REQUEST
wpa_supplicant[1040]: EAPOL: getSuppRsp
wpa_supplicant[1040]: EAP: EAP entering state RECEIVED
wpa_supplicant[1040]: EAP: Received EAP-Request id=3 method=25 vendor=0 vendorMethod=0
wpa_supplicant[1040]: EAP: EAP entering state GET_METHOD
wpa_supplicant[1040]: wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wpa_supplicant[1040]: EAP: Status notification: accept proposed method (param=PEAP)
wpa_supplicant[1040]: EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP)
wpa_supplicant[1040]: TLS: Phase2 EAP types - hexdump(len=8): 00 00 00 00 06 00 00 00
wpa_supplicant[1040]: TLS: using phase1 config options
wpa_supplicant[1040]: wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wpa_supplicant[1040]: EAP: EAP entering state METHOD
wpa_supplicant[1040]: SSL: Received packet(len=6) - Flags 0x20
wpa_supplicant[1040]: EAP-PEAP: Start (server ver=0, own ver=1)
wpa_supplicant[1040]: EAP-PEAP: Using PEAP version 0
wpa_supplicant[1040]: SSL: (where=0x10 ret=0x1)
wpa_supplicant[1040]: SSL: (where=0x1001 ret=0x1)
wpa_supplicant[1040]: SSL: SSL_connect:before SSL initialization
wpa_supplicant[1040]: OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
wpa_supplicant[1040]: OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello)
wpa_supplicant[1040]: SSL: (where=0x1001 ret=0x1)
wpa_supplicant[1040]: SSL: SSL_connect:SSLv3/TLS write client hello
wpa_supplicant[1040]: SSL: (where=0x1002 ret=0xffffffff)
wpa_supplicant[1040]: SSL: SSL_connect:error in SSLv3/TLS write client hello
wpa_supplicant[1040]: SSL: SSL_connect - want more data
wpa_supplicant[1040]: SSL: 172 bytes pending from ssl_out
wpa_supplicant[1040]: SSL: 172 bytes left to be sent out (of total 172 bytes)
wpa_supplicant[1040]: EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x559ae3d522b0
wpa_supplicant[1040]: EAP: EAP entering state SEND_RESPONSE
wpa_supplicant[1040]: EAP: EAP entering state IDLE
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RESPONSE
wpa_supplicant[1040]: EAPOL: txSuppRsp
wpa_supplicant[1040]: TX EAPOL: dst=04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RECEIVE
wpa_supplicant[1040]: l2_packet_receive: src=04:bd:88:ba:e1:31 len=46
wpa_supplicant[1040]: wlp2s0: RX EAPOL from 04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: Received EAP-Packet frame
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state REQUEST
wpa_supplicant[1040]: EAPOL: getSuppRsp
wpa_supplicant[1040]: EAP: EAP entering state RECEIVED
wpa_supplicant[1040]: EAP: Ignored EAP-Response
wpa_supplicant[1040]: EAP: EAP entering state DISCARD
wpa_supplicant[1040]: EAP: EAP entering state IDLE
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RECEIVE
wpa_supplicant[1040]: l2_packet_receive: src=04:bd:88:ba:e1:31 len=46
wpa_supplicant[1040]: wlp2s0: RX EAPOL from 04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: Received EAP-Packet frame
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state REQUEST
wpa_supplicant[1040]: EAPOL: getSuppRsp
wpa_supplicant[1040]: EAP: EAP entering state RECEIVED
wpa_supplicant[1040]: EAP: Received EAP-Failure
wpa_supplicant[1040]: EAP: Status notification: completion (param=failure)
wpa_supplicant[1040]: EAP: EAP-Success Id mismatch - reqId=2 lastId=3
wpa_supplicant[1040]: EAP: EAP entering state DISCARD
wpa_supplicant[1040]: EAP: EAP entering state IDLE
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RECEIVE
kernel: wlp2s0: deauthenticated from 04:bd:88:ba:e1:31 (Reason: 3=DEAUTH_LEAVING)
Connection properties via 'nmcli con show '<SSID>''. Have substituted my username with <username> and the SSID with <SSID>:

connection.id: <SSID>
connection.uuid: 61203079-f030-4eef-bb8d-823b8031d50d
connection.stable-id: --
connection.interface-name: --
connection.type: 802-11-wireless
connection.autoconnect: yes
connection.autoconnect-priority: 0
connection.autoconnect-retries: -1 (default)
connection.timestamp: 0
connection.read-only: no
connection.permissions: user:<username>
connection.zone: work
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
connection.secondaries: --
connection.gateway-ping-timeout: 0
connection.metered: unknown
connection.lldp: -1 (default)
802-1x.eap: peap
802-1x.identity: <username>
802-1x.anonymous-identity: --
802-1x.pac-file: --
802-1x.ca-cert: --
802-1x.ca-cert-password: <hidden>
802-1x.ca-cert-password-flags: 0 (none)
802-1x.ca-path: --
802-1x.subject-match: --
802-1x.altsubject-matches: --
802-1x.domain-suffix-match: --
802-1x.client-cert: --
802-1x.client-cert-password: <hidden>
802-1x.client-cert-password-flags: 0 (none)
802-1x.phase1-peapver: --
802-1x.phase1-peaplabel: --
802-1x.phase1-fast-provisioning: --
802-1x.phase1-auth-flags: 0 (none)
802-1x.phase2-auth: gtc
802-1x.phase2-autheap: --
802-1x.phase2-ca-cert: 0 (none)
802-1x.phase2-ca-cert-password: --
802-1x.phase2-ca-cert-password-flags: <hidden>
802-1x.phase2-ca-path: --
802-1x.phase2-subject-match: --
802-1x.phase2-altsubject-matches: --
802-1x.phase2-domain-suffix-match: --
802-1x.phase2-client-cert: --
802-1x.phase2-client-cert-password: <hidden>
802-1x.phase2-client-cert-password-flags:0 (none)
802-1x.password: <hidden>
802-1x.password-flags: 1 (agent-owned)
802-1x.password-raw: <hidden>
802-1x.password-raw-flags: 0 (none)
802-1x.private-key: --
802-1x.private-key-password: <hidden>
802-1x.private-key-password-flags: 0 (none)
802-1x.phase2-private-key: --
802-1x.phase2-private-key-password: <hidden>
802-1x.phase2-private-key-password-flags:0 (none)
802-1x.pin: <hidden>
802-1x.pin-flags: 0 (none)
802-1x.system-ca-certs: no
802-1x.auth-timeout: 0
802-11-wireless.ssid: <SSID>
802-11-wireless.mode: infrastructure
802-11-wireless.band: --
802-11-wireless.channel: 0
802-11-wireless.bssid: --
802-11-wireless.rate: 0
802-11-wireless.tx-power: 0
802-11-wireless.mac-address: --
802-11-wireless.cloned-mac-address: --
802-11-wireless.generate-mac-address-mask:--
802-11-wireless.mac-address-blacklist: --
802-11-wireless.mac-address-randomization:default
802-11-wireless.mtu: auto
802-11-wireless.seen-bssids: --
802-11-wireless.hidden: no
802-11-wireless.powersave: default (0)
802-11-wireless-security.key-mgmt: wpa-eap
802-11-wireless-security.wep-tx-keyidx: 0
802-11-wireless-security.auth-alg: --
802-11-wireless-security.proto: --
802-11-wireless-security.pairwise: --
802-11-wireless-security.group: --
802-11-wireless-security.leap-username: --
802-11-wireless-security.wep-key0: <hidden>
802-11-wireless-security.wep-key1: <hidden>
802-11-wireless-security.wep-key2: <hidden>
802-11-wireless-security.wep-key3: <hidden>
802-11-wireless-security.wep-key-flags: 0 (none)
802-11-wireless-security.wep-key-type: 0 (unknown)
802-11-wireless-security.psk: <hidden>
802-11-wireless-security.psk-flags: 0 (none)
802-11-wireless-security.leap-password: <hidden>
802-11-wireless-security.leap-password-flags:0 (none)
ipv4.method: auto
ipv4.dns: --
ipv4.dns-search: --
ipv4.dns-options: (default)
ipv4.dns-priority: 0
ipv4.addresses: --
ipv4.gateway: --
ipv4.routes: --
ipv4.route-metric: -1
ipv4.ignore-auto-routes: no
ipv4.ignore-auto-dns: no
ipv4.dhcp-client-id: --
ipv4.dhcp-timeout: 0
ipv4.dhcp-send-hostname: yes
ipv4.dhcp-hostname: --
ipv4.dhcp-fqdn: --
ipv4.never-default: no
ipv4.may-fail: yes
ipv4.dad-timeout: -1 (default)
ipv6.method: ignore
ipv6.dns: --
ipv6.dns-search: --
ipv6.dns-options: (default)
ipv6.dns-priority: 0
ipv6.addresses: --
ipv6.gateway: --
ipv6.routes: --
ipv6.route-metric: -1
ipv6.ignore-auto-routes: no
ipv6.ignore-auto-dns: no
ipv6.never-default: no
ipv6.may-fail: yes
ipv6.ip6-privacy: -1 (unknown)
ipv6.addr-gen-mode: stable-privacy
ipv6.dhcp-send-hostname: yes
ipv6.dhcp-hostname: --
ipv6.token: --
proxy.method: none
proxy.browser-only: no
proxy.pac-url: --
proxy.pac-script: --
> wpa_supplicant[1040]: SSL: SSL_connect:error in SSLv3/TLS write client hello

It seems there is a problem during the TLS handshake. Can you try to capture the authentication traffic and analyze it with Wireshark to see if there is a TLS alert message containing a reason?
I'm wondering - chances are that the CN doesn't match for the cert vs the TLS handshake. Is there a way to ignore if the cert is valid or not to verify this theory?
(In reply to Steven Haigh from comment #6)
> I'm wondering - chances are that the CN doesn't match for the cert vs the
> TLS handshake.
>
> Is there a way to ignore if the cert is valid or not to verify this theory?

If the connection doesn't have an 802-1x.ca-cert or 802-1x.ca-path property and 802-1x.system-ca-certs is set to 'no', no CA file/path is passed to wpa_supplicant and the server certificate is not verified.

However, I see in comment 1 that a:

Config: added 'ca_cert' value '/etc/pki/tls/certs/ca-bundle.trust.crt'

is passed to wpa_supplicant, so probably the log is for a connection different from the one in comment 4. Do you have logs for the connection in comment 4? I think it would be a good idea to look at the packet exchange to see if something is wrong there.
I've tried a ton of options - so maybe I'm getting confused with which logs do what with which configuration. I'm pretty sure the ones in this bug report are all for the connection as pasted - but I will verify this when I have access to the network again tomorrow. If the options as listed should *NOT* validate the cert, I will retry and ensure I have this exact configuration to validate there are no errors in my reporting.
I have confirmed that the config is as per comment 4.

tshark of trying to connect:

# tshark -i wlp2s0 -n
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp2s0'
  1 0.000000000 04:bd:88:ba:e1:21 → 24:77:03:f2:26:70 EAP 60 Request, Identity
  2 0.000162196 24:77:03:f2:26:70 → 04:bd:88:ba:e1:21 EAP 29 Response, Identity
  3 0.001072430 04:bd:88:ba:e1:21 → 24:77:03:f2:26:70 EAP 60 Request, TLS EAP (EAP-TLS)
  4 0.001222891 24:77:03:f2:26:70 → 04:bd:88:ba:e1:21 EAP 24 Response, Legacy Nak (Response Only)
  5 0.001905087 04:bd:88:ba:e1:21 → 24:77:03:f2:26:70 EAP 60 Request, Protected EAP (EAP-PEAP)
  6 0.002133774 24:77:03:f2:26:70 → 04:bd:88:ba:e1:21 SSL 200 Client Hello
  7 0.002929885 04:bd:88:ba:e1:21 → 24:77:03:f2:26:70 TLSv1 60 Alert (Level: Fatal, Description: Handshake Failure)
  8 0.004251771 04:bd:88:ba:e1:21 → 24:77:03:f2:26:70 EAP 60 Failure
  9 0.404905093 00:24:6c:b1:73:40 → 24:77:03:f2:26:70 EAP 60 Request, Identity
 10 0.405097216 24:77:03:f2:26:70 → 00:24:6c:b1:73:40 EAP 29 Response, Identity
 11 0.405982927 00:24:6c:b1:73:40 → 24:77:03:f2:26:70 EAP 60 Request, TLS EAP (EAP-TLS)
 12 0.406093176 24:77:03:f2:26:70 → 00:24:6c:b1:73:40 EAP 24 Response, Legacy Nak (Response Only)
 13 0.407088716 00:24:6c:b1:73:40 → 24:77:03:f2:26:70 EAP 60 Request, Protected EAP (EAP-PEAP)
 14 0.407361451 24:77:03:f2:26:70 → 00:24:6c:b1:73:40 SSL 200 Client Hello
 15 0.408850856 00:24:6c:b1:73:40 → 24:77:03:f2:26:70 TLSv1 60 Alert (Level: Fatal, Description: Handshake Failure)
 16 0.410187038 00:24:6c:b1:73:40 → 24:77:03:f2:26:70 EAP 60 Failure
 17 0.881191604 00:24:6c:b1:73:48 → 24:77:03:f2:26:70 EAP 60 Request, Identity
 18 0.881424634 24:77:03:f2:26:70 → 00:24:6c:b1:73:48 EAP 29 Response, Identity
 19 0.921209881 00:24:6c:b1:73:48 → 24:77:03:f2:26:70 EAP 60 Request, TLS EAP (EAP-TLS)
 20 0.921454611 24:77:03:f2:26:70 → 00:24:6c:b1:73:48 EAP 24 Response, Legacy Nak (Response Only)
 21 0.922217683 00:24:6c:b1:73:48 → 24:77:03:f2:26:70 EAP 60 Request, Protected EAP (EAP-PEAP)
 22 0.922543079 24:77:03:f2:26:70 → 00:24:6c:b1:73:48 SSL 200 Client Hello
 23 0.923455786 00:24:6c:b1:73:48 → 24:77:03:f2:26:70 TLSv1 60 Alert (Level: Fatal, Description: Handshake Failure)
 24 0.924546634 00:24:6c:b1:73:48 → 24:77:03:f2:26:70 EAP 60 Failure
 25 2.965728028 24:77:03:f2:26:70 → 00:24:6c:b1:84:88 EAPOL 18 Start
 26 2.967479400 00:24:6c:b1:84:88 → 24:77:03:f2:26:70 EAP 60 Request, Identity
 27 2.967691495 24:77:03:f2:26:70 → 00:24:6c:b1:84:88 EAP 29 Response, Identity
 28 2.968512437 00:24:6c:b1:84:88 → 24:77:03:f2:26:70 EAP 60 Request, TLS EAP (EAP-TLS)
 29 2.968680670 24:77:03:f2:26:70 → 00:24:6c:b1:84:88 EAP 24 Response, Legacy Nak (Response Only)
 30 2.969380772 00:24:6c:b1:84:88 → 24:77:03:f2:26:70 EAP 60 Request, Protected EAP (EAP-PEAP)
 31 2.969709517 24:77:03:f2:26:70 → 00:24:6c:b1:84:88 SSL 200 Client Hello
 32 2.970623049 00:24:6c:b1:84:88 → 24:77:03:f2:26:70 TLSv1 60 Alert (Level: Fatal, Description: Handshake Failure)
 33 2.971520081 00:24:6c:b1:84:88 → 24:77:03:f2:26:70 EAP 60 Failure
 34 6.191708349 00:24:6c:b1:84:80 → 24:77:03:f2:26:70 EAP 60 Request, Identity
 35 6.191849475 24:77:03:f2:26:70 → 00:24:6c:b1:84:80 EAP 29 Response, Identity
 36 10.934762431 00:24:6c:b1:84:80 → 24:77:03:f2:26:70 EAP 60 Request, Identity
 37 10.934872197 24:77:03:f2:26:70 → 00:24:6c:b1:84:80 EAP 29 Response, Identity
 38 10.936109969 00:24:6c:b1:84:80 → 24:77:03:f2:26:70 EAP 60 Request, TLS EAP (EAP-TLS)
 39 10.936373424 24:77:03:f2:26:70 → 00:24:6c:b1:84:80 EAP 24 Response, Legacy Nak (Response Only)
 40 10.945469734 00:24:6c:b1:84:80 → 24:77:03:f2:26:70 EAP 60 Request, Protected EAP (EAP-PEAP)
 41 10.945706944 24:77:03:f2:26:70 → 00:24:6c:b1:84:80 SSL 200 Client Hello
 42 10.947104899 00:24:6c:b1:84:80 → 24:77:03:f2:26:70 TLSv1 60 Alert (Level: Fatal, Description: Handshake Failure)
 43 10.948123993 00:24:6c:b1:84:80 → 24:77:03:f2:26:70 EAP 60 Failure
 44 14.197223838 04:bd:88:ba:e1:31 → 24:77:03:f2:26:70 EAP 60 Request, Identity
 45 14.197402413 24:77:03:f2:26:70 → 04:bd:88:ba:e1:31 EAP 29 Response, Identity
 46 14.280338583 04:bd:88:ba:e1:31 → 24:77:03:f2:26:70 EAP 60 Request, TLS EAP (EAP-TLS)
 47 14.280626421 24:77:03:f2:26:70 → 04:bd:88:ba:e1:31 EAP 24 Response, Legacy Nak (Response Only)
 48 14.281251908 04:bd:88:ba:e1:31 → 24:77:03:f2:26:70 EAP 60 Request, Protected EAP (EAP-PEAP)
 49 14.281623060 24:77:03:f2:26:70 → 04:bd:88:ba:e1:31 SSL 200 Client Hello
 50 14.282347796 04:bd:88:ba:e1:31 → 24:77:03:f2:26:70 TLSv1 60 Alert (Level: Fatal, Description: Handshake Failure)
 51 14.283603048 04:bd:88:ba:e1:31 → 24:77:03:f2:26:70 EAP 60 Failure
^C51 packets captured
Created attachment 1282450
initial output of tshark -nV -i wlp2s0

Added output with tshark option -nV as attachment.
Hi, the handshake failure is probably caused by a mismatch between the cipher suites supported by client and server. Unfortunately NM does not allow specifying the TLS cipher suites to negotiate, and so wpa_supplicant always sends the built-in defaults.

Maybe you can try the following (untested) to check whether the connection succeeds using a broader set of cipher suites:

nmcli device set wlp2s0 managed no

cat <<EOF > wpas.conf
network={
    ssid="ssid"
    scan_ssid=1
    key_mgmt=WPA-EAP
    password="password"
    eap=PEAP
    fragment_size=1266
    phase2="auth=GTC"
    ca_cert="/etc/pki/tls/certs/ca-bundle.trust.crt"
    identity="username"
    openssl_ciphers="ALL"
}
EOF

wpa_supplicant -i wlp2s0 -c wpas.conf

Please try this and capture a Wireshark trace again.

In the future, it would be useful to add to NM a property of the 802-1x connection setting to specify the allowed cipher suites. Or, alternatively, we could always pass the PROFILE=SYSTEM cipher string, which makes OpenSSL use the cipher suites in the current system policy. Users could then select the cipher suites with the existing 'update-crypto-policies' infrastructure.
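As an added illustration of two points in this thread (the earlier reply's rule that a profile with no 802-1x.ca-cert or ca-path and system-ca-certs=no leaves the RADIUS server certificate unverified, and the openssl_ciphers="ALL" experiment suggested above), the following Python script audits an NM-style 802-1x profile and renders the wpa_supplicant network block it implies. It is example code written for this page, not NetworkManager's or wpa_supplicant's own; the subject/domain-suffix check, the "ALL" warning, the name radius.example.com and the sample profiles are this example's assumptions, while the CA bundle path and fragment_size are taken from the configs pasted in the thread.

```python
"""Audit a NetworkManager 802-1x PEAP profile and render the wpa_supplicant
network block it implies.

Example code for this thread, not NetworkManager's or wpa_supplicant's own.
The CA rule is the one from the earlier reply: with no 802-1x.ca-cert or
802-1x.ca-path and 802-1x.system-ca-certs=no, NM passes no CA and the
RADIUS server certificate is not verified. The system bundle path and
fragment_size come from the configs pasted in this thread; the
subject-match check, the "ALL" warning and radius.example.com are this
example's own assumptions.
"""
from typing import Dict, List, Optional, Tuple

# Path NM passed as ca_cert in the report's first log.
SYSTEM_CA_BUNDLE = "/etc/pki/tls/certs/ca-bundle.trust.crt"

# nmcli prints "--" for unset properties.
UNSET = {None, "", "--"}

MATCH_KEYS = ("802-1x.subject-match", "802-1x.altsubject-matches",
              "802-1x.domain-suffix-match")


def is_set(props: Dict[str, str], key: str) -> bool:
    return props.get(key) not in UNSET


def ca_option(props: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """wpa_supplicant CA option (key, value) NM would pass, or None when the
    profile leaves the server certificate unverified."""
    if is_set(props, "802-1x.ca-cert"):
        return ("ca_cert", props["802-1x.ca-cert"])
    if is_set(props, "802-1x.ca-path"):
        return ("ca_path", props["802-1x.ca-path"])
    if props.get("802-1x.system-ca-certs") == "yes":
        return ("ca_cert", SYSTEM_CA_BUNDLE)
    return None


def audit_profile(props: Dict[str, str],
                  openssl_ciphers: Optional[str] = None) -> List[str]:
    """Findings to resolve before rolling a PEAP profile out to users."""
    findings: List[str] = []
    if ca_option(props) is None:
        findings.append("no CA configured: RADIUS server certificate is not verified")
    elif not any(is_set(props, k) for k in MATCH_KEYS):
        # A public bundle trusts many CAs; without a name constraint any
        # certificate one of them issued is accepted as the RADIUS server.
        findings.append("CA configured but no subject or domain-suffix match: "
                        "any certificate from that CA is accepted")
    if openssl_ciphers == "ALL":
        findings.append('openssl_ciphers="ALL" is for diagnosis only: it re-enables '
                        "suites the built-in default excludes")
    return findings


def network_block(ssid: str, props: Dict[str, str],
                  password: str = "<from secret agent>",
                  openssl_ciphers: Optional[str] = None) -> str:
    """Render network={...} in the layout used by the wpas.conf above."""
    lines = [f'ssid="{ssid}"', "scan_ssid=1", "key_mgmt=WPA-EAP",
             f'password="{password}"', f"eap={props['802-1x.eap'].upper()}",
             "fragment_size=1266"]
    if is_set(props, "802-1x.phase2-auth"):
        lines.append(f'phase2="auth={props["802-1x.phase2-auth"].upper()}"')
    ca = ca_option(props)
    if ca is not None:
        lines.append(f'{ca[0]}="{ca[1]}"')
    if is_set(props, "802-1x.domain-suffix-match"):
        lines.append(f'domain_suffix_match="{props["802-1x.domain-suffix-match"]}"')
    lines.append(f'identity="{props["802-1x.identity"]}"')
    if openssl_ciphers:
        lines.append(f'openssl_ciphers="{openssl_ciphers}"')
    return "network={\n" + "".join(f"\t{line}\n" for line in lines) + "}\n"


# Constructed from the 802-1x lines of the reporter's `nmcli con show` output.
REPORTED_PROFILE = {
    "802-1x.eap": "peap",
    "802-1x.identity": "<username>",
    "802-1x.phase2-auth": "gtc",
    "802-1x.ca-cert": "--",
    "802-1x.ca-path": "--",
    "802-1x.system-ca-certs": "no",
    "802-1x.subject-match": "--",
    "802-1x.altsubject-matches": "--",
    "802-1x.domain-suffix-match": "--",
}

# Constructed hardened variant: trust the system bundle and pin the server name.
HARDENED_PROFILE = dict(REPORTED_PROFILE, **{
    "802-1x.system-ca-certs": "yes",
    "802-1x.domain-suffix-match": "radius.example.com",
})

if __name__ == "__main__":
    for name, prof, ciphers in (("reported", REPORTED_PROFILE, "ALL"),
                                ("hardened", HARDENED_PROFILE, None)):
        print(f"--- {name} ---")
        print(network_block("<SSID>", prof, openssl_ciphers=ciphers))
        for finding in audit_profile(prof, ciphers):
            print("!", finding)
```

Run against the reporter's profile it confirms the point of the earlier reply: no ca_cert line is emitted, so the TLS failure seen in the capture is not a certificate-validation failure on the client side.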
Tried connecting with the above 'wpas.conf' example. Output follows.

# wpa_supplicant -i wlp2s0 -c wpas.conf
Successfully initialized wpa_supplicant
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:31
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:31 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5745 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5745 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:91
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:91 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:21
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:21 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:82
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:82 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5180 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5180 MHz)
wlp2s0: Associated with 00:24:6c:b1:73:48
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:73:48 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:40 (SSID='<SSID>' freq=2462 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:40 (SSID='<SSID>' freq=2462 MHz)
wlp2s0: Associated with 00:24:6c:b1:73:40
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:73:40 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:84:88 (SSID='<SSID>' freq=5300 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:84:88 (SSID='<SSID>' freq=5300 MHz)
wlp2s0: Associated with 00:24:6c:b1:84:88
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:84:88 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:84:80 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:84:80 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Associated with 00:24:6c:b1:84:80
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:84:80 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:31
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:31 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5745 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5745 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:91
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:91 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:21
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:21 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:82
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:82 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5180 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5180 MHz)
wlp2s0: Associated with 00:24:6c:b1:73:48
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
^Cwlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:73:48 reason=3 locally_generated=1
nl80211: deinit ifname=wlp2s0 disabled_11b_rates=0
wlp2s0: CTRL-EVENT-TERMINATING
Created attachment 1283146 [details] Output of running wpa_supplicant with suggested wpas.conf
Now wpa_supplicant is negotiating more cipher suites:

  Cipher Suites (66 suites)

vs the old:

  Cipher Suites (28 suites)

but this doesn't help. Maybe the server is buggy and doesn't negotiate the TLS version properly. Can you try to add this:

  phase1="tls_disable_tlsv1_2"

or

  phase1="tls_disable_tlsv1_1 tls_disable_tlsv1_2"

to the configuration above and retry? Otherwise, I've run out of ideas. @dcbw, do you have any suggestions?
I have tried both of the phase1= lines. Still no joy. The interesting part is that this did work with F25. That possibly narrows down to a change between the current state of F26 and the shipping F25 version.

# wpa_supplicant -i wlp2s0 -c wpas.conf
Successfully initialized wpa_supplicant
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:31
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:31 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5320 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5320 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:91
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:91 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:82
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:82 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:21
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:21 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:40 (SSID='<SSID>' freq=2462 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:40 (SSID='<SSID>' freq=2462 MHz)
wlp2s0: Associated with 00:24:6c:b1:73:40
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:73:40 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5785 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5785 MHz)
wlp2s0: Associated with 00:24:6c:b1:73:48
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
^Cwlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:73:48 reason=3 locally_generated=1
nl80211: deinit ifname=wlp2s0 disabled_11b_rates=0
wlp2s0: CTRL-EVENT-TERMINATING
Can you attach the tshark output when using the tls_disable lines? Let's make sure it's really disabling TLSv1.1 and TLSv1.2...
Also, isn't it:

  phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"

?
(In reply to Dan Williams from comment #17)
> Also, isn't it:
>
> phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"

Yes, my bad. Steven, please use this line instead of the one I suggested.
Will try and get back to you. Won't be in range of this network for ~26 hours.
Current config:

# cat wpas.conf
network={
    ssid="<SSID>"
    scan_ssid=1
    key_mgmt=WPA-EAP
    password="<password>"
    eap=PEAP
    fragment_size=1266
    phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"
    phase2="auth=GTC"
    ca_cert="/etc/pki/tls/certs/ca-bundle.trust.crt"
    identity="<username>"
    openssl_ciphers="ALL"
}

Output:

# wpa_supplicant -i wlp2s0 -c wpas.conf
Successfully initialized wpa_supplicant
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5220 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5220 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:31
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:31 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:91
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:91 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:82
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:82 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:21
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:21 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:40 (SSID='<SSID>' freq=2462 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:40 (SSID='<SSID>' freq=2462 MHz)
wlp2s0: Associated with 00:24:6c:b1:73:40
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:73:40 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5785 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5785 MHz)
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:84:80 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:84:80 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Associated with 00:24:6c:b1:84:80
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
^Cwlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:84:80 reason=3 locally_generated=1
nl80211: deinit ifname=wlp2s0 disabled_11b_rates=0
wlp2s0: CTRL-EVENT-TERMINATING

Packet trace to follow as an attachment.
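Every run pasted in this bug has the same shape: 802.11 association succeeds, EAP starts, PEAP (method 25) is selected, and the AP then deauthenticates (reason=3) before any EAP-SUCCESS. Reading that out of a wall of CTRL-EVENT lines by eye is error-prone, so here is an added example (not part of this bug or of wpa_supplicant) that turns such output into one record per association attempt and says how far each one got. The sample log embedded in it is constructed in the shape of the output above with dummy BSSIDs and a placeholder SSID, and the outcome names are my own.

```python
import re
from collections import Counter

# Constructed sample in the shape of the wpa_supplicant output above:
# dummy locally administered BSSIDs, placeholder SSID, supplicant's own event formats.
SAMPLE_LOG = """\
Successfully initialized wpa_supplicant
wlp2s0: SME: Trying to authenticate with 02:00:00:00:00:01 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Trying to associate with 02:00:00:00:00:01 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Associated with 02:00:00:00:00:01
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:00:01 reason=3
wlp2s0: SME: Trying to authenticate with 02:00:00:00:00:02 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Trying to associate with 02:00:00:00:00:02 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: SME: Trying to authenticate with 02:00:00:00:00:03 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Trying to associate with 02:00:00:00:00:03 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Associated with 02:00:00:00:00:03
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
^Cwlp2s0: CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:00:03 reason=3 locally_generated=1
nl80211: deinit ifname=wlp2s0 disabled_11b_rates=0
wlp2s0: CTRL-EVENT-TERMINATING
"""

# Constructed trace of a working PEAP run, for comparison.
SUCCESS_LOG = """\
wlp2s0: Trying to associate with 02:00:00:00:00:03 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Associated with 02:00:00:00:00:03
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlp2s0: WPA: Key negotiation completed with 02:00:00:00:00:03 [PTK=CCMP GTK=CCMP]
wlp2s0: CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:00:03 completed [id=0 id_str=]
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
TRY_RE = re.compile(rf"Trying to associate with (?P<bssid>{MAC}) \(SSID='[^']*' freq=(?P<freq>\d+) MHz\)")
ASSOC_RE = re.compile(rf"Associated with (?P<bssid>{MAC})")
METHOD_RE = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor \d+ method \d+ \((?P<name>[^)]+)\) selected")
DISC_RE = re.compile(rf"CTRL-EVENT-DISCONNECTED bssid=(?P<bssid>{MAC}) reason=(?P<reason>\d+)(?P<local> locally_generated=1)?")


def summarize_attempts(log_text):
    """One record per completed association, recording how far 802.1X/EAP got
    before the link dropped. Attempts that never reach 'Associated with' are skipped."""
    attempts, freqs, cur = [], {}, None
    for raw in log_text.splitlines():
        line = raw[2:] if raw.startswith("^C") else raw  # echoed Ctrl-C before the last event
        if (m := TRY_RE.search(line)):
            freqs[m["bssid"]] = int(m["freq"])
        elif (m := ASSOC_RE.search(line)):
            cur = {"bssid": m["bssid"], "freq": freqs.get(m["bssid"]), "eap_started": False,
                   "eap_method": None, "eap_success": False, "connected": False,
                   "outcome": "open", "reason": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif "CTRL-EVENT-EAP-STARTED" in line:
            cur["eap_started"] = True
        elif (m := METHOD_RE.search(line)):
            cur["eap_method"] = m["name"]
        elif "CTRL-EVENT-EAP-SUCCESS" in line:
            cur["eap_success"] = True
        elif "CTRL-EVENT-CONNECTED" in line:
            cur["connected"] = True
            cur["outcome"] = "connected"
        elif (m := DISC_RE.search(line)) and m["bssid"] == cur["bssid"]:
            cur["reason"] = int(m["reason"])
            if m["local"]:
                cur["outcome"] = "terminated-locally"    # our own Ctrl-C, not a verdict
            elif cur["eap_success"]:
                cur["outcome"] = "dropped-after-eap"
            elif cur["eap_method"]:
                cur["outcome"] = "dropped-during-eap"    # method chosen, TLS/inner auth never finished
            elif cur["eap_started"]:
                cur["outcome"] = "dropped-before-method"
            else:
                cur["outcome"] = "dropped-before-eap"
            cur = None
    return attempts


def diagnose(attempts):
    """Collapse the per-attempt outcomes into one finding for the whole run."""
    verdicts = Counter(a["outcome"] for a in attempts if a["outcome"] != "terminated-locally")
    if not verdicts:
        return "no-completed-attempt"
    if "connected" in verdicts or "dropped-after-eap" in verdicts:
        return "eap-ok"
    if set(verdicts) == {"dropped-during-eap"}:
        # Association and method selection work every time and the AP drops the
        # link before EAP-SUCCESS: the failure is inside the PEAP TLS phase.
        return "eap-tls-phase-failure"
    return "association-or-eap-start-failure"


if __name__ == "__main__":
    for a in summarize_attempts(SAMPLE_LOG):
        print(f"{a['bssid']} {a['freq']} MHz: {a['eap_method']} -> {a['outcome']} (reason={a['reason']})")
    print("finding:", diagnose(summarize_attempts(SAMPLE_LOG)))
```

Feed it real output with `python3 eapsummary.py < wpa.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; an "eap-tls-phase-failure" finding is the cue to look at the TLS handshake in a packet capture (as was done in this bug) rather than at driver or association problems.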
Created attachment 1285957 [details] tshark output with config as per comment 20
(In reply to Steven Haigh from comment #21)
> Created attachment 1285957 [details]
> tshark output with config as per comment 20

Thanks, this confirms that TLS 1.0 is negotiated. I suppose you can't capture the tshark output with an F25 machine, right?
I might be able to find a KDE F25 live boot image and try it? The downside is that it won't have any updates from the date of the live image... Also, it's a long weekend in my area this weekend, so I won't be back in the office to test this until Tuesday (UTC+10).
Created attachment 1287136 [details] Packet trace of successful connection with F25 live boot Added packet trace after booting with an F25 live image. Installed wireshark, then used tshark to capture the wire messages. Authentication was successful on the first attempt via the F25 live image.
Thanks for trying this. With F25, which uses openssl 1.0.2k, we offer cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA. F26 instead has openssl 1.1.0e, which disabled 3DES for security reasons [1]. AFAICS, the only way to enable it again is recompiling the package. Probably it would be even better if the network administrator could upgrade the authenticator to better algorithms. I'm reassigning this bug to openssl so that somebody with knowledge of the matter can comment on this. [1] https://www.openssl.org/blog/blog/2016/08/24/sweet32/
I was fearing that this might be the case - but the problem is, this becomes a 'Replace the managed controller and all access points' type solution. When the APs are $800AUD a pop and a new controller in the $1000AUD range, I'm not sure that's a really feasible answer :\
Perhaps we can re-enable some of the weak ciphers (but still keep them off-by-default). We need to think about it more though - keeping the weak ciphers compiled in creates the risk of inadvertently enabling them by some admin.
This is understandable - but the question would be how to enable the cipher in a way that NetworkManager would be able to pass it down the line. The other side of the coin is that this is still a supported configuration for Windows, OSX, iOS, and Android - so I wonder if the 'disable completely' may be a little heavy-handed. As an example, we still have some WinCE handheld devices that are brand new from the factory that can't support TLS1.1 or higher as well. These are still widespread in the industry. If it's present, but can be enabled on a cipher-by-cipher basis for openssl system-wide in a config file, then I believe that would certainly be an acceptable compromise between the two positions.
(In reply to Steven Haigh from comment #28)
> This is understandable - but the question would be how to enable the cipher in
> a way that NetworkManager would be able to pass it down the line.

Well, if they are built in, the 'ALL' ciphersuite string would enable them. They will not be enabled just in the 'DEFAULT' ciphersuite string.

> As an example, we still have some WinCE handheld devices that are brand new
> from the factory that can't support TLS1.1 or higher as well. These are
> still widespread in the industry.

But they still support the AES ciphersuites, don't they?
I'd have to dig out some documentation to be certain - but I believe we needed to enable TLS_RSA_WITH_3DES_EDE_CBC_SHA for it to work through our load balancer. It may have even been DES-CBC3-SHA... That being said, these don't have to connect to this AP cluster - so it doesn't really relate directly - however, hardware that still only supports these things is still being sold in vast quantities in the industrial market.
(In reply to Tomas Mraz from comment #29)
> (In reply to Steven Haigh from comment #28)
> > This is understandable - but the question would be how to enable the cipher in
> > a way that NetworkManager would be able to pass it down the line.
>
> Well if they are built-in the 'ALL' ciphersuite string would enable them.
> They will not be enabled just in the 'DEFAULT' ciphersuite string.

At the moment NetworkManager can't pass a custom 'openssl_ciphers' option to wpa_supplicant, and thus only ciphers matching "DEFAULT:!EXP:!LOW" are used. I think it would be a good idea to add a new connection property in NM to let users specify a custom cipher string. But, that property would work only when wpa_supplicant is built against OpenSSL, and not with GnuTLS. Or maybe NM should use by default the PROFILE=SYSTEM cipher, which can be configured system-wide using 'update-crypto-policies'.
(In reply to Beniamino Galvani from comment #31)
> Or maybe NM should use by default the PROFILE=SYSTEM cipher, which can
> be configured system-wide using 'update-crypto-policies'.

This would be preferable. Actually, if NM does not pass any explicit ciphersuite string to OpenSSL (or GnuTLS), the PROFILE=SYSTEM will be used.
openssl-1.1.0f-3.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-86656b5c3b
Thanks for the updated package. I'll test this as soon as I come across the built version. Does it require any specific configuration to enable the reenabled 3DES TLS ciphersuites?
For what it's worth, I tried connecting again today with:

$ rpm -qa | grep openssl | sort
compat-openssl10-1.0.2j-6.fc26.x86_64
compat-openssl10-pkcs11-helper-1.22-1.fc26.x86_64
openssl-1.1.0f-3.fc26.x86_64
openssl-libs-1.1.0f-3.fc26.x86_64
xmlsec1-openssl-1.2.23-2.fc26.x86_64

The connection still failed in the same manner as the previous attempts.
If wpa_supplicant by default uses 'DEFAULT:!EXP:!LOW', it still will not work. Please open a new bug against wpa_supplicant and link it to this bug. I'd suggest that the wpa_supplicant should not set any ciphersuite string by default or use PROFILE=SYSTEM ciphersuite string (these are equivalent).
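Comments 29, 31 and 34 turn on a distinction that is easy to get wrong: a suite can be absent because the OpenSSL build left it out (F26's 1.1.0e and 3DES, per comment 25), or present in the build but not selected by the cipher string the client actually passes (wpa_supplicant's "DEFAULT:!EXP:!LOW" versus openssl_ciphers="ALL"). The following is an added example, not code from this bug, NetworkManager, wpa_supplicant or OpenSSL; it asks the OpenSSL that Python is linked against the same question `openssl ciphers -v '<string>'` would answer, and classifies the 3DES suite from comment 25 (OpenSSL name DES-CBC3-SHA) into one of those cases. Which answer you get depends on your OpenSSL build; the "PROFILE=SYSTEM" string from comment 31 only resolves on Fedora/RHEL builds and is reported as offering nothing elsewhere.

```python
import ssl

# Cipher strings that appear in this bug thread.
WPA_SUPPLICANT_BUILTIN = "DEFAULT:!EXP:!LOW"  # what wpa_supplicant passes when openssl_ciphers is unset
ALL_COMPILED_IN = "ALL"                        # openssl_ciphers="ALL" from the wpas.conf in comment 20
# The suite F25's OpenSSL 1.0.2 offered and F26's OpenSSL 1.1.0 no longer compiled in:
# IANA name TLS_RSA_WITH_3DES_EDE_CBC_SHA, OpenSSL name DES-CBC3-SHA.
SWEET32_SUITE = "DES-CBC3-SHA"


def offered_suites(cipher_string):
    """Suites (OpenSSL names) that the OpenSSL linked into this Python would put in a
    ClientHello for `cipher_string`, as `openssl ciphers -v '<string>'` would list them.
    TLS 1.3 suites are excluded because cipher strings do not govern them.
    A string that matches nothing (e.g. PROFILE=SYSTEM outside Fedora/RHEL) makes
    set_ciphers() raise; that is reported as an empty set rather than an exception."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return set()
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def classify_suite(suite, narrow=WPA_SUPPLICANT_BUILTIN, wide=ALL_COMPILED_IN):
    """The three outcomes that matter for the discussion above:
    'in-default'      -> offered under wpa_supplicant's built-in string, no config needed
    'only-with-ALL'   -> compiled in, but only sent if openssl_ciphers widens the string
    'not-compiled-in' -> absent even from ALL; no cipher string can bring it back"""
    if suite in offered_suites(narrow):
        return "in-default"
    if suite in offered_suites(wide):
        return "only-with-ALL"
    return "not-compiled-in"


def widening_adds(narrow=WPA_SUPPLICANT_BUILTIN, wide=ALL_COMPILED_IN):
    """Suites that switching the supplicant from `narrow` to `wide` would newly offer.
    Each one becomes negotiable with any authenticator that asks for it, so this is the
    list to review before accepting openssl_ciphers="ALL" as a workaround."""
    return sorted(offered_suites(wide) - offered_suites(narrow))


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print(f"{SWEET32_SUITE}: {classify_suite(SWEET32_SUITE)}")
    print(f"{WPA_SUPPLICANT_BUILTIN!r} offers {len(offered_suites(WPA_SUPPLICANT_BUILTIN))} suites,"
          f" {ALL_COMPILED_IN!r} offers {len(offered_suites(ALL_COMPILED_IN))}")
    for name in widening_adds():
        print("  added by ALL:", name)
```

On a build like F26's original openssl-1.1.0e the 3DES suite classifies as "not-compiled-in", which is why no phase1 or openssl_ciphers setting in the earlier comments could help; on a build that re-enables it, it shows up as "only-with-ALL", which is exactly the situation comment 34 describes: wpa_supplicant's built-in string still excludes it unless the supplicant stops forcing "DEFAULT:!EXP:!LOW".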
openssl-1.1.0f-3.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-86656b5c3b
openssl-1.1.0f-3.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.