Created attachment 1454696 [details] output from command 'journalctl --since=today | egrep "NetworkManager|IGTK|WPA|kernel|wpa" ' Description of problem: After NetworkManager upgrade to deal with DHCP vulnerability (see https://fedoramagazine.org/protect-fedora-system-dhcp-flaw/) NetworkManager fails to connect to some wireless routers, ultimately triggering wpa_supplicant "Failed to configure IGTK" messages. Version-Release number of selected component (if applicable): NetworkManager 1.10.10-1 wpa_supplicant 2.6-15 How reproducible: Always on particular routers. Same computer connects fine to those routers when booted to Win10, and to workplace routers (i.e. software error, unrelated to computer hardware). Steps to Reproduce: 1. enable wifi connection to offending routers (e.g. technicolor-tc8717t) 2. 3. Actual results: Brief connection to router, no internet access, then fail Expected results: Full connection Additional info: See attached logs. Appears related to bug 1586211 (https://bugzilla.redhat.com/show_bug.cgi?id=1586211), diagnosis greatly aided by IGTK discussion at https://kwagjj.wordpress.com/2017/08/08/failed-to-configure-igtk-error-fixes-in-aosp/. As in that case, wpa_supplicant appears to be unable to handle RSN capability signal. So far I've been unable to disable RSN/PMF in FC27 or 28. That is probably the easiest potential solution to this problem though. Attachments: 1. output from command 'journalctl --since=today | egrep "NetworkManager|IGTK|WPA|kernel|wpa" ' (the offending router is SpectrumRouta*, successful router is Comet 2. WireShark capture of failed wpa_supplicant connect (to Technicolor router) 3. WireShark capture of successful wpa_supplicant connect (to router not broadcasting RSN capability)
Created attachment 1454700 [details] wpa_supplicant packets, failed connection, captured by WireShark
(In reply to Tom Brikowski from comment #0) > Created attachment 1454696 [details] > output from command 'journalctl --since=today | egrep > "NetworkManager|IGTK|WPA|kernel|wpa" ' > > Description of problem: > > After NetworkManager upgrade to deal with DHCP vulnerability (see > https://fedoramagazine.org/protect-fedora-system-dhcp-flaw/) NetworkManager > fails to connect to some wireless routers, ultimately triggering > wpa_supplicant "Failed to configure IGTK" messages. > please provide the output of # iw phy0 info ? BTW, it's possible to disable PMF with nmcli. For details, see bz1582407 (this bugzilla looks like a duplicate of bz1582407, but I would like to understand, like Beniamino, if you have swcrypto turned on on your card). thank you in advance! -- davide
Created attachment 1454884 [details] Output of iw while wireless connection failing Disable PMF using nmcli worked fine (after rather long delay). The offending router is standard issue for VOIP from Time-Warner (now Specturm), so there may be many others with similar problem. Maybe raise awareness in the documentation of nmcli solution ?
Seeing the same issue with an AVM FritzBox router and Centrino Advanced-N 6205 WiFi. The workaround of disabling PMF on the connection helps,
(In reply to Robert Buchholz from comment #4) > Seeing the same issue with an AVM FritzBox router and Centrino Advanced-N > 6205 WiFi. The workaround of disabling PMF on the connection helps, can you please provide the output of # iw phy0 info? thanks! -- davide
Created attachment 1456320 [details] iw phy0 info
I share my mobile connection via a Fedora 28 box. I can connect to that wi-fi with several other devices, but not any more with my Samsung RV720, which has BCM4313 network card. Even that machine could connect with the Fedora 28 LXDE Live CD, but after I installed it to hard disk and updated it, it can't connect any more. wpa_supplicant gives errors: WPA: Failed to configure IGTK to the driver RSN: Failed to configure IGTK But when I disable PMF the connection works! My versions: kernel-4.17.3-200.fc28.x86_64 wpa_supplicant-2.6-16.fc28.x86_64 # lspci -vnn -d 14e4: 02:00.0 Network controller [0280]: Broadcom Limited BCM4313 802.11bgn Wireless Network Adapter [14e4:4727] (rev 01) Subsystem: Wistron NeWeb Corp. Device [185f:051a] Flags: bus master, fast devsel, latency 0, IRQ 16 Memory at f3200000 (64-bit, non-prefetchable) [size=16K] Capabilities: [40] Power Management version 3 Capabilities: [58] Vendor Specific Information: Len=78 <?> Capabilities: [48] MSI: Enable- Count=1/1 Maskable- 64bit+ Capabilities: [d0] Express Endpoint, MSI 00 Capabilities: [100] Advanced Error Reporting Capabilities: [13c] Virtual Channel Capabilities: [160] Device Serial Number 00-00-de-ff-ff-77-90-a4 Capabilities: [16c] Power Budgeting <?> Kernel driver in use: bcma-pci-bridge Kernel modules: bcma
(In reply to Juhani Jaakola from comment #7) > I share my mobile connection via a Fedora 28 box. I can connect to that > wi-fi with several other devices, but not any more with my Samsung RV720, > which has BCM4313 network card. Even that machine could connect with the > Fedora 28 LXDE Live CD, but after I installed it to hard disk and updated > it, it can't connect any more. wpa_supplicant gives errors: > > WPA: Failed to configure IGTK to the driver > RSN: Failed to configure IGTK > > But when I disable PMF the connection works! > > My versions: > kernel-4.17.3-200.fc28.x86_64 > wpa_supplicant-2.6-16.fc28.x86_64 > > # lspci -vnn -d 14e4: > 02:00.0 Network controller [0280]: Broadcom Limited BCM4313 802.11bgn > Wireless Network Adapter [14e4:4727] (rev 01) > Subsystem: Wistron NeWeb Corp. Device [185f:051a] > Flags: bus master, fast devsel, latency 0, IRQ 16 > Memory at f3200000 (64-bit, non-prefetchable) [size=16K] > Capabilities: [40] Power Management version 3 > Capabilities: [58] Vendor Specific Information: Len=78 <?> > Capabilities: [48] MSI: Enable- Count=1/1 Maskable- 64bit+ > Capabilities: [d0] Express Endpoint, MSI 00 > Capabilities: [100] Advanced Error Reporting > Capabilities: [13c] Virtual Channel > Capabilities: [160] Device Serial Number 00-00-de-ff-ff-77-90-a4 > Capabilities: [16c] Power Budgeting <?> > Kernel driver in use: bcma-pci-bridge > Kernel modules: bcma hi Juhani, thanks for following up! According to the output of 'iw phy0 info' on your laptop, your wireless NIC does not seem to support PMF: Supported Ciphers: * WEP40 (00-0f-ac:1) * WEP104 (00-0f-ac:5) * TKIP (00-0f-ac:2) * CCMP-128 (00-0f-ac:4) * CCMP-256 (00-0f-ac:10) * GCMP-128 (00-0f-ac:8) * GCMP-256 (00-0f-ac:9) as 'AES_CMAC' and 'BIP_GMAC' suites are missing: so, disabling PMF here is the correct thing to do. I know (from bz1582407) that NetworkManager is going to introduce a check on the suppported ciphers before enabling PMF. -- davide *** This bug has been marked as a duplicate of bug 1582407 ***
yet this does not explain the attachment in comment #3, where at least AES_CMAC is supported and the still the driver refuses to install the key: nl80211: set_key failed; err=-22 Invalid argument Unfortunately, -EINVAL should be disambiguated in cfg80211 to understand where it fails. I will try to do a test kernel for that.
*** Bug 1586211 has been marked as a duplicate of this bug. ***