Bug 468844 - NetworkManager WPA2/PEAPv1 doesn't work
Summary: NetworkManager WPA2/PEAPv1 doesn't work
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager
Version: 10
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Dan Williams
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-10-28 11:19 UTC by Pekka Savola
Modified: 2009-03-08 19:33 UTC (History)
3 users (show)

Fixed In Version: 0.7.0.99-1.fc10
Clone Of:
Environment:
Last Closed: 2009-03-08 19:33:10 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
Forced PEAPv0/MSCHAPv2 authentication (success) (18.51 KB, text/plain)
2009-02-19 08:16 UTC, Pekka Savola
no flags Details
Forced PEAPv0/MSCHAPv2 authentication (failure) (29.43 KB, text/plain)
2009-02-19 08:16 UTC, Pekka Savola
no flags Details

Description Pekka Savola 2008-10-28 11:19:27 UTC
Description of problem:

I haven't been able to get WPA2 PEAP/MSCHAPV2 to work with NetworkManager 0.7.0 (0.7.0-0.11.svn4022.4.fc9).  However, booting an Ubuntu livecd that has Networkmanager 0.6.6 works OK.

Version-Release number of selected component (if applicable):
NetworkManager-0.7.0-0.11.svn4022.4.fc9.i386

I'm testing WPA2 (WPA doesn't work either but this is less rigorously tested) Enterprise mode on F9 with the latest updates + updates-testing.  Settings: PEAP, PEAP Version 1, Inner Authentication MSCHAPv2.

This works with NetworkManager 0.6.6 supplied with Ubuntu 08.04 live-cd.  Note however, that there the wireless settings are more extensive: I'm also able to select TKIP/CCMP and some other settings which are not available in NM 0.7.0.

What happens is that the NetworkManager icon circles for a while (~5s or more), and then the autentication dialog asks for PEAP, username, etc. settings.  Once you click OK, it tries authenticating, but apparently fails, as it comes back to the dialog after 10-15 seconds.

The difference in iwlist between Ubuntu 08.04 (-) and F9 (+) is as follows:

-          Cell 01 - Address: 00:17:DF:A7:EB:D0
+          Cell 03 - Address: 00:17:DF:A7:EB:D0
                     ESSID:"cisco_test"
                     Mode:Master
                     Channel:1
                     Frequency:2.412 GHz (Channel 1)
-                    Quality=81/100  Signal level=-53 dBm  Noise level=-127 dBm
+                    Quality=100/100  Signal level:-53 dBm  Noise level=-96 dBm
                     Encryption key:on
                     IE: IEEE 802.11i/WPA2 Version 1
                         Group Cipher : TKIP
                         Pairwise Ciphers (2) : TKIP CCMP
                         Authentication Suites (1) : 802.1x
+                    IE: Unknown: 2D1A6E181BFFFF000000000000000000000000000000000000000000
                     Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                               11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                               48 Mb/s; 54 Mb/s
-                    Extra:tsf=000001b8f25f0aa4
+                    Extra:tsf=000001a9dd921ad3
+                    Extra: Last beacon: 24ms ago

.. not much though I wonder if IE: Unknown is relevant.  I also wonder why Ubuntu sees also the access point in 5.7 Ghz range, but 'nm-tool in F9 only sees the 2.4 Ghz frequency.  Wireless card is iwl4965 (Intel 4965 AGN).

With tcpdump on the interface, I can see two EAP packets, but nothing else.

Comment 1 Pekka Savola 2008-10-29 07:48:32 UTC
Additional results:

I tried it also with Ubuntu 08.10 RC live-cd which includes NM 0.7.0.  It didn't work with PEAP version 1, but it worked after selecting PEAP version 0.  The wireless driver name was different though.

wpa_supplicant log on Ubuntu 08.10 failure with PEAPv1:

CTRL-EVENT-SCAN-RESULTS
Trying to associate with 00:17:df:a7:eb:d0 (SSID='cisco_test' freq=2412 MHz)
Associated with 00:17:df:a7:eb:d0
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP-PEAP: Failed to select forced PEAP version 1
CTRL-EVENT-SCAN-RESULTS
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

wpa_supplicant log on Ubuntu 08.10 success with PEAPv0:

Trying to associate with 00:17:df:a7:eb:d0 (SSID='cisco_test' freq=2412 MHz)
Associated with 00:17:df:a7:eb:d0
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
EAP-MSCHAPV2: Authentication succeeded
EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 00:17:df:a7:eb:d0 [PTK=CCMP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:17:df:a7:eb:d0 completed (auth) [id=0 id_str=]

wpa_supplicant log on F9 is the same with PEAPv0 or PEAPv1:

CTRL-EVENT-SCAN-RESULTS
Trying to associate with 00:17:df:a7:eb:d0 (SSID='cisco_test' freq=2412 MHz)
Associated with 00:17:df:a7:eb:d0
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

I note specifically that "CTRL-EVENT-EAP-METHOD" message is missing on F9.

Comment 2 Pekka Savola 2008-10-29 08:36:26 UTC
I wonder if this could be a kernel (driver) issue.  But FWIW, 'swcrypto=1' described in bug ID #464707 makes no difference here.  Running 2.6.26.6-79.fc9; I also tried 2.6.25-14.fc9 and that didn't work either (similar wpa_supplicant logs).

Comment 3 Pekka Savola 2008-11-05 10:47:55 UTC
Update: I tested this with Fedora 9 and 10 Preview live-cds; results:

 - 10 Preview: works ~OK there (I have to force PEAPv0, PEAPv1 won't work). nm-tool reports the driver as "iwlagn".  Both 5.2 Ghz (AP1) and 2.4 Ghz (AP2) seem to work, but while both APs support both frequencies, nm-tool and iwlist only report one of them and it isn't clear why.

 - 9: doesn't work at all, like before; driver iwl4965.

So, I'll assume that PEAPv0 issue is likely related to kernel version (drivers?) and should be fixed in Fedora 10.  I'll still try to figure out why PEAPv1 doesn't work.

Comment 4 Pekka Savola 2008-11-10 08:26:31 UTC
With updated kernel (with iwlagn driver), 2.6.27.4-26.fc9.i686 on 5.2 Ghz TTLS and PEAPv0 OK; PEAPv1 not OK.  I could not verify 2.4Ghz tests.
So it seems at least large part of the initial problem is solved by 2.6.27.4 kernel.  

PEAPv1 failure is still a mystery though.  Changed the problem summary accordingly.

Comment 5 Stijn Hoop 2009-01-29 14:51:43 UTC
Seeing this on up to date F10 as well, WPA2 enterprise w/PEAPv0 works while w/PEAPv1 doesn't.

iwl3945 driver on a Dell Latitude D620 laptop.

I can provide more information if needed but I'm not well versed in all intricacies of nm-tool, wpa_supplicant etc. so I'd be grateful for instructions in that case.

Comment 6 Dan Williams 2009-02-15 14:37:52 UTC
Ok, so it seems that you both need to force PEAP version 0.  That likely means your Authenticator on your network doesn't correctly support PEAPv1.  This isn't something that NM or wpa_supplicant can reliably autodetect, so the user (or hopefully the sysadmin who sets up the connection) needs to know it.  As time goes on this will get better as authenticators get better support for PEAP.

Comment 7 Stijn Hoop 2009-02-16 09:38:22 UTC
I'm ok with that, but can I verify this?

Because (sorry...) Windows XP / Vista all work ok. I can't determine whether that is because they use PEAPv0 or because of some other reason, hence I'd like to verify that this is really a case of a wrong authenticator.

Comment 8 Pekka Savola 2009-02-16 09:57:45 UTC
It is mindboggling to see this closed as WORKSFORME.

Clearly, there is a bug somewhere, but because other implementations work, it would seem more likely that the supplicant is not complying to PEAPv1 or there is an interoperability problem.

I can provide tcpdump traces etc. if that would help in problem isolation but someone would need to be knowledgeable enough of EAP and PEAP to spot where the problem is.

Comment 9 Dan Williams 2009-02-17 16:43:24 UTC
(In reply to comment #8)
> It is mindboggling to see this closed as WORKSFORME.
> 
> Clearly, there is a bug somewhere, but because other implementations work, it
> would seem more likely that the supplicant is not complying to PEAPv1 or there
> is an interoperability problem.
> 
> I can provide tcpdump traces etc. if that would help in problem isolation but
> someone would need to be knowledgeable enough of EAP and PEAP to spot where the
> problem is.

If you can get frame dumps of what's going out over the wired (or wireless) that would be excellent, then we can figure out if the supplicant really is failing with peap V1.

What wpa_supplicant version is everyone running?

Comment 10 Pekka Savola 2009-02-19 08:14:36 UTC
wpa_supplicant-0.6.4-3.fc10.i386 here.  I ran it with '-dd' debug option (a bit tricky because networkmanager doesn't honor OTHER_FLAGS in /etc/sysconfig/wpa_supplicant).

It seems possible that the server doesn't support or otherwise like PEAP version 1, as indicated by the following debug messages when trying PEAPv1 (too bad these messages aren't printed without debugging enabled):

EAP-PEAP: Start (server ver=0, own ver=1)
EAP-PEAP: Failed to select forced PEAP version 1
EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL

However, this may be an incorrect root cause, and others may have different ones.  For example, maybe the server supports both PEAP versions (not sure where the origin of "server ver" comes from) but the supplicant can't pick the right one.

In any case, I'll attach two logfiles, one with PEAPv0 and one with PEAPv1.

Comment 11 Pekka Savola 2009-02-19 08:16:18 UTC
Created attachment 332509 [details]
Forced PEAPv0/MSCHAPv2 authentication (success)

Comment 12 Pekka Savola 2009-02-19 08:16:54 UTC
Created attachment 332510 [details]
Forced PEAPv0/MSCHAPv2 authentication (failure)

Comment 13 Pekka Savola 2009-02-19 08:17:28 UTC
I'm also changing the Version component 9 -> 10 because this occurs with F10 as well.

Comment 14 Dan Williams 2009-02-19 17:31:41 UTC
You're going to have to force PEAP version 0.  Take a look at the log output:

EAP-PEAP: Start (server ver=0, own ver=1)
EAP-PEAP: Failed to select forced PEAP version 1

The server is clearly saying it supports version 0, while you are attempting to only use version 1.  It's just not gong to work.

I'm trying figure out whether the supplicant can just autodetect the PEAP version, or really just use whatever version the server supports.  Then you wouldn't have to explicitly force a peap version unless you really, really wanted to.

Comment 15 Fedora Update System 2009-02-24 20:50:00 UTC
NetworkManager-0.7.0.97-5.git20090220.fc10, NetworkManager-openconnect-0.7.0.97-1.fc10, NetworkManager-pptp-0.7.0.97-1.fc10, NetworkManager-openvpn-0.7.0.97-1.fc10, NetworkManager-vpnc-0.7.0.97-1.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update NetworkManager NetworkManager-openconnect NetworkManager-pptp NetworkManager-openvpn NetworkManager-vpnc'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-1985

Comment 16 Pekka Savola 2009-02-25 12:36:31 UTC
This seems to implement 'Automatic' option for PEAP version.  After update when I switched to use it, PEAP worked fine.

Comment 17 Dan Williams 2009-02-25 16:12:49 UTC
Excellent, thanks for the testing.  Good to hear it works.

Comment 18 Fedora Update System 2009-02-28 03:24:32 UTC
NetworkManager-0.7.0.98-1.git20090225.fc10, NetworkManager-openconnect-0.7.0.97-1.fc10, NetworkManager-pptp-0.7.0.97-1.fc10, NetworkManager-openvpn-0.7.0.97-1.fc10, NetworkManager-vpnc-0.7.0.97-1.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update NetworkManager NetworkManager-openconnect NetworkManager-pptp NetworkManager-openvpn NetworkManager-vpnc'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-1985

Comment 19 Stijn Hoop 2009-03-02 11:53:51 UTC
I can confirm that this works flawlessly. Happy camper now!

Comment 20 Fedora Update System 2009-03-06 17:34:56 UTC
NetworkManager-0.7.0.99-1.fc10,knetworkmanager-0.7-0.8.20080926svn.fc10,NetworkManager-vpnc-0.7.0.99-1.fc10,NetworkManager-openvpn-0.7.0.99-1.fc10,NetworkManager-pptp-0.7.0.99-1.fc10,NetworkManager-openconnect-0.7.0.99-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/NetworkManager-0.7.0.99-1.fc10,knetworkmanager-0.7-0.8.20080926svn.fc10,NetworkManager-vpnc-0.7.0.99-1.fc10,NetworkManager-openvpn-0.7.0.99-1.fc10,NetworkManager-pptp-0.7.0.99-1.fc10,NetworkManager-openconnect-0.7.0.99-1.fc10

Comment 21 Fedora Update System 2009-03-06 17:51:47 UTC
NetworkManager-0.7.0.99-1.fc9,NetworkManager-vpnc-0.7.0.99-1.fc9,NetworkManager-openvpn-0.7.0.99-1.fc9,NetworkManager-pptp-0.7.0.99-1.fc9,NetworkManager-openconnect-0.7.0.99-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/NetworkManager-0.7.0.99-1.fc9,NetworkManager-vpnc-0.7.0.99-1.fc9,NetworkManager-openvpn-0.7.0.99-1.fc9,NetworkManager-pptp-0.7.0.99-1.fc9,NetworkManager-openconnect-0.7.0.99-1.fc9

Comment 22 Fedora Update System 2009-03-08 19:30:16 UTC
NetworkManager-0.7.0.99-1.fc9, NetworkManager-vpnc-0.7.0.99-1.fc9, NetworkManager-openvpn-0.7.0.99-1.fc9, NetworkManager-pptp-0.7.0.99-1.fc9, NetworkManager-openconnect-0.7.0.99-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2009-03-08 19:31:46 UTC
NetworkManager-0.7.0.99-1.fc10, knetworkmanager-0.7-0.8.20080926svn.fc10, NetworkManager-vpnc-0.7.0.99-1.fc10, NetworkManager-openvpn-0.7.0.99-1.fc10, NetworkManager-pptp-0.7.0.99-1.fc10, NetworkManager-openconnect-0.7.0.99-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.