Description of problem:
I haven't been able to get WPA2 PEAP/MSCHAPV2 to work with NetworkManager 0.7.0 (0.7.0-0.11.svn4022.4.fc9). However, booting an Ubuntu livecd that has NetworkManager 0.6.6 works OK.

Version-Release number of selected component (if applicable):
NetworkManager-0.7.0-0.11.svn4022.4.fc9.i386

I'm testing WPA2 (WPA doesn't work either but this is less rigorously tested) Enterprise mode on F9 with the latest updates + updates-testing. Settings: PEAP, PEAP Version 1, Inner Authentication MSCHAPv2. This works with NetworkManager 0.6.6 supplied with Ubuntu 08.04 live-cd. Note however, that there the wireless settings are more extensive: I'm also able to select TKIP/CCMP and some other settings which are not available in NM 0.7.0.

What happens is that the NetworkManager icon circles for a while (~5s or more), and then the authentication dialog asks for PEAP, username, etc. settings. Once you click OK, it tries authenticating, but apparently fails, as it comes back to the dialog after 10-15 seconds.

The difference in iwlist between Ubuntu 08.04 (-) and F9 (+) is as follows:

- Cell 01 - Address: 00:17:DF:A7:EB:D0
+ Cell 03 - Address: 00:17:DF:A7:EB:D0
  ESSID:"cisco_test"
  Mode:Master
  Channel:1
  Frequency:2.412 GHz (Channel 1)
- Quality=81/100 Signal level=-53 dBm Noise level=-127 dBm
+ Quality=100/100 Signal level:-53 dBm Noise level=-96 dBm
  Encryption key:on
  IE: IEEE 802.11i/WPA2 Version 1
      Group Cipher : TKIP
      Pairwise Ciphers (2) : TKIP CCMP
      Authentication Suites (1) : 802.1x
+ IE: Unknown: 2D1A6E181BFFFF000000000000000000000000000000000000000000
  Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
            11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
            48 Mb/s; 54 Mb/s
- Extra:tsf=000001b8f25f0aa4
+ Extra:tsf=000001a9dd921ad3
+ Extra: Last beacon: 24ms ago

.. not much though I wonder if IE: Unknown is relevant. I also wonder why Ubuntu sees also the access point in 5.7 GHz range, but 'nm-tool' in F9 only sees the 2.4 GHz frequency.
Wireless card is iwl4965 (Intel 4965 AGN). With tcpdump on the interface, I can see two EAP packets, but nothing else.
Additional results: I tried it also with Ubuntu 08.10 RC live-cd which includes NM 0.7.0. It didn't work with PEAP version 1, but it worked after selecting PEAP version 0. The wireless driver name was different though.

wpa_supplicant log on Ubuntu 08.10 failure with PEAPv1:

CTRL-EVENT-SCAN-RESULTS
Trying to associate with 00:17:df:a7:eb:d0 (SSID='cisco_test' freq=2412 MHz)
Associated with 00:17:df:a7:eb:d0
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP-PEAP: Failed to select forced PEAP version 1
CTRL-EVENT-SCAN-RESULTS
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

wpa_supplicant log on Ubuntu 08.10 success with PEAPv0:

Trying to associate with 00:17:df:a7:eb:d0 (SSID='cisco_test' freq=2412 MHz)
Associated with 00:17:df:a7:eb:d0
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
EAP-MSCHAPV2: Authentication succeeded
EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 00:17:df:a7:eb:d0 [PTK=CCMP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:17:df:a7:eb:d0 completed (auth) [id=0 id_str=]

wpa_supplicant log on F9 is the same with PEAPv0 or PEAPv1:

CTRL-EVENT-SCAN-RESULTS
Trying to associate with 00:17:df:a7:eb:d0 (SSID='cisco_test' freq=2412 MHz)
Associated with 00:17:df:a7:eb:d0
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

I note specifically that "CTRL-EVENT-EAP-METHOD" message is missing on F9.
I wonder if this could be a kernel (driver) issue. But FWIW, 'swcrypto=1' described in bug ID #464707 makes no difference here. Running 2.6.26.6-79.fc9; I also tried 2.6.25-14.fc9 and that didn't work either (similar wpa_supplicant logs).
Update: I tested this with Fedora 9 and 10 Preview live-cds; results:
- 10 Preview: works ~OK there (I have to force PEAPv0, PEAPv1 won't work). nm-tool reports the driver as "iwlagn". Both 5.2 GHz (AP1) and 2.4 GHz (AP2) seem to work, but while both APs support both frequencies, nm-tool and iwlist only report one of them and it isn't clear why.
- 9: doesn't work at all, like before; driver iwl4965.
So, I'll assume that PEAPv0 issue is likely related to kernel version (drivers?) and should be fixed in Fedora 10. I'll still try to figure out why PEAPv1 doesn't work.
With updated kernel (with iwlagn driver), 2.6.27.4-26.fc9.i686 on 5.2 GHz TTLS and PEAPv0 OK; PEAPv1 not OK. I could not verify 2.4 GHz tests. So it seems at least a large part of the initial problem is solved by 2.6.27.4 kernel. PEAPv1 failure is still a mystery though. Changed the problem summary accordingly.
Seeing this on up to date F10 as well, WPA2 enterprise w/PEAPv0 works while w/PEAPv1 doesn't. iwl3945 driver on a Dell Latitude D620 laptop. I can provide more information if needed but I'm not well versed in all intricacies of nm-tool, wpa_supplicant etc. so I'd be grateful for instructions in that case.
Ok, so it seems that you both need to force PEAP version 0. That likely means your Authenticator on your network doesn't correctly support PEAPv1. This isn't something that NM or wpa_supplicant can reliably autodetect, so the user (or hopefully the sysadmin who sets up the connection) needs to know it. As time goes on this will get better as authenticators get better support for PEAP.
I'm ok with that, but can I verify this? Because (sorry...) Windows XP / Vista all work ok. I can't determine whether that is because they use PEAPv0 or because of some other reason, hence I'd like to verify that this is really a case of a wrong authenticator.
It is mindboggling to see this closed as WORKSFORME. Clearly, there is a bug somewhere, but because other implementations work, it would seem more likely that the supplicant is not complying to PEAPv1 or there is an interoperability problem. I can provide tcpdump traces etc. if that would help in problem isolation but someone would need to be knowledgeable enough of EAP and PEAP to spot where the problem is.
(In reply to comment #8)
> It is mindboggling to see this closed as WORKSFORME.
>
> Clearly, there is a bug somewhere, but because other implementations work, it
> would seem more likely that the supplicant is not complying to PEAPv1 or there
> is an interoperability problem.
>
> I can provide tcpdump traces etc. if that would help in problem isolation but
> someone would need to be knowledgeable enough of EAP and PEAP to spot where the
> problem is.

If you can get frame dumps of what's going out over the wired (or wireless) that would be excellent, then we can figure out if the supplicant really is failing with peap V1. What wpa_supplicant version is everyone running?
wpa_supplicant-0.6.4-3.fc10.i386 here. I ran it with '-dd' debug option (a bit tricky because NetworkManager doesn't honor OTHER_FLAGS in /etc/sysconfig/wpa_supplicant). It seems possible that the server doesn't support or otherwise like PEAP version 1, as indicated by the following debug messages when trying PEAPv1 (too bad these messages aren't printed without debugging enabled):

EAP-PEAP: Start (server ver=0, own ver=1)
EAP-PEAP: Failed to select forced PEAP version 1
EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL

However, this may be an incorrect root cause, and others may have different ones. For example, maybe the server supports both PEAP versions (not sure where the origin of "server ver" comes from) but the supplicant can't pick the right one. In any case, I'll attach two logfiles, one with PEAPv0 and one with PEAPv1.
Created attachment 332509: Forced PEAPv0/MSCHAPv2 authentication (success)
Created attachment 332510: Forced PEAPv0/MSCHAPv2 authentication (failure)
I'm also changing the Version component 9 -> 10 because this occurs with F10 as well.
You're going to have to force PEAP version 0. Take a look at the log output:

EAP-PEAP: Start (server ver=0, own ver=1)
EAP-PEAP: Failed to select forced PEAP version 1

The server is clearly saying it supports version 0, while you are attempting to only use version 1. It's just not going to work. I'm trying to figure out whether the supplicant can just autodetect the PEAP version, or really just use whatever version the server supports. Then you wouldn't have to explicitly force a peap version unless you really, really wanted to.
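Added example, not part of the original thread and not wpa_supplicant or NetworkManager code: a small Python triage of the wpa_supplicant messages quoted in the comments above, separating a forced-PEAP-version mismatch from an attempt that is dropped before any EAP method is selected (the Fedora 9 symptom). The sample logs are constructed from lines quoted in this report; the function name `triage` and the verdict strings are hypothetical.

```python
import re

# Constructed samples, assembled from log lines quoted in this bug report.
FORCED_V1 = """\
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP-PEAP: Start (server ver=0, own ver=1)
EAP-PEAP: Failed to select forced PEAP version 1
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
"""
NO_METHOD = """\
Associated with 00:17:df:a7:eb:d0
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
"""
PEAPV0_OK = """\
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP-MSCHAPV2: Authentication succeeded
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
"""

START_RE = re.compile(r"EAP-PEAP: Start \(server ver=(\d+), own ver=(\d+)\)")
FORCED_RE = re.compile(r"EAP-PEAP: Failed to select forced PEAP version (\d+)")


def triage(log):
    """Classify one authentication attempt (hypothetical helper)."""
    r = {"verdict": "unknown", "server_ver": None, "own_ver": None, "forced": None}
    started = method = False
    for line in log.splitlines():
        if "CTRL-EVENT-EAP-STARTED" in line:
            started = True
        elif "CTRL-EVENT-EAP-METHOD" in line:
            method = True
        elif m := START_RE.search(line):
            # Seen in the -dd debug output quoted in the thread.
            r["server_ver"], r["own_ver"] = int(m.group(1)), int(m.group(2))
        elif m := FORCED_RE.search(line):
            r["forced"], r["verdict"] = int(m.group(1)), "forced-version-mismatch"
        elif "CTRL-EVENT-EAP-SUCCESS" in line:
            r["verdict"] = "success"
        elif "CTRL-EVENT-DISCONNECTED" in line and r["verdict"] == "unknown":
            # Dropped before a method was chosen: not a PEAP version problem.
            if started and not method:
                r["verdict"] = "no-method-negotiated"
    return r


if __name__ == "__main__":
    for name, log in [("forced v1", FORCED_V1), ("F9", NO_METHOD), ("v0", PEAPV0_OK)]:
        print(name, triage(log))
```
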
NetworkManager-0.7.0.97-5.git20090220.fc10, NetworkManager-openconnect-0.7.0.97-1.fc10, NetworkManager-pptp-0.7.0.97-1.fc10, NetworkManager-openvpn-0.7.0.97-1.fc10, NetworkManager-vpnc-0.7.0.97-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update NetworkManager NetworkManager-openconnect NetworkManager-pptp NetworkManager-openvpn NetworkManager-vpnc'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-1985
This seems to implement 'Automatic' option for PEAP version. After update when I switched to use it, PEAP worked fine.
Excellent, thanks for the testing. Good to hear it works.
NetworkManager-0.7.0.98-1.git20090225.fc10, NetworkManager-openconnect-0.7.0.97-1.fc10, NetworkManager-pptp-0.7.0.97-1.fc10, NetworkManager-openvpn-0.7.0.97-1.fc10, NetworkManager-vpnc-0.7.0.97-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update NetworkManager NetworkManager-openconnect NetworkManager-pptp NetworkManager-openvpn NetworkManager-vpnc'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-1985
I can confirm that this works flawlessly. Happy camper now!
NetworkManager-0.7.0.99-1.fc10,knetworkmanager-0.7-0.8.20080926svn.fc10,NetworkManager-vpnc-0.7.0.99-1.fc10,NetworkManager-openvpn-0.7.0.99-1.fc10,NetworkManager-pptp-0.7.0.99-1.fc10,NetworkManager-openconnect-0.7.0.99-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/NetworkManager-0.7.0.99-1.fc10,knetworkmanager-0.7-0.8.20080926svn.fc10,NetworkManager-vpnc-0.7.0.99-1.fc10,NetworkManager-openvpn-0.7.0.99-1.fc10,NetworkManager-pptp-0.7.0.99-1.fc10,NetworkManager-openconnect-0.7.0.99-1.fc10
NetworkManager-0.7.0.99-1.fc9,NetworkManager-vpnc-0.7.0.99-1.fc9,NetworkManager-openvpn-0.7.0.99-1.fc9,NetworkManager-pptp-0.7.0.99-1.fc9,NetworkManager-openconnect-0.7.0.99-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/NetworkManager-0.7.0.99-1.fc9,NetworkManager-vpnc-0.7.0.99-1.fc9,NetworkManager-openvpn-0.7.0.99-1.fc9,NetworkManager-pptp-0.7.0.99-1.fc9,NetworkManager-openconnect-0.7.0.99-1.fc9
NetworkManager-0.7.0.99-1.fc9, NetworkManager-vpnc-0.7.0.99-1.fc9, NetworkManager-openvpn-0.7.0.99-1.fc9, NetworkManager-pptp-0.7.0.99-1.fc9, NetworkManager-openconnect-0.7.0.99-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
NetworkManager-0.7.0.99-1.fc10, knetworkmanager-0.7-0.8.20080926svn.fc10, NetworkManager-vpnc-0.7.0.99-1.fc10, NetworkManager-openvpn-0.7.0.99-1.fc10, NetworkManager-pptp-0.7.0.99-1.fc10, NetworkManager-openconnect-0.7.0.99-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.