Bug 614359 - NetworkManager should notice AP password change
Summary: NetworkManager should notice AP password change
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: NetworkManager   
(Show other bugs)
Version: 6.0
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Dan Williams
QA Contact: desktop-bugs@redhat.com
Depends On:
TreeView+ depends on / blocked
Reported: 2010-07-14 09:10 UTC by Vladimir Benes
Modified: 2010-08-02 17:39 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-08-02 17:39:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Vladimir Benes 2010-07-14 09:10:37 UTC
Description of problem:
when ap password is changed nm doesn't recognize it and have to be reconnected manually. This should be handled automatically

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.connect to encrypted wifi
2.change password at the ap side
3.browse internet
Actual results:
network is now working and no message shown

Expected results:
nm should recognize change and it should ask for new password 

Additional info:
6.1 is probably better target

Comment 1 Dan Williams 2010-07-14 14:36:39 UTC
When you change the password on the AP side, does the AP reboot?  Can you grab mark the place in 'dmesg' output right before you change the password, then change it, and then provide the subsequent 'dmesg' output from that machine?

The issue here is that we need to verify that when you change the AP password that it disconnects wifi clients, or that wifi clients are required to rekey with the new password.

That *should* look like the AP disconnected you, and NM should try to reconnect.  If you're using WPA, then NM should ask for a new password, otherwise the connection might simply fail if you're using WEP since it's not really possible to detect changed password with WEP until DHCP times out.

Also, if you could get some wpa_supplicant -dddt debug logs and perhaps mark the time when you hit "OK" on the AP's admin interface that would be great too.


Comment 2 Vladimir Benes 2010-07-14 14:45:40 UTC
will try both WEP and WPA .. but I used WEP for original testing. So you are saying that there is no way to determine that AP is not alive in that case? There should be some beacons or similar synchronization communication between ap and client. Can this be used?

will attach logs when I get back home

Comment 3 Vladimir Benes 2010-07-15 11:58:16 UTC
WEP used via MSI RG60 wireless router

# vvv this happened after I disconnected ap's power supply which was recognized
No probe response from AP 00:13:d3:7f:54:cf after 500ms, disconnecting.

Registered led device: iwl-phy0::radio
Registered led device: iwl-phy0::assoc
Registered led device: iwl-phy0::RX
Registered led device: iwl-phy0::TX
ADDRCONF(NETDEV_UP): wlan0: link is not ready
wlan0: deauthenticating from 00:13:d3:7f:54:cf by local choice (reason=3)

# vvv new authentication here after reconnecting power supply
wlan0: direct probe to AP 00:13:d3:7f:54:cf (try 1)
wlan0: direct probe responded
wlan0: authenticate with AP 00:13:d3:7f:54:cf (try 1)
wlan0: authenticated
wlan0: associate with AP 00:13:d3:7f:54:cf (try 1)
wlan0: RX AssocResp from 00:13:d3:7f:54:cf (capab=0x431 status=0 aid=1)
wlan0: associated
ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
wlan0: no IPv6 routers present

# somewhere here was password changed and ap rebooted

# vvv ethernet connected
e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None

no other changes in about 5 more minutes ..

Comment 4 Vladimir Benes 2010-07-15 12:12:13 UTC
and with WPA it works well.. 

it asks after a while for new password.

isn't there a way how to recognize that ap went down?

maybe something like that? vvv
No probe response from AP 00:13:d3:7f:54:cf after 500ms, disconnecting.

Comment 6 Dan Williams 2010-07-27 19:23:04 UTC
It works well with WPA because the AP and the client rekey periodically, and that rekey will fail, prompting for the new password.

With WEP, there is no rekeying, and thus the only way you know of the password change is if (a) the AP kicks everyone off when changing the key, which doesn't seem to be happening here, or (b) your DHCP renew times out.

That's a limitation of WEP.  So if NM doesn't ask for a password after DHCP times out the renew, then there's a bug here somewhere.  But there's no way to tell about the wrong password if you change the key on the AP in the middle of the lease.

That of course means that static IP configurations with WEP will *never* figure out the password changed until they reconnect.

The "No probe response" doesn't mean that the key changed; it means the AP isn't responding to probe requests.  That doesn't actually have anything to do with encryption since the management frames (which probe requests are a class of) are not encrypted.  If the stack can't probe the AP, then it should be sending a disconnect event  to wpa_supplicant, which will try to reconnect to the AP automatically.  But with WEP, that reconnection *does not* require the WEP key to be correct.  So if you have a valid DHCP lease already, and wpa_supplicant is able to reassociate to the AP within NM's timeout period, then you may be trying to talk to the AP with an invalid key.  That's just a limitation of WEP.

If you use WEP Shared Key authentication on the AP then we can detect an invalid WEP key at association/reassociation time, but Shared Key is actually less secure than Open System and thus shouldn't be used.  WEP is just screwed here.

So with all that in mind, should we close this bug and open a new bug if NM doesn't ask for the password when DHCP fails to renew?

Comment 7 Christopher Aillon 2010-08-02 17:39:17 UTC
Yeah, as reported, this is not a bug in NetworkManager, but a limitation of WEP.  So, I'm closing this, but if NetworkManager does not ask for a password when renewing a DHCP lease after changes occur, then please open a separate bug.

Note You need to log in before you can comment on or make changes to this bug.