netplan NM plugin generates broken connection for WPA-Enterprise PEAP

This sounds like a duplicate of bug #2039825

Also see this PR for a more complete solution: https://github.com/canonical/netplan/pull/416

Thanks, I did search the bug list and saw that bug, but while close, it doesn't seem to be the exact bug. The description reads:

"When a Network Manager connection that uses EAP for authentication is created, libnetplan's keyfile parser
(the code that loads Network Manager's keyfile into Netplan state), will end up generating a broken
configuration when the EAP method is not supported.

The key phrase being "when the EAP method is not supported". I also look over the first patch (which has been merged) and it just seens to add support for two new methods, LEAP (lightweight EAP) and PWD (EAP Password).

https://github.com/canonical/netplan/pull/415/files

The second patchset seems primarily to address the fact that psk and eap password should be useable together. That said, if you feel strongly that it will address my bug, I can try to build and test it?

It seems to actually be a duplicate of this bug #2016625

It was fixed in this PR https://github.com/canonical/netplan/pull/358

But apparently it didn't make it to Jammy.

This seems to work for me (partly) on Noble in LXD, using NetworkManager from the archive.

root@nn-eap:~# dpkg -l | grep network-manager
ii network-manager 1.44.2-1ubuntu2
root@nn-eap:~# dpkg -l | grep netplan.io
ii netplan.io 0.107-5ubuntu1

Note the change in the "nmcli" command about "802-1x.system-certificate" and "wifi-sec.auth", which seem invalid.

I say "partly", because I'm not sure if the "system-ca-certificate" setting is correctly handled. The "peap" method seems to be handled OK, though.

root@nn-eap:~# nmcli con add type wifi con-name "mywifi" ifname "wlp4s0" ssid "mywifi" wifi-sec.auth-alg open wifi-sec.key-mgmt wpa-eap 802-1x.eap peap 802-1x.identity "myid" 802-1x.password "mypassword" 802-1x.phase2-auth mschapv2 802-1x.system-ca-certs no
Connection 'mywifi' (eb3b9787-d66b-42ef-95c6-7eaebaf7da50) successfully added.
root@nn-eap:~# cat /etc/netplan/90-NM-eb3b9787-d66b-42ef-95c6-7eaebaf7da50.yaml
network:
  version: 2
  wifis:
    NM-eb3b9787-d66b-42ef-95c6-7eaebaf7da50:
      renderer: NetworkManager
      match:
        name: "wlp4s0"
      dhcp4: true
      dhcp6: true
      access-points:
        "mywifi":
          auth:
            key-management: "eap"
            method: "peap"
            identity: "myid"
            phase2-auth: "mschapv2"
            password: "mypassword"
          networkmanager:
            uuid: "eb3b9787-d66b-42ef-95c6-7eaebaf7da50"
            name: "mywifi"
            passthrough:
              wifi-security.auth-alg: "open"
              ipv6.addr-gen-mode: "default"
              ipv6.ip6-privacy: "-1"
              proxy._: ""
      networkmanager:
        uuid: "eb3b9787-d66b-42ef-95c6-7eaebaf7da50"
        name: "mywifi"

Actually, when changing "system-ca-certs" to "yes" (non-default value), it shows up:

networkmanager:
  passthrough:
    802-1x.system-ca-certs: "true"

Thanks @danilogondolfo, that indeed looks like it's the same bug!

@danilogondolfo @slyon

Actually it does look like it made it into Jammy, I checked and the debian/changelog for 0.106.1-7ubuntu0.22.04.1 lists the commit as back-ported.

The reason it fails for me is that the core22 snap hasn't had a netplan update in quite some time, and still includes version 0.105+really0.104-0ubuntu2.1.

We discussed this during our system-snaps meeting earlier today, and according to Alfonso, updating netplan in core20 and core22 is in currently in progress.

FYI, I re-tested my original scenario on Desktop 22.04 after refreshing the core22 snap (version: 20231123 / revision: 1033) from the beta channel, and I was able to successfully create a WPA2 Enterprise PEAP connection.