System cannot connect to WPA2-Enterprise PEAP MSCHAPv2

Bug #2084553 reported by Kayl Lev
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
network-manager (Ubuntu) | Confirmed | Undecided | Unassigned |
wpa (Ubuntu) | New | Undecided | Unassigned |

Bug Description

On the last version (24.04) I was able to connect to WPA2-Enterprise PEAP MSCHAPv2, but on the new version I cannot connect to this Wi-Fi (the system tries to connect for about 1 minute, after which the connection crashes and it tries to reconnect).

ProblemType: Bug
DistroRelease: Ubuntu 24.10
Package: network-manager 1.48.8-1ubuntu3
ProcVersionSignature: Ubuntu 6.11.0-8.8-generic 6.11.0
Uname: Linux 6.11.0-8-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.30.0-0ubuntu4
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Tue Oct 15 17:42:12 2024
InstallationDate: Installed on 2024-10-15 (0 days ago)
InstallationMedia: Ubuntu 24.04.1 LTS "Noble Numbat" - Release amd64 (20240827.1)
IpRoute:
 default via 192.168.43.1 dev wlp2s0 proto dhcp src 192.168.43.62 metric 600
 192.168.43.0/24 dev wlp2s0 proto kernel scope link src 192.168.43.62 metric 600
ProcEnviron:
 LANG=ru_RU.UTF-8
 PATH=(custom, no user)
 SHELL=/usr/bin/zsh
 TERM=xterm-256color
 XDG_RUNTIME_DIR=<set>
SourcePackage: network-manager
UpgradeStatus: Upgraded to oracular on 2024-10-15 (0 days ago)
nmcli-dev:
 DEVICE TYPE STATE IP4-CONNECTIVITY IP6-CONNECTIVITY DBUS-PATH CONNECTION CON-UUID CON-PATH
 wlp2s0 wifi connected full limited /org/freedesktop/NetworkManager/Devices/2 kids-tav23 9a1968c5-9b1d-47fd-ad4b-f325150d51e2 /org/freedesktop/NetworkManager/ActiveConnection/7
 lo loopback connected (externally) unknown unknown /org/freedesktop/NetworkManager/Devices/1 lo 11765a9f-e3b9-40c1-907e-3684f055a207 /org/freedesktop/NetworkManager/ActiveConnection/1
 p2p-dev-wlp2s0 wifi-p2p disconnected none none /org/freedesktop/NetworkManager/Devices/3 -- -- --
nmcli-nm:
 RUNNING VERSION STATE STARTUP CONNECTIVITY NETWORKING WIFI-HW WIFI WWAN-HW WWAN METERED
 running 1.48.8 connected started full enabled enabled enabled missing enabled yes (guessed)

Kayl Lev (kailev) wrote :
Kayl Lev (kailev)
Changed in network-manager (Ubuntu):
assignee: nobody → Kayl Lev (kailev)
assignee: Kayl Lev (kailev) → nobody
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
Kayl Lev (kailev)
Changed in network-manager (Ubuntu):
assignee: nobody → Kayl Lev (kailev)
assignee: Kayl Lev (kailev) → nobody
Vivien GUEANT (vivienfr) wrote :

I have the same problem: All my Ubuntu 24.10 PCs are unable to connect to Wi-Fi WPA2 PEAP (by checking the box "no CA certificate is required") and MSCHAPv2 authentication.

The system asks me for the password, as if the one entered was not correct (while it is the right password that is entered).

The same PCs under Ubuntu 24.04 LTS connect without any problem to the same Wi-Fi.

This is clearly a regression of Ubuntu 24.10.

How to retrieve detailed logs to understand the problem?

Vivien.

Kayl Lev (kailev) wrote :

Hi. What do you want me to do? And what can I do to get this problem noticed and fixed somehow?

Vivien GUEANT (vivienfr) wrote :

Hi,

I think it would be necessary to give more details, i.e. logs, so that developers who do not have access to the Wi-Fi network can find the problem. I do not know how to get these logs.

I have two WPA2 PEAP MSCHAPv2 Wi-Fi networks. On one, both Ubuntu 24.04 and Ubuntu 24.10 can connect; on the other, only Ubuntu 24.04 can connect, and Ubuntu 24.10 refuses, as if the password was wrong.

Vivien.

Hugo Roussille (h-roussille1) wrote :

Hi,

I have this issue as well. In my case it appears when connecting to the eduroam network. I attach a log of networkmanager : it appears that my laptop does connect to the network ("supplicant management interface state: associating -> associated"), but then a few milliseconds later, it disconnects ("state: disconnected (was associated, plain property)"). The log is very verbose and I don't really know what causes this disconnection.

Hugo

Vivien GUEANT (vivienfr) wrote :

Could you explain to me how to get the logs?

On my side, the connection takes time, and after 20 seconds, I have the message "Authentication required - A password or encryption key is required to access the wireless network" cf. screenshot below.

However, I know that the authentication elements are correct and work well on the same PC with Ubuntu 24.04.

Vivien GUEANT (vivienfr) wrote :

Regression introduced with Ubuntu 24.10 (ok with Ubuntu 24.04 LTS on the same PC and Wi-Fi network)

Danilo Egea Gondolfo (danilogondolfo) wrote :

This may be related to a WPA security fix present in Oracular. It's related to PEAP authentication, but I'm not really sure if that is the root cause.

This is the upstream fix https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c

And the wpa source package changelog from Oracular:
https://launchpad.net/ubuntu/oracular/+source/wpa/+changelog

Can you get the wpa_supplicant logs with "journalctl -u wpa_supplicant.service" and look for any lines with PEAP authentication errors?

In particular the line below, which is part of the patch:

EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed

tags: added: rls-oo-incoming
Hugo Roussille (h-roussille1) wrote :

Indeed, the wpa_supplicant log is much more interesting:

wlp2s0: SME: Trying to authenticate with 20:9c:b4:d7:9a:f2 (SSID='eduroam' freq=5180 MHz)
wlp2s0: Trying to associate with 20:9c:b4:d7:9a:f2 (SSID='eduroam' freq=5180 MHz)
wlp2s0: Associated with 20:9c:b4:d7:9a:f2
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
wlp2s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=20:9c:b4:d7:9a:f2 reason=1
wlp2s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=1 duration=10 reason=AUTH_FAILED
BSSID 20:9c:b4:d7:9a:f2 ignore list count incremented to 2, ignoring for 10 seconds

This is apparently due to the network requiring authentication using a legacy SSL protocol: https://github.com/openssl/openssl/discussions/22642. This has caused issues in distributions where openssl was updated before: https://bbs.archlinux.org/viewtopic.php?id=286417. I will try to see if the answers proposed in this last link solve the issue.
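Added example (not part of the thread): a small triage filter for the wpa_supplicant journal that tells the two failure signatures discussed above apart, the OpenSSL "unsupported protocol" handshake error and the PEAP Phase 2 check message. The function name, the interface name and the SSIDs in the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify failed EAP attempts in wpa_supplicant log text.
# Real use:  journalctl -u wpa_supplicant.service | classify_eap_log

classify_eap_log() {
    awk '
    # A new EAP exchange resets whatever cause was seen before.
    /CTRL-EVENT-EAP-STARTED/ { cause = "" }

    # OpenSSL refused the TLS version offered by the RADIUS server.
    /SSL_connect error/ && /unsupported protocol/ { cause = "tls-version-mismatch" }

    # Message quoted in the thread from the upstream PEAP security fix.
    /Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed/ {
        cause = "peap-phase2-check"
    }

    # wpa_supplicant backs off from the network: emit one verdict per failure.
    /CTRL-EVENT-SSID-TEMP-DISABLED/ && /reason=AUTH_FAILED/ {
        ssid = "?"
        if (match($0, /ssid="[^"]*"/))
            ssid = substr($0, RSTART + 6, RLENGTH - 7)
        print ssid ": " (cause == "" ? "unclassified" : cause)
        cause = ""
    }'
}

# Constructed sample log: three failed attempts with different causes.
sample_log() {
    cat <<'EOF'
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="example-a" auth_failures=1 duration=10 reason=AUTH_FAILED
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=1 ssid="example-b" auth_failures=1 duration=10 reason=AUTH_FAILED
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=2 ssid="example-c" auth_failures=1 duration=10 reason=AUTH_FAILED
EOF
}

sample_log | classify_eap_log
```

An "unclassified" verdict means neither signature appeared before the back-off, so bad credentials or another cause remain possible.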

Danilo Egea Gondolfo (danilogondolfo) wrote :

Interesting. According to the discussion [1], it seems to be "fixable" by changing the OpenSSL configuration to enable older (and insecure) protocols. Note this is not ideal and might break again in the future.

[1] - https://bbs.archlinux.org/viewtopic.php?pid=2104492#p2104492

Hugo Roussille (h-roussille1) wrote :

I have found a way to fix the issue, using this: https://discourse.gnome.org/t/wifi-connections-with-unsupported-tls-protocols-should-be-handled-better/17540. It is sufficient to allow TLS 1.0 and 1.1 connections for the specific wifi network, in my case 'eduroam'.

Here are the specific steps:
nmcli con edit 'eduroam'
set 802-1x.phase1-auth-flags
tls-1-0-enable, tls-1-1-enable, tls-1-2-enable, tls-1-3-enable
save

Then the connection works... but I advise contacting the people in charge of the network to upgrade their security to TLS 1.2 ;)
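Added example (not part of the thread): since the workaround above re-enables TLS 1.0 and 1.1 per connection, this filter reports NetworkManager keyfile profiles that still carry those flags, so the exception can be removed once the network is upgraded. It assumes the keyfile stores `phase1-auth-flags` as a decimal integer and uses the NMSetting8021xAuthFlags bit values 0x20 (tls-1-0-enable) and 0x40 (tls-1-1-enable); the function name and the sample profile are constructed.

```shell
#!/bin/sh
# Added example: flag 802.1X profiles that explicitly enable legacy TLS.
# Real use (as root), one keyfile per call:
#   for f in /etc/NetworkManager/system-connections/*.nmconnection; do
#       audit_keyfile < "$f"
#   done

audit_keyfile() {   # stdin: contents of one .nmconnection keyfile
    awk -F= '
    # Track the current [section] header.
    /^\[/ { section = $0 }

    section == "[connection]" && $1 == "id" { id = $2 }

    # Assumption: the value is written as a decimal integer bitmask.
    section == "[802-1x]" && $1 == "phase1-auth-flags" { flags = $2 + 0 }

    END {
        legacy = ""
        if (int(flags / 32) % 2) legacy = legacy " tls-1-0-enable"   # 0x20
        if (int(flags / 64) % 2) legacy = legacy " tls-1-1-enable"   # 0x40
        if (legacy != "") print id ":" legacy
    }'
}

# Constructed sample profile with all four enable flags set
# (0x20 + 0x40 + 0x80 + 0x100 = 480), as in the steps above.
sample_keyfile() {
    cat <<'EOF'
[connection]
id=example-net
type=wifi

[802-1x]
eap=peap;
identity=user@example.org
phase1-auth-flags=480
phase2-auth=mschapv2
EOF
}

sample_keyfile | audit_keyfile
```

A profile that only enables TLS 1.2 and 1.3, or has no `phase1-auth-flags` key, produces no output.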

Vivien GUEANT (vivienfr) wrote :

Here are the logs on my side; it's similar to Hugo's. (The reason for the disconnection is however different: "CTRL-EVENT-DISCONNECTED bssid=20:9c:b4:d7:9a:f2 reason=1" for Hugo and "CTRL-EVENT-DISCONNECTED bssid=20:9c:b4:a5:b8:62 reason=23" for me.)

wlp3s0: SME: Trying to authenticate with 20:9c:b4:a5:b8:62 (SSID='Internet-y' freq=2462 MHz)
wlp3s0: Trying to associate with 20:9c:b4:a5:b8:62 (SSID='Internet-y' freq=2462 MHz)
wlp3s0: Associated with 20:9c:b4:a5:b8:62
wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp3s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
wlp3s0: CTRL-EVENT-DISCONNECTED bssid=20:9c:b4:a5:b8:62 reason=23
wlp3s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="Internet-y" auth_failures=1 duration=10 reason=AUTH_FAILED
BSSID 20:9c:b4:a5:b8:62 ignore list count incremented to 2, ignoring for 10 seconds

Juhyung Park (arter97) wrote :

Can confirm #12 fixes this as well for our Uni's eduroam Wi-Fi.

Our institute literally had revised the entire Wi-Fi infrastructure last week with Wi-Fi 6E support with latest APs.

It's weird that I need to somehow whitelist TLSv1.0. Maybe it's just negotiating the wrong TLS protocol?

Either way, judging from how our recent infra overhaul still needs this workaround, I think this is a client software-side issue, and IMHO this is not reported well enough just because this isn't in the LTS branch yet.

Hope someone can find a clean solution..

Vivien GUEANT (vivienfr) wrote :

Juhyung Park : This is a configuration problem with the Network Controller that manages the access points. You must request the change from the system administrator.

The different operating system publishers (Microsoft, Apple, Google, Canonical) should agree to turn off TLS 1.0 in Wi-Fi authentication on the same date, just as TLS 1.0 was removed from web browsers on a common date.

It is dangerous for Ubuntu and Fedora to go it alone (the problem has been the same with Fedora for several versions).
