Grayed out "Connect" button when using WPA2 Entreprise+TLS authentication

Bug #290285 reported by Dokterdok
64
This bug affects 11 people
Affects Status Importance Assigned to Milestone
network-manager (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Binary package hint: network-manager

Ubuntu version: Ubuntu 8.10 Release Candidate (live CD) - ubuntu-8.10-rc-desktop-i386.iso
My hardware: Thinkpad T60p with an Atheros wireless Mini-PCI express card (AR5BXB6 chipset == AR5006EX).

What happened: I launched Ubuntu from the live CD and tried connecting to the wireless network of my university, by selecting the corresponding SSID through the Network Manager. My university uses a TLS EAP ("WPA 2 Entreprise") and .pem certificates. I filled out all the forms, and selected the correct certificates that were stored on my hard-drive (I have checked them with the "openssl verify ­CAfile ca-x.pem cl-x.pem" command).
The "Connect" button remained grayed out, clicking on it didn't work.

What I expected: That the connect button was not grayed out after I completed the fields. Or at least that there is a tip that indicates why the button is grayed out, and why it won't even try to connect.

Reproducing with the terminal (output):
---------------------------------------------------
ubuntu@ubuntu:~$ killall nm-applet; nm-applet

** (nm-applet:8440): WARNING **: No connections defined

** (nm-applet:8440): WARNING **: Invalid connection: 'NMSetting8021x' / 'identity' invalid: 2

** (nm-applet:8440): WARNING **: <WARN> applet_menu_item_activate_helper(): Invalid connection; asking for more information.

** (nm-applet:8440): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:8440): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:8440): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:8440): CRITICAL **: convert_iv: assertion `src != NULL' failed
---------------------------------------------------

The Invalid connection and <WARN> "WARNING" messages appear when I click on my university's SSID in the network manager.
The "CRITICAL" messages appear when I type in the four letters of my Private key password.
The normal user and sudo user outputs look similar.

@Alexander Sack:
> ** (nm-applet:8391): WARNING **: No connections defined
 --> This appears right after nm-applet is started

>** (nm-applet:8391): WARNING **: Invalid connection: 'NMSetting8021x' /
> 'identity' invalid: 2
>
>** (nm-applet:8391): WARNING **: <WARN> applet_menu_item_activate_helper(): Invalid connection; asking for more information.
--> These two warnings appear right after I click on my university's wireless SSID (from the drop down list of the nm-applet icon on the top bar). When I click on my university's wireless SSID there's a window that appears : "Authentication required by wireless network". That's where I enter my details: and I leave no whitespaces, no blank fields. My identity is my e-mail address, and my private key password is made of numbers only (if that helps).
 I suppose you mean that the connect attempt is made when I click on my university's wireless SSID, as I can't ever click on the connect button when the Authentication is TLS.

#update (29.10.2008): added terminal output, corrected university's wireless encryption (WPA Entreprise -> WPA2 Entreprise), added tags
#update2 (29.10.2008): changed sudo output --> regular user output
#update3 (29.10.2008): added response to Alexander Sack's comment

Revision history for this message
Alexander Sack (asac) wrote :

could you please killall nm-applet, start nm-applet from a terminal and report the output you get when reproducing?

Changed in network-manager:
status: New → Incomplete
Dokterdok (dokterdok)
description: updated
description: updated
Dokterdok (dokterdok)
description: updated
Revision history for this message
Alexander Sack (asac) wrote : Re: [Bug 290285] Re: Grayed out "Connect" button when using WPA Entreprise+TLS authentification

On Wed, Oct 29, 2008 at 10:32:00AM -0000, Dokterdok wrote:
> +
> + ubuntu@ubuntu:~$ killall nm-applet
> + ubuntu@ubuntu:~$ sudo /usr/bin/nm-applet start

Please dont start the applet as "root". just start it as user should
be enough:

 killall nm-applet; nm-applet

> + ** (nm-applet:8391): WARNING **: No connections defined
> +
> + ** (nm-applet:8391): WARNING **: Invalid connection: 'NMSetting8021x' /
> + 'identity' invalid: 2
> +
> + ** (nm-applet:8391): WARNING **: <WARN>
> + applet_menu_item_activate_helper(): Invalid connection; asking for more
> + information.

is the output above _before_ the connect attempt and the output below
when entering new info?

Also NM applet might be a bit picky. have you ensured that everything
is filled out properly and no whitespaces and such?

 - Alexander

Dokterdok (dokterdok)
description: updated
Dokterdok (dokterdok)
description: updated
Revision history for this message
Dokterdok (dokterdok) wrote :

I tried Ubuntu 8.10 final at home today. The "connect" button was grayed out as well when I created a hidden wireless network with my university's settings (same as in bug description). Here's the output:

ubuntu@ubuntu:~$ killall nm-applet; nm-applet

** (nm-applet:8451): WARNING **: No connections defined

** (nm-applet:8451): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:8451): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:8451): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:8451): CRITICAL **: convert_iv: assertion `src != NULL' failed

Revision history for this message
Alexander Sack (asac) wrote :

does "hidden" matter here?

Revision history for this message
Dokterdok (dokterdok) wrote :

I guess not. The difference here is that I added this connection while being at home (I didn't chose any "available wireless network" from the nm menu), but still get that grayed out connect button. I will try Ubuntu 8.10 final (live cd) at my university tomorrow and compare the outputs with those of the RC.

Revision history for this message
Michael Sparmann (theseven) wrote :

Same issue here. When I try to connect to a WPA2 TLS network, the "OK" button in the form asking me for the certificates is grayed out no matter what I do.
nm-applet says the following:
** (nm-applet:11940): WARNING **: Invalid connection: 'NMSettingWireless' / 'ssid' invalid: 2
<repeated 13 times>

** (nm-applet:11940): WARNING **: Invalid connection: 'NMSetting8021x' / 'identity' invalid: 2

** (nm-applet:11940): WARNING **: <WARN> applet_menu_item_activate_helper(): Invalid connection; asking for more information.
<connection attempt, asking me for certificates>

** (nm-applet:11940): CRITICAL **: convert_iv: assertion `src != NULL' failed
<one for every character I type into the passphrase field>

The certificates I used to try this didn't even have their private keys encrypted, I didn't need a passphrase on hardy at all.
On hardy, everything worked flawlessly.

Any further things I can try to help debug this issue?

Revision history for this message
Dokterdok (dokterdok) wrote :

I reproduced the bug at my university with Ubuntu 8.10 (live cd) and the output looks similar to the RC.I also attached a copy of my syslog, after I reproduced the bug twice. I hope this helps.

ubuntu@ubuntu:~$ killall nm-applet; nm-applet

** (nm-applet:9811): WARNING **: No connections defined

** (nm-applet:9811): WARNING **: Invalid connection: 'NMSetting8021x' / 'identity' invalid: 2

** (nm-applet:9811): WARNING **: <WARN> applet_menu_item_activate_helper(): Invalid connection; asking for more information.

** (nm-applet:9811): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:9811): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:9811): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:9811): CRITICAL **: convert_iv: assertion `src != NULL' failed

Changed in network-manager:
status: Incomplete → Confirmed
Revision history for this message
mxyzptlk (mxyzptlk) wrote :

This sounds just like bug #291242. It's also been looked over at the gnome bugzilla page (http://bugzilla.gnome.org/show_bug.cgi?id=558982), although their fix leaves me a little baffled. Basically, at bugzilla they claim that you now need to make DER instead of PEM files. I've done that, and still have the grayed-out problem, although I have no idea if I've made my DER files correctly. At least one person over there claims its working.

Revision history for this message
Kai-Uwe Widany (kwidany) wrote :

I have solved this problem for me by using a private keyfile with a password associated to it which I didn't have before. Now the button isn't grayed out and I'm able to successfully establish a connection. Maybe this is helpful for others, too.

Revision history for this message
Alexander Sack (asac) wrote :

On Wed, Oct 29, 2008 at 10:41:18AM -0000, Dokterdok wrote:
> The "Connect" button remained grayed out, clicking on it didn't work.

What is the "Connect" button?

 - Alexander

Revision history for this message
Michael Sparmann (theseven) wrote :

When trying to connect to a not yet configured network, NM asks for the certificates etc.
In the bottom right corner of the Window is the confirmation button, which will save the information provided and try to connect to the network, in German it's called "Verbinden", so "Connect" is a guess.

Revision history for this message
jasonwc (jwittlincohen) wrote :

I can confirm that encrypting the key fixes the problem. It doesn't matter whether the certificates/key are in PEM or DER format. If the key is encrypted, and the correct password is inputted, the connect button lights up and becomes usable.

However, that doesn't fix the fact that network-manager is largely useless for 802.1x. With PEAPv0/MSCHAPv2 I was able to connect about 50% of the time. The rest of the time, the freeradius debug log showed that no attempt was even made to connect. With EAP-TLS, I see the same behavior, but even when the freeradius log shows a successful connection, network manager refuses to connect and doesn't output any errors!

I am able to connect 100% of the time with either the Windows XP supplicant or Juniper's Odyssey Access client. This is clearly a network-manager issue. Hopefully, wpa-supplicant will be more reliable.

Revision history for this message
Alexander Sack (asac) wrote : Re: [Bug 290285] Re: Grayed out "Connect" button when using WPA2 Entreprise+TLS authentication

On Wed, Dec 10, 2008 at 02:25:49AM -0000, jasonwc wrote:
> I can confirm that encrypting the key fixes the problem. It doesn't
> matter whether the certificates/key are in PEM or DER format. If the key
> is encrypted, and the correct password is inputted, the connect button
> lights up and becomes usable.
>
> However, that doesn't fix the fact that network-manager is largely
> useless for 802.1x. With PEAPv0/MSCHAPv2 I was able to connect about 50%
> of the time. The rest of the time, the freeradius debug log showed that
> no attempt was even made to connect. With EAP-TLS, I see the same
> behavior, but even when the freeradius log shows a successful
> connection, network manager refuses to connect and doesn't output any
> errors!
>
> I am able to connect 100% of the time with either the Windows XP
> supplicant or Juniper's Odyssey Access client. This is clearly a
> network-manager issue. Hopefully, wpa-supplicant will be more reliable.
>

WPA-TLS is fixed in final 0.7 ... will take a bit until this lands as
a backport in intrepid though.

 - Alexander

Revision history for this message
Alexander Sack (asac) wrote : Re: [Bug 290285] Re: Grayed out "Connect" button when using WPA2 Entreprise+TLS authentication

jasonwc wrote:
> I can confirm that encrypting the key fixes the problem. It doesn't
> matter whether the certificates/key are in PEM or DER format. If the key
> is encrypted, and the correct password is inputted, the connect button
> lights up and becomes usable.
>
>
I think this is the more concrete bug 283635

Revision history for this message
Thomas Hood (jdthood) wrote :

Hi all. Does this problem still exist in Ubuntu 12.04?

Changed in network-manager (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Andrew Schein (ato2g-andrew) wrote :

I am seeing the greyed out connect button on 12.04. In my case I believe my key is encrypted (it says "BEGIN ENCRYPTED PRIVATE KEY"). So, this is likely a different problem.

Changed in network-manager (Ubuntu):
status: Incomplete → Confirmed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.