Ubuntu

Grayed out "Connect" button when using WPA2 Entreprise+TLS authentication

Reported by Dokterdok on 2008-10-28
56
This bug affects 9 people
Affects Status Importance Assigned to Milestone
network-manager (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: network-manager

Ubuntu version: Ubuntu 8.10 Release Candidate (live CD) - ubuntu-8.10-rc-desktop-i386.iso
My hardware: Thinkpad T60p with an Atheros wireless Mini-PCI express card (AR5BXB6 chipset == AR5006EX).

What happened: I launched Ubuntu from the live CD and tried connecting to the wireless network of my university, by selecting the corresponding SSID through the Network Manager. My university uses a TLS EAP ("WPA 2 Entreprise") and .pem certificates. I filled out all the forms, and selected the correct certificates that were stored on my hard-drive (I have checked them with the "openssl verify ­CAfile ca-x.pem cl-x.pem" command).
The "Connect" button remained grayed out, clicking on it didn't work.

What I expected: That the connect button was not grayed out after I completed the fields. Or at least that there is a tip that indicates why the button is grayed out, and why it won't even try to connect.

Reproducing with the terminal (output):
---------------------------------------------------
ubuntu@ubuntu:~$ killall nm-applet; nm-applet

** (nm-applet:8440): WARNING **: No connections defined

** (nm-applet:8440): WARNING **: Invalid connection: 'NMSetting8021x' / 'identity' invalid: 2

** (nm-applet:8440): WARNING **: <WARN> applet_menu_item_activate_helper(): Invalid connection; asking for more information.

** (nm-applet:8440): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:8440): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:8440): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:8440): CRITICAL **: convert_iv: assertion `src != NULL' failed
---------------------------------------------------

The Invalid connection and <WARN> "WARNING" messages appear when I click on my university's SSID in the network manager.
The "CRITICAL" messages appear when I type in the four letters of my Private key password.
The normal user and sudo user outputs look similar.

@Alexander Sack:
> ** (nm-applet:8391): WARNING **: No connections defined
 --> This appears right after nm-applet is started

>** (nm-applet:8391): WARNING **: Invalid connection: 'NMSetting8021x' /
> 'identity' invalid: 2
>
>** (nm-applet:8391): WARNING **: <WARN> applet_menu_item_activate_helper(): Invalid connection; asking for more information.
--> These two warnings appear right after I click on my university's wireless SSID (from the drop down list of the nm-applet icon on the top bar). When I click on my university's wireless SSID there's a window that appears : "Authentication required by wireless network". That's where I enter my details: and I leave no whitespaces, no blank fields. My identity is my e-mail address, and my private key password is made of numbers only (if that helps).
 I suppose you mean that the connect attempt is made when I click on my university's wireless SSID, as I can't ever click on the connect button when the Authentication is TLS.

#update (29.10.2008): added terminal output, corrected university's wireless encryption (WPA Entreprise -> WPA2 Entreprise), added tags
#update2 (29.10.2008): changed sudo output --> regular user output
#update3 (29.10.2008): added response to Alexander Sack's comment

Alexander Sack (asac) wrote :

could you please killall nm-applet, start nm-applet from a terminal and report the output you get when reproducing?

Changed in network-manager:
status: New → Incomplete
Dokterdok (dokterdok) on 2008-10-29
description: updated
description: updated
Dokterdok (dokterdok) on 2008-10-29
description: updated

On Wed, Oct 29, 2008 at 10:32:00AM -0000, Dokterdok wrote:
> +
> + ubuntu@ubuntu:~$ killall nm-applet
> + ubuntu@ubuntu:~$ sudo /usr/bin/nm-applet start

Please dont start the applet as "root". just start it as user should
be enough:

 killall nm-applet; nm-applet

> + ** (nm-applet:8391): WARNING **: No connections defined
> +
> + ** (nm-applet:8391): WARNING **: Invalid connection: 'NMSetting8021x' /
> + 'identity' invalid: 2
> +
> + ** (nm-applet:8391): WARNING **: <WARN>
> + applet_menu_item_activate_helper(): Invalid connection; asking for more
> + information.

is the output above _before_ the connect attempt and the output below
when entering new info?

Also NM applet might be a bit picky. have you ensured that everything
is filled out properly and no whitespaces and such?

 - Alexander

Dokterdok (dokterdok) on 2008-10-29
description: updated
Dokterdok (dokterdok) on 2008-10-29
description: updated
Dokterdok (dokterdok) wrote :

I tried Ubuntu 8.10 final at home today. The "connect" button was grayed out as well when I created a hidden wireless network with my university's settings (same as in bug description). Here's the output:

ubuntu@ubuntu:~$ killall nm-applet; nm-applet

** (nm-applet:8451): WARNING **: No connections defined

** (nm-applet:8451): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:8451): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:8451): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:8451): CRITICAL **: convert_iv: assertion `src != NULL' failed

Alexander Sack (asac) wrote :

does "hidden" matter here?

Dokterdok (dokterdok) wrote :

I guess not. The difference here is that I added this connection while being at home (I didn't chose any "available wireless network" from the nm menu), but still get that grayed out connect button. I will try Ubuntu 8.10 final (live cd) at my university tomorrow and compare the outputs with those of the RC.

Michael Sparmann (theseven) wrote :

Same issue here. When I try to connect to a WPA2 TLS network, the "OK" button in the form asking me for the certificates is grayed out no matter what I do.
nm-applet says the following:
** (nm-applet:11940): WARNING **: Invalid connection: 'NMSettingWireless' / 'ssid' invalid: 2
<repeated 13 times>

** (nm-applet:11940): WARNING **: Invalid connection: 'NMSetting8021x' / 'identity' invalid: 2

** (nm-applet:11940): WARNING **: <WARN> applet_menu_item_activate_helper(): Invalid connection; asking for more information.
<connection attempt, asking me for certificates>

** (nm-applet:11940): CRITICAL **: convert_iv: assertion `src != NULL' failed
<one for every character I type into the passphrase field>

The certificates I used to try this didn't even have their private keys encrypted, I didn't need a passphrase on hardy at all.
On hardy, everything worked flawlessly.

Any further things I can try to help debug this issue?

Dokterdok (dokterdok) wrote :

I reproduced the bug at my university with Ubuntu 8.10 (live cd) and the output looks similar to the RC.I also attached a copy of my syslog, after I reproduced the bug twice. I hope this helps.

ubuntu@ubuntu:~$ killall nm-applet; nm-applet

** (nm-applet:9811): WARNING **: No connections defined

** (nm-applet:9811): WARNING **: Invalid connection: 'NMSetting8021x' / 'identity' invalid: 2

** (nm-applet:9811): WARNING **: <WARN> applet_menu_item_activate_helper(): Invalid connection; asking for more information.

** (nm-applet:9811): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:9811): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:9811): CRITICAL **: convert_iv: assertion `src != NULL' failed

** (nm-applet:9811): CRITICAL **: convert_iv: assertion `src != NULL' failed

Changed in network-manager:
status: Incomplete → Confirmed
mxyzptlk (mxyzptlk) wrote :

This sounds just like bug #291242. It's also been looked over at the gnome bugzilla page (http://bugzilla.gnome.org/show_bug.cgi?id=558982), although their fix leaves me a little baffled. Basically, at bugzilla they claim that you now need to make DER instead of PEM files. I've done that, and still have the grayed-out problem, although I have no idea if I've made my DER files correctly. At least one person over there claims its working.

Kai-Uwe Widany (kwidany) wrote :

I have solved this problem for me by using a private keyfile with a password associated to it which I didn't have before. Now the button isn't grayed out and I'm able to successfully establish a connection. Maybe this is helpful for others, too.

Alexander Sack (asac) wrote :

On Wed, Oct 29, 2008 at 10:41:18AM -0000, Dokterdok wrote:
> The "Connect" button remained grayed out, clicking on it didn't work.

What is the "Connect" button?

 - Alexander

Michael Sparmann (theseven) wrote :

When trying to connect to a not yet configured network, NM asks for the certificates etc.
In the bottom right corner of the Window is the confirmation button, which will save the information provided and try to connect to the network, in German it's called "Verbinden", so "Connect" is a guess.

jasonwc (jwittlincohen) wrote :

I can confirm that encrypting the key fixes the problem. It doesn't matter whether the certificates/key are in PEM or DER format. If the key is encrypted, and the correct password is inputted, the connect button lights up and becomes usable.

However, that doesn't fix the fact that network-manager is largely useless for 802.1x. With PEAPv0/MSCHAPv2 I was able to connect about 50% of the time. The rest of the time, the freeradius debug log showed that no attempt was even made to connect. With EAP-TLS, I see the same behavior, but even when the freeradius log shows a successful connection, network manager refuses to connect and doesn't output any errors!

I am able to connect 100% of the time with either the Windows XP supplicant or Juniper's Odyssey Access client. This is clearly a network-manager issue. Hopefully, wpa-supplicant will be more reliable.

On Wed, Dec 10, 2008 at 02:25:49AM -0000, jasonwc wrote:
> I can confirm that encrypting the key fixes the problem. It doesn't
> matter whether the certificates/key are in PEM or DER format. If the key
> is encrypted, and the correct password is inputted, the connect button
> lights up and becomes usable.
>
> However, that doesn't fix the fact that network-manager is largely
> useless for 802.1x. With PEAPv0/MSCHAPv2 I was able to connect about 50%
> of the time. The rest of the time, the freeradius debug log showed that
> no attempt was even made to connect. With EAP-TLS, I see the same
> behavior, but even when the freeradius log shows a successful
> connection, network manager refuses to connect and doesn't output any
> errors!
>
> I am able to connect 100% of the time with either the Windows XP
> supplicant or Juniper's Odyssey Access client. This is clearly a
> network-manager issue. Hopefully, wpa-supplicant will be more reliable.
>

WPA-TLS is fixed in final 0.7 ... will take a bit until this lands as
a backport in intrepid though.

 - Alexander

jasonwc wrote:
> I can confirm that encrypting the key fixes the problem. It doesn't
> matter whether the certificates/key are in PEM or DER format. If the key
> is encrypted, and the correct password is inputted, the connect button
> lights up and becomes usable.
>
>
I think this is the more concrete bug 283635

Thomas Hood (jdthood) wrote :

Hi all. Does this problem still exist in Ubuntu 12.04?

Changed in network-manager (Ubuntu):
status: Confirmed → Incomplete
Andrew Schein (ato2g-andrew) wrote :

I am seeing the greyed out connect button on 12.04. In my case I believe my key is encrypted (it says "BEGIN ENCRYPTED PRIVATE KEY"). So, this is likely a different problem.

Changed in network-manager (Ubuntu):
status: Incomplete → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.