Unable to connect to WPA enterprise wireless

Reported by rmcd on 2012-03-30
This bug affects 69 people
Affects | Status | Importance | Assigned to | Milestone
OEM Priority Project | | High | James M. Leddy |
  Precise | | High | Unassigned |
OpenSSL | New | Unknown | |
wpa_supplicant | In Progress | Medium | |
openssl (Debian) | Confirmed | Unknown | |
openssl (Fedora) | New | Undecided | Unassigned |
openssl (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
wpa (Ubuntu) | | Medium | Unassigned |
  Precise | | Undecided | Unassigned |
wpasupplicant (Fedora) | Unknown | Unknown | |
wpasupplicant (Ubuntu) | | High | Mathieu Trudel-Lapierre |
  Precise | | High | Mathieu Trudel-Lapierre |

Bug Description

[Impact]
Breaks 802.1x (PEAP) authentication for wireless networks using specific authentication servers and/or AP hardware. Aruba network devices specifically are known to be affected; they are a popular device type used in enterprises to secure wireless networks.

[Test Case]
This issue is hardware specific and may or may not be limited to Aruba authentication servers.
1) Attempt to connect / authenticate to a wireless, 802.1x network requiring Protected EAP (or possibly other auth mechanisms).
2) (optionally) Watch SSL traffic between the station and authentication server using wireshark/tcpdump, looking for auth failures and the extensions passed.

[Regression Potential]
Since this changes the SSL extensions and options used to connect to 802.1x wireless networks, some networks specifically configured to request or make use of the session ticket extension could become impossible to authenticate to, up to the point where multiple connection failures could lock the accounts used in highly-restricted networks. Also, there is a potential (again, due to the change in SSL options) for other networks (using specific AP hardware) that don't support the extensions used to fail authentication.

---

Using identical settings as in 11.10, I am unable to make a wpa enterprise connection using xubuntu precise beta 2. This is a Lenovo X220 with a Centrino Advanced-N 6205 wireless interface. During the attempted logon, I am not presented with a certificate to approve, although wireless instructions for OSX suggest that I should be. However, I never had to approve a certificate when connecting with 11.10 -- I just ignored the certificate screen and everything worked.

This seems like the relevant excerpt from syslog:

Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: Trying to associate with 00:11:92:3e:79:80 (SSID='Northwestern' freq=2462 MHz)
Mar 30 10:39:01 fin8344m2 NetworkManager[848]: <info> (wlan0): supplicant interface state: scanning -> associating
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.940422] wlan0: authenticated
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.940974] wlan0: associate with 00:11:92:3e:79:80 (try 1)
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.943165] wlan0: RX ReassocResp from 00:11:92:3e:79:80 (capab=0x431 status=0 aid=222)
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.943174] wlan0: associated
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: Associated with 00:11:92:3e:79:80
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-STARTED EAP authentication started
Mar 30 10:39:01 fin8344m2 NetworkManager[848]: <info> (wlan0): supplicant interface state: associating -> associated
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: OpenSSL: openssl_handshake - SSL_connect error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.969742] wlan0: deauthenticated from 00:11:92:3e:79:80 (Reason: 23)

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: network-manager 0.9.4.0-0ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-20.33-generic 3.2.12
Uname: Linux 3.2.0-20-generic x86_64
ApportVersion: 2.0-0ubuntu1
Architecture: amd64
Date: Fri Mar 30 10:34:13 2012
IfupdownConfig:
 auto lo
 iface lo inet loopback
InstallationMedia: Xubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120328)
NetworkManager.state:
 [main]
 NetworkingEnabled=true
 WirelessEnabled=true
 WWANEnabled=true
 WimaxEnabled=true
ProcEnviron:
 LANGUAGE=en_US:en
 TERM=xterm
 LANG=en_US.UTF-8
 SHELL=/bin/bash
RfKill:
 0: phy0: Wireless LAN
  Soft blocked: no
  Hard blocked: no
SourcePackage: network-manager
UpgradeStatus: No upgrade log present (probably fresh install)
nmcli-con: Error: command ['nmcli', '-f', 'all', 'con'] failed with exit code 1: Error: Can't obtain connections: settings service is not running.

rmcd (rmcd1024) wrote :
affects: ubuntu → network-manager (Ubuntu)
jwhendy (jw-hendy) wrote :

I may have the same issue. I'm on an HP8540w EliteBook.

$ lspci
44:00.0 Network controller: Intel Corporation Centrino Ultimate-N 6300 (rev 35)

I was connecting to my corporate WPA2 network until quite recently (unsure when the issue arose, as I'm typically docked and using ethernet). I first noticed the issue this past Friday, 03/03/2012. I use wicd with the PEAP-GTC encryption setting and have not changed anything about my setup. I'm on Arch Linux; however, in using wpa_supplicant manually and googling the ssl error that resulted, I got the same error posted here, so I thought I'd chime in.

Let me know if any additional information would be useful.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
Simon Barber (simon-superduper) wrote :

What RADIUS server is used on your network? I am having the problem and we use Steel Belted radius here. The RADIUS server is rejecting the Client Hello message. This comes from openssl.

Simon Barber (simon-superduper) wrote :

The problem is in wpasupplicant.

affects: network-manager (Ubuntu) → wpasupplicant (Ubuntu)
jwhendy (jw-hendy) wrote :

I'm not sure where the problem is. I get an openssl certificate error, which doesn't immediately tell me that it's wpa_supplicant. My primary point of curiosity is that my logs suggest that nothing has changed in my setup whatsoever. I know I connected to the same WPA2 enterprise network on 03.18.2012, yet my wicd wpa_supplicant configs have been the same since the beginning of March.

I did note an Arch Linux update to both dhcpcd and openssl since that date, so I may try to revert and see if I can track down the issue to an updated package. There's not much noise about this issue, though, so if it's upgrade related I'm surprised more people aren't speaking up.

Simon Barber (simon-superduper) wrote :

For me everything was fine running Ubuntu 11.10, and upgrading to 12.04rc2 I suddenly see this failure. I suspect openssl, since that is the code wpa_supplicant uses to generate the TLS authentication messages. These messages are going out OK, but the RADIUS server does not like the contents.

Simon Barber (simon-superduper) wrote :

Can you capture a packet trace on the wireless interface while wpasupplicant is trying to authenticate? You'll need to run wireshark as root.

I'm seeing the exact same TLS error:

SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate

jwhendy (jw-hendy) wrote :

Could this be related? I'm going to try rolling back OpenSSL to see what happens...
-- https://bbs.archlinux.org/viewtopic.php?id=138103

Not related for me - the openssl package in Ubuntu 12.04rc2 already has the patches described at that link.

jwhendy (jw-hendy) wrote :

Got a chance to downgrade via the Arch Rollback Machine to openssl-1.0.0.h-1 and I can successfully connect to wireless again. Perhaps not the same issue... but my problem seems directly related to openssl.

Can someone try on Ubuntu just to amuse me? For what it's worth, Arch didn't have any issues downgrading to 1.0.0 from 1.0.1 so hopefully Synaptic or apt-get won't burden anyone with a ton of manual dependency futzing.

Raghav K. (raghavk) wrote :

I'm experiencing the same problem on Debian (also on a Lenovo X220), but rolling back to openssl-1.0.0.h-1 didn't fix things for me.

Raghav K. (raghavk) wrote :

Here's a packet trace of the server rejecting the hello.

Raghav K. (raghavk) wrote :

Apologies for the triple post, but I can confirm that going back to openssl-1.0.0.h-1 fixes the problem. So it does seem to be an openssl bug.

Diane Trout (diane-trout) wrote :

I went looking for alternate versions of libssl 1.0.0 in http://us.archive.ubuntu.com/ubuntu/pool/main/o/openssl/

To have any effect I needed to kill wpa_supplicant after installing the alternate version of libssl.

libssl1.0.0_1.0.0e-2ubuntu4 works for me.

Raghav K. (raghavk) on 2012-04-06
affects: wpasupplicant (Debian) → openssl (Debian)
Diane Trout (diane-trout) wrote :

I built a version of wpasupplicant_0.7.3-6ubuntu2 that works for me, by switching from openssl to gnutls.

I think wpasupplicant with openssl was offering 57 ciphers and with gnutls it was around 15. (I didn't write the numbers down and am having trouble getting it to regenerate the client hello message), so am not certain.

If wpa supplicant is building the list of ciphers from openssl for the client hello message, maybe it would also be possible to disable some of the rare ones? I tried some of the obvious things like -DOPENSSL_NO_RC2 -DOPENSSL_NO_DES, but later realised that was probably if you'd disabled those in openssl itself.

It looks like each cipher offered takes 2 bytes, and the failing openssl packet was 261 bytes, so you just need to get it below 255 bytes -- so remove 3 ciphers?

Here is the patch I used to make it work; given the difficulties in getting acceptance for gnutls, I bet it'd cause other problems.

--- wpasupplicant-0.7.3/debian/config/linux 2012-03-13 16:11:24.000000000 -0700
+++ wpasupplicant-0.7.3.new/debian/config/linux 2012-04-06 13:26:03.230123515 -0700
@@ -33,5 +33,5 @@
 CONFIG_PEERKEY=y
 CONFIG_IEEE80211W=y
-CONFIG_TLS=openssl
+CONFIG_TLS=gnutls
 CONFIG_CTRL_IFACE_DBUS=y
 CONFIG_CTRL_IFACE_DBUS_NEW=y
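
Review bot: the CONFIG_TLS line swaps the whole TLS backend from openssl to gnutls with no comment saying why, so a later maintainer has no pointer back to this bug and no cue for when the workaround can be reverted; add a comment above "CONFIG_TLS=gnutls" naming the ClientHello interoperability problem it works around. Only debian/config/linux changes in this hunk, so also confirm the package's build dependencies pull in the GnuTLS development files, and re-test the other TLS-based EAP methods and certificate validation, since all of them now run on a different library.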

Changed in openssl (Debian):
status: Unknown → New
rmcd (rmcd1024) wrote :

I can confirm that libssl1.0.0_1.0.0e-2ubuntu4 fixes the problem.

Diane Trout (diane-trout) wrote :

Still broken with wpasupplicant 0.7.3-6ubuntu2 & openssl 1.0.1-2ubuntu4

Diane Trout (diane-trout) wrote :

Had the same non-working 261 byte client hello message that doesn't work with wpasupplicant 0.7.3-6ubuntu2 and openssl 1.0.1-4ubuntu1.

Assuming updating and killing /sbin/wpa_supplicant was enough to get wpa supplicant to use the updated openssl.

rmcd (rmcd1024) wrote :

I also found that openssl 1.0.1-4ubuntu1 did not fix the problem for me. I rebooted after the upgrade to make sure it was installed.

I hope that this bug will be assigned a high priority. Non-working wireless is a real problem, and will potentially result in bad press.

Diane Trout (diane-trout) wrote :

While we're waiting for a fix in openssl, I built a version of wpasupplicant linked against gnutls and placed it in a ppa https://launchpad.net/~diane-trout/+archive/wpasupplicant-gnutls

It at least works well enough for me to connect to my company's wpa2-enterprise and my home's wpa2-psk networks.

This is confirmed to be related to openssl rather than wpasupplicant, so I'm setting up the task for it.

Changed in openssl (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Changed in wpasupplicant (Ubuntu):
status: Confirmed → Incomplete
Changed in openssl (Ubuntu):
status: Confirmed → Triaged
assignee: nobody → Canonical Foundations Team (canonical-foundations)
Raghav K. (raghavk) wrote :

Recompiling OpenSSL with these patches from upstream also seems to fix the problem: http://rt.openssl.org/Ticket/Display.html?id=2771

Steve Langasek (vorlon) on 2012-04-12
Changed in openssl (Ubuntu Precise):
assignee: Canonical Foundations Team (canonical-foundations) → Colin Watson (cjwatson)
milestone: none → precise-updates
Colin Watson (cjwatson) wrote :

@Raghav K. (comment 23): Really? The current package in Ubuntu 12.04 is built with those patches, as far as I'm aware. See the changelog entry for openssl 1.0.1-2ubuntu3.

If you can point to specific upstream patches that fix this that aren't in 1.0.1-4ubuntu1, I'd love to hear about it.

Colin Watson (cjwatson) wrote :

Could anyone affected by this bug please try openssl 1.0.1-4ubuntu2 in precise-proposed and let me know whether it fixes this?

rmcd (rmcd1024) wrote :

I am still unable to connect with openssl 1.0.1-4ubuntu2. I . It looks like the same problem as before. Here is a bit of syslog:

Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate
Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: OpenSSL: openssl_handshake - SSL_connect error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Apr 19 08:42:51 fin8344m2 kernel: [ 77.468839] wlan0: deauthenticated from 00:11:92:3e:79:80 (Reason: 23)
Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: CTRL-EVENT-DISCONNECTED bssid=00:11:92:3e:79:80 reason=23

I rebooted after installing the new packages. To confirm that I have the correct ssl packages installed, here is an excerpt from dpkg -l:

ii libgnutls-openssl27 2.12.14-5ubuntu3 GNU TLS library - OpenSSL wrapper
ii libio-socket-ssl-perl 1.53-1 Perl module implementing object oriented interface to SSL sockets
ii libnet-ssleay-perl 1.42-1build1 Perl module for Secure Sockets Layer (SSL)
ii libssl1.0.0 1.0.1-4ubuntu2 SSL shared libraries
ii libssl1.0.0:i386 1.0.1-4ubuntu2 SSL shared libraries
ii libwavpack1 4.60.1-2 audio codec (lossy and lossless) - library
ii openssl 1.0.1-4ubuntu2 Secure Socket Layer (SSL) binary and related cryptographic tools
ii python-openssl 0.12-1ubuntu2 Python wrapper around the OpenSSL library
ii ssl-cert 1.0.28 simple debconf wrapper for OpenSSL

Colin Watson (cjwatson) wrote :

Disappointing. Thanks. Somebody should probably report this upstream for further analysis.

rmcd (rmcd1024) wrote :

Out of my depth here but I did run wireshark and this is what I get at the point of failure.

53 24.094947 IntelCor_e1:28:94 Cisco_49:62:f0 SSL 253 Client Hello
54 24.116714 Cisco_49:62:f0 IntelCor_e1:28:94 TLSv1 60 Alert (Level: Fatal, Description: Bad Certificate)
55 24.117037 IntelCor_e1:28:94 Cisco_49:62:f0 EAP 24 Response, PEAP [Palekar]
56 24.123991 Cisco_49:62:f0 IntelCor_e1:28:94 EAP 60 Failure

Diane Trout (diane-trout) wrote :

I tried today with wpasupplicant 0.7.3-6ubuntu2 and libssl1.0.0 1.0.1-4ubuntu3 and still didn't work.

I just figured out how to export a detailed packet trace with wireshark and am attaching the ClientHello and response messages from the non-working libssl1.0.0_1.01-4ubuntu3, and the working libssl1.0.0-1.0.0e-2ubuntu4 and my wpa supplicant that's using libgnutls26-2.12.14-5ubuntu3.

In preparing the dump I did renumber my mac address to end in 11:22:33 and the mac address of the access point to aa:bb:cc

The working versions seem to report their Client Hello version as ssl 3.0 and the non-working one as TLS 1.0. The SSL versions list 18 ciphers and the TLS version has 51 protocol suites.
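
Added example (not part of the original thread or of any project discussed in it): a small Python parser for the ClientHello comparison described above. It takes the raw TLS record bytes exported from a capture (PEAP carries these records inside EAP messages) and reports record version, cipher-suite count, extensions and size. The two sample records are constructed to mirror the figures reported in this thread (18 vs 51 suites, SSL 3.0 vs TLS 1.0, 261 bytes); the 255-byte limit is the hypothesis raised in the comments, not a confirmed cause.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
EXTENSIONS = {10: "elliptic_curves", 11: "ec_point_formats",
              13: "signature_algorithms", 15: "heartbeat", 35: "session_ticket"}


def build_client_hello(record_version, client_version, n_suites, extensions=()):
    """Construct a sample ClientHello record (placeholder suite IDs, zeroed random)."""
    suites = b"".join(struct.pack("!H", 0x0100 + i) for i in range(n_suites))
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # suite list, null compression
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(record):
    """Parse one unfragmented TLS record that holds a single ClientHello."""
    try:
        ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
        if ctype != 0x16 or record[5] != 0x01:
            raise ValueError("not a ClientHello handshake record")
        hs_len = int.from_bytes(record[6:9], "big")
        if rec_len != len(record) - 5 or hs_len != rec_len - 4:
            raise ValueError("truncated or fragmented record")
        body = record[9:]
        (client_ver,) = struct.unpack_from("!H", body, 0)
        pos = 2 + 32                    # skip client_version and random
        pos += 1 + body[pos]            # skip session id
        (cs_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if cs_len % 2 or pos + cs_len > len(body):
            raise ValueError("bad cipher suite list length")
        suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]            # skip compression methods
        extensions = []
        if pos < len(body):             # the extensions block is optional
            (ext_len,) = struct.unpack_from("!H", body, pos)
            pos += 2
            end = pos + ext_len
            if end != len(body):
                raise ValueError("extensions length does not match body")
            while pos < end:
                ext_type, data_len = struct.unpack_from("!HH", body, pos)
                extensions.append((ext_type, data_len))
                pos += 4 + data_len
            if pos != end:
                raise ValueError("extension overruns the extensions block")
    except (struct.error, IndexError) as exc:
        raise ValueError(f"malformed ClientHello: {exc}") from exc
    return {"record_version": rec_ver, "client_version": client_ver,
            "total_len": len(record), "handshake_len": hs_len,
            "suites": suites, "extensions": extensions}


def compare(working, failing, size_limit=255):
    """Return the differences worth checking; size_limit is the thread's hypothesis."""
    w, f = parse_client_hello(working), parse_client_hello(failing)
    notes = []
    if w["record_version"] != f["record_version"]:
        old = VERSIONS.get(w["record_version"], hex(w["record_version"]))
        new = VERSIONS.get(f["record_version"], hex(f["record_version"]))
        notes.append(f"record version {old} -> {new}")
    if len(w["suites"]) != len(f["suites"]):
        notes.append(f"cipher suites {len(w['suites'])} -> {len(f['suites'])}")
    seen = {t for t, _ in w["extensions"]}
    added = [EXTENSIONS.get(t, str(t)) for t, _ in f["extensions"] if t not in seen]
    if added:
        notes.append("extensions added: " + ", ".join(added))
    if w["total_len"] <= size_limit < f["total_len"]:
        notes.append(f"record size {w['total_len']} -> {f['total_len']} bytes (over {size_limit})")
    return notes


# Constructed samples, not the captures attached to this bug: extension payloads
# are zero filler sized so the larger record comes to 261 bytes.
WORKING = build_client_hello(0x0300, 0x0301, 18)
FAILING = build_client_hello(0x0301, 0x0301, 51, [
    (35, b""), (10, bytes(52)), (11, bytes(4)), (13, bytes(32)), (15, bytes(1))])

if __name__ == "__main__":
    for note in compare(WORKING, FAILING):
        print(note)
```

To use it on a real capture, pass the TLS record bytes of each Client Hello (for example, copied as a hex stream from the packet dissector and converted with bytes.fromhex) in place of the constructed samples.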

rmcd (rmcd1024) wrote :

I don't know if libssl 1.0.1-4ubuntu5 (in precise-proposed) was possibly supposed to contain a fix, but the error persists with that version.

Ryan Whalen (qf-ryan-nr) wrote :

I've tried using Diane Trout's wpa_supplicant build mentioned above, but that did not fix the problem for me. I've been unable to access University wifi since upgrading from 11.10 to 12.04.

Scott Salley (ssalley) wrote :

Diane Trout's wpa_supplicant fixed things for me with these wireless settings:

WPA & WPA2 Enterprise
Protected EAP (PEAP)
CA certificate
PEAP version: Automatic
MSCHAPv2
username/password

Diane Trout (diane-trout) wrote :

Did you kill the wpa_supplicant process after installation? (Or reboot?)

If that doesn't work the other choice that worked for me is to install openssl 1.0.0e from 11.10 (and reinstall the default wpa_supplicant). My problem with that solution is the older version of openssl caused library problems with 12.04's curl. But you may not use curl so it might not be an issue in your case.

rmcd (rmcd1024) wrote :

Diane's wpasupplicant worked for me. Great job Diane, thanks!

Benjamin Bex (dendanny) wrote :

I also have a problem connecting to wired networks using peap (at work). Reverting openssl and libssl to 1.0.0e-2ubuntu4 resolved the problem. I suppose this is related to this bug.

OkonX (archanl) wrote :

I also have this problem--I can't connect to the wireless here at my college. The wifi here uses the same settings as what Scott Salley (ssalley) mentioned above. I first started with Fedora 16--and had this problem. So, I reformatted and installed Ubuntu 11.10; everything worked great. Then I upgraded to Ubuntu 12.04 and now I have the same problem as I had before and what everyone else has.

I am a linux n00b. Could someone please explain to me exactly how to fix this? How do I rollback what changed from 11.10 to 12.04 so I can use my college's wifi again?

Benjamin Bex (dendanny) wrote :

I will explain how I did it: revert to openssl and libssl1.0.0 version 1.0.0e-2ubuntu4

Open Terminal: type shell commands without the surrounding ""
"apt-cache showpkg openssl" will show which versions of openssl you have available on your system
If openssl is somewhere in the 'Provides:' list just do
"apt-get install openssl=1.0.0e-2ubuntu4" and "apt-get install libssl1.0.0=1.0.0e-2ubuntu4"

If you do not have the old versions in the apt-cache you can fetch them from
http://mirror01.th.ifl.net/ubuntu/pool/main/o/openssl/ (or another mirror, just an example)
You'll need to get openssl_1.0.0e-2ubuntu4_i386.deb or the amd64 variant if your machine is 64 bit (you can check that with "uname -p"; if it is 'x86_64' you need the amd64 variant)
And you'll also need libssl1.0.0_1.0.0e-2ubuntu4_i386.deb or the amd64 variant, same rule here.

Get these two files to the affected computer with a flash drive. I got them by booting the install disk and downloading them there, then copied them to my hard disk. So you don't need two PCs but it is easier.

Go to the directory that contains the two deb files you need.
"cd /media" to go to the place where all these things are mounted
"ls" to see a list of flash drives... that are mounted
"cd nameofdrive" to go into that drive
You may need to cd your way through all the subfolders until "ls" gives you the name of the two deb files

Then you install these deb files with
"dpkg -iR ." this means install all debian packages from the folder '.'(and folder '.' is always the current folder you "cd"ed to)

Done, check "apt-cache showpkg openssl" to see the version is added

Now it is easiest to reboot, you could also kill all affected processes and restart them, but it may take you longer than a simple reboot.

This is what I did if I recall correctly.
Another option is given by diane-trout above.

OkonX (archanl) wrote :

I get the error below after doing $ sudo dpkg -iR .

(Reading database ... 291933 files and directories currently installed.)
Preparing to replace openssl 1.0.0e-2ubuntu4 (using .../openssl_1.0.0e-2ubuntu4_amd64.deb) ...
Unpacking replacement openssl ...
Preparing to replace libssl1.0.0 1.0.0e-2ubuntu4 (using .../libssl1.0.0_1.0.0e-2ubuntu4_amd64.deb) ...
Unpacking replacement libssl1.0.0 ...
dpkg: error processing libssl1.0.0 (--install):
 libssl1.0.0:amd64 1.0.0e-2ubuntu4 cannot be configured because libssl1.0.0:i386 is in a different version (1.0.1-4ubuntu5)
dpkg: dependency problems prevent configuration of openssl:
 openssl depends on libssl1.0.0 (>= 1.0.0); however:
  Package libssl1.0.0 is not configured yet.
dpkg: error processing openssl (--install):
 dependency problems - leaving unconfigured
Processing triggers for man-db ...
Errors were encountered while processing:
 libssl1.0.0
 openssl

OkonX (archanl) wrote :

Oh I see...this breaks nodejs which requires a higher version of libssl.

OkonX (archanl) wrote :

Ah, sorry for comment spam--I wish I could edit or append previous comments.

Anyhow, dendanny's instructions worked and I can connect to the wifi. But the problem still remains with other packages that require higher versions (this leads to the package manager fussing about it in update manager and elsewhere).

Changed in wpasupplicant:
importance: Unknown → Medium
status: Unknown → Confirmed
Changed in openssl:
importance: Undecided → Unknown
status: New → Unknown
Changed in openssl:
status: Unknown → New
Changed in wpasupplicant:
status: Confirmed → In Progress
Changed in wpasupplicant (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in wpasupplicant (Ubuntu Precise):
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Steve Magoun (smagoun) on 2012-06-21
Changed in oem-priority:
importance: Undecided → High
Changed in oem-priority:
assignee: nobody → James M. Leddy (jm-leddy)
status: New → In Progress
tags: added: rls-q-incomming
tags: added: rls-q-incoming
removed: rls-q-incomming
tags: added: patch
Changed in wpasupplicant (Ubuntu):
importance: Undecided → High
status: Incomplete → Triaged
Changed in wpasupplicant (Ubuntu Precise):
importance: Undecided → High
status: Incomplete → Triaged
Changed in openssl (Debian):
status: New → Confirmed
Changed in wpasupplicant (Ubuntu):
status: Triaged → In Progress
Changed in wpa (Ubuntu Precise):
status: New → Invalid
Changed in wpasupplicant (Ubuntu):
status: In Progress → Invalid
Changed in wpa (Ubuntu):
importance: Undecided → Medium
status: New → Fix Released
description: updated
tags: removed: rls-q-incoming
Changed in openssl (Ubuntu):
assignee: Colin Watson (cjwatson) → nobody
status: Triaged → Incomplete
milestone: precise-updates → none
Changed in openssl (Ubuntu Precise):
assignee: Colin Watson (cjwatson) → nobody
milestone: precise-updates → none
status: Triaged → Incomplete
tags: added: verification-needed
tags: added: verification-done
removed: verification-needed
Changed in openssl (Ubuntu):
status: Incomplete → Fix Committed
status: Fix Committed → Incomplete
Changed in wpasupplicant (Ubuntu Precise):
status: Triaged → Fix Committed
(66 of 146 comments hidden)

Err, this is *not* in precise-proposed yet as far as I can tell. Shouldn't be marked as Fix Committed until then.

Changed in wpasupplicant (Ubuntu Precise):
status: Fix Committed → Triaged

Jeremy, what kind of settings in wpa, if any, make the connection successful for you?

Hello rmcd, or anyone else affected,

Accepted into precise-proposed. The package will build now and be available in a few hours in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openssl (Ubuntu Precise):
status: Incomplete → Fix Committed
Changed in wpasupplicant (Ubuntu Precise):
status: Triaged → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
rmcd (rmcd1024) wrote :

Unfortunately, the fix does not work for me. First, to be sure I'm using the correct version, 'dpkg -l | grep wpa' gives this:

ii wpagui 0.7.3-6ubuntu2.1 graphical user interface for wpa_supplicant
ii wpasupplicant 0.7.3-6ubuntu2.1 client support for WPA and WPA2 (IEEE 802.11i)

The first time I rebooted after installing from proposed, connection was successful. Every subsequent attempt failed, whether after resuming from a suspend or after a reboot. I get into an endless loop of password requests. Here is a log extract for the last attempt:

Oct 8 09:49:32 foo NetworkManager[987]: get_secret_flags: assertion `is_secret_prop (setting, secret_name, error)' failed
Oct 8 09:49:32 foo NetworkManager[987]: <info> Activation (wlan0) Stage 1 of 5 (Device Prepare) scheduled...
Oct 8 09:49:32 foo NetworkManager[987]: <info> Activation (wlan0) Stage 1 of 5 (Device Prepare) started...
Oct 8 09:49:32 foo NetworkManager[987]: <info> (wlan0): device state change: need-auth -> prepare (reason 'none') [60 40 0]
Oct 8 09:49:32 foo NetworkManager[987]: <info> Activation (wlan0) Stage 2 of 5 (Device Configure) scheduled...
Oct 8 09:49:32 foo NetworkManager[987]: <info> Activation (wlan0) Stage 1 of 5 (Device Prepare) complete.
Oct 8 09:49:32 foo NetworkManager[987]: <info> Activation (wlan0) Stage 2 of 5 (Device Configure) starting...
Oct 8 09:49:32 foo NetworkManager[987]: <info> (wlan0): device state change: prepare -> config (reason 'none') [40 50 0]
Oct 8 09:49:32 foo NetworkManager[987]: <info> Activation (wlan0/wireless): connection 'Northwestern' has security, and secrets exist. No new secrets needed.
Oct 8 09:49:32 foo NetworkManager[987]: <info> Config: added 'ssid' value 'Northwestern'
Oct 8 09:49:32 foo NetworkManager[987]: <info> Config: added 'scan_ssid' value '1'
Oct 8 09:49:32 foo NetworkManager[987]: <info> Config: added 'key_mgmt' value 'WPA-EAP'
Oct 8 09:49:32 foo NetworkManager[987]: <info> Config: added 'password' value '<omitted>'
Oct 8 09:49:32 foo NetworkManager[987]: <info> Config: added 'eap' value 'PEAP'
Oct 8 09:49:32 foo NetworkManager[987]: <info> Config: added 'fragment_size' value '1300'
Oct 8 09:49:32 foo NetworkManager[987]: <info> Config: added 'phase2' value 'auth=MSCHAPV2'
Oct 8 09:49:32 foo NetworkManager[987]: <info> Config: added 'identity' value 'xyz'
Oct 8 09:49:32 foo NetworkManager[987]: <info> Config: added 'bgscan' value 'simple:30:-45:300'
Oct 8 09:49:32 foo NetworkManager[987]: <info> Activation (wlan0) Stage 2 of 5 (Device Configure) complete.
Oct 8 09:49:32 foo NetworkManager[987]: <info> Config: set interface ap_scan to 1
Oct 8 09:49:32 foo NetworkManager[987]: <info> (wlan0): supplicant interface state: disconnected -> scanning
Oct 8 09:49:35 foo wpa_supplicant[1252]: Trying to authenticate with d8:c7:aa:bb:cc:dd (SSID='Northwestern' freq=2412 MHz)
Oct 8 09:49:35 foo kernel: [ 81.192887] wlan0: direct probe to d8:c7:aa:bb:cc:dd (try 1/3)
Oct 8 09:49:35 foo NetworkManager[987]: <info> (wlan0): supplicant interface state: scanning -> authenticating
Oct 8 09:49:35 foo ker...

rmcd (rmcd1024) on 2012-10-08
tags: added: verification-failed
removed: verification-needed

rmcd,

Are you sure that the configuration is correct in NetworkManager, and that the device is actually allowed to connect?

This works properly for other people, it would be nice to know exactly what is missing here if anything.

This is all the more important since "status 17" is "WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA" which can mean a number of things, including "you seem to still be connected because your original session didn't time out yet, so I can't let you in twice", etc. This absolutely needs more testing before marking as failed.

tags: added: verification-needed
removed: verification-failed

Actually, 802.11-2007 defines status 17 as "Association denied because AP is unable to handle additional associated STAs" -- The AP might be overloaded.

Neo (neojia) wrote :

I tried the updated wpa program and I still can't access my work wireless network.

I am using Dell XPS 13 and my company is using Aruba AP.

I saw this in the dmesg:

2985 [130380.278223] wlan0: Wrong control channel in association response: configured center-freq: 5200 hti-cfreq: 5805 hti->control_chan: 161 band: 1. Disabling HT.
2986 [130381.803188] cfg80211: All devices are disconnected, going to restore regulatory settings
2987 [130381.803203] cfg80211: Restoring regulatory settings
2988 [130381.803213] cfg80211: Calling CRDA to update world regulatory domain
2989 [130381.812512] cfg80211: Ignoring regulatory request Set by core since the driver uses its own custom regulatory domain
2990 [130381.812525] cfg80211: World regulatory domain updated:
2991 [130381.812530] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
2992 [130381.812540] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
2993 [130381.812549] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
2994 [130381.812556] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
2995 [130381.812564] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
2996 [130381.812571] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
2997 [130392.758524] wlan0: authenticate with d8:c7:c8:a4:ab:58 (try 1)
2998 [130392.759447] wlan0: authenticated
2999 [130392.759814] wlan0: associate with d8:c7:c8:a4:ab:58 (try 1)
3000 [130392.763081] wlan0: RX ReassocResp from d8:c7:c8:a4:ab:58 (capab=0x411 status=0 aid=12)
3001 [130392.763087] wlan0: associated
3002 [130392.763926] wlan0: Wrong control channel in association response: configured center-freq: 5200 hti-cfreq: 5805 hti->control_chan: 161 band: 1. Disabling HT.
3003 [130393.811006] cfg80211: All devices are disconnected, going to restore regulatory settings
3004 [130393.811022] cfg80211: Restoring regulatory settings
3005 [130393.811031] cfg80211: Calling CRDA to update world regulatory domain
3006 [130393.818827] cfg80211: Ignoring regulatory request Set by core since the driver uses its own custom regulatory domain
3007 [130393.818840] cfg80211: World regulatory domain updated:

rmcd (rmcd1024) wrote :

Mathieu,

First, sorry if I was premature in changing the tag, I thought I was acting as instructed.

I definitely do have permission to access the resource, and my android phone has no problem connecting. My computer did connect when I first rebooted, so I presume that serves as a test about settings. I didn't change the settings afterwards and it never connected again. I am in touch with our networking people. They are aware of the issue, but there are not many linux users and I am not knowledgeable about networking so I need assistance in asking them for help. Anything you can suggest?

What I plan to do when I have time is to install the proposed software on my bootable USB version of 12.04 and try that. I am open to other suggestions.

Neo (neojia) wrote :

Hi,

I saw a lot of people still having the connection issues after applying this update. I don't know if this is caused by a combination of using Dell XPS 13 + Aruba AP.

I have filed a bug 1019081 to track this issue, so please speak up there if you are seeing the same problem. I assume this is causing the failed connection:

"wlan0: Wrong control channel in association response: configured center-freq: 5200 hti-cfreq: 5805 hti->control_chan: 161 band: 1. Disabling HT."

Updating to mainline kernel "http://kernel.ubuntu.com/~kernel-ppa/mainline/daily/current/linux-headers-3.6.0-999-generic_3.6.0-999.201210080405_amd64.deb", I am able to connect to my AP through WPA2 Enterprise.

Thanks,
Neo

rmcd: the tag change was fine, but this bug is special in that it affects others (people using Aruba) and seems to fix the issue properly.

I suggest asking them to check authentication logs to see what the AP or authentication server wrote when you tried to connect and did your first successful connection, then what it wrote for the following unsuccessful connections. It's going to be a huge hint towards what is broken there.

Neo; indeed, the "Wrong control channel" error message is a kernel issue.


The bug is not fixed on my network (KULeuven/Eduroam)
Dmesg log: (grepped for wlan0)

[ 37.885705] ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 103.898976] ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 182.706388] wlan0: authenticate with 00:26:99:99:93:cd (try 1)
[ 182.709876] wlan0: authenticated
[ 182.710586] wlan0: associate with 00:26:99:99:93:cd (try 1)
[ 182.718540] wlan0: RX AssocResp from 00:26:99:99:93:cd (capab=0x11 status=0 aid=8)
[ 182.718549] wlan0: associated
[ 182.724260] ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 236.004976] wlan0: deauthenticating from 00:26:99:99:93:cd by local choice (reason=3)
[ 5155.412467] ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 5162.798052] wlan0: authenticate with 00:3a:98:c1:28:c2 (try 1)
[ 5162.800314] wlan0: authenticated
[ 5163.016468] wlan0: associate with 00:3a:98:c1:28:c2 (try 1)
[ 5163.021561] wlan0: RX AssocResp from 00:3a:98:c1:28:c2 (capab=0x411 status=0 aid=71)
[ 5163.021567] wlan0: associated
[ 5163.025957] ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 5177.196392] wlan0: disassociating from 00:3a:98:c1:28:c2 by local choice (reason=3)
[ 5177.214274] wlan0: deauthenticating from 00:3a:98:c1:28:c2 by local choice (reason=3)
[ 5180.487626] wlan0: authenticate with 00:3a:98:c1:28:c2 (try 1)
[ 5180.492060] wlan0: authenticated
[ 5180.492382] wlan0: associate with 00:3a:98:c1:28:c2 (try 1)
[ 5180.497998] wlan0: RX ReassocResp from 00:3a:98:c1:28:c2 (capab=0x11 status=0 aid=71)
[ 5180.498004] wlan0: associated
[ 5182.724740] wlan0: disassociating from 00:3a:98:c1:28:c2 by local choice (reason=3)
[ 5182.749047] wlan0: deauthenticating from 00:3a:98:c1:28:c2 by local choice (reason=3)
[ 5186.024820] wlan0: authenticate with 00:26:99:99:93:c2 (try 1)
[ 5186.027693] wlan0: authenticated
[ 5186.048651] wlan0: associate with 00:26:99:99:93:c2 (try 1)
[ 5186.052456] wlan0: RX ReassocResp from 00:26:99:99:93:c2 (capab=0x411 status=0 aid=154)
[ 5186.052462] wlan0: associated
[ 5188.215355] wlan0: disassociating from 00:26:99:99:93:c2 by local choice (reason=3)
[ 5188.252204] wlan0: deauthenticating from 00:26:99:99:93:c2 by local choice (reason=3)
[ 5191.520497] wlan0: authenticate with 00:26:99:99:93:c2 (try 1)
[ 5191.525983] wlan0: authenticated
[ 5191.526382] wlan0: associate with 00:26:99:99:93:c2 (try 1)
[ 5191.533362] wlan0: RX ReassocResp from 00:26:99:99:93:c2 (capab=0x411 status=0 aid=154)
[ 5191.533368] wlan0: associated
[ 5193.732081] wlan0: disassociating from 00:26:99:99:93:c2 by local choice (reason=3)
[ 5193.750543] wlan0: deauthenticating from 00:26:99:99:93:c2 by local choice (reason=3)
[ 5197.021400] wlan0: direct probe to 00:3a:98:d5:ac:62 (try 1/3)
[ 5197.220048] wlan0: direct probe to 00:3a:98:d5:ac:62 (try 2/3)
[ 5197.420047] wlan0: direct probe to 00:3a:98:d5:ac:62 (try 3/3)
[ 5197.620040] wlan0: direct probe to 00:3a:98:d5:ac:62 timed out
[ 5205.856240] wlan0: direct probe to 00:3a:98:c1:28:cd (try 1/3)
[ 5205.857324] wlan0: direct probe responded
[ 5205.872054] wlan0: authenticate with 00:3a:98:c1:28:cd (try 1)
[ 5205.873432] wlan0: authenticated
[ 5205.873714] wlan0: associate with 00:3a:98:c1:28:cd (try 1)
[ 5205.878299] wlan0: RX Reasso...


At another location Eduroam works just fine. (BTW: I rebooted my laptop)
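A dmesg excerpt like the one above mixes two different symptoms: associations that succeed and are then dropped by the client itself within seconds ("by local choice (reason=3)"), and direct probes that time out before any association. The following sketch is an added example, not part of the thread; it counts both per BSSID so it is clear which layer to look at next. The sample log is constructed with placeholder BSSIDs, and the 30-second threshold is an assumption.

```python
import re

# Constructed sample in the format of the dmesg excerpt (placeholder BSSIDs).
SAMPLE = """\
[ 5162.798052] wlan0: authenticate with 02:00:00:00:00:01 (try 1)
[ 5162.800314] wlan0: authenticated
[ 5163.021567] wlan0: associated
[ 5177.214274] wlan0: deauthenticating from 02:00:00:00:00:01 by local choice (reason=3)
[ 5180.487626] wlan0: authenticate with 02:00:00:00:00:01 (try 1)
[ 5180.498004] wlan0: associated
[ 5182.749047] wlan0: deauthenticating from 02:00:00:00:00:01 by local choice (reason=3)
[ 5197.021400] wlan0: direct probe to 02:00:00:00:00:02 (try 1/3)
[ 5197.620040] wlan0: direct probe to 02:00:00:00:00:02 timed out
"""

LINE = re.compile(r"\[\s*(\d+\.\d+)\]\s+wlan0: (.*)")
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
AUTH = re.compile(r"authenticate with " + MAC)
DEAUTH = re.compile(r"deauthenticating from " + MAC + r" by local choice")
PROBE_TIMEOUT = re.compile(r"direct probe to " + MAC + r" timed out")


def summarize(log, flap_seconds=30.0):
    """Return {bssid: {"durations", "flaps", "probe_timeouts"}} for one log."""
    stats = {}

    def entry(mac):
        return stats.setdefault(mac, {"durations": [], "flaps": 0, "probe_timeouts": 0})

    bssid = assoc_at = None
    for raw in log.splitlines():
        m = LINE.search(raw)  # search() also accepts syslog-prefixed lines
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2).strip()
        if (a := AUTH.match(msg)):
            bssid, assoc_at = a.group(1), None
        elif msg == "associated" and bssid:
            assoc_at = ts
        elif (d := DEAUTH.match(msg)):
            if assoc_at is not None and d.group(1) == bssid:
                held = round(ts - assoc_at, 3)  # seconds the association lasted
                entry(bssid)["durations"].append(held)
                entry(bssid)["flaps"] += int(held < flap_seconds)
            assoc_at = None
        elif (p := PROBE_TIMEOUT.match(msg)):
            entry(p.group(1))["probe_timeouts"] += 1
    return stats


if __name__ == "__main__":
    for mac, s in summarize(SAMPLE).items():
        print(mac, s)
```

A BSSID with many short durations associates fine and loses the link afterwards, which points at the authentication exchange; one with only probe timeouts never got that far.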

Gary Lyons (gllyons) wrote :

I'm also at Northwestern like rmcd but the package in precise-proposed works fine for me. The problem was first resolved for me in the package in PPA https://launchpad.net/~mathieu-tl/+archive/sru-staging ?

But I switched to the one in proposed to see if there was an issue and I can't find one. Maybe rmcd's problem is something different?

When switching versions, are you guys making sure to reboot, or at
least kill the wpa_supplicant process?

If you're not, you're still testing the version from before you
upgraded, not the new one.

Gary Lyons (gllyons) wrote :

I rebooted after installing the package from proposed and after that I tried disconnecting and reconnecting a few times to test things and it all worked.

rmcd (rmcd1024) wrote :

@nickurak: Yes, I reboot when I switch versions.

Alan Barr (alanb) wrote :

I can confirm the proposed fix works for me accessing Wifi with Enterprise security and TTL/PAP authentication.

@gllyons the proposed fix also worked for me at Northwestern.

Nailer1887 (barry-titterton) wrote :

The precise-proposed fix worked for me today at Durham University, UK. The uni uses WPA2 Enterprise with AES. Thanks to everyone who worked on the fix.

quantumkit (quantumkit) wrote :

Here in UCSD. No success. Can anyone tell me what versions of stuff you are using? I am using:
wpasupplicant : 0.7.3-6ubuntu2.1
libssl1.0.0 : 1.0.1-4ubuntu5.5
openssl : 1.0.1-4ubuntu5.5

my kernel is 3.2.0-31-generic
Thanks!

James M. Leddy (jm-leddy) wrote :

marking verification-done based on comment #125

tags: added: verification-done verification-done-precise
removed: verification-needed
Changed in oem-priority:
status: In Progress → Fix Committed

Scott Kitterman (kitterman) wrote :

For people still having problems (that had problems prior to this version), please file a new bug referencing this one. Regressions from the released version with this update should be reported here.

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wpasupplicant - 0.7.3-6ubuntu2.1

---------------
wpasupplicant (0.7.3-6ubuntu2.1) precise-proposed; urgency=low

  * debian/patches/session-ticket.patch: disable the TLS Session Ticket
    extension to fix auth with 802.1x PEAP on some hardware. (LP: #969343)
 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 17 Sep 2012 17:08:22 -0400
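The changelog entry above disables the TLS Session Ticket extension, and the test case suggests watching the extensions the station sends. As an added example (not code from wpasupplicant or from this bug), the sketch below walks the extension list of a ClientHello and reports whether SessionTicket (extension type 35, RFC 5077) is offered. The ClientHello bytes are constructed, and the parser assumes a reassembled handshake message without the TLS record header or the EAP framing that PEAP wraps around it.

```python
import struct

SESSION_TICKET = 35  # extension type assigned to SessionTicket TLS (RFC 5077)


def build_client_hello(ext_types):
    """Constructed ClientHello handshake message with empty-bodied extensions."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    body = (
        b"\x03\x01"                            # client_version: TLS 1.0
        + bytes(32)                            # random (all zero, constructed)
        + b"\x00"                              # empty session_id
        + struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
        + b"\x01\x00"                          # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    return b"\x01" + len(body).to_bytes(3, "big") + body


def client_hello_extensions(msg):
    """Return the list of extension type numbers in a ClientHello message."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    end = 4 + int.from_bytes(msg[1:4], "big")
    if end > len(msg):
        raise ValueError("truncated handshake message")
    pos = 4 + 2 + 32                                     # skip version and random
    pos += 1 + msg[pos]                                  # session_id
    pos += 2 + int.from_bytes(msg[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + msg[pos]                                  # compression_methods
    if pos >= end:
        return []                                        # extensions are optional
    ext_end = pos + 2 + int.from_bytes(msg[pos:pos + 2], "big")
    pos += 2
    found = []
    while pos + 4 <= min(ext_end, end):
        etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
        found.append(etype)
        pos += 4 + elen
    return found


def offers_session_ticket(msg):
    """True if the ClientHello advertises the SessionTicket extension."""
    return SESSION_TICKET in client_hello_extensions(msg)
```

Run against the ClientHello from a capture taken before and after the update, the result should change from True to False if the patched supplicant is the one actually running.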

Changed in wpasupplicant (Ubuntu Precise):
status: Fix Committed → Fix Released

ttosttos (ttosttos) wrote :

Fix only alleviated the situation for me. Went from no connectivity to frequent disconnects. Upgrading to kernel 3.5.0-030500-generic finally ended months of misery :-)

Nailer1887 (barry-titterton) wrote :

My enthusiasm for reporting the problem fixed (#125) was premature: the connection only worked twice, it is now only able to connect approximately once in every five attempts. The problem only persists with the network using WPA Enterprise with AES encryption, a separate network that uses WPA Enterprise with TKIP encryption works perfectly (so far). I shall look at raising another bug specifically on the AES encryption issue.

rmcd (rmcd1024) wrote :

I have an ignorant question: There is no AES choice in the configuration dialog for WPA2, so which of the encryption methods are AES? (Is PEAP the same as AES?)

Another question: My android (ICS) phone connects successfully to our wpa2 network using peap, but it automatically configured "none" for phase 2 authentication. None is not an option for 12.04 and I am selecting MSChap2. Should there be a "none" option?

Changed in oem-priority:
status: Fix Committed → Fix Released

Felix Haller (felixhaller) wrote :

I wonder this isn't fixed yet. There are many users waiting for a fix, especially students and profs, because many of them are using the "eduroam" network (mentioned some times before).

When using eduroam wifi after a while my notebook stops working like expected: I'm unable to suspend (kernel panic) and the network connection is getting slower and slower till it stops working. The whole system crashes, so it's very dangerous to connect to such a network.

I attached a config screenshot....maybe it helps...

Benjamin Kay (benkay) wrote :

Felix, this bug *has* been fixed in Ubuntu 12.04 (Precise Pangolin) and later. From your comment, it sounds like you are describing an unrelated wifi bug. This bug prevented users from connecting to certain WPA2 Enterprise networks. The bug in your comment allows you to connect to a WPA2 Enterprise network but, some time later, causes a kernel panic. This is almost certainly a kernel/driver issue and *not* a bug in wpasupplicant or openssl. If your bug hasn't already been reported, I suggest opening a new bug and providing the brand/model of your wifi card, a kernel stack trace, and the output of dmesg, if possible.

todaioan (alan-ar06) on 2012-12-27
Changed in openssl (Ubuntu):
status: Incomplete → Fix Released
rmcd (rmcd1024) wrote :

@felixhaller: I share your frustration. I have what seems to be yet a different version of the bug, where in 12.04 I remain unable to connect to WPA2 Enterprise networks.

The fix for me was upgrading to 12.10. Now I can connect reliably and maintain the connection. I realize this may not be feasible for you. However, you may want to try a live CD and see if you can connect with 12.10. If 12.10 works for you and 12.04 does not, that should narrow down the possible causes of the problem.

Felix Haller (felixhaller) wrote :

I already use 12.10. I can connect to all wifi networks, there are only problems when connecting to eduroam network (wpa2 enterprise). My notebook is working just fine with the other networks (eg. my private one --> WPA2 personal).

I think I will open a new bug...thanks for all the information.

Adolfo Jayme (fitoschido) wrote :

The user todaioan seems to be vandalizing a lot of bugs. I'm reverting his change.

Changed in openssl (Ubuntu):
status: Fix Released → Incomplete

Lanoxx (lanoxx) wrote :

I am experiencing this issue on ubuntu 12.10. I am connecting to an eduroam wireless network with WPA2 enterprise encryption and the connection fails after a few minutes. Sometimes it does not connect at all. Most of the time one of the following workarounds works but the effect is only temporary until the connection is lost again:

 * Toggle the RF Killswitch
 * Suspend and wake up again
 * killall nm-applet && nm-applet

If I can contribute anything that would help to fix this issue, please let me know.

For what it's worth, I'm having this in an up-to-date 12.04 too. Wireless works flawlessly, except when connecting to an eduroam network, in which case it times out with this repeated in the syslog:

Apr 17 12:10:49 X kernel: [ 1987.661492] rtl8192c_common: Loading firmware file rtlwifi/rtl8192cfw.bin
Apr 17 12:10:50 X wpa_supplicant[1652]: Trying to authenticate with [AP:MAC:ADDR] (SSID='eduroam' freq=2412 MHz)
Apr 17 12:10:50 X kernel: [ 1988.874687] wlan0: direct probe to [AP:MAC:ADDR] (try 1/3)
Apr 17 12:10:50 X kernel: [ 1989.074082] wlan0: direct probe to [AP:MAC:ADDR] (try 2/3)
Apr 17 12:10:51 X kernel: [ 1989.274142] wlan0: direct probe to [AP:MAC:ADDR] (try 3/3)
Apr 17 12:10:51 X kernel: [ 1989.474110] wlan0: direct probe to [AP:MAC:ADDR] timed out
Apr 17 12:10:51 X kernel: [ 1989.577031] rtl8192c_common: Loading firmware file rtlwifi/rtl8192cfw.bin

I'm not sure how to interpret the history/status of this bug - is it still alive? Please let me know if this belongs somewhere else, or if there's any more info I can provide.

datube (datube) wrote :

We just implemented a lot of Aruba (ap-105) access points and I (we) also experience this problem (as described @Impact). While searching the www I couldn't really pinpoint what I could do as a work-around. I myself use 12.04, but the problem also exists on 13.04. I have a Thinkpad T410s. With the stock kernel (and up-to-date system) I wasn't able to connect to our wireless network, so I decided to do an install of a mainline kernel (v3.4-precise). After rebooting I was able to connect without any troubles.

Do not know if it's (still) relevant but if it is I want to provide you with any information possible to help with a solution

Pepe Lebuntu (majagray75) wrote :

I'm still having this problem. I've had it now on several different computers, including now my Lenovo X121e.

For a while, I could login to WPA2-Enterprise wifi, but now I can't: not eduroam, or any other.

Pepe Lebuntu (majagray75) wrote :

I should add, I'm using Xubuntu 12.10

While using ubuntu 12.10 (wpasupplicant 1.0-2ubuntu5 and openssl 1.0.1c-3ubuntu2) I can login to my company's wireless lan.

But which packages for 13.04 will have that fix which came with 1.0-2ubuntu5?

Finally found that deleting the WLANs file in /etc/NetworkManager/system-connections/ solved the problem. Also http://askubuntu.com/questions/285234/cannot-connect-to-wpa2-wpa-enterprise-peap-and-mschap?answertab=votes#tab-top gave the right hint.
