Unable to connect to WPA enterprise wireless
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OEM Priority Project | | High | James M. Leddy | |
Precise | | High | Unassigned | |
OpenSSL | New | Unknown | | |
wpa_supplicant | In Progress | Medium | | |
openssl (Fedora) | New | Undecided | Unassigned | |
openssl (Ubuntu) | | High | Unassigned | |
Precise | | High | Unassigned | |
wpa (Debian) | Fix Released | Unknown | | |
wpa (Ubuntu) | | Medium | Unassigned | |
Precise | | Undecided | Unassigned | |
wpasupplicant (Fedora) | Invalid | Undecided | | |
wpasupplicant (Ubuntu) | | High | Mathieu Trudel-Lapierre | |
Precise | | High | Mathieu Trudel-Lapierre | |
Bug Description
[Impact]
Breaks 802.1x (PEAP) authentication for wireless networks using specific authentication servers and/or AP hardware. Aruba network devices specifically are known to be affected, and are a popular device type used in enterprises to secure wireless networks.
[Test Case]
This issue is hardware specific and may or may not be limited to Aruba authentication servers.
1) Attempt to connect / authenticate to a wireless, 802.1x network requiring Protected EAP (or possibly other auth mechanisms).
2) (optionally) Watch SSL traffic between the station and authentication server using wireshark/tcpdump, looking for auth failures and the extensions passed.
[Regression Potential]
Since this changes the SSL extensions and options used to connect to 802.1x wireless networks, some networks specifically configured to request or make use of the session ticket extension could become impossible to authenticate to successfully, up to the point where multiple connection failures could lock the accounts used in highly-restricted networks. Also, there is a potential (again, due to the change in SSL options) for authentication to fail on other networks (using specific AP hardware) that don't support the extensions used.
---
Using identical settings as in 11.10, I am unable to make a wpa enterprise connection using xubuntu precise beta 2. This is a Lenovo X220 with a Centrino Advanced-N 6205 wireless interface. During the attempted logon, I am not presented with a certificate to approve, although wireless instructions for OSX suggest that I should be. However, I never had to approve a certificate when connecting with 11.10 -- I just ignored the certificate screen and everything worked.
This seems like the relevant excerpt from syslog:
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 NetworkManager[
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.940422] wlan0: authenticated
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.940974] wlan0: associate with 00:11:92:3e:79:80 (try 1)
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.943165] wlan0: RX ReassocResp from 00:11:92:3e:79:80 (capab=0x431 status=0 aid=222)
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.943174] wlan0: associated
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 NetworkManager[
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 wpa_supplicant[
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.969742] wlan0: deauthenticated from 00:11:92:3e:79:80 (Reason: 23)
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: network-manager 0.9.4.0-0ubuntu1
ProcVersionSign
Uname: Linux 3.2.0-20-generic x86_64
ApportVersion: 2.0-0ubuntu1
Architecture: amd64
Date: Fri Mar 30 10:34:13 2012
IfupdownConfig:
auto lo
iface lo inet loopback
InstallationMedia: Xubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120328)
NetworkManager.
[main]
NetworkingEnab
WirelessEnable
WWANEnabled=true
WimaxEnabled=true
ProcEnviron:
LANGUAGE=en_US:en
TERM=xterm
LANG=en_US.UTF-8
SHELL=/bin/bash
RfKill:
0: phy0: Wireless LAN
Soft blocked: no
Hard blocked: no
SourcePackage: network-manager
UpgradeStatus: No upgrade log present (probably fresh install)
nmcli-con: Error: command ['nmcli', '-f', 'all', 'con'] failed with exit code 1: Error: Can't obtain connections: settings service is not running.
Created attachment 566265
with openssl-
|
#149 |
The problem is indicated by this line:
EAP-TTLS: Failed to derive key
This message means that eap_peer_
I suppose it is related to the new TLS-1.2 support in openssl-1.0.1. Perhaps the wpa_supplicant should forcibly limit the TLS version to 1.0?
Reassigning to wpa_supplicant for better insight from wpa_supplicant maintainers.
rmcd (rmcd1024) wrote : | #1 |
affects: | ubuntu → network-manager (Ubuntu) |
jwhendy (jw-hendy) wrote : | #2 |
I may have the same issue. I'm on an HP8540w EliteBook.
$ lspci
44:00.0 Network controller: Intel Corporation Centrino Ultimate-N 6300 (rev 35)
I was connecting to my corporate WPA2 network until quite recently (unsure when the issue arose, as I'm typically docked and using ethernet). I first noticed the issue this past Friday, 03/03/2012. I use wicd with the PEAP-GTC encryption setting and have not changed anything about my setup. I'm on Arch Linux, however in using wpa_supplicant manually and googling the ssl error that resulted, I got the same error posted here, so I thought I'd chime in.
Let me know if any additional information would be useful.
Launchpad Janitor (janitor) wrote : | #3 |
Status changed to 'Confirmed' because the bug affects multiple users.
Changed in network-manager (Ubuntu): | |
status: | New → Confirmed |
Simon Barber (simon-superduper) wrote : | #4 |
What RADIUS server is used on your network? I am having the problem and we use Steel Belted radius here. The RADIUS server is rejecting the Client Hello message. This comes from openssl.
Simon Barber (simon-superduper) wrote : | #5 |
The problem is in wpasupplicant.
affects: | network-manager (Ubuntu) → wpasupplicant (Ubuntu) |
jwhendy (jw-hendy) wrote : | #6 |
I'm not sure where the problem is. I get an openssl certificate error, which doesn't immediately tell me that it's wpa_supplicant. My primary point of curiosity is that my logs suggest that nothing has changed in my setup whatsoever. I know I connected to the same WPA2 enterprise network on 03.18.2012, yet my wicd wpa_supplicant configs have been the same since the beginning of March.
I did note an Arch Linux update to both dhcpcd and openssl since that date, so I may try to revert and see if I can track down the issue to an updated package. There's not much noise about this issue, though, so if it's upgrade related I'm surprised more people aren't speaking up.
Simon Barber (simon-superduper) wrote : | #7 |
For me everything was fine running Ubuntu 11.10, and upgrading to 12.04rc2 I suddenly see this failure. I suspect openssl, since that is the code wpa_supplicant uses to generate the TLS authentication messages. These messages are going out OK, but the RADIUS server does not like the contents.
Simon Barber (simon-superduper) wrote : | #8 |
Can you capture a packet trace on the wireless interface while wpasupplicant is trying to authenticate? You'll need to run wireshark as root.
I'm seeing the exact same TLS error:
SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate
jwhendy (jw-hendy) wrote : | #9 |
Could this be related? I'm going to try rolling back OpenSSL to see what happens...
-- https:/
Simon Barber (simon-superduper) wrote : | #10 |
Not related for me - the openssl package in Ubuntu 12.04rc2 already has the patches described at that link.
jwhendy (jw-hendy) wrote : | #11 |
Got a chance to downgrade via the Arch Rollback Machine to openssl-1.0.0.h-1 and I can successfully connect to wireless again. Perhaps not the same issue... but my problem seems directly related to openssl.
Can someone try on Ubuntu just to amuse me? For what it's worth, Arch didn't have any issues downgrading to 1.0.0 from 1.0.1 so hopefully Synaptic or apt-get won't burden anyone with a ton of manual dependency futzing.
Raghav K. (raghavk) wrote : | #12 |
I'm experiencing the same problem on Debian (also on a Lenovo X220), but rolling back to openssl-1.0.0.h-1 didn't fix things for me.
Raghav K. (raghavk) wrote : | #13 |
Here's a packet trace of the server rejecting the hello.
Raghav K. (raghavk) wrote : | #14 |
Apologies for the triple post, but I can confirm that going back to openssl-1.0.0.h-1 fixes the problem. So it does seem to be an openssl bug.
Diane Trout (diane-trout) wrote : | #15 |
I went looking for alternate versions of libssl 1.0.0 in http://
To have any effect I needed to kill wpa_supplicant after installing the alternate version of libssl.
libssl1.
affects: | wpasupplicant (Debian) → openssl (Debian) |
Diane Trout (diane-trout) wrote : | #16 |
I built a version of wpasupplicant_
I think wpasupplicant with openssl was offering 57 ciphers and with gnutls it was around 15. (I didn't write the numbers down and am having trouble getting it to regenerate the client hello message), so am not certain.
If wpa supplicant is building the list of ciphers from openssl for the client hello message, maybe it would also be possible to disable some of the rare ones? I tried some of the obvious things like -DOPENSSL_NO_RC2 -DOPENSSL_NO_DES, but later realised that was probably if you'd disabled those in openssl itself.
It looks like each cipher offered takes 2 bytes, and the failing openssl packet was 261 bytes, so you just need to get it below 255 bytes -- so remove 3 ciphers?
The patch I used to make it work, given the difficulties in getting acceptance for gnutls, I bet it'd cause other problems.
--- wpasupplicant-
+++ wpasupplicant-
@@ -33,5 +33,5 @@
CONFIG_PEERKEY=y
CONFIG_
-CONFIG_TLS=openssl
+CONFIG_TLS=gnutls
CONFIG_
CONFIG_
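Review bot: The swap from `CONFIG_TLS=openssl` to `CONFIG_TLS=gnutls` replaces the TLS backend for the whole build, yet the hunk carries no comment saying why. Add a comment above the changed line naming the ClientHello failure it works around and this bug number, so the setting can be reverted once the OpenSSL side is fixed. Since the symptom discussed here is the size and contents of the ClientHello, a narrower change that keeps `CONFIG_TLS=openssl` and trims what is offered would be easier to justify than switching libraries.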
Changed in openssl (Debian): | |
status: | Unknown → New |
rmcd (rmcd1024) wrote : | #17 |
I can confirm that libssl1.
Diane Trout (diane-trout) wrote : | #18 |
Still broken with wpasupplicant 0.7.3-6ubuntu2 & openssl 1.0.1-2ubuntu4
Diane Trout (diane-trout) wrote : | #19 |
had the same non-working 261 byte client hello message that doesn't work with wpasupplicant 0.7.3-6ubuntu2 and openssl 1.0.1-4ubuntu1.
Assuming updating, and killing /sbin/wpa_
rmcd (rmcd1024) wrote : | #20 |
I also found that openssl 1.0.1-4ubuntu1 did not fix the problem for me. I rebooted after the upgrade to make sure it was installed.
I hope that this bug will be assigned a high priority. Non-working wireless is a real problem, and will potentially result in bad press.
Diane Trout (diane-trout) wrote : | #21 |
While we're waiting for a fix in openssl, I built a version of wpasupplicant linked against gnutls and placed it in a ppa https:/
It at least works well enough for me to connect to my company's wpa2-enterprise and my home's wpa2-psk networks.
This is confirmed to be related to openssl rather than wpasupplicant, so I'm setting up the task for it.
Changed in openssl (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → High |
Changed in wpasupplicant (Ubuntu): | |
status: | Confirmed → Incomplete |
Changed in openssl (Ubuntu): | |
status: | Confirmed → Triaged |
assignee: | nobody → Canonical Foundations Team (canonical-foundations) |
Raghav K. (raghavk) wrote : | #23 |
Recompiling OpenSSL with these patches from upstream also seems to fix the problem: http://
Changed in openssl (Ubuntu Precise): | |
assignee: | Canonical Foundations Team (canonical-foundations) → Colin Watson (cjwatson) |
milestone: | none → precise-updates |
Colin Watson (cjwatson) wrote : | #24 |
@Raghav K. (comment 23): Really? The current package in Ubuntu 12.04 is built with those patches, as far as I'm aware. See the changelog entry for openssl 1.0.1-2ubuntu3.
If you can point to specific upstream patches that fix this that aren't in 1.0.1-4ubuntu1, I'd love to hear about it.
Colin Watson (cjwatson) wrote : | #25 |
Could anyone affected by this bug please try openssl 1.0.1-4ubuntu2 in precise-proposed and let me know whether it fixes this?
rmcd (rmcd1024) wrote : | #26 |
I am still unable to connect with openssl 1.0.1-4ubuntu2. I . It looks like the same problem as before. Here is a bit of syslog:
Apr 19 08:42:51 fin8344m2 wpa_supplicant[
Apr 19 08:42:51 fin8344m2 wpa_supplicant[
Apr 19 08:42:51 fin8344m2 wpa_supplicant[
Apr 19 08:42:51 fin8344m2 wpa_supplicant[
Apr 19 08:42:51 fin8344m2 wpa_supplicant[
Apr 19 08:42:51 fin8344m2 kernel: [ 77.468839] wlan0: deauthenticated from 00:11:92:3e:79:80 (Reason: 23)
Apr 19 08:42:51 fin8344m2 wpa_supplicant[
I rebooted after installing the new packages. To confirm that I have the correct ssl packages installed, here is an excerpt from dpkg -l:
ii libgnutls-openssl27 2.12.14-5ubuntu3 GNU TLS library - OpenSSL wrapper
ii libio-socket-
ii libnet-ssleay-perl 1.42-1build1 Perl module for Secure Sockets Layer (SSL)
ii libssl1.0.0 1.0.1-4ubuntu2 SSL shared libraries
ii libssl1.0.0:i386 1.0.1-4ubuntu2 SSL shared libraries
ii libwavpack1 4.60.1-2 audio codec (lossy and lossless) - library
ii openssl 1.0.1-4ubuntu2 Secure Socket Layer (SSL) binary and related cryptographic tools
ii python-openssl 0.12-1ubuntu2 Python wrapper around the OpenSSL library
ii ssl-cert 1.0.28 simple debconf wrapper for OpenSSL
Colin Watson (cjwatson) wrote : | #27 |
Disappointing. Thanks. Somebody should probably report this upstream for further analysis.
rmcd (rmcd1024) wrote : | #28 |
Out of my depth here but I did run wireshark and this is what I get at the point of failure.
53 24.094947 IntelCor_e1:28:94 Cisco_49:62:f0 SSL 253 Client Hello
54 24.116714 Cisco_49:62:f0 IntelCor_e1:28:94 TLSv1 60 Alert (Level: Fatal, Description: Bad Certificate)
55 24.117037 IntelCor_e1:28:94 Cisco_49:62:f0 EAP 24 Response, PEAP [Palekar]
56 24.123991 Cisco_49:62:f0 IntelCor_e1:28:94 EAP 60 Failure
Diane Trout (diane-trout) wrote : | #29 |
I tried today with wpasupplicant 0.7.3-6ubuntu2 and libssl1.0.0 1.0.1-4ubuntu3 and still didn't work.
I just figured out how to export a detailed packet trace with wireshark and am attaching the ClientHello and response messages from the non-working libssl1.
In preparing the dump I did renumber my mac address to end in 11:22:33 and the mac address of the access point to aa:bb:cc
The working versions seem to report their Client Hello version as ssl 3.0 and the non-working one as TLS 1.0. The SSL versions list 18 ciphers and the TLS version has 51 protocol suites.
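Comments #16 and #29 compare ClientHello messages by size, offered version and cipher-suite count. The following is an added example, not code from this thread or from wpa_supplicant or OpenSSL: it parses a ClientHello record and reports those fields plus the session ticket extension named in the bug description. The sample messages, placeholder suite IDs, filler extension type 65000 and the 255-byte limit (measured on the handshake message) are constructed or assumed from the thread's figures.

```python
import struct

SESSION_TICKET = 35   # SessionTicket TLS extension type (RFC 5077)
SIZE_LIMIT = 255      # assumption: largest size the thread expects the server to accept


class ParseError(ValueError):
    """Raised when the bytes are not a complete, well-formed ClientHello."""


def _take(buf, pos, n):
    """Return (buf[pos:pos+n], pos+n); refuse to read past the end."""
    if pos + n > len(buf):
        raise ParseError(f"truncated: need {n} bytes at offset {pos}")
    return buf[pos:pos + n], pos + n


def parse_client_hello(record):
    """Parse one TLS record holding a whole ClientHello (no fragmentation)."""
    hdr, pos = _take(record, 0, 5)
    if hdr[0] != 0x16:
        raise ParseError("not a TLS handshake record")
    frag, _ = _take(record, pos, int.from_bytes(hdr[3:5], "big"))
    hs_hdr, p = _take(frag, 0, 4)
    if hs_hdr[0] != 0x01:
        raise ParseError("handshake message is not a ClientHello")
    body, _ = _take(frag, p, int.from_bytes(hs_hdr[1:4], "big"))

    version, p = _take(body, 0, 2)
    _, p = _take(body, p, 32)                       # client random
    sid_len, p = _take(body, p, 1)
    _, p = _take(body, p, sid_len[0])               # session id
    cs_len, p = _take(body, p, 2)
    suites, p = _take(body, p, int.from_bytes(cs_len, "big"))
    if len(suites) % 2:
        raise ParseError("cipher_suites length is odd")
    comp_len, p = _take(body, p, 1)
    _, p = _take(body, p, comp_len[0])              # compression methods

    ext_types = []
    if p < len(body):                               # extensions are optional
        ext_len, p = _take(body, p, 2)
        exts, p = _take(body, p, int.from_bytes(ext_len, "big"))
        q = 0
        while q < len(exts):
            eh, q = _take(exts, q, 4)
            ext_types.append(int.from_bytes(eh[:2], "big"))
            _, q = _take(exts, q, int.from_bytes(eh[2:], "big"))

    hello_len = 4 + len(body)                       # handshake header + body
    return {
        "client_version": tuple(version),           # (3, 0) = SSL 3.0, (3, 1) = TLS 1.0
        "cipher_suites": len(suites) // 2,          # two bytes per suite
        "extensions": ext_types,
        "has_session_ticket": SESSION_TICKET in ext_types,
        "hello_len": hello_len,
        "over_limit": hello_len > SIZE_LIMIT,
    }


def suites_to_drop(hello_len, limit=SIZE_LIMIT):
    """How many 2-byte suites must go for the hello to fit within `limit`."""
    excess = hello_len - limit
    return 0 if excess <= 0 else (excess + 1) // 2


def build_client_hello(n_suites, extensions=(), version=(3, 1)):
    """Build a constructed ClientHello for testing; suite IDs are placeholders."""
    suites = b"".join(struct.pack("!H", i + 1) for i in range(n_suites))
    body = bytes(version) + bytes(32) + b"\x00"
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed samples shaped like the two hellos compared in the thread.
    small = build_client_hello(18, version=(3, 0))
    large = build_client_hello(51, [(SESSION_TICKET, b""), (65000, bytes(106))])
    for name, raw in (("small", small), ("large", large)):
        info = parse_client_hello(raw)
        print(name, info, "drop", suites_to_drop(info["hello_len"]), "suites")
```

To run it on a real capture, export the bytes of the TLS record carried in the EAP payload and pass them to `parse_client_hello`; a hello split across several EAP fragments must be reassembled first.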
rmcd (rmcd1024) wrote : | #30 |
I don't know if libssl 1.0.1-4ubuntu5 (in precise-proposed) was possibly supposed to contain a fix, but the error persists with that version.
Ryan Whalen (qf-ryan-nr) wrote : | #31 |
I've tried using Diane Trout's wpa_supplicant built mentioned above, but that did not fix the problem for me. I've been unable to access University wifi since upgrading from 11.10 to 12.04.
Scott Salley (ssalley) wrote : | #32 |
Diane Trout's wpa_supplicant fixed things for me with these wireless settings:
WPA & WPA2 Enterprise
Protected EAP (PEAP)
CA certificate
PEAP version: Automatic
MSCHAPv2
username/password
Diane Trout (diane-trout) wrote : | #33 |
Did you kill the wpa_supplicant process after installation? (Or reboot?)
If that doesn't work the other choice that worked for me is to install openssl 1.0.0e from 11.10 (and reinstall the default wpa_supplicant). My problem with that solution is the older version of openssl caused library problems with 12.04's curl. But you may not use curl so it might not be an issue in your case.
rmcd (rmcd1024) wrote : | #34 |
Diane's wpasupplicant worked for me. Great job Diane, thanks!
Benjamin Bex (dendanny) wrote : | #35 |
I also have a problem connecting to wired networks using peap (at work). Reverting openssl and libssl to 1.0.0e-2ubuntu4 resolved the problem. I suppose this is related to this bug.
OkonX (archanl) wrote : | #36 |
I also have this problem--I can't connect to the wireless here at my college. The wifi here uses the same settings as what Scott Salley (ssalley) mentioned above. I first started with Fedora 16--and had this problem. So, I reformatted and installed Ubuntu 11.10; everything worked great. Then I upgraded to Ubuntu 12.04 and now I have the same problem as I had before and what everyone else has.
I am a linux n00b. Could someone please explain to me exactly how to fix this? How do I rollback what changed from 11.10 to 12.04 so I can use my college's wifi again?
Benjamin Bex (dendanny) wrote : | #37 |
I will explain how I did it: revert to openssl and libssl1.0.0 version 1.0.0e-2ubuntu4
Open Terminal: type shell commands without the surrounding ""
"apt-cache showpkg openssl" will show which versions of openssl you have available on your system
If openssl is somewhere in the 'Provides:' list just do
"apt-get install openssl=
If you do not have the old versions in the apt-cache you can fetch them from
http://
You'll need to get openssl_
And you'll also need libssl1.
Get these two files to the affected computer with a flash drive, I got them by booting the install disk and downloading them there, then copy them to my harddisk. So you don't need two PCs but it is easier.
Go to the directory that contain the two deb files you need.
"cd /media" to go to the place where all these things are mounted
"ls" to see a list of flash drives... that are mounted
"cd nameofdrive" to go into that drive
You may need to cd your way through all the subfolders until "ls" gives you the name of the two deb files
Then you install these deb files with
"dpkg -iR ." this means install all debian packages from the folder '.'(and folder '.' is always the current folder you "cd"ed to)
Done, check "apt-cache showpkg openssl" to see the version is added
Now it is easiest to reboot, you could also kill all affected processes and restart them, but it may take you longer than a simple reboot.
This is what I did if I recall correctly.
Another option is given by diane-trout above.
OkonX (archanl) wrote : | #38 |
I get the error below after doing $ sudo dpkg -iR .
(Reading database ... 291933 files and directories currently installed.)
Preparing to replace openssl 1.0.0e-2ubuntu4 (using .../openssl_
Unpacking replacement openssl ...
Preparing to replace libssl1.0.0 1.0.0e-2ubuntu4 (using .../libssl1.
Unpacking replacement libssl1.0.0 ...
dpkg: error processing libssl1.0.0 (--install):
libssl1.0.0:amd64 1.0.0e-2ubuntu4 cannot be configured because libssl1.0.0:i386 is in a different version (1.0.1-4ubuntu5)
dpkg: dependency problems prevent configuration of openssl:
openssl depends on libssl1.0.0 (>= 1.0.0); however:
Package libssl1.0.0 is not configured yet.
dpkg: error processing openssl (--install):
dependency problems - leaving unconfigured
Processing triggers for man-db ...
Errors were encountered while processing:
libssl1.0.0
openssl
OkonX (archanl) wrote : | #39 |
Oh I see...this breaks nodejs which requires a higher version of libssl.
OkonX (archanl) wrote : | #40 |
Ah, sorry for comment spam--I wish I could edit or append previous comments.
Anyhow, dendaddy's instructions worked and I can connect to the wifi. But problem still remains with other packages that require higher versions ( this leads to the package manager fussing about it in update manager and elsewhere).
Changed in wpasupplicant: | |
importance: | Unknown → Medium |
status: | Unknown → Confirmed |
Changed in openssl: | |
importance: | Undecided → Unknown |
status: | New → Unknown |
Changed in openssl: | |
status: | Unknown → New |
Changed in wpasupplicant: | |
status: | Confirmed → In Progress |
Changed in wpasupplicant (Ubuntu): | |
assignee: | nobody → Mathieu Trudel-Lapierre (mathieu-tl) |
Changed in wpasupplicant (Ubuntu Precise): | |
assignee: | nobody → Mathieu Trudel-Lapierre (mathieu-tl) |
Changed in oem-priority: | |
importance: | Undecided → High |
Changed in oem-priority: | |
assignee: | nobody → James M. Leddy (jm-leddy) |
status: | New → In Progress |
tags: | added: rls-q-incomming |
tags: |
added: rls-q-incoming removed: rls-q-incomming |
tags: | added: patch |
Changed in wpasupplicant (Ubuntu): | |
importance: | Undecided → High |
status: | Incomplete → Triaged |
Changed in wpasupplicant (Ubuntu Precise): | |
importance: | Undecided → High |
status: | Incomplete → Triaged |
Changed in openssl (Debian): | |
status: | New → Confirmed |
Changed in wpasupplicant (Ubuntu): | |
status: | Triaged → In Progress |
Changed in wpa (Ubuntu Precise): | |
status: | New → Invalid |
Changed in wpasupplicant (Ubuntu): | |
status: | In Progress → Invalid |
Changed in wpa (Ubuntu): | |
importance: | Undecided → Medium |
status: | New → Fix Released |
description: | updated |
tags: | removed: rls-q-incoming |
Changed in openssl (Ubuntu): | |
assignee: | Colin Watson (cjwatson) → nobody |
status: | Triaged → Incomplete |
milestone: | precise-updates → none |
Changed in openssl (Ubuntu Precise): | |
assignee: | Colin Watson (cjwatson) → nobody |
milestone: | precise-updates → none |
status: | Triaged → Incomplete |
tags: | added: verification-needed |
tags: |
added: verification-done removed: verification-needed |
Changed in openssl (Ubuntu): | |
status: | Incomplete → Fix Committed |
status: | Fix Committed → Incomplete |
Changed in wpasupplicant (Ubuntu Precise): | |
status: | Triaged → Fix Committed |
Changed in wpasupplicant (Ubuntu Precise): | |
status: | Fix Committed → Triaged |
Changed in openssl (Ubuntu Precise): | |
status: | Incomplete → Fix Committed |
Changed in wpasupplicant (Ubuntu Precise): | |
status: | Triaged → Fix Committed |
tags: | removed: verification-done |
tags: | added: verification-needed |
tags: |
added: verification-failed removed: verification-needed |
tags: |
added: verification-needed removed: verification-failed |
Neo (neojia) wrote : | #113 |
I tried the updated wpa program and I still can't access my work wireless network.
I am using Dell XPS 13 and my company is using Aruba AP.
I saw this in the dmesg:
2985 [130380.278223] wlan0: Wrong control channel in association response: configured center-freq: 5200 hti-cfreq: 5805 hti->control_chan: 161 band: 1. Disabling HT.
2986 [130381.803188] cfg80211: All devices are disconnected, going to restore regulatory settings
2987 [130381.803203] cfg80211: Restoring regulatory settings
2988 [130381.803213] cfg80211: Calling CRDA to update world regulatory domain
2989 [130381.812512] cfg80211: Ignoring regulatory request Set by core since the driver uses its own custom regulatory domain
2990 [130381.812525] cfg80211: World regulatory domain updated:
2991 [130381.812530] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
2992 [130381.812540] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
2993 [130381.812549] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
2994 [130381.812556] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
2995 [130381.812564] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
2996 [130381.812571] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
2997 [130392.758524] wlan0: authenticate with d8:c7:c8:a4:ab:58 (try 1)
2998 [130392.759447] wlan0: authenticated
2999 [130392.759814] wlan0: associate with d8:c7:c8:a4:ab:58 (try 1)
3000 [130392.763081] wlan0: RX ReassocResp from d8:c7:c8:a4:ab:58 (capab=0x411 status=0 aid=12)
3001 [130392.763087] wlan0: associated
3002 [130392.763926] wlan0: Wrong control channel in association response: configured center-freq: 5200 hti-cfreq: 5805 hti->control_chan: 161 band: 1. Disabling HT.
3003 [130393.811006] cfg80211: All devices are disconnected, going to restore regulatory settings
3004 [130393.811022] cfg80211: Restoring regulatory settings
3005 [130393.811031] cfg80211: Calling CRDA to update world regulatory domain
3006 [130393.818827] cfg80211: Ignoring regulatory request Set by core since the driver uses its own custom regulatory domain
3007 [130393.818840] cfg80211: World regulatory domain updated:
rmcd (rmcd1024) wrote : | #114 |
Mathieu,
First, sorry if I was premature in changing the tag, I thought I was acting as instructed.
I definitely do have permission to access the resource, and my android phone has no problem connecting. My computer did connect when I first rebooted, so I presume that serves as a test about settings. I didn't change the settings afterwards and it never connected again. I am in touch with our networking people. They are aware of the issue, but there are not many linux users and I am not knowledgeable about networking so I need assistance in asking them for help. Anything you can suggest?
What I plan to do when I have time is to install the proposed software on my bootable USB version of 12.04 and try that. I am open to other suggestions.
Neo (neojia) wrote : | #115 |
Hi,
I saw a lot of people still having the connection issues after applying this updates. I don't know if this is caused by a combination of using Dell XPS 13 + Aruba AP.
I have filed a bug 1019081 to track this issue, so please speak up there if you are seeing the same problem. I assume this is causing the failed connection:
"wlan0: Wrong control channel in association response: configured center-freq: 5200 hti-cfreq: 5805 hti->control_chan: 161 band: 1. Disabling HT."
Updating to mainline kernel "http://
Thanks,
Neo
rmcd: the tag change was fine, but this bug is special in that it affects others (people using Aruba) and seems to fix the issue properly.
I suggest asking them to check authentication logs to see what the AP or authentication server wrote when you tried to connect and did your first successful connection, then what it wrote for the following unsuccessful connections. It's going to be a huge hint towards what is broken there.
Neo; indeed, the "Wrong control channel" error message is a kernel issue.
Lars Vierbergen (vierbergenlars-m-deactivatedaccount-deactivatedaccount-deactivatedaccount) wrote : | #117 |
The bug is not fixed on my network (KULeuven/Eduroam)
Dmesg log: (grepped for wlan0)
[ 37.885705] ADDRCONF(
[ 103.898976] ADDRCONF(
[ 182.706388] wlan0: authenticate with 00:26:99:99:93:cd (try 1)
[ 182.709876] wlan0: authenticated
[ 182.710586] wlan0: associate with 00:26:99:99:93:cd (try 1)
[ 182.718540] wlan0: RX AssocResp from 00:26:99:99:93:cd (capab=0x11 status=0 aid=8)
[ 182.718549] wlan0: associated
[ 182.724260] ADDRCONF(
[ 236.004976] wlan0: deauthenticating from 00:26:99:99:93:cd by local choice (reason=3)
[ 5155.412467] ADDRCONF(
[ 5162.798052] wlan0: authenticate with 00:3a:98:c1:28:c2 (try 1)
[ 5162.800314] wlan0: authenticated
[ 5163.016468] wlan0: associate with 00:3a:98:c1:28:c2 (try 1)
[ 5163.021561] wlan0: RX AssocResp from 00:3a:98:c1:28:c2 (capab=0x411 status=0 aid=71)
[ 5163.021567] wlan0: associated
[ 5163.025957] ADDRCONF(
[ 5177.196392] wlan0: disassociating from 00:3a:98:c1:28:c2 by local choice (reason=3)
[ 5177.214274] wlan0: deauthenticating from 00:3a:98:c1:28:c2 by local choice (reason=3)
[ 5180.487626] wlan0: authenticate with 00:3a:98:c1:28:c2 (try 1)
[ 5180.492060] wlan0: authenticated
[ 5180.492382] wlan0: associate with 00:3a:98:c1:28:c2 (try 1)
[ 5180.497998] wlan0: RX ReassocResp from 00:3a:98:c1:28:c2 (capab=0x11 status=0 aid=71)
[ 5180.498004] wlan0: associated
[ 5182.724740] wlan0: disassociating from 00:3a:98:c1:28:c2 by local choice (reason=3)
[ 5182.749047] wlan0: deauthenticating from 00:3a:98:c1:28:c2 by local choice (reason=3)
[ 5186.024820] wlan0: authenticate with 00:26:99:99:93:c2 (try 1)
[ 5186.027693] wlan0: authenticated
[ 5186.048651] wlan0: associate with 00:26:99:99:93:c2 (try 1)
[ 5186.052456] wlan0: RX ReassocResp from 00:26:99:99:93:c2 (capab=0x411 status=0 aid=154)
[ 5186.052462] wlan0: associated
[ 5188.215355] wlan0: disassociating from 00:26:99:99:93:c2 by local choice (reason=3)
[ 5188.252204] wlan0: deauthenticating from 00:26:99:99:93:c2 by local choice (reason=3)
[ 5191.520497] wlan0: authenticate with 00:26:99:99:93:c2 (try 1)
[ 5191.525983] wlan0: authenticated
[ 5191.526382] wlan0: associate with 00:26:99:99:93:c2 (try 1)
[ 5191.533362] wlan0: RX ReassocResp from 00:26:99:99:93:c2 (capab=0x411 status=0 aid=154)
[ 5191.533368] wlan0: associated
[ 5193.732081] wlan0: disassociating from 00:26:99:99:93:c2 by local choice (reason=3)
[ 5193.750543] wlan0: deauthenticating from 00:26:99:99:93:c2 by local choice (reason=3)
[ 5197.021400] wlan0: direct probe to 00:3a:98:d5:ac:62 (try 1/3)
[ 5197.220048] wlan0: direct probe to 00:3a:98:d5:ac:62 (try 2/3)
[ 5197.420047] wlan0: direct probe to 00:3a:98:d5:ac:62 (try 3/3)
[ 5197.620040] wlan0: direct probe to 00:3a:98:d5:ac:62 timed out
[ 5205.856240] wlan0: direct probe to 00:3a:98:c1:28:cd (try 1/3)
[ 5205.857324] wlan0: direct probe responded
[ 5205.872054] wlan0: authenticate with 00:3a:98:c1:28:cd (try 1)
[ 5205.873432] wlan0: authenticated
[ 5205.873714] wlan0: associate with 00:3a:98:c1:28:cd (try 1)
[ 5205.878299] wlan0: RX Reasso...
Lars Vierbergen (vierbergenlars-m-deactivatedaccount-deactivatedaccount-deactivatedaccount) wrote : | #118 |
At another location Eduroam works just fine. (BTW: I rebooted my laptop)
Gary Lyons (gllyons) wrote : | #119 |
I'm also at Northwestern like rmcd but the package in precise-proposed works fine for me. The problem was first resolved for me in the package in PPA https:/
But I switched to the one in proposed to see if there was an issue and I can't find one. Maybe rmcd's problem is something different?
Jeremy Nickurak (nickurak) wrote : Re: [Bug 969343] Re: Unable to connect to WPA enterprise wireless | #120 |
When switching versions, are you guys making sure to reboot, or at
least kill the wpa_supplicant process?
If you're not, you're still testing the version from before you
upgraded, not the new one.
Gary Lyons (gllyons) wrote : | #121 |
I rebooted after installing the package from proposed and after that I tried disconnecting and reconnecting a few times to test things and it all worked.
rmcd (rmcd1024) wrote : | #122 |
@nickurak: Yes, I reboot when I switch versions.
Alan Barr (alanb) wrote : | #123 |
I can confirm the proposed fix works for me accessing Wifi with Enterprise security and TTL/PAP authentication.
Jarvis Schultz (jarvisschultz) wrote : | #124 |
@gllyons the proposed fix also worked for me at Northwestern.
Nailer1887 (barry-titterton) wrote : | #125 |
The precise-proposed fix worked for me today at Durham University, UK. The uni uses WPA2 Enterprise with AES. Thanks to everyone who worked on the fix.
quantumkit (quantumkit) wrote : | #126 |
Here in UCSD. No success. Can anyone tell me what versions of stuff you are using? I am using:
wpasupplicant : 0.7.3-6ubuntu2.1
libssl1.0.0 : 1.0.1-4ubuntu5.5
openssl : 1.0.1-4ubuntu5.5
my kernel is 3.2.0-31-generic
Thanks!
James M. Leddy (jm-leddy) wrote : | #127 |
marking verification-done based on comment #125
tags: |
added: verification-done verification-done-precise removed: verification-needed |
Changed in oem-priority: | |
status: | In Progress → Fix Committed |
Scott Kitterman (kitterman) wrote : | #128 |
For people still having problems (that had problems prior to this version), please file a new bug referencing this one. Regressions from the released version with this update should be reported here.
The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Launchpad Janitor (janitor) wrote : | #130 |
This bug was fixed in the package wpasupplicant - 0.7.3-6ubuntu2.1
---------------
wpasupplicant (0.7.3-6ubuntu2.1) precise-proposed; urgency=low
* debian/
extension to fix auth with 802.1x PEAP on some hardware. (LP: #969343)
-- Mathieu Trudel-Lapierre <email address hidden> Mon, 17 Sep 2012 17:08:22 -0400
Changed in wpasupplicant (Ubuntu Precise): | |
status: | Fix Committed → Fix Released |
ttosttos (ttosttos) wrote : | #131 |
Fix only alleviated the situation for me. Went from no connectivity to frequent disconnects. Upgrading to kernel 3.5.0-030500-
Nailer1887 (barry-titterton) wrote : | #132 |
My enthusiasm for reporting the problem fixed (#125) was premature: the connection only worked twice, it is now only able to connect approximately once in every five attempts. The problem only persists with the network using WPA Enterprise with AES encryption, a separate network that uses WPA Enterprise with TKIP encryption works perfectly (so far). I shall look at raising another bug specifically on the AES encryption issue.
rmcd (rmcd1024) wrote : | #133 |
I have an ignorant question: There is no AES choice in the configuration dialog for WPA2, so which of the encryption methods are AES? (Is PEAP the same as AES?)
Another question: My android (ICS) phone connects successfully to our wpa2 network using peap, but it automatically configured "none" for phase 2 authentication. None is not an option for 12.04 and I am selecting MSChap2. Should there be a "none" option?
Changed in oem-priority: | |
status: | Fix Committed → Fix Released |
Felix Haller (felixhaller) wrote : | #134 |
I wonder why this isn't fixed yet. There are many users waiting for a fix, especially students and profs, because many of them are using the "eduroam" network (mentioned some times before).
When using eduroam wifi after a while my notebook stops working like expected: I'm unable to suspend (kernel panic) and the network connection is getting slower and slower till it stops working. The whole system crashes, so it's very dangerous to connect to such a network.
I attached a config screenshot....maybe it helps...
Benjamin Kay (benkay) wrote : | #135 |
Felix, this bug *has* been fixed in Ubuntu 12.04 (Precise Pangolin) and later. From your comment, it sounds like you are describing an unrelated wifi bug. This bug prevented users from connecting to certain WPA2 Enterprise networks. The bug in your comment allows you to connect to a WPA2 Enterprise network but, some time later, causes a kernel panic. This is almost certainly a kernel/driver issue and *not* a bug in wpasupplicant or openssl. If your bug hasn't already been reported, I suggest opening a new bug and providing the brand/model of your wifi card, a kernel stack trace, and the output of dmesg, if possible.
Changed in openssl (Ubuntu): | |
status: | Incomplete → Fix Released |
rmcd (rmcd1024) wrote : | #137 |
@felixhaller: I share your frustration. I have what seems to be yet a different version of the bug, where in 12.04 I remain unable to connect to WPA2 Enterprise networks.
The fix for me was upgrading to 12.10. Now I can connect reliably and maintain the connection. I realize this may not be feasible for you. However, you may want to try a live CD and see if you can connect with 12.10. If 12.10 works for you and 12.04 does not, that should narrow down the possible causes of the problem.
Felix Haller (felixhaller) wrote : | #138 |
I already use 12.10. I can connect to all wifi networks, there are only problems when connecting to eduroam network (wpa2 enterprise). My notebook is working just fine with the other networks (eg. my private one --> WPA2 personal).
I think I will open a new bug...thanks for all the information.
Adolfo Jayme (fitojb) wrote : | #139 |
The user todaioan seems to be vandalizing a lot of bugs. I'm reverting his change.
Changed in openssl (Ubuntu): | |
status: | Fix Released → Incomplete |
|
#150 |
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.
(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)
More information and reason for this action is here:
https:/
Sebastian Geiger (lanoxx) wrote : | #140 |
I am experiencing this issue on ubuntu 12.10. I am connecting to an eduroam wireless network with WPA2 enterprise encryption and the connection fails after a few minutes. Sometimes it does not connect at all. Most of the time one of the following workarounds works but the effect is only temporary until the connection is lost again:
* Toggle the RF Killswitch
* Suspend and wake up again
* killall nm-applet && nm-applet
If I can contribute anything that would help to fix this issue, please let me know.
Jonathan Steinhart (jsteinhart) wrote : | #141 |
For what it's worth, I'm having this in an up-to-date 12.04 too. Wireless works flawlessly, except when connecting to an eduroam network, in which case it times out with this repeated in the syslog:
Apr 17 12:10:49 X kernel: [ 1987.661492] rtl8192c_common: Loading firmware file rtlwifi/
Apr 17 12:10:50 X wpa_supplicant[
Apr 17 12:10:50 X kernel: [ 1988.874687] wlan0: direct probe to [AP:MAC:ADDR] (try 1/3)
Apr 17 12:10:50 X kernel: [ 1989.074082] wlan0: direct probe to [AP:MAC:ADDR] (try 2/3)
Apr 17 12:10:51 X kernel: [ 1989.274142] wlan0: direct probe to [AP:MAC:ADDR] (try 3/3)
Apr 17 12:10:51 X kernel: [ 1989.474110] wlan0: direct probe to [AP:MAC:ADDR] timed out
Apr 17 12:10:51 X kernel: [ 1989.577031] rtl8192c_common: Loading firmware file rtlwifi/
I'm not sure how to interpret the history/status of this bug - is it still alive? Please let me know if this belongs somewhere else, or if there's any more info I can provide.
datube (datube) wrote : | #142 |
We just implemented a lot of Aruba (ap-105) access points and I (we) also experience this problem (as described @Impact). While searching the www I couldn't really pinpoint what I could do as a work-around. I myself use 12.04, but the problem also exists on 13.04. I have a Thinkpad T410s. With the stock kernel (and up-to-date system) I wasn't able to connect to our wireless network, so I decided to do an install of a mainline kernel (v3.4-precise). After rebooting I was able to connect without any troubles.
Do not know if it's (still) relevant but if it is I want to provide you with any information possible to help with a solution
Pepe Lebuntu (majagray75) wrote : | #143 |
I'm still having this problem. I've had it now on several different computers, including now my Lenovo X121e.
For a while, I could login to WPA2-Enterprise wifi, but now I can't: not eduroam, or any other.
Pepe Lebuntu (majagray75) wrote : | #144 |
I should add, I'm using Xubuntu 12.10
Martin Bruns (martin-konahina) wrote : | #145 |
While using ubuntu 12.10 (wpasupplicant 1.0-2ubuntu5 and openssl 1.0.1c-3ubuntu2) I can login to my company's wireless lan.
But which packages for 13.04 will have that fix which came with 1.0-2ubuntu5?
Martin Bruns (martin-konahina) wrote : | #146 |
Finally found that deleting the WLANs file in /etc/NetworkMan
Changed in openssl (Ubuntu): | |
status: | Incomplete → Invalid |
Changed in openssl (Ubuntu Precise): | |
status: | Fix Committed → Invalid |
tags: | removed: verification-done-precise |
affects: | openssl (Debian) → wpa (Debian) |
Changed in wpa (Debian): | |
status: | Confirmed → Fix Released |
|
#151 |
This message is a notice that Fedora 19 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 19. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 19 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
I cannot reproduce the bug with current versions. So closing this bz.
Changed in wpasupplicant (Fedora): | |
importance: | Unknown → Undecided |
status: | Unknown → Invalid |
Created attachment 566264
with openssl-1.0.0g-1.fc17.x86_64
Authentication in wpa_supplicant fails with openssl-1.0.1-0.1.beta2.fc17.x86_64 (security: wpa/wpa2 enterprise, authentication ttls). Here is the output of wpa_supplicant, debug enabled, with current openssl and with previous version. The authentication problem occurs just after the occurrence of "no matching PMKID found"