Identity/Domain problem in PEAP

Bug #897399 reported by David L. Johnson on 2011-11-28
26
This bug affects 4 people
Affects Status Importance Assigned to Milestone
wicd
High
David Paleino

Bug Description

I'm using wicd 1.7 in an up-to-date (as of 11/28/11) debian testing; just moved to XFCE4 and wicd to avoid Gnome3.

Problem was that, while I could connect to my home (unsecured) wifi, I could not do so at the office (Lehigh University), using their WPA2-PEAP system.

No matter what I did I got a "bad passowrd" reply. Yes, my password is correct. I was using WPA2-PEAP settings.

I poked around, and found that the files in /var/lib/wicd/configurations/* (the filenames are just the bssid's of the connections) had, as the identity line:

    identity="lehigh.edu\$_IDENTITY"

that was the identity that it passed on to wpa_supplicant, so actually it was the identity, not the password, that was wrong. The server would of course just give back the bas-password reply.

I think that is a bug in the script for WPA2-PEAP in /etc/wicd/encryption/templates, which has

    identity="$_DOMAIN\$_IDENTITY"

and it seems that only the first part is translated to the domain.

In addition, I found a new template on the net, which is what finally worked for me, on http://www.backtrack-linux.org/forums/old-backtrack-4-bugs-fixes/19639-wicd-peap-mschapv2 which suggests to add a template /etc/wicd/encryption/templates/peap-mschapv2

--------------------------------
name = PEAP with MSCHAPv2
author = ElitestFX
version = 1
require identity *Identity password *Password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
        ssid="$_ESSID"
        scan_ssid=$_SCAN
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="$_IDENTITY"
        password="$_PASSWORD"
        phase2="auth=MSCHAPV2"
}

--------------------------------
 I actually modified it to put the phase2 command at the end, which seems a bit more reliable. Then add peap-mschapv2 to /etc/wicd/encryption/templates/active and it works.

It does seem to not work every time, but if I insist, it will connect. Maybe the template needs a bit of tweaking to be more stable.

At any rate, I think the provided templates using identity="$_DOMAIN\$_IDENTITY" are incorrect. Moreover, at least my system does not need the domain as part of the identity, so adding this might be helpful to others.

Related branches

Julien (jucor) wrote :

I confirm that I have the same problem of only $_DOMAIN being replaced.
More generally, it seems that only (all the ocurrences of) the first variable to occur will be replaced. For example
$_DOMAIN $_IDENTITY $_DOMAIN $_IDENTITY
will be replaced by
mydomain $_IDENTITY mydomain $_IDENTITY

I tried to find which part of wicd takes care of this replacement to fix it, but unfortunately failed to find it.

Julien Rabier (taziden) wrote :

Hi,

I'm also experiencing this issue. The problem is located in the ParseEncryption function of wicd/misc.py.
I'm not quite sure to know how to fix it though.

As stated by jucor, the other variables should also be replaced, that means, cur_val[n].

Julien (jucor) wrote :

Well spotted Julien!
Could'n that be done with a simple loop on the index of cur_val, wrapping lines 291 to 302?

David Paleino (dpaleino) wrote :

Wow.

Thanks everybody for the inputs. I totally missed this bug.

I'm attaching a patch, which basically wraps the right things into a for loop, as suggested by Julien (jucor) -- and reindents everything to the correct place.

I'm not yet committing this -- I'll wait for your responses first.

Thanks for all the help!

Changed in wicd:
assignee: nobody → David Paleino (dpaleino)
milestone: none → 1.7.3
importance: Undecided → High
status: New → In Progress
Julien Rabier (taziden) wrote :

Hi David,

Thanks for the quick answer and the patch !

I'll test your patch tomorrow at work and i'll update this bug report accordingly if nobody has tested it yet.

Julien

Julien Rabier (taziden) wrote :

Hi,

Good news, it's working !
Not so bad news, there is a duplicate line for the identity entry : one "untouched (identity="AD\$_IDENTITY") et one with the correct variables replaced (identity="mydomain\myusername").

Julien

Thanks for patching, David, and for testing, Julien! Sorry I can't test
right now. David, does Python have regexp-ish replacement rules that
you could use, to avoid having to deal with corner-cases and risking
forgetting some replacements? [I'm just thinking aloud, there]

On 29/10/12 09:40, Julien Rabier wrote:
> Hi,
>
> Good news, it's working !
> Not so bad news, there is a duplicate line for the identity entry : one "untouched (identity="AD\$_IDENTITY") et one with the correct variables replaced (identity="mydomain\myusername").
>
> Julien
>

--
Julien Cornebise, Ph.D.
http://www.cornebise.com/julien/

David Paleino (dpaleino) wrote :

On Mon, 29 Oct 2012 21:05:21 -0000, Julien wrote:

> Thanks for patching, David, and for testing, Julien! Sorry I can't test
> right now. David, does Python have regexp-ish replacement rules that
> you could use, to avoid having to deal with corner-cases and risking
> forgetting some replacements? [I'm just thinking aloud, there]

None that I know of, unfortunately. More or less all the solutions seem to be
the same.

The actual code shouldn't "forget" anything, since it loops over all found
$_VARIABLES, and if one of those has no value, it would just ignore the line.

Still, what intrigues me is what Julien (the other one :)) wrote, about the
duplicated lines. I'm not able to reproduce that behaviour.

I'm committing the current fix, and marking the bug has done; Julien (the other
one); if you could please check whether the "double line bug" really happens
after checking the template, and maybe using other templates too; that would be
really helpful.

--
 . ''`. Debian developer | http://wiki.debian.org/DavidPaleino
 : :' : Linuxer #334216 --|-- http://www.hanskalabs.net/
 `. `'` GPG: 1392B174 ----|---- http://deb.li/dapal
   `- 2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174

Changed in wicd:
status: In Progress → Fix Committed
Julien Rabier (taziden) wrote :

Hi David,

I can confirm the duplicate line issue. But maybe this is because I patched against the current debian sid version of wicd : 7.2.4-4.

Shou Ya (shouya) wrote :

Hi,

This problem still exists in 2015, isn't the fix going to be accepted into the upstream code?

Shou Ya

Axel Beckert (xtaran) wrote :

I think this bug report contains two separate issues:

One is the code issue about not filling up templates correctly. This has been fixed by David in upstream and whose fix is included in current wicd packages in Debian and Ubuntu. Accordingly this issue can be considered as fixed.

The other one is the issue about the WPA-PEAP and WPA2-PEAP templates requiring (and filling in) the DOMAIN field/variable which is not always necessary. This issue is tracked in https://bugs.launchpad.net/wicd/+bug/1591489 and hence I'll track it there. (Upload to Debian Unstable to fix that issue will happen soon.)

I'm hence now closing this bug report as the code issue has been fixed a long time ago and is part of a release for quite a while now, too.

Shou Ya: I assume you refer to the second issue. Please follow #1591489 instead.

Changed in wicd:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers