Unable to connect to WPA enterprise wireless

Bug #969343 reported by rmcd
This bug affects 70 people
Affects                   Status        Importance  Assigned to              Milestone
OEM Priority Project      Fix Released  High        James M. Leddy
  Precise                 Fix Released  High        Unassigned
OpenSSL                   Invalid       Unknown
wpa_supplicant            In Progress   Medium
openssl (Fedora)          New           Undecided   Unassigned
openssl (Ubuntu)          Invalid       High        Unassigned
  Precise                 Invalid       High        Unassigned
wpa (Debian)              Fix Released  Unknown
wpa (Ubuntu)              Fix Released  Medium      Unassigned
  Precise                 Invalid       Undecided   Unassigned
wpasupplicant (Fedora)    Invalid       Undecided
wpasupplicant (Ubuntu)    Invalid       High        Mathieu Trudel-Lapierre
  Precise                 Fix Released  High        Mathieu Trudel-Lapierre

Bug Description

[Impact]
Breaks 802.1x (PEAP) authentication for wireless networks using specific authentication servers and/or AP hardware. Aruba network devices specifically are known to be affected, and are a popular device type used in enterprises to secure wireless networks.

[Test Case]
This issue is hardware specific and may or may not be limited to Aruba authentication servers.
1) Attempt to connect / authenticate to a wireless, 802.1x network requiring Protected EAP (or possibly other auth mechanisms).
2) (optionally) Watch SSL traffic between the station and authentication server using wireshark/tcpdump, looking for auth failures and the extensions passed.

[Regression Potential]
Since this changes the SSL extensions and options used to connect to 802.1x wireless networks, some networks specifically configured to request or make use of the session ticket extension could be made impossible to successfully authenticate to, up to the point where multiple connection failures could lock the accounts used in highly-restricted networks. Also, there is a potential (again, due to the change in SSL options) for other networks (using specific AP hardware) that don't support the extensions used to fail authentication.

---

Using identical settings as in 11.10, I am unable to make a wpa enterprise connection using xubuntu precise beta 2. This is a Lenovo X220 with a Centrino Advanced-N 6205 wireless interface. During the attempted logon, I am not presented with a certificate to approve, although wireless instructions for OSX suggest that I should be. However, I never had to approve a certificate when connecting with 11.10 -- I just ignored the certificate screen and everything worked.

This seems like the relevant excerpt from syslog:

Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: Trying to associate with 00:11:92:3e:79:80 (SSID='Northwestern' freq=2462 MHz)
Mar 30 10:39:01 fin8344m2 NetworkManager[848]: <info> (wlan0): supplicant interface state: scanning -> associating
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.940422] wlan0: authenticated
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.940974] wlan0: associate with 00:11:92:3e:79:80 (try 1)
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.943165] wlan0: RX ReassocResp from 00:11:92:3e:79:80 (capab=0x431 status=0 aid=222)
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.943174] wlan0: associated
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: Associated with 00:11:92:3e:79:80
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-STARTED EAP authentication started
Mar 30 10:39:01 fin8344m2 NetworkManager[848]: <info> (wlan0): supplicant interface state: associating -> associated
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: OpenSSL: openssl_handshake - SSL_connect error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Mar 30 10:39:01 fin8344m2 wpa_supplicant[1116]: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Mar 30 10:39:01 fin8344m2 kernel: [ 2201.969742] wlan0: deauthenticated from 00:11:92:3e:79:80 (Reason: 23)

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: network-manager 0.9.4.0-0ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-20.33-generic 3.2.12
Uname: Linux 3.2.0-20-generic x86_64
ApportVersion: 2.0-0ubuntu1
Architecture: amd64
Date: Fri Mar 30 10:34:13 2012
IfupdownConfig:
 auto lo
 iface lo inet loopback
InstallationMedia: Xubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120328)
NetworkManager.state:
 [main]
 NetworkingEnabled=true
 WirelessEnabled=true
 WWANEnabled=true
 WimaxEnabled=true
ProcEnviron:
 LANGUAGE=en_US:en
 TERM=xterm
 LANG=en_US.UTF-8
 SHELL=/bin/bash
RfKill:
 0: phy0: Wireless LAN
  Soft blocked: no
  Hard blocked: no
SourcePackage: network-manager
UpgradeStatus: No upgrade log present (probably fresh install)
nmcli-con: Error: command ['nmcli', '-f', 'all', 'con'] failed with exit code 1: Error: Can't obtain connections: settings service is not running.

In , Fabrice (fabrice-redhat-bugs) wrote :

Created attachment 566264
with openssl-1.0.0g-1.fc17.x86_64

Authentication in wpa_supplicant fails with openssl-1.0.1-0.1.beta2.fc17.x86_64 (security: wpa/wpa2 enterprise, authentication ttls). Here is the output of wpa_supplicant, debug enabled, with current openssl and with previous version. The authentication problem occurs just after the occurrence of "no matching PMKID found"

In , Fabrice (fabrice-redhat-bugs) wrote :

Created attachment 566265
with openssl-1.0.1-0.1.beta2.fc17.x86_64

In , Tomas (tomas-redhat-bugs) wrote :

The problem is indicated by this line:
EAP-TTLS: Failed to derive key

This message means that eap_peer_tls_derive_key() function failed. I'd need more low level debugging output to find out which function called from OpenSSL library fails or behaves differently.

I suppose it is related to the new TLS-1.2 support in openssl-1.0.1. Perhaps the wpa_supplicant should forcibly limit the TLS version to 1.0?

Reassigning to wpa_supplicant for better insight from wpa_supplicant maintainers.

rmcd (rmcd1024) wrote :
affects: ubuntu → network-manager (Ubuntu)
jwhendy (jw-hendy) wrote :

I may have the same issue. I'm on an HP8540w EliteBook.

$ lspci
44:00.0 Network controller: Intel Corporation Centrino Ultimate-N 6300 (rev 35)

I was connecting to my corporate WPA2 network until quite recently (unsure when the issue arose, as I'm typically docked and using ethernet). I first noticed the issue this past Friday, 03/03/2012. I use wicd with the PEAP-GTC encryption setting and have not changed anything about my setup. I'm on Arch Linux, however in using wpa_supplicant manually and googling the ssl error that resulted, I got the same error posted here, so I thought I'd chime in.

Let me know if any additional information would be useful.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
Simon Barber (simon-superduper) wrote :

What RADIUS server is used on your network? I am having the problem and we use Steel Belted radius here. The RADIUS server is rejecting the Client Hello message. This comes from openssl.

Simon Barber (simon-superduper) wrote :

The problem is in wpasupplicant.

affects: network-manager (Ubuntu) → wpasupplicant (Ubuntu)
jwhendy (jw-hendy) wrote :

I'm not sure where the problem is. I get an openssl certificate error, which doesn't immediately tell me that it's wpa_supplicant. My primary point of curiosity is that my logs suggest that nothing has changed in my setup whatsoever. I know I connected to the same WPA2 enterprise network on 03.18.2012, yet my wicd wpa_supplicant configs have been the same since the beginning of March.

I did note an Arch Linux update to both dhcpcd and openssl since that date, so I may try to revert and see if I can track down the issue to an updated package. There's not much noise about this issue, though, so if it's upgrade related I'm surprised more people aren't speaking up.

Simon Barber (simon-superduper) wrote :

For me everything was fine running Ubuntu 11.10, and upgrading to 12.04rc2 I suddenly see this failure. I suspect openssl, since that is the code wpa_supplicant uses to generate the TLS authentication messages. These messages are going out OK, but the RADIUS server does not like the contents.

Simon Barber (simon-superduper) wrote :

Can you capture a packet trace on the wireless interface while wpasupplicant is trying to authenticate? You'll need to run wireshark as root.

I'm seeing the exact same TLS error:

SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate

jwhendy (jw-hendy) wrote :

Could this be related? I'm going to try rolling back OpenSSL to see what happens...
-- https://bbs.archlinux.org/viewtopic.php?id=138103

Simon Barber (simon-superduper) wrote :

Not related for me - the openssl package in Ubuntu 12.04rc2 already has the patches described at that link.

jwhendy (jw-hendy) wrote :

Got a chance to downgrade via the Arch Rollback Machine to openssl-1.0.0.h-1 and I can successfully connect to wireless again. Perhaps not the same issue... but my problem seems directly related to openssl.

Can someone try on Ubuntu just to amuse me? For what it's worth, Arch didn't have any issues downgrading to 1.0.0 from 1.0.1 so hopefully Synaptic or apt-get won't burden anyone with a ton of manual dependency futzing.

Raghav K. (raghavk) wrote :

I'm experiencing the same problem on Debian (also on a Lenovo X220), but rolling back to openssl-1.0.0.h-1 didn't fix things for me.

Raghav K. (raghavk) wrote :

Here's a packet trace of the server rejecting the hello.

Raghav K. (raghavk) wrote :

Apologies for the triple post, but I can confirm that going back to openssl-1.0.0.h-1 fixes the problem. So it does seem to be an openssl bug.

Diane Trout (diane-trout) wrote :

I went looking for alternate versions of libssl 1.0.0 in http://us.archive.ubuntu.com/ubuntu/pool/main/o/openssl/

To have any effect I needed to kill wpa_supplicant after installing the alternate version of libssl.

libssl1.0.0_1.0.0e-2ubuntu4 works for me.

Raghav K. (raghavk)
affects: wpasupplicant (Debian) → openssl (Debian)
Diane Trout (diane-trout) wrote :

I built a version of wpasupplicant_0.7.3-6ubuntu2 that works for me, by switching from openssl to gnutls.

I think wpasupplicant with openssl was offering 57 ciphers and with gnutls it was around 15. (I didn't write the numbers down and am having trouble getting it to regenerate the client hello message), so am not certain.

If wpa supplicant is building the list of ciphers from openssl for the client hello message, maybe it would also be possible to disable some of the rare ones? I tried some of the obvious things like -DOPENSSL_NO_RC2 -DOPENSSL_NO_DES, but later realised that was probably if you'd disabled those in openssl itself.

It looks like each cipher offered takes 2 bytes, and the failing openssl packet was 261 bytes, so you just need to get it below 255 bytes -- so remove 3 ciphers?

The patch I used to make it work, given the difficulties in getting acceptance for gnutls, I bet it'd cause other problems.

--- wpasupplicant-0.7.3/debian/config/linux 2012-03-13 16:11:24.000000000 -0700
+++ wpasupplicant-0.7.3.new/debian/config/linux 2012-04-06 13:26:03.230123515 -0700
@@ -33,5 +33,5 @@
 CONFIG_PEERKEY=y
 CONFIG_IEEE80211W=y
-CONFIG_TLS=openssl
+CONFIG_TLS=gnutls
 CONFIG_CTRL_IFACE_DBUS=y
 CONFIG_CTRL_IFACE_DBUS_NEW=y
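Review bot: `CONFIG_TLS=gnutls` in debian/config/linux swaps the TLS backend for every build of the package, yet the hunk carries no comment saying why it was changed or when it can be reverted. Add a comment above that line pointing at this bug, and check that debian/control declares the matching GnuTLS build dependency, since the patch as shown touches only the config file. Because the swap replaces the whole TLS stack for all EAP users instead of trimming the OpenSSL ClientHello, it is better carried as a local workaround than merged as the fix.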

Changed in openssl (Debian):
status: Unknown → New
rmcd (rmcd1024) wrote :

I can confirm that libssl1.0.0_1.0.0e-2ubuntu4 fixes the problem.

Diane Trout (diane-trout) wrote :

Still broken with wpasupplicant 0.7.3-6ubuntu2 & openssl 1.0.1-2ubuntu4

Diane Trout (diane-trout) wrote :

Had the same non-working 261 byte client hello message that doesn't work with wpasupplicant 0.7.3-6ubuntu2 and openssl 1.0.1-4ubuntu1.

Assuming updating, and killing /sbin/wpa_supplicant was enough to get wpa supplicant to use the updated openssl

rmcd (rmcd1024) wrote :

I also found that openssl 1.0.1-4ubuntu1 did not fix the problem for me. I rebooted after the upgrade to make sure it was installed.

I hope that this bug will be assigned a high priority. Non-working wireless is a real problem, and will potentially result in bad press.

Diane Trout (diane-trout) wrote :

While we're waiting for a fix in openssl, I built a version of wpasupplicant linked against gnutls and placed it in a ppa https://launchpad.net/~diane-trout/+archive/wpasupplicant-gnutls

It at least works well enough for me to connect to my company's wpa2-enterprise and my home's wpa2-psk networks.

Mathieu Trudel-Lapierre (cyphermox) wrote :

This is confirmed to be related to openssl rather than wpasupplicant, so I'm setting up the task for it.

Changed in openssl (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Changed in wpasupplicant (Ubuntu):
status: Confirmed → Incomplete
Changed in openssl (Ubuntu):
status: Confirmed → Triaged
assignee: nobody → Canonical Foundations Team (canonical-foundations)
Raghav K. (raghavk) wrote :

Recompiling OpenSSL with these patches from upstream also seems to fix the problem: http://rt.openssl.org/Ticket/Display.html?id=2771

Steve Langasek (vorlon)
Changed in openssl (Ubuntu Precise):
assignee: Canonical Foundations Team (canonical-foundations) → Colin Watson (cjwatson)
milestone: none → precise-updates
Colin Watson (cjwatson) wrote :

@Raghav K. (comment 23): Really? The current package in Ubuntu 12.04 is built with those patches, as far as I'm aware. See the changelog entry for openssl 1.0.1-2ubuntu3.

If you can point to specific upstream patches that fix this that aren't in 1.0.1-4ubuntu1, I'd love to hear about it.

Colin Watson (cjwatson) wrote :

Could anyone affected by this bug please try openssl 1.0.1-4ubuntu2 in precise-proposed and let me know whether it fixes this?

rmcd (rmcd1024) wrote :

I am still unable to connect with openssl 1.0.1-4ubuntu2. It looks like the same problem as before. Here is a bit of syslog:

Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate
Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: OpenSSL: openssl_handshake - SSL_connect error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Apr 19 08:42:51 fin8344m2 kernel: [ 77.468839] wlan0: deauthenticated from 00:11:92:3e:79:80 (Reason: 23)
Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: CTRL-EVENT-DISCONNECTED bssid=00:11:92:3e:79:80 reason=23

I rebooted after installing the new packages. To confirm that I have the correct ssl packages installed, here is an excerpt from dpkg -l:

ii libgnutls-openssl27 2.12.14-5ubuntu3 GNU TLS library - OpenSSL wrapper
ii libio-socket-ssl-perl 1.53-1 Perl module implementing object oriented interface to SSL sockets
ii libnet-ssleay-perl 1.42-1build1 Perl module for Secure Sockets Layer (SSL)
ii libssl1.0.0 1.0.1-4ubuntu2 SSL shared libraries
ii libssl1.0.0:i386 1.0.1-4ubuntu2 SSL shared libraries
ii libwavpack1 4.60.1-2 audio codec (lossy and lossless) - library
ii openssl 1.0.1-4ubuntu2 Secure Socket Layer (SSL) binary and related cryptographic tools
ii python-openssl 0.12-1ubuntu2 Python wrapper around the OpenSSL library
ii ssl-cert 1.0.28 simple debconf wrapper for OpenSSL

Colin Watson (cjwatson) wrote :

Disappointing. Thanks. Somebody should probably report this upstream for further analysis.

rmcd (rmcd1024) wrote :

Out of my depth here but I did run wireshark and this is what I get at the point of failure.

53 24.094947 IntelCor_e1:28:94 Cisco_49:62:f0 SSL 253 Client Hello
54 24.116714 Cisco_49:62:f0 IntelCor_e1:28:94 TLSv1 60 Alert (Level: Fatal, Description: Bad Certificate)
55 24.117037 IntelCor_e1:28:94 Cisco_49:62:f0 EAP 24 Response, PEAP [Palekar]
56 24.123991 Cisco_49:62:f0 IntelCor_e1:28:94 EAP 60 Failure

Diane Trout (diane-trout) wrote :

I tried today with wpasupplicant 0.7.3-6ubuntu2 and libssl1.0.0 1.0.1-4ubuntu3 and still didn't work.

I just figured out how to export a detailed packet trace with wireshark and am attaching the ClientHello and response messages from the non-working libssl1.0.0_1.01-4ubuntu3, and the working libssl1.0.0-1.0.0e-2ubuntu4 and my wpa supplicant that's using libgnutls26-2.12.14-5ubuntu3.

In preparing the dump I did renumber my mac address to end in 11:22:33 and the mac address of the access point to aa:bb:cc

The working versions seem to report their Client Hello version as ssl 3.0 and the non-working one as TLS 1.0. The SSL versions list 18 ciphers and the TLS version has 51 protocol suites.
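
An added example, not part of the original bug report and not code from wpa_supplicant or OpenSSL: a small ClientHello parser that extracts the fields compared by hand in this thread (protocol version, cipher-suite count, extensions such as the session ticket, record size) and diffs two hellos. The two sample records are constructed from the counts quoted above; the extension list of the second sample, the function names `parse_client_hello`, `compare` and `build_client_hello`, and the premise that the ClientHello sits in one unfragmented TLS record are assumptions of this example.

```python
import struct

# Names for the values this bug thread talks about (protocol versions, extension types).
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
EXTENSIONS = {0: "server_name", 10: "elliptic_curves", 11: "ec_point_formats",
              13: "signature_algorithms", 15: "heartbeat", 35: "session_ticket",
              0xFF01: "renegotiation_info"}


class Reader:
    """Bounds-checked cursor, so a truncated capture fails loudly instead of misparsing."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, size):
        return int.from_bytes(self.take(size), "big")

    def vector(self, len_size):
        """Read a length-prefixed field (a TLS variable-length vector)."""
        return self.take(self.uint(len_size))

    def remaining(self):
        return len(self.data) - self.pos


def parse_client_hello(record):
    """Summarise one TLS record that holds a complete ClientHello."""
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = rec.uint(2)
    handshake = Reader(rec.vector(2))
    if handshake.uint(1) != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hello = Reader(handshake.vector(3))
    hello_version = hello.uint(2)
    hello.take(32)         # client random
    hello.vector(1)        # session id
    suites = hello.vector(2)
    if len(suites) % 2:
        raise ValueError("odd cipher suite list length")
    hello.vector(1)        # compression methods
    ext_names = []
    if hello.remaining():  # the extensions block is optional
        exts = Reader(hello.vector(2))
        while exts.remaining():
            ext_type = exts.uint(2)
            exts.vector(2)  # skip the extension body
            ext_names.append(EXTENSIONS.get(ext_type, "type_%d" % ext_type))
    return {
        "record_bytes": rec.pos,  # 5-byte record header plus payload
        "record_version": VERSIONS.get(record_version, hex(record_version)),
        "hello_version": VERSIONS.get(hello_version, hex(hello_version)),
        "cipher_suites": len(suites) // 2,  # each suite is 2 bytes
        "extensions": ext_names,
    }


def compare(a, b):
    """Return {field: (a_value, b_value)} for every field that differs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def build_client_hello(version, n_suites, extensions=()):
    """Construct a sample ClientHello record (test data, not a capture)."""
    suites = b"".join(struct.pack("!H", 0x0001 + i) for i in range(n_suites))
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


# Constructed samples using the counts reported in the thread: 18 suites in an
# SSL 3.0 hello versus 51 suites in a TLS 1.0 hello. The extension list of the
# second sample is an assumption; the thread does not list the real one.
WORKING = build_client_hello(0x0300, 18)
FAILING = build_client_hello(0x0301, 51, [(35, b""), (15, b"\x01")])

if __name__ == "__main__":
    ok, bad = parse_client_hello(WORKING), parse_client_hello(FAILING)
    for field, (before, after) in compare(ok, bad).items():
        print("%-15s %s -> %s" % (field, before, after))
```

To use it on a real capture, export the TLS record bytes of the ClientHello from Wireshark and pass them to `parse_client_hello` in place of the constructed samples.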

rmcd (rmcd1024) wrote :

I don't know if libssl 1.0.1-4ubuntu5 (in precise-proposed) was possibly supposed to contain a fix, but the error persists with that version.

Ryan Whalen (qf-ryan-nr) wrote :

I've tried using Diane Trout's wpa_supplicant build mentioned above, but that did not fix the problem for me. I've been unable to access University wifi since upgrading from 11.10 to 12.04.

Scott Salley (ssalley) wrote :

Diane Trout's wpa_supplicant fixed things for me with these wireless settings:

WPA & WPA2 Enterprise
Protected EAP (PEAP)
CA certificate
PEAP version: Automatic
MSCHAPv2
username/password

Diane Trout (diane-trout) wrote :

Did you kill the wpa_supplicant process after installation? (Or reboot?)

If that doesn't work the other choice that worked for me is to install openssl 1.0.0e from 11.10 (and reinstall the default wpa_supplicant). My problem with that solution is the older version of openssl caused library problems with 12.04's curl. But you may not use curl so it might not be an issue in your case.

rmcd (rmcd1024) wrote :

Diane's wpasupplicant worked for me. Great job Diane, thanks!

Benjamin Bex (dendanny) wrote :

I also have a problem connecting to wired networks using peap (at work). Reverting openssl and libssl to 1.0.0e-2ubuntu4 resolved the problem. I suppose this is related to this bug.

OkonX (archanl) wrote :

I also have this problem--I can't connect to the wireless here at my college. The wifi here uses the same settings as what Scott Salley (ssalley) mentioned above. I first started with Fedora 16--and had this problem. So, I reformatted and installed Ubuntu 11.10; everything worked great. Then I upgraded to Ubuntu 12.04 and now I have the same problem as I had before and what everyone else has.

I am a linux n00b. Could someone please explain to me exactly how to fix this? How do I rollback what changed from 11.10 to 12.04 so I can use my college's wifi again?

Benjamin Bex (dendanny) wrote :

I will explain how I did it: revert to openssl and libssl1.0.0 version 1.0.0e-2ubuntu4

Open Terminal: type shell commands without the surrounding ""
"apt-cache showpkg openssl" will show which versions of openssl you have available on your system
If openssl is somewhere in the 'Provides:' list just do
"apt-get install openssl=1.0.0e-2ubuntu4" and "apt-get install libssl1.0.0=1.0.0e-2ubuntu4"

If you do not have the old versions in the apt-cache you can fetch them from
http://mirror01.th.ifl.net/ubuntu/pool/main/o/openssl/ (or another mirror, just an example)
You'll need to get openssl_1.0.0e-2ubuntu4_i386.deb or the amd64 variant if your machine is 64 bit (you can check that with "uname -p" if it is 'x86_64' you need the amd64 variant)
And you'll also need libssl1.0.0_1.0.0e-2ubuntu4_i386.deb or the amd64 variant, same rule here.

Get these two files to the affected computer with a flash drive, I got them by booting the install disk and downloading them there, then copy them to my harddisk. So you don't need two PCs but it is easier.

Go to the directory that contains the two deb files you need.
"cd /media" to go to the place where all these things are mounted
"ls" to see a list of flash drives... that are mounted
"cd nameofdrive" to go into that drive
You may need to cd your way through all the subfolders until "ls" gives you the name of the two deb files

Then you install these deb files with
"dpkg -iR ." this means install all debian packages from the folder '.'(and folder '.' is always the current folder you "cd"ed to)

Done, check "apt-cache showpkg openssl" to see the version is added

Now it is easiest to reboot, you could also kill all affected processes and restart them, but it may take you longer than a simple reboot.

This is what I did if I recall correctly.
Another option is given by diane-trout above.

OkonX (archanl) wrote :

I get the error below after doing $ sudo dpkg -iR .

(Reading database ... 291933 files and directories currently installed.)
Preparing to replace openssl 1.0.0e-2ubuntu4 (using .../openssl_1.0.0e-2ubuntu4_amd64.deb) ...
Unpacking replacement openssl ...
Preparing to replace libssl1.0.0 1.0.0e-2ubuntu4 (using .../libssl1.0.0_1.0.0e-2ubuntu4_amd64.deb) ...
Unpacking replacement libssl1.0.0 ...
dpkg: error processing libssl1.0.0 (--install):
 libssl1.0.0:amd64 1.0.0e-2ubuntu4 cannot be configured because libssl1.0.0:i386 is in a different version (1.0.1-4ubuntu5)
dpkg: dependency problems prevent configuration of openssl:
 openssl depends on libssl1.0.0 (>= 1.0.0); however:
  Package libssl1.0.0 is not configured yet.
dpkg: error processing openssl (--install):
 dependency problems - leaving unconfigured
Processing triggers for man-db ...
Errors were encountered while processing:
 libssl1.0.0
 openssl

OkonX (archanl) wrote :

Oh I see...this breaks nodejs which requires a higher version of libssl.

OkonX (archanl) wrote :

Ah, sorry for comment spam--I wish I could edit or append previous comments.

Anyhow, dendanny's instructions worked and I can connect to the wifi. But the problem still remains with other packages that require higher versions (this leads to the package manager fussing about it in update manager and elsewhere).

Changed in wpasupplicant:
importance: Unknown → Medium
status: Unknown → Confirmed
Changed in openssl:
importance: Undecided → Unknown
status: New → Unknown
Changed in openssl:
status: Unknown → New
Changed in wpasupplicant:
status: Confirmed → In Progress
Changed in wpasupplicant (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in wpasupplicant (Ubuntu Precise):
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Steve Magoun (smagoun)
Changed in oem-priority:
importance: Undecided → High
Changed in oem-priority:
assignee: nobody → James M. Leddy (jm-leddy)
status: New → In Progress
tags: added: rls-q-incomming
tags: added: rls-q-incoming
removed: rls-q-incomming
tags: added: patch
Changed in wpasupplicant (Ubuntu):
importance: Undecided → High
status: Incomplete → Triaged
Changed in wpasupplicant (Ubuntu Precise):
importance: Undecided → High
status: Incomplete → Triaged
Changed in openssl (Debian):
status: New → Confirmed
Changed in wpasupplicant (Ubuntu):
status: Triaged → In Progress
Changed in wpa (Ubuntu Precise):
status: New → Invalid
Changed in wpasupplicant (Ubuntu):
status: In Progress → Invalid
Changed in wpa (Ubuntu):
importance: Undecided → Medium
status: New → Fix Released
description: updated
tags: removed: rls-q-incoming
Changed in openssl (Ubuntu):
assignee: Colin Watson (cjwatson) → nobody
status: Triaged → Incomplete
milestone: precise-updates → none
Changed in openssl (Ubuntu Precise):
assignee: Colin Watson (cjwatson) → nobody
milestone: precise-updates → none
status: Triaged → Incomplete
tags: added: verification-needed
tags: added: verification-done
removed: verification-needed
Changed in openssl (Ubuntu):
status: Incomplete → Fix Committed
status: Fix Committed → Incomplete
Changed in wpasupplicant (Ubuntu Precise):
status: Triaged → Fix Committed
Changed in wpasupplicant (Ubuntu Precise):
status: Fix Committed → Triaged
Changed in openssl (Ubuntu Precise):
status: Incomplete → Fix Committed
Changed in wpasupplicant (Ubuntu Precise):
status: Triaged → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
rmcd (rmcd1024)
tags: added: verification-failed
removed: verification-needed
tags: added: verification-needed
removed: verification-failed
Neo (neojia) wrote :

I tried the updated wpa program and I still can't access my work wireless network.

I am using Dell XPS 13 and my company is using Aruba AP.

I saw this in the dmesg:

2985 [130380.278223] wlan0: Wrong control channel in association response: configured center-freq: 5200 hti-cfreq: 5805 hti->control_chan: 161 band: 1. Disabling HT.
2986 [130381.803188] cfg80211: All devices are disconnected, going to restore regulatory settings
2987 [130381.803203] cfg80211: Restoring regulatory settings
2988 [130381.803213] cfg80211: Calling CRDA to update world regulatory domain
2989 [130381.812512] cfg80211: Ignoring regulatory request Set by core since the driver uses its own custom regulatory domain
2990 [130381.812525] cfg80211: World regulatory domain updated:
2991 [130381.812530] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
2992 [130381.812540] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
2993 [130381.812549] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
2994 [130381.812556] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
2995 [130381.812564] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
2996 [130381.812571] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
2997 [130392.758524] wlan0: authenticate with d8:c7:c8:a4:ab:58 (try 1)
2998 [130392.759447] wlan0: authenticated
2999 [130392.759814] wlan0: associate with d8:c7:c8:a4:ab:58 (try 1)
3000 [130392.763081] wlan0: RX ReassocResp from d8:c7:c8:a4:ab:58 (capab=0x411 status=0 aid=12)
3001 [130392.763087] wlan0: associated
3002 [130392.763926] wlan0: Wrong control channel in association response: configured center-freq: 5200 hti-cfreq: 5805 hti->control_chan: 161 band: 1. Disabling HT.
3003 [130393.811006] cfg80211: All devices are disconnected, going to restore regulatory settings
3004 [130393.811022] cfg80211: Restoring regulatory settings
3005 [130393.811031] cfg80211: Calling CRDA to update world regulatory domain
3006 [130393.818827] cfg80211: Ignoring regulatory request Set by core since the driver uses its own custom regulatory domain
3007 [130393.818840] cfg80211: World regulatory domain updated:

rmcd (rmcd1024) wrote :

Mathieu,

First, sorry if I was premature in changing the tag, I thought I was acting as instructed.

I definitely do have permission to access the resource, and my android phone has no problem connecting. My computer did connect when I first rebooted, so I presume that serves as a test about settings. I didn't change the settings afterwards and it never connected again. I am in touch with our networking people. They are aware of the issue, but there are not many linux users and I am not knowledgeable about networking so I need assistance in asking them for help. Anything you can suggest?

What I plan to do when I have time is to install the proposed software on my bootable USB version of 12.04 and try that. I am open to other suggestions.

Neo (neojia) wrote :

Hi,

I saw a lot of people still having connection issues after applying these updates. I don't know if this is caused by a combination of using Dell XPS 13 + Aruba AP.

I have filed a bug 1019081 to track this issue, so please speak up there if you are seeing the same problem. I assume this is causing the failed connection:

"wlan0: Wrong control channel in association response: configured center-freq: 5200 hti-cfreq: 5805 hti->control_chan: 161 band: 1. Disabling HT."

Updating to mainline kernel "http://kernel.ubuntu.com/~kernel-ppa/mainline/daily/current/linux-headers-3.6.0-999-generic_3.6.0-999.201210080405_amd64.deb", I am able to connect to my AP through WPA2 Enterprise.

Thanks,
Neo

Mathieu Trudel-Lapierre (cyphermox) wrote :

rmcd: the tag change was fine, but this bug is special in that it affects others (people using Aruba) and seems to fix the issue properly.

I suggest asking them to check authentication logs to see what the AP or authentication server wrote when you tried to connect and did your first successful connection, then what it wrote for the following unsuccessful connections. It's going to be a huge hint towards what is broken there.

Neo; indeed, the "Wrong control channel" error message is a kernel issue.

Lars Vierbergen (vierbergenlars-m-deactivatedaccount-deactivatedaccount-deactivatedaccount) wrote :

The bug is not fixed on my network (KULeuven/Eduroam)
Dmesg log: (grepped for wlan0)

[ 37.885705] ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 103.898976] ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 182.706388] wlan0: authenticate with 00:26:99:99:93:cd (try 1)
[ 182.709876] wlan0: authenticated
[ 182.710586] wlan0: associate with 00:26:99:99:93:cd (try 1)
[ 182.718540] wlan0: RX AssocResp from 00:26:99:99:93:cd (capab=0x11 status=0 aid=8)
[ 182.718549] wlan0: associated
[ 182.724260] ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 236.004976] wlan0: deauthenticating from 00:26:99:99:93:cd by local choice (reason=3)
[ 5155.412467] ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 5162.798052] wlan0: authenticate with 00:3a:98:c1:28:c2 (try 1)
[ 5162.800314] wlan0: authenticated
[ 5163.016468] wlan0: associate with 00:3a:98:c1:28:c2 (try 1)
[ 5163.021561] wlan0: RX AssocResp from 00:3a:98:c1:28:c2 (capab=0x411 status=0 aid=71)
[ 5163.021567] wlan0: associated
[ 5163.025957] ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 5177.196392] wlan0: disassociating from 00:3a:98:c1:28:c2 by local choice (reason=3)
[ 5177.214274] wlan0: deauthenticating from 00:3a:98:c1:28:c2 by local choice (reason=3)
[ 5180.487626] wlan0: authenticate with 00:3a:98:c1:28:c2 (try 1)
[ 5180.492060] wlan0: authenticated
[ 5180.492382] wlan0: associate with 00:3a:98:c1:28:c2 (try 1)
[ 5180.497998] wlan0: RX ReassocResp from 00:3a:98:c1:28:c2 (capab=0x11 status=0 aid=71)
[ 5180.498004] wlan0: associated
[ 5182.724740] wlan0: disassociating from 00:3a:98:c1:28:c2 by local choice (reason=3)
[ 5182.749047] wlan0: deauthenticating from 00:3a:98:c1:28:c2 by local choice (reason=3)
[ 5186.024820] wlan0: authenticate with 00:26:99:99:93:c2 (try 1)
[ 5186.027693] wlan0: authenticated
[ 5186.048651] wlan0: associate with 00:26:99:99:93:c2 (try 1)
[ 5186.052456] wlan0: RX ReassocResp from 00:26:99:99:93:c2 (capab=0x411 status=0 aid=154)
[ 5186.052462] wlan0: associated
[ 5188.215355] wlan0: disassociating from 00:26:99:99:93:c2 by local choice (reason=3)
[ 5188.252204] wlan0: deauthenticating from 00:26:99:99:93:c2 by local choice (reason=3)
[ 5191.520497] wlan0: authenticate with 00:26:99:99:93:c2 (try 1)
[ 5191.525983] wlan0: authenticated
[ 5191.526382] wlan0: associate with 00:26:99:99:93:c2 (try 1)
[ 5191.533362] wlan0: RX ReassocResp from 00:26:99:99:93:c2 (capab=0x411 status=0 aid=154)
[ 5191.533368] wlan0: associated
[ 5193.732081] wlan0: disassociating from 00:26:99:99:93:c2 by local choice (reason=3)
[ 5193.750543] wlan0: deauthenticating from 00:26:99:99:93:c2 by local choice (reason=3)
[ 5197.021400] wlan0: direct probe to 00:3a:98:d5:ac:62 (try 1/3)
[ 5197.220048] wlan0: direct probe to 00:3a:98:d5:ac:62 (try 2/3)
[ 5197.420047] wlan0: direct probe to 00:3a:98:d5:ac:62 (try 3/3)
[ 5197.620040] wlan0: direct probe to 00:3a:98:d5:ac:62 timed out
[ 5205.856240] wlan0: direct probe to 00:3a:98:c1:28:cd (try 1/3)
[ 5205.857324] wlan0: direct probe responded
[ 5205.872054] wlan0: authenticate with 00:3a:98:c1:28:cd (try 1)
[ 5205.873432] wlan0: authenticated
[ 5205.873714] wlan0: associate with 00:3a:98:c1:28:cd (try 1)
[ 5205.878299] wlan0: RX Reasso...

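Added example, not part of the original comment or of any project's code: a small parser for the `wlan0` lines in the dmesg format quoted above. It measures how long each association lasts before the station drops it and counts direct-probe timeouts per BSSID. The 10-second threshold, the verdict labels and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the dmesg format quoted above; BSSIDs are placeholders.
SAMPLE = """\
[   99.990000] wlan0: authenticate with 02:00:00:00:00:01 (try 1)
[  100.000000] wlan0: associated
[  102.500000] wlan0: deauthenticating from 02:00:00:00:00:01 by local choice (reason=3)
[  104.990000] wlan0: authenticate with 02:00:00:00:00:01 (try 1)
[  105.000000] wlan0: associated
[  107.250000] wlan0: disassociating from 02:00:00:00:00:01 by local choice (reason=3)
[  107.270000] wlan0: deauthenticating from 02:00:00:00:00:01 by local choice (reason=3)
[  111.200000] wlan0: direct probe to 02:00:00:00:00:02 timed out
[  199.990000] wlan0: authenticate with 02:00:00:00:00:03 (try 1)
[  200.000000] wlan0: associated
[  500.000000] wlan0: deauthenticating from 02:00:00:00:00:03 by local choice (reason=3)
"""

LINE = re.compile(r"\[\s*(\d+\.\d+)\]\s+(\w+): (.*)$")  # also matches syslog-prefixed lines
MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
TARGET = re.compile(r"(?:authenticate|associate) with " + MAC)
DROP = re.compile(r"(?:disassociating|deauthenticating) from " + MAC +
                  r" by local choice \(reason=(\d+)\)")
PROBE_FAIL = re.compile(r"direct probe to " + MAC + r" timed out")

def analyse(text, iface="wlan0", short=10.0):
    """Per-BSSID association lifetimes and probe timeouts from dmesg text."""
    stats = defaultdict(lambda: {"sessions": [], "probe_timeouts": 0})
    target = started = None
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m or m.group(2) != iface:
            continue
        ts, msg = float(m.group(1)), m.group(3).strip()
        if (t := TARGET.match(msg)):
            target, started = t.group(1), None
        elif msg == "associated" and target:
            started = ts
        elif (d := DROP.match(msg)) and started is not None and d.group(1) == target:
            stats[target]["sessions"].append((ts - started, int(d.group(2))))
            started = None  # the deauth that follows a disassoc is not counted twice
        elif (p := PROBE_FAIL.match(msg)):
            stats[p.group(1)]["probe_timeouts"] += 1
    report = {}
    for bssid, s in stats.items():
        flaps = [d for d, _ in s["sessions"] if d < short]
        verdict = ("flapping" if len(flaps) >= 2          # associates, drops within seconds
                   else "unreachable" if s["probe_timeouts"] and not s["sessions"]
                   else "ok")
        report[bssid] = dict(s, verdict=verdict)
    return report

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A BSSID that only shows probe timeouts never reached association, so the 802.1X exchange was never attempted against it; repeated short associations ended by the station are the pattern seen in the log above.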

Lars Vierbergen (vierbergenlars-m-deactivatedaccount-deactivatedaccount-deactivatedaccount) wrote :

At another location Eduroam works just fine. (BTW: I rebooted my laptop)

Gary Lyons (gllyons) wrote :

I'm also at Northwestern like rmcd but the package in precise-proposed works fine for me. The problem was first resolved for me in the package in PPA https://launchpad.net/~mathieu-tl/+archive/sru-staging ?

But I switched to the one in proposed to see if there was an issue and I can't find one. Maybe rmcd's problem is something different?

Jeremy Nickurak (nickurak) wrote : Re: [Bug 969343] Re: Unable to connect to WPA enterprise wireless

When switching versions, are you guys making sure to reboot, or at
least kill the wpa_supplicant process?

If you're not, you're still testing the version from before you
upgraded, not the new one.

Gary Lyons (gllyons) wrote :

I rebooted after installing the package from proposed and after that I tried disconnecting and reconnecting a few times to test things and it all worked.

rmcd (rmcd1024) wrote :

@nickurak: Yes, I reboot when I switch versions.

Alan Barr (alanb) wrote :

I can confirm the proposed fix works for me accessing Wifi with Enterprise security and TTL/PAP authentication.

Jarvis Schultz (jarvisschultz) wrote :

@gllyons the proposed fix also worked for me at Northwestern.

Nailer1887 (barry-titterton) wrote :

The precise-proposed fix worked for me today at Durham University, UK. The uni uses WPA2 Enterprise with AES. Thanks to everyone who worked on the fix.

quantumkit (quantumkit) wrote :

Here in UCSD. No success. Can anyone tell me what versions of stuff you are using? I am using:
wpasupplicant : 0.7.3-6ubuntu2.1
libssl1.0.0 : 1.0.1-4ubuntu5.5
openssl : 1.0.1-4ubuntu5.5

my kernel is 3.2.0-31-generic
Thanks!

James M. Leddy (jm-leddy) wrote :

marking verification-done based on comment #125

tags: added: verification-done verification-done-precise
removed: verification-needed
Changed in oem-priority:
status: In Progress → Fix Committed
Scott Kitterman (kitterman) wrote :

For people still having problems (that had problems prior to this version), please file a new bug referencing this one. Regressions from the released version with this update should be reported here.

Scott Kitterman (kitterman) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wpasupplicant - 0.7.3-6ubuntu2.1

---------------
wpasupplicant (0.7.3-6ubuntu2.1) precise-proposed; urgency=low

  * debian/patches/session-ticket.patch: disable the TLS Session Ticket
    extension to fix auth with 802.1x PEAP on some hardware. (LP: #969343)
 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 17 Sep 2012 17:08:22 -0400

Changed in wpasupplicant (Ubuntu Precise):
status: Fix Committed → Fix Released
ttosttos (ttosttos) wrote :

Fix only alleviated the situation for me. Went from no connectivity to frequent disconnects. Upgrading to kernel 3.5.0-030500-generic finally ended months of misery :-)

Nailer1887 (barry-titterton) wrote :

My enthusiasm for reporting the problem fixed (#125) was premature: the connection only worked twice, it is now only able to connect approximately once in every five attempts. The problem only persists with the network using WPA Enterprise with AES encryption, a separate network that uses WPA Enterprise with TKIP encryption works perfectly (so far). I shall look at raising another bug specifically on the AES encryption issue.

rmcd (rmcd1024) wrote :

I have an ignorant question: There is no AES choice in the configuration dialog for WPA2, so which of the encryption methods are AES? (Is PEAP the same as AES?)

Another question: My android (ICS) phone connects successfully to our wpa2 network using peap, but it automatically configured "none" for phase 2 authentication. None is not an option for 12.04 and I am selecting MSChap2. Should there be a "none" option?

Changed in oem-priority:
status: Fix Committed → Fix Released
Felix Haller (felixhaller) wrote :

I wonder this isn't fixed yet. There are many users waiting for a fix, especially students and profs, because many of them are using the "eduroam" network (mentioned some times before).

When using eduroam wifi after a while my notebook stops working like expected: I'm unable to suspend (kernel panic) and the network connection is getting slower and slower till it stops working. The whole system crashes, so it's very dangerous to connect to such a network.

I attached a config screenshot....maybe it helps...

Benjamin Kay (benkay) wrote :

Felix, this bug *has* been fixed in Ubuntu 12.04 (Precise Pangolin) and later. From your comment, it sounds like you are describing an unrelated wifi bug. This bug prevented users from connecting to certain WPA2 Enterprise networks. The bug in your comment allows you to connect to a WPA2 Enterprise network but, some time later, causes a kernel panic. This is almost certainly a kernel/driver issue and *not* a bug in wpasupplicant or openssl. If your bug hasn't already been reported, I suggest opening a new bug and providing the brand/model of your wifi card, a kernel stack trace, and the output of dmesg, if possible.

todaioan (alan-ar06)
Changed in openssl (Ubuntu):
status: Incomplete → Fix Released
rmcd (rmcd1024) wrote :

@felixhaller: I share your frustration. I have what seems to be yet a different version of the bug, where in 12.04 I remain unable to connect to WPA2 Enterprise networks.

The fix for me was upgrading to 12.10. Now I can connect reliably and maintain the connection. I realize this may not be feasible for you. However, you may want to try a live CD and see if you can connect with 12.10. If 12.10 works for you and 12.04 does not, that should narrow down the possible causes of the problem.

Felix Haller (felixhaller) wrote :

I already use 12.10. I can connect to all wifi networks, there are only problems when connecting to eduroam network (wpa2 enterprise). My notebook is working just fine with the other networks (eg. my private one --> WPA2 personal).

I think I will open a new bug...thanks for all the information.

Adolfo Jayme Barrientos (fitojb) wrote :

The user todaioan seems to be vandalizing a lot of bugs. I'm reverting his change.

Changed in openssl (Ubuntu):
status: Fix Released → Incomplete
In , Fedora (fedora-redhat-bugs) wrote :

This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Sebastian Geiger (lanoxx) wrote :

I am experiencing this issue on ubuntu 12.10. I am connecting to an eduroam wireless network with WPA2 enterprise encryption and the connection fails after a few minutes. Sometimes it does not connect at all. Most of the time one of the following workarounds works but the effect is only temporary until the connection is lost again:

 * Toggle the RF Killswitch
 * Suspend and wake up again
 * killall nm-applet && nm-applet

If I can contribute anything that would help to fix this issue, please let me know.

Jonathan Steinhart (jsteinhart) wrote :

For what it's worth, I'm having this in an up-to-date 12.04 too. Wireless works flawlessly, except when connecting to an eduroam network, in which case it times out with this repeated in the syslog:

Apr 17 12:10:49 X kernel: [ 1987.661492] rtl8192c_common: Loading firmware file rtlwifi/rtl8192cfw.bin
Apr 17 12:10:50 X wpa_supplicant[1652]: Trying to authenticate with [AP:MAC:ADDR] (SSID='eduroam' freq=2412 MHz)
Apr 17 12:10:50 X kernel: [ 1988.874687] wlan0: direct probe to [AP:MAC:ADDR] (try 1/3)
Apr 17 12:10:50 X kernel: [ 1989.074082] wlan0: direct probe to [AP:MAC:ADDR] (try 2/3)
Apr 17 12:10:51 X kernel: [ 1989.274142] wlan0: direct probe to [AP:MAC:ADDR] (try 3/3)
Apr 17 12:10:51 X kernel: [ 1989.474110] wlan0: direct probe to [AP:MAC:ADDR] timed out
Apr 17 12:10:51 X kernel: [ 1989.577031] rtl8192c_common: Loading firmware file rtlwifi/rtl8192cfw.bin

I'm not sure how to interpret the history/status of this bug - is it still alive? Please let me know if this belongs somewhere else, or if there's any more info I can provide.

datube (datube) wrote :

We just implemented a lot of Aruba (ap-105) access points and I (we) also experience this problem (as described @Impact). While searching the www I couldn't really pinpoint what I could do as a work-around. I myself use 12.04, but the problem also exists on 13.04. I have a Thinkpad T410s. With the stock kernel (and up-to-date system) I wasn't able to connect to our wireless network, so I decided to do an install of a mainline kernel (v3.4-precise). After rebooting I was able to connect without any troubles.

Do not know if it's (still) relevant but if it is I want to provide you with any information possible to help with a solution

Pepe Lebuntu (majagray75) wrote :

I'm still having this problem. I've had it now on several different computers, including now my Lenovo X121e.

For a while, I could login to WPA2-Enterprise wifi, but now I can't: not eduroam, or any other.

Pepe Lebuntu (majagray75) wrote :

I should add, I'm using Xubuntu 12.10

Martin Bruns (martin-konahina) wrote :

While using ubuntu 12.10 (wpasupplicant 1.0-2ubuntu5 and openssl 1.0.1c-3ubuntu2) I can login to my company's wireless lan.

But which packages for 13.04 will have that fix which came with 1.0-2ubuntu5?

Martin Bruns (martin-konahina) wrote :

Finally found that deleting the WLANs file in /etc/NetworkManager/system-connections/ solved the problem. Also http://askubuntu.com/questions/285234/cannot-connect-to-wpa2-wpa-enterprise-peap-and-mschap?answertab=votes#tab-top gave the right hint.

Mathew Hodson (mhodson)
Changed in openssl (Ubuntu):
status: Incomplete → Invalid
Changed in openssl (Ubuntu Precise):
status: Fix Committed → Invalid
Mathew Hodson (mhodson)
tags: removed: verification-done-precise
Mathew Hodson (mhodson)
affects: openssl (Debian) → wpa (Debian)
Changed in wpa (Debian):
status: Confirmed → Fix Released
In , Fedora (fedora-redhat-bugs) wrote :

This message is a notice that Fedora 19 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 19. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 19 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

In , Fabrice (fabrice-redhat-bugs) wrote :

I cannot reproduce the bug with current versions. So closing this bz.

Changed in wpasupplicant (Fedora):
importance: Unknown → Undecided
status: Unknown → Invalid
Changed in openssl:
status: New → Invalid