Gentoo Forums
[NM] Problems with Eduroam style wireless network
Cyberwizzard
Apprentice

Joined: 02 Apr 2004
Posts: 244
Location: Norway
Posted: Fri Oct 01, 2010 8:00 am    Post subject: [NM] Problems with Eduroam style wireless network

At my current location they are using a wifi network called eduroam. This means a WPA2 Enterprise network with TTLS using a system certificate with outer authentication and PAP inner authentication.

This works fine when I edit my wpa_supplicant.conf file and start everything by hand. But I'd rather use the new KDE4 NM applet.

But every time it connects to the network using the applet, after 2 or 3 seconds it disconnects. The log below shows what I mean; the only difference I can spot is the 'fragment_size' parameter (which shouldn't be there as it's supposed to be automatic) and the key_mgmt, which is called "WPA-EAP IEEE8021X" in my wpa_supplicant.conf.

Edit: modifying the key_mgmt value to match the NM one did not break anything.
Edit 2: the ca_path keys seem to be breaking things...

Code:
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0) Stage 1 of 5 (Device Prepare) scheduled...
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0) Stage 1 of 5 (Device Prepare) started...
Oct  1 09:44:12 cyberxps NetworkManager: <info>  (wlan0): device state change: 6 -> 4 (reason 0)
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0) Stage 2 of 5 (Device Configure) scheduled...
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0) Stage 1 of 5 (Device Prepare) complete.
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0) Stage 2 of 5 (Device Configure) starting...
Oct  1 09:44:12 cyberxps NetworkManager: <info>  (wlan0): device state change: 4 -> 5 (reason 0)
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0/wireless): connection 'eduroam' has security, and secrets exist.  No new secrets needed.
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'ssid' value 'eduroam'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'scan_ssid' value '1'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'key_mgmt' value 'WPA-EAP'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'password' value '<omitted>'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'eap' value 'TTLS'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'fragment_size' value '1300'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'ca_path' value '/etc/ssl/certs'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'ca_path2' value '/etc/ssl/certs'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'identity' value 'sXXXXXXX@utwente.nl'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'anonymous_identity' value 'sXXXXXXX@utwente.nl'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0) Stage 2 of 5 (Device Configure) complete.
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: set interface ap_scan to 1
Oct  1 09:44:12 cyberxps NetworkManager: <info>  (wlan0): supplicant connection state:  disconnected -> scanning
Oct  1 09:44:14 cyberxps NetworkManager: <info>  (wlan0): supplicant connection state:  scanning -> associating
Oct  1 09:44:14 cyberxps kernel: wlan0: authenticate with 00:07:0e:15:a7:41 (try 1)
Oct  1 09:44:14 cyberxps kernel: wlan0: authenticated
Oct  1 09:44:14 cyberxps kernel: wlan0: associate with 00:07:0e:15:a7:41 (try 1)
Oct  1 09:44:14 cyberxps kernel: wlan0: RX AssocResp from 00:07:0e:15:a7:41 (capab=0x431 status=0 aid=26)
Oct  1 09:44:14 cyberxps kernel: wlan0: associated
Oct  1 09:44:14 cyberxps kernel: cfg80211: Calling CRDA for country: NL
Oct  1 09:44:14 cyberxps NetworkManager: <info>  (wlan0): supplicant connection state:  associating -> associated
Oct  1 09:44:14 cyberxps kernel: cfg80211: Current regulatory domain updated by AP to: NL
Oct  1 09:44:14 cyberxps kernel: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
Oct  1 09:44:14 cyberxps kernel: (2402000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm)
Oct  1 09:44:38 cyberxps NetworkManager: <info>  Activation (wlan0/wireless): association took too long.
Oct  1 09:44:38 cyberxps NetworkManager: <info>  (wlan0): device state change: 5 -> 6 (reason 0)
Oct  1 09:44:38 cyberxps NetworkManager: <info>  Activation (wlan0/wireless): asking for new secrets
Oct  1 09:44:38 cyberxps kernel: wlan0: deauthenticating from 00:07:0e:15:a7:41 by local choice (reason=3)

_________________
More ramblings of a linux junky...
Cyberwizzard
Posted: Fri Oct 01, 2010 8:16 am

After adding the 'ca_cert' and 'ca_cert2' keys I suddenly get this:
Code:
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=2 subject='/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root' err='self signed certificate in certificate chain'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed


So when they are specified, the certificate chain becomes invalid... But now the key question: which certificate fails the tests? It is probably the key at "depth 2"... which is?....

Edit: log from a working login:
Code:
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=NL/ST=OV/L=Enschede/O=University of Twente/OU=ICTS/emailAddress=radius-certificate@utwente.nl/CN=radius.utwente.nl'


I inspected the GTE_CyberTrust_Global_Root certificate on my system which is valid until 2018. The 2nd certificate I can't seem to find, just like the 3rd. I expect them to be downloaded or something but is there a location on the system where I can view them to find out if they are expired?

Edit: similar problems are easily found on Google; however, nobody seems to have the solution. For example, this bug in Ubuntu seems to be the exact issue I'm seeing.

Edit 2: the ca_cert and ca_cert2 settings seem to be meant to point to the CA used for the chain. But how is wpa_supplicant intending to verify the CA certificate itself? It seems that that is the actual failure here... Is ca_cert the correct parameter, since I was providing a certificate for the connection rather than a chain file?

On a related note: I tried every CA bundle on my system as ca_cert parameter and none of them work. I have no clue how to keep wpa_supplicant happy...
Cyberwizzard
Posted: Wed Oct 06, 2010 12:08 pm

It seems that the 'ca_cert' option enables server validation. Without it, the network is set up without security checks and the client just sends the passwords...

Since the root CA is valid and OpenSSL keeps breaking over it, I started looking at the source. It seems that wpa_supplicant has support for both OpenSSL and GnuTLS but it prefers the first. After countless debugging sessions and bug hunts on my system itself, I decided to recompile OpenSSL with all options - which did nothing.

Then I removed the 'ssl' use flag from wpa_supplicant and recompiled it. Suddenly everything came to life and looking through the logs I can see that GnuTLS accepted the root CA just fine.

Now, is this a bug in wpa_supplicant or OpenSSL? I am inclined to point a finger to the latter but I'm not sure...
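For reference, here is a wpa_supplicant.conf network block for this kind of WPA2-Enterprise / EAP-TTLS / PAP network, added as an example and not the poster's own configuration: the first block is what the thread's "no ca_cert" state amounts to (no server validation at all, which is why it connects but is unsafe), the second turns validation on against one explicit root and pins the expected server name. The realm, server CN and CA file name are placeholders.

```conf
# Added example (not from the original thread): two wpa_supplicant network
# blocks for an eduroam-style WPA2-Enterprise / EAP-TTLS / PAP network.
# Realm, server name and CA file path are placeholders, not values from the post.

# WEAK: no ca_cert / ca_path. wpa_supplicant then skips server certificate
# validation entirely, so the inner PAP password is handed to any access
# point that advertises this SSID and presents any TLS certificate.
network={
    ssid="eduroam"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="user@example.edu"
    identity="user@example.edu"
    password="changeme"
}

# HARDENED: validate the RADIUS server's chain against one explicit root
# and pin the expected server name, so a rogue AP with a certificate from a
# different CA (or a different name under the same CA) fails in the TLS
# handshake before any credential is sent.
network={
    ssid="eduroam"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    # One PEM file holding only the root CA the institution publishes.
    # Prefer this over ca_path: ca_path only works when the directory holds
    # OpenSSL-style hashed symlinks (c_rehash), a common cause of
    # "unknown CA" even though the root itself is valid.
    ca_cert="/etc/ssl/certs/example-edu-radius-root.pem"
    # Substring match on the server certificate subject DN; newer releases
    # also offer domain_suffix_match="radius.example.edu", which is stricter.
    subject_match="CN=radius.example.edu"
    # Realm-only outer identity: the real username travels only inside TTLS.
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="changeme"
}
```

With the hardened block, a chain that does not end in the configured root fails with the same "unknown CA" alert seen in the thread, which is the intended behaviour for anything that is not the institution's RADIUS server.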