Bug#848982: wpasupplicant fails to connect to WPA Enterprise network with 2.6-2

2017-09-19 Thread Daniel Reichelt
I'm suffering from the very same problem as the OP with my employer's WiFi
network.


> If I downgrade libssl1.0.2 to 1.0.2j-1 then I can connect to the
> WPA-EAP network without problem.

Good catch downgrading openssl! I can confirm the WiFi connection to
work up to libssl1.0.2-4 [1], so I guess the fix for #736687 is to blame
for this [2]:

 * Mark RC4 and 3DES as weak which removes them from the SSL/TLS
protocol (Closes: #736687).



As a *dirty* workaround, I

- re-upgraded to libssl1.0.2ll-2/stretch
- renamed /sbin/wpa_supplicant and put a wrapper script in its place,
  which sets LD_LIBRARY_PATH to a location containing libssl.so.1.0.2
  from [1] and then starts the renamed wpa_supplicant binary with the
  original command-line parameters.



HTH,

Daniel



[1]
http://snapshot.debian.org/package/openssl1.0/1.0.2j-4/#libssl1.0.2_1.0.2j-4

[2]
https://anonscm.debian.org/viewvc/pkg-openssl/openssl/branches/openssl1.0/debian/patches/Mark-3DES-and-RC4-ciphers-as-weak.patch?revision=865=markup=log





Bug#848982: wpasupplicant fails to connect to WPA Enterprise network with 2.6-2

2017-03-09 Thread 陳侃如
Package: wpasupplicant
Version: 2:2.4-1
Followup-For: Bug #848982

If I downgrade libssl1.0.2 to 1.0.2j-1 then I can connect to the
WPA-EAP network without problem.

I can't find any other 1.0.2j versions on snapshot.debian.org so I can't
test them.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.10.0 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wpasupplicant depends on:
ii  adduser   3.115
ii  libc6 2.24-9
ii  libdbus-1-3   1.10.16-1
ii  libnl-3-200   3.2.27-1+b1
ii  libnl-genl-3-200  3.2.27-1+b1
ii  libpcsclite1  1.8.20-1
ii  libreadline7  7.0-2
ii  libssl1.0.2   1.0.2j-1
ii  lsb-base  9.20161125

wpasupplicant recommends no packages.

Versions of packages wpasupplicant suggests:
pn  libengine-pkcs11-openssl  
pn  wpagui

-- no debconf information



Bug#848982: [pkg-wpa-devel] Bug#848982: wpasupplicant fails to connect to WPA Enterprise network with 2.6-2

2017-01-16 Thread Kan-Ru Chen
I'm also using network manager and have a Qualcomm Atheros QCA6174 (Dell
XPS 9360) and have recently been unable to connect to a PEAP network.

I've tried downgrading wpasupplicant, network-manager and even the Linux
kernel, but none of them fixes the problem.

From the log and the code it looks like network-manager already sends
all-uppercase auth=MSCHAPV2 to wpasupplicant.

My unsuccessful logs look like:

Jan 17 11:45:26 foo wpa_supplicant[1025]: wlp58s0: SME: Trying to
authenticate with 78:19:f7:75:6f:81 (SSID='Baz' freq=5320 MHz)
Jan 17 11:45:26 foo kernel: [ 1220.206224] wlp58s0: authenticate with
78:19:f7:75:6f:81
Jan 17 11:45:26 foo kernel: [ 1220.251155] wlp58s0: send auth to
78:19:f7:75:6f:81 (try 1/3)
Jan 17 11:45:26 foo kernel: [ 1220.251862] wlp58s0: authenticated
Jan 17 11:45:26 foo wpa_supplicant[1025]: wlp58s0: Trying to associate
with 78:19:f7:75:6f:81 (SSID='Baz' freq=5320 MHz)
Jan 17 11:45:26 foo NetworkManager[650]:   [1484624726.9616]
device (wlp58s0): supplicant interface state: scanning -> authenticating
Jan 17 11:45:26 foo kernel: [ 1220.259636] wlp58s0: associate with
78:19:f7:75:6f:81 (try 1/3)
Jan 17 11:45:26 foo kernel: [ 1220.260877] wlp58s0: RX AssocResp from
78:19:f7:75:6f:81 (capab=0x511 status=0 aid=8)
Jan 17 11:45:26 foo kernel: [ 1220.263589] wlp58s0: associated
Jan 17 11:45:26 foo wpa_supplicant[1025]: wlp58s0: Associated with
78:19:f7:75:6f:81
Jan 17 11:45:26 foo wpa_supplicant[1025]: wlp58s0:
CTRL-EVENT-EAP-STARTED EAP authentication started
Jan 17 11:45:26 foo wpa_supplicant[1025]: wlp58s0:
CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jan 17 11:45:26 foo wpa_supplicant[1025]: wlp58s0:
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jan 17 11:45:26 foo wpa_supplicant[1025]: wlp58s0: CTRL-EVENT-EAP-METHOD
EAP vendor 0 method 25 (PEAP) selected
Jan 17 11:45:26 foo wpa_supplicant[1025]: wlp58s0:
CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=TW
Jan 17 11:45:26 foo kernel: [ 1220.272467] wlp58s0: deauthenticated from
78:19:f7:75:6f:81 (Reason: 1=UNSPECIFIED)
Jan 17 11:45:26 foo kernel: [ 1220.272842] ath: EEPROM regdomain: 0x809e
Jan 17 11:45:26 foo kernel: [ 1220.272843] ath: EEPROM indicates we
should expect a country code
Jan 17 11:45:26 foo kernel: [ 1220.272844] ath: doing EEPROM
country->regdmn map search
Jan 17 11:45:26 foo kernel: [ 1220.272844] ath: country maps to regdmn
code: 0x50
Jan 17 11:45:26 foo kernel: [ 1220.272845] ath: Country alpha2 being
used: TW
Jan 17 11:45:26 foo kernel: [ 1220.272845] ath: Regpair used: 0x50
Jan 17 11:45:26 foo kernel: [ 1220.272846] ath: regdomain 0x809e
dynamically updated by country IE
Jan 17 11:45:27 foo wpa_supplicant[1025]: wlp58s0:
CTRL-EVENT-DISCONNECTED bssid=78:19:f7:75:6f:81 reason=1
Jan 17 11:45:27 foo wpa_supplicant[1025]: wlp58s0:
CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
Jan 17 11:45:27 foo NetworkManager[650]:   [1484624727.0250]
device (wlp58s0): supplicant interface state: authenticating ->
associating
Jan 17 11:45:27 foo NetworkManager[650]:   [1484624727.0265]
device (wlp58s0): supplicant interface state: associating -> associated
Jan 17 11:45:27 foo NetworkManager[650]:   [1484624727.0269]
sup-iface[0x558eaae0aa20,wlp58s0]: connection disconnected (reason 1)
Jan 17 11:45:27 foo NetworkManager[650]:   [1484624727.0269]
device (wlp58s0): supplicant interface state: associated -> disconnected
Jan 17 11:45:27 foo wpa_supplicant[1025]: wlp58s0:
CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=TW
Jan 17 11:45:27 foo NetworkManager[650]:   [1484624727.1257]
device (wlp58s0): supplicant interface state: disconnected -> scanning

Booting an Ubuntu 16.04 live CD with proper firmware, I can connect to the
network successfully. I only have this live CD handy but I can test with
Debian later.

Kanru
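
Added example, not part of any message in this thread and not wpa_supplicant code: a small triage script that reports how far each EAP attempt in a wpa_supplicant syslog got, re-joining lines that a mail client hard-wrapped as in the logs here. The stage names and hints are this example's own heuristics, and the sample log is constructed.

```python
import re

# (stage, log marker, hint if an attempt stops here), in the order a successful
# PEAP/MSCHAPV2 login emits them. Stage names and hints are assumptions.
STAGES = [
    ("eap_started", "CTRL-EVENT-EAP-STARTED", "no EAP method negotiated"),
    ("method_selected", "CTRL-EVENT-EAP-METHOD",
     "outer TLS failed before server certificate: check libssl version/ciphers"),
    ("server_cert_seen", "CTRL-EVENT-EAP-PEER-CERT", "check phase2= and credentials"),
    ("inner_auth_ok", "EAP-MSCHAPV2: Authentication succeeded", "EAP not completed"),
    ("eap_success", "CTRL-EVENT-EAP-SUCCESS", "key handshake did not finish"),
    ("connected", "CTRL-EVENT-CONNECTED", "ok"),
]
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

def unwrap(text):
    """Re-join syslog records that a mail client hard-wrapped."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return (furthest_stage, hint) for each EAP attempt found in the log."""
    ranks = []
    for rec in unwrap(text):
        hit = next((i for i, s in enumerate(STAGES) if s[1] in rec), None)
        if hit == 0:
            ranks.append(0)                      # a new attempt begins
        elif hit is not None and ranks:
            ranks[-1] = max(ranks[-1], hit)      # keep the furthest stage seen
    return [(STAGES[r][0], STAGES[r][2]) for r in ranks]

# Constructed sample: mail-wrapped lines modelled on the logs in this thread.
SAMPLE = """\
Jan 01 10:00:00 host wpa_supplicant[1]: wlan0: CTRL-EVENT-EAP-STARTED EAP
authentication started
Jan 01 10:00:00 host wpa_supplicant[1]: wlan0: CTRL-EVENT-EAP-METHOD EAP
vendor 0 method 25 (PEAP) selected
Jan 01 10:00:01 host wpa_supplicant[1]: wlan0: CTRL-EVENT-DISCONNECTED reason=1
Jan 01 10:00:05 host wpa_supplicant[1]: wlan0: CTRL-EVENT-EAP-STARTED EAP
Jan 01 10:00:05 host wpa_supplicant[1]: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0
Jan 01 10:00:05 host wpa_supplicant[1]: EAP-MSCHAPV2: Authentication
succeeded
Jan 01 10:00:05 host wpa_supplicant[1]: wlan0: CTRL-EVENT-CONNECTED - done
"""
```

An attempt that stops at `method_selected` never received the server certificate, which is the point at which a TLS version or cipher mismatch between supplicant and RADIUS server shows up.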



Bug#848982: [pkg-wpa-devel] Bug#848982: wpasupplicant fails to connect to WPA Enterprise network with 2.6-2

2017-01-12 Thread Andrew Shadura
On 12 January 2017 at 20:25, Axel Beckert wrote:
>> Dec 21 15:33:42 green wpa_supplicant[696]: EAP-MSCHAPV2: workaround, ignore 
>> invalid ms_len 46 (len 50)
>> Dec 21 15:33:42 green wpa_supplicant[696]: EAP-MSCHAPV2: Authentication 
>> succeeded
>
> In the old log, there's mention of MSCHAPV2, but in the new log,
> there's no more mention of MSCHAPV2.
>
> Could this be related to https://bugs.launchpad.net/wicd/+bug/1656061
> in wicd where someone said that
>
>   phase2="auth=MSCHAPv2"
>
> no longer works and that the correct syntax is
>
>   phase2="auth=MSCHAPV2"
>
> with a capital "V".
>
> Can you check if you have a lower-case "v" in your WPA configuration,
> too?

I wonder, if it's that problem indeed, could we have it patched to
accept the old syntax temporarily while issuing a warning?

-- 
Cheers,
  Andrew



Bug#848982: wpasupplicant fails to connect to WPA Enterprise network with 2.6-2

2017-01-12 Thread Axel Beckert
Hi,

Matan Peled wrote:
> I'm using network manager and have a Qualcomm Atheros QCA6174 adapter
> using the ath10k_pci driver.
> 
> After upgrading to 2.6-2, I am no longer able to connect to a WPA
> Enterprise secured network, while it worked fine with 2.5-2+v2.4-3.
> 
> When it works fine on 2.5-2+v2.4-3, I see in daemon.log:
[…]
> Dec 21 15:33:42 green wpa_supplicant[696]: EAP-MSCHAPV2: Invalid header: 
> len=68 ms_len=64
> Dec 21 15:33:42 green wpa_supplicant[696]: EAP-MSCHAPV2: workaround, ignore 
> invalid ms_len 64 (len 68)
> Dec 21 15:33:42 green wpa_supplicant[696]: EAP-MSCHAPV2: Invalid header: 
> len=50 ms_len=46
> Dec 21 15:33:42 green wpa_supplicant[696]: EAP-MSCHAPV2: workaround, ignore 
> invalid ms_len 46 (len 50)
> Dec 21 15:33:42 green wpa_supplicant[696]: EAP-MSCHAPV2: Authentication 
> succeeded

In the old log, there's mention of MSCHAPV2, but in the new log,
there's no more mention of MSCHAPV2.

Could this be related to https://bugs.launchpad.net/wicd/+bug/1656061
in wicd where someone said that

  phase2="auth=MSCHAPv2"

no longer works and that the correct syntax is

  phase2="auth=MSCHAPV2"

with a capital "V".

Can you check if you have a lower-case "v" in your WPA configuration,
too?

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Bug#848982: wpasupplicant fails to connect to WPA Enterprise network with 2.6-2

2016-12-21 Thread Matan Peled
Package: wpasupplicant
Version: 2.6-2
Severity: important

Dear Maintainer,

I'm using network manager and have a Qualcomm Atheros QCA6174 adapter
using the ath10k_pci driver.

After upgrading to 2.6-2, I am no longer able to connect to a WPA
Enterprise secured network, while it worked fine with 2.5-2+v2.4-3.

When it works fine on 2.5-2+v2.4-3, I see in daemon.log:

Dec 21 15:33:37 green wpa_supplicant[696]: wlp1s0: SME: Trying to authenticate 
with 3c:8a:b0:fa:ec:41 (SSID='CS_WiFi' freq=5320 MHz)
Dec 21 15:33:41 green wpa_supplicant[696]: wlp1s0: SME: Trying to authenticate 
with 3c:8a:b0:f9:61:01 (SSID='CS_WiFi' freq=5200 MHz)
Dec 21 15:33:42 green wpa_supplicant[696]: wlp1s0: Trying to associate with 
3c:8a:b0:f9:61:01 (SSID='CS_WiFi' freq=5200 MHz)
Dec 21 15:33:42 green wpa_supplicant[696]: wlp1s0: Associated with 
3c:8a:b0:f9:61:01
Dec 21 15:33:42 green wpa_supplicant[696]: wlp1s0: CTRL-EVENT-EAP-STARTED EAP 
authentication started
Dec 21 15:33:42 green wpa_supplicant[696]: wlp1s0: 
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Dec 21 15:33:42 green wpa_supplicant[696]: wlp1s0: CTRL-EVENT-EAP-METHOD EAP 
vendor 0 method 25 (PEAP) selected
Dec 21 15:33:42 green wpa_supplicant[696]: wlp1s0: CTRL-EVENT-EAP-PEER-CERT 
depth=0 subject='/CN=eap.auto.configed.certificate/unstructuredName=Certificate 
created by auto-config. Please obtain a real one.' 
hash=19642d3c7816dc34b023f17c3eb44584fda8be12c50d2c14598883f13c086945
Dec 21 15:33:42 green wpa_supplicant[696]: wlp1s0: CTRL-EVENT-EAP-PEER-CERT 
depth=0 subject='/CN=eap.auto.configed.certificate/unstructuredName=Certificate 
created by auto-config. Please obtain a real one.' 
hash=19642d3c7816dc34b023f17c3eb44584fda8be12c50d2c14598883f13c086945
Dec 21 15:33:42 green wpa_supplicant[696]: p2p-dev-wlp1s0: 
CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=IL
Dec 21 15:33:42 green wpa_supplicant[696]: EAP-MSCHAPV2: Invalid header: len=68 
ms_len=64
Dec 21 15:33:42 green wpa_supplicant[696]: EAP-MSCHAPV2: workaround, ignore 
invalid ms_len 64 (len 68)
Dec 21 15:33:42 green wpa_supplicant[696]: EAP-MSCHAPV2: Invalid header: len=50 
ms_len=46
Dec 21 15:33:42 green wpa_supplicant[696]: EAP-MSCHAPV2: workaround, ignore 
invalid ms_len 46 (len 50)
Dec 21 15:33:42 green wpa_supplicant[696]: EAP-MSCHAPV2: Authentication 
succeeded
Dec 21 15:33:42 green wpa_supplicant[696]: EAP-TLV: TLV Result - Success - 
EAP-TLV/Phase2 Completed
Dec 21 15:33:42 green wpa_supplicant[696]: wlp1s0: CTRL-EVENT-EAP-SUCCESS EAP 
authentication completed successfully
Dec 21 15:33:42 green wpa_supplicant[696]: nl80211: Unexpected encryption 
algorithm 5
Dec 21 15:33:42 green wpa_supplicant[696]: wlp1s0: WPA: Key negotiation 
completed with 3c:8a:b0:f9:61:01 [PTK=CCMP GTK=CCMP]
Dec 21 15:33:42 green wpa_supplicant[696]: wlp1s0: CTRL-EVENT-CONNECTED - 
Connection to 3c:8a:b0:f9:61:01 completed [id=0 id_str=]

When it does not work, with 2.6-2, I see many more attempts:

Dec 21 15:29:11 green wpa_supplicant[685]: wlp1s0: Trying to associate with 
3c:8a:b0:fc:72:80 (SSID='CS_WiFi' freq=2412 MHz)
Dec 21 15:29:11 green wpa_supplicant[685]: wlp1s0: Associated with 
3c:8a:b0:fc:72:80
Dec 21 15:29:11 green wpa_supplicant[685]: wlp1s0: CTRL-EVENT-EAP-STARTED EAP 
authentication started
Dec 21 15:29:11 green wpa_supplicant[685]: wlp1s0: 
CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Dec 21 15:29:11 green wpa_supplicant[685]: wlp1s0: CTRL-EVENT-REGDOM-CHANGE 
init=COUNTRY_IE type=COUNTRY alpha2=IL
Dec 21 15:29:27 green wpa_supplicant[685]: wlp1s0: CTRL-EVENT-DISCONNECTED 
bssid=3c:8a:b0:fc:72:80 reason=3 locally_generated=1
Dec 21 15:29:27 green wpa_supplicant[685]: wlp1s0: CTRL-EVENT-REGDOM-CHANGE 
init=CORE type=WORLD
Dec 21 15:29:28 green wpa_supplicant[685]: wlp1s0: CTRL-EVENT-REGDOM-CHANGE 
init=BEACON_HINT type=UNKNOWN
Dec 21 15:29:28 green wpa_supplicant[685]: wlp1s0: CTRL-EVENT-REGDOM-CHANGE 
init=BEACON_HINT type=UNKNOWN
Dec 21 15:29:28 green wpa_supplicant[685]: wlp1s0: CTRL-EVENT-REGDOM-CHANGE 
init=BEACON_HINT type=UNKNOWN
Dec 21 15:29:32 green wpa_supplicant[685]: wlp1s0: SME: Trying to authenticate 
with 3c:8a:b0:fc:72:80 (SSID='CS_WiFi' freq=2412 MHz)
Dec 21 15:29:36 green wpa_supplicant[685]: wlp1s0: SME: Trying to authenticate 
with 3c:8a:b0:f9:61:01 (SSID='CS_WiFi' freq=5200 MHz)
Dec 21 15:29:36 green wpa_supplicant[685]: wlp1s0: Trying to associate with 
3c:8a:b0:f9:61:01 (SSID='CS_WiFi' freq=5200 MHz)
Dec 21 15:29:36 green wpa_supplicant[685]: wlp1s0: Associated with 
3c:8a:b0:f9:61:01
Dec 21 15:29:36 green wpa_supplicant[685]: wlp1s0: CTRL-EVENT-EAP-STARTED EAP 
authentication started
Dec 21 15:29:36 green wpa_supplicant[685]: wlp1s0: 
CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Dec 21 15:29:36 green wpa_supplicant[685]: wlp1s0: 
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Dec 21 15:29:36 green wpa_supplicant[685]: wlp1s0: CTRL-EVENT-EAP-METHOD EAP 
vendor 0 method 25 (PEAP) selected
Dec 21 15:29:36 green wpa_supplicant[685]: wlp1s0: CTRL-EVENT-REGDOM-CHANGE