FS#51358 - [wpa_supplicant] The old bug: breaks WPA2 Enterprise PEAP MSCHAPv2 connection
Attached to Project:
Arch Linux
Opened by alleut (alleut) - Thursday, 13 October 2016, 09:52 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Friday, 18 November 2016, 20:46 GMT
Details
Description:
The same bug persists: impossible to connect to a WPA2 Enterprise with 1:1.26-1. Old 1:2.3-1 works fine. Old ticket on the problem: https://bugs.archlinux.org/task/47320
Closed by Bartłomiej Piotrowski (Barthalion)
Friday, 18 November 2016, 20:46 GMT
Reason for closing: Not a bug
http://lists.infradead.org/pipermail/hostap/2016-October/036460.html
Also, the old bugs are not related to this new one. Here, firing wpa_supplicant by hand you get this:
wlp6s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp6s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp6s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
TLS: Unsupported Phase2 EAP method 'MSCHAPv2'
wlp6s0: EAP: Failed to initialize EAP method: vendor 0 method 25 (PEAP)
wlp6s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Downgrading to 1:2.5-3 solves this, temporarily at least. Do we need to be subscribed to post on upstream ml?
'phase2="auth=EAP-MSCHAPv2"'
(which worked before) to
'phase2="auth=MSCHAPV2"'
But the newest version which is in staging, wpa_supplicant 1:2.6-2, doesn't work for me with this new setting.
Not sure this is related, but after upgrading from wpa_supplicant 1:2.5-3 => 1:2.6-2 (or 1:2.6-1), I cannot connect to eduroam anymore:
ssid="eduroam"
scan_ssid=1
key_mgmt=WPA-EAP
eap=TTLS
anonymous_identity="XXXXXXXXXXXXXXX"
# adjust the following CA line as required to match your filename
ca_cert="/etc/ssl/certs/AddTrust_External_Root.pem"
phase2="auth=MD5"
# in the following line, replace <username> with your University Remote Access account username, without angle brackets
# Remote access account is described at http://www.oucs.ox.ac.uk/network/remote/
# (not your SSO). Append @OX.AC.UK after your username so
# that eduroam knows the authentication home site
identity="XXXXXXXXXXXXXXXXXX"
# in the following line, replace <password> with your University Remote Access account password, without angle brackets
password="XXXXXXXXXXX"
Shall I open a new bug?
You're using "auth=MD5", which needs to be "autheap=MD5" as it's an EAP-only mechanism. (For comparison, PAP is non-EAP, and MSCHAPV2 can be either EAP-based or not.)
Or for that matter, skip the phase2= setting entirely and accept the server's default of MSCHAPV2. (That's what happened with 2.5 anyway, and it's what http://help.it.ox.ac.uk/network/wireless/services/eduroam/generic/index recommends. It's pretty rare for a network to be using EAP-MD5, really.)
Thanks. Working fine now.
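The auth= versus autheap= distinction from the answer above, as an added example that is not part of the original thread or of wpa_supplicant itself: a small check over wpa_supplicant.conf text that flags EAP-TTLS networks naming an EAP-only inner method with auth=. The function names and the sample configuration are constructed for illustration; CHAP and MSCHAP in the allow-list come from wpa_supplicant's documented TTLS methods rather than from the thread.

```python
# Non-EAP inner methods for EAP-TTLS, selected with auth= (PAP and MSCHAPV2 are
# named in the thread; CHAP and MSCHAP added here). Anything else is EAP-only.
TTLS_NON_EAP = {"PAP", "CHAP", "MSCHAP", "MSCHAPV2"}

# Constructed sample config: placeholder SSIDs, no credentials.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    eap=TTLS
    phase2="auth=MD5"
}
network={
    ssid="example-ttls"
    eap=TTLS
    phase2="autheap=MD5"
}
network={
    ssid="example-peap"
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
"""

def parse_networks(text):
    """Return one dict of key -> unquoted value per network={...} block."""
    networks, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def lint_ttls_phase2(text):
    """Return (ssid, message) for each auth= entry naming an EAP-only method."""
    findings = []
    for net in parse_networks(text):
        if "TTLS" not in net.get("eap", "").upper().split():
            continue  # PEAP's inner method is always EAP, so auth= is correct there
        for item in net.get("phase2", "").split():
            kind, _, method = item.partition("=")
            if kind == "auth" and method.upper() not in TTLS_NON_EAP:
                findings.append((net.get("ssid", "?"), f"{item} -> autheap={method}"))
    return findings
```

A network with no phase2 line at all produces no finding, which matches the other option given in the answer: leave the setting out and accept the server's default.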