Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#60473 - [netctl] wpa_supplicant uses macaddress as identity if anonymous identity is empty string
Attached to Project:
Arch Linux
Opened by XenGi (xengi) - Thursday, 18 October 2018, 11:51 GMT
Last edited by Jouke Witteveen (jouke) - Tuesday, 12 February 2019, 16:20 GMT
Opened by XenGi (xengi) - Thursday, 18 October 2018, 11:51 GMT
Last edited by Jouke Witteveen (jouke) - Tuesday, 12 February 2019, 16:20 GMT
|
DetailsDescription:
I've used several Thinkpads with Intel wifi cards and I had this problem with most of them but I'm focusing on my current one as I can't reproduce the behavior with another one right now. To reproduce you need a WPA Enterprise secured wifi network and probably a intel card using the iwlwifi driver. I only tested with networks that use PEAP and MSCHAPV2, so maybe this is related. I debugged the problem with the help of the debug log on a aruba wifi ap and found out what happens that way. I'm not sure what causes the problem. Somewhere on the way something is confused by the empty string in the anonymous_identity setting and puts the mac address of the adapter in the identity field. The generated file /run/netctl/wpa_supplicant-wlp59s0.conf still holds the line with the empty string. So I suspect wpa_supplicant or wpa_actiond to be the problem as I'm not sure how these tools play together. Additional info: $ lspci 3b:00.0 Network controller: Intel Corporation Wireless 8265 / 8275 (rev 78) * package version(s) $ pacman -Q netctl wpa_actiond wpa_supplicant netctl 1.18-1 wpa_actiond 1.4-3 wpa_supplicant 1:2.6-12 * config and/or log files etc. $ cat /etc/netctl/wlp59s0-someconfig Description='some description' Interface=wlp59s0 Connection=wireless Security=wpa-configsection IP=dhcp WPAConfigSection=( 'ssid="#somewifiwithhash"' 'key_mgmt=WPA-EAP' 'eap=PEAP' 'anonymous_identity=""' 'identity="user.name"' 'password="supersecretpassword"' 'ca_cert="/etc/ssl/certs/somecert.pem"' 'priority=1' 'phase2="auth=MSCHAPV2"' ) Steps to reproduce: - Create a wifi network with WPA enterprise that uses PEAP and MSCHAPV2 - Make sure to set debug levels on the wifi AP to see whats going on - Set anonymous_identity="" in the netctl config - Set identity, password and all other config entries to the correct values - Try to connect - In the dmesg log on the wifi client you will see the following messages: [522653.449626] wlp59s0: authenticate with de:ad:be:ef:a8:eb [522653.461426] wlp59s0: send auth to de:ad:be:ef:a8:eb (try 1/3) [522653.468728] wlp59s0: authenticated [522653.470875] wlp59s0: associate with de:ad:be:ef:a8:eb (try 1/3) [522653.475588] wlp59s0: RX AssocResp from de:ad:be:ef:a8:eb (capab=0x1411 status=0 aid=5) [522653.478952] wlp59s0: associated [522653.529347] wlp59s0: Limiting TX power to 30 (30 - 0) dBm as advertised by de:ad:be:ef:a8:eb [522656.506611] wlp59s0: deauthenticating from de:ad:be:ef:a8:eb by local choice (Reason: 3=DEAUTH_LEAVING) [522657.870837] wlp59s0: authenticate with de:ad:be:ef:d2:9c [522657.883910] wlp59s0: send auth to de:ad:be:ef:d2:9c (try 1/3) [522657.886664] wlp59s0: authenticated [522657.887536] wlp59s0: associate with de:ad:be:ef:d2:9c (try 1/3) [522657.891418] wlp59s0: RX AssocResp from de:ad:be:ef:d2:9c (capab=0x1411 status=0 aid=19) [522657.893827] wlp59s0: associated [522657.917486] wlp59s0: Limiting TX power to 23 (23 - 0) dBm as advertised by de:ad:be:ef:d2:9c [522706.565304] wlp59s0: deauthenticating from de:ad:be:ef:d2:9c by local choice (Reason: 3=DEAUTH_LEAVING) - This indicates wrong credentials - In the log on the wifi AP you will see that the client is trying to login using it's own mac address as the username - The radius server will correctly deny the authentication attempt - Now change the anonymous_identity="" in the netctl config to a non-empty string or remove the line completely - Restart netctl-auto@wlp59s0 to reload the profiles - Try to connect to the wifi network again - In the log on the wifi AP you will see that the client is now using the correct identity string from the config to authenticate - The wifi client will connect successfully |
This task depends upon
$ pacman -Q linux
linux 4.18.14.arch1-1
If there is a bug, it is most likely a bug with wpa_supplicant and not with netctl. Can you get correct behavior from wpa_supplicant without using netctl? In that case, we would indeed need to fix something with netctl.
I also checked the generated wpa_supplicant config file and in there is also the string 'anonymous_identity=""' so I suspect the bug being in wpa_supplicant.
I checked with a minimal wpa_supplicant config with the same results. Here is the config:
ctrl_interface=/run/wpa_supplicant
update_config=1
network={
ssid="#somewifiname"
key_mgmt=WPA-EAP
eap=PEAP
identity="someusername"
anonymous_identity=""
password="supersecurepassword"
ca_cert="/etc/ssl/certs/SOMECERT.pem"
priority=1
phase2="auth=MSCHAPV2"
}
And the output:
$ sudo wpa_supplicant -i wlp59s0 -c wpa_supplicant.conf
Successfully initialized wpa_supplicant
wlp59s0: SME: Trying to authenticate with 12:34:56:f8:8b:1b (SSID='#somewifiname' freq=5500 MHz)
wlp59s0: Trying to associate with 12:34:56:f8:8b:1b (SSID='#somewifiname' freq=5500 MHz)
wlp59s0: Associated with 12:34:56:f8:8b:1b
wlp59s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp59s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp59s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlp59s0: Authentication with 12:34:56:f8:8b:1b timed out.
wlp59s0: CTRL-EVENT-DISCONNECTED bssid=12:34:56:f8:8b:1b reason=3 locally_generated=1
wlp59s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="#somewifiname" auth_failures=1 duration=10 reason=AUTH_FAILED
wlp59s0: CTRL-EVENT-SSID-REENABLED id=0 ssid="#somewifiname"
wlp59s0: SME: Trying to authenticate with 12:34:56:56:cc:29 (SSID='#somewifiname' freq=5240 MHz)
wlp59s0: Trying to associate with 12:34:56:56:cc:29 (SSID='#somewifiname' freq=5240 MHz)
wlp59s0: Associated with 12:34:56:56:cc:29
wlp59s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp59s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp59s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlp59s0: Authentication with 12:34:56:56:cc:29 timed out.
wlp59s0: CTRL-EVENT-DISCONNECTED bssid=12:34:56:56:cc:29 reason=3 locally_generated=1
wlp59s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="#somewifiname" auth_failures=2 duration=23 reason=AUTH_FAILED
^Cnl80211: Failed to open /proc/sys/net/ipv4/conf/p2p-dev-wlp59s0/drop_unicast_in_l2_multicast: No such file or directory
nl80211: Failed to set IPv4 unicast in multicast filter
nl80211: Failed to open /proc/sys/net/ipv4/conf/p2p-dev-wlp59s0/drop_unicast_in_l2_multicast: No such file or directory
nl80211: Failed to set IPv4 unicast in multicast filter
nl80211: deinit ifname=p2p-dev-wlp59s0 disabled_11b_rates=0
p2p-dev-wlp59s0: CTRL-EVENT-TERMINATING
So for me this looks like a bug in wpa_supplicant. I don't know how to continue from here. Should I file a bug with there tracker if they have one?
Good luck!
I'll ask on the wpa_supplicant ML. Thx for your help so far!