Bug 209728

Summary: knetworkmanager fails to connect to enterprise networks with TLS/certificates
Product: [Unmaintained] Network Management
Reporter: Lars Scheiter <lars.scheiter>
Component: Wireless
Assignee: Will Stephenson <wstephenson>
Status: RESOLVED DUPLICATE
Severity: normal
CC: alberto.quattrinili, cordlandwehr, dietrichmathias, ilia-kats, sven.burmeister, wolf.behrenhoff
Priority: NOR    
Version: 0.9   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   

Description Lars Scheiter 2009-10-07 11:15:30 UTC
Version:           SVN (using KDE 4.3.1)
OS:                Linux
Installed from:    Ubuntu Packages

Our company uses WPA2 Enterprise WLAN security via TLS with user certificates. Currently I am unable to connect to this network.
This problem persists on KDE 4.3.2 (but was present in all recent KDE4 versions), I even tried SVN ;)

There's also one difference between SVN and release versions: all release versions do not remember the settings I made; when I select our network it always displays a blank new configure dialog with WPA2 Passphrase instead of the WPA2 Enterprise with TLS dialog.

I don't know if this is related: the configured CA is always "deconfigured" and the previously unchecked "use System CA certs" is checked again.

Please feel free to contact me if I can assist in tracking this one down.
Comment 1 S. Burmeister 2009-10-14 22:21:25 UTC
There are two things to consider. First, try with a clean config, e.g. a new test-user, yet that's more in regard to knm not saving settings.

Regarding the certificate, check what /var/log/wpa_supplicant tells you while knm tries to connect. NM cannot handle certificate chains for example and you might have to install certificates to /etc/ssl/certs.
Comment 2 Andreas Cord-Landwehr 2009-10-27 11:12:59 UTC
I'm experiencing exactly the same. My network-manager-kde version is 1:0.8~svn1029786-1 (installed in Debian Testing/Unstable), although nm-applet works fine. I get the following output in /var/log/syslog on a connection attempt:

Oct 27 10:53:30 sooner wpa_supplicant[2918]: CTRL-EVENT-SCAN-RESULTS
Oct 27 10:53:30 sooner wpa_supplicant[2918]: Trying to associate with 00:24:c4:d2:d8:11 (SSID='eduroam' freq=2462 MHz)
Oct 27 10:53:30 sooner wpa_supplicant[2918]: Association request to the driver failed
Oct 27 10:53:30 sooner NetworkManager: <info>  (wlan0): supplicant connection state:  scanning -> associating
Oct 27 10:53:30 sooner kernel: [18714.064595] wlan0: authenticate with AP 00:24:c4:d2:d8:11
Oct 27 10:53:30 sooner kernel: [18714.202051] wlan0: authenticated
Oct 27 10:53:30 sooner kernel: [18714.202058] wlan0: associate with AP 00:24:c4:d2:d8:11
Oct 27 10:53:30 sooner kernel: [18714.211121] wlan0: RX AssocResp from 00:24:c4:d2:d8:11 (capab=0x431 status=0 aid=6)
Oct 27 10:53:30 sooner kernel: [18714.211127] wlan0: associated
Oct 27 10:53:30 sooner wpa_supplicant[2918]: Associated with 00:24:c4:d2:d8:11
Oct 27 10:53:30 sooner NetworkManager: <info>  (wlan0): supplicant connection state:  associating -> associated
Oct 27 10:53:30 sooner wpa_supplicant[2918]: CTRL-EVENT-EAP-STARTED EAP authentication started
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: pending error: error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: pending error: error:140CA00D:SSL routines:SSL_use_PrivateKey_ASN1:ASN1 lib
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: pending error: error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: pending error: error:140CA00D:SSL routines:SSL_use_PrivateKey_ASN1:ASN1 lib
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: pending error: error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: pending error: error:140CD00D:SSL routines:SSL_use_RSAPrivateKey_ASN1:ASN1 lib
Oct 27 10:53:30 sooner wpa_supplicant[2918]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
Oct 27 10:53:30 sooner wpa_supplicant[2918]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Oct 27 10:53:30 sooner NetworkManager: <info>  (wlan0): supplicant connection state:  associated -> 4-way handshake


On the other side: when using nm-applet the output looks like this:
Oct 27 10:53:30 sooner dhclient:
Oct 27 10:53:30 sooner NetworkManager: <info>  DHCP: device wlan0 state changed normal exit -> preinit
Oct 27 10:53:30 sooner dhclient: Listening on LPF/wlan0/00:1b:77:8f:73:44
Oct 27 10:53:30 sooner dhclient: Sending on   LPF/wlan0/00:1b:77:8f:73:44
Oct 27 10:53:30 sooner dhclient: Sending on   Socket/fallback
Oct 27 10:53:32 sooner dhclient: DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 4
Oct 27 10:53:36 sooner dhclient: DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 11
Oct 27 10:53:36 sooner dhclient: DHCPOFFER from 131.234.48.1
Oct 27 10:53:36 sooner dhclient: DHCPREQUEST on wlan0 to 255.255.255.255 port 67
Oct 27 10:53:36 sooner dhclient: DHCPACK from 131.234.48.1
Oct 27 10:53:36 sooner dhclient: bound to 131.234.52.236 -- renewal in 460 seconds.
Oct 27 10:53:36 sooner NetworkManager: <info>  DHCP: device wlan0 state changed preinit -> bound
Oct 27 10:53:36 sooner NetworkManager: <info>  Activation (wlan0) Stage 4 of 5 (IP Configure Get) scheduled...
Oct 27 10:53:36 sooner NetworkManager: <info>  Activation (wlan0) Stage 4 of 5 (IP Configure Get) started...
Oct 27 10:53:36 sooner NetworkManager: <info>    address 131.234.52.236
Oct 27 10:53:36 sooner NetworkManager: <info>    prefix 21 (255.255.248.0)
Oct 27 10:53:36 sooner NetworkManager: <info>    gateway 131.234.48.1
Oct 27 10:53:36 sooner NetworkManager: <info>    nameserver '131.234.137.23'
Oct 27 10:53:36 sooner NetworkManager: <info>    nameserver '131.234.137.24'
Oct 27 10:53:36 sooner NetworkManager: <info>    domain name 'uni-paderborn.de'
Oct 27 10:53:36 sooner NetworkManager: <info>  Activation (wlan0) Stage 5 of 5 (IP Configure Commit) scheduled...
Oct 27 10:53:36 sooner NetworkManager: <info>  Activation (wlan0) Stage 4 of 5 (IP Configure Get) complete.
Oct 27 10:53:36 sooner NetworkManager: <info>  Activation (wlan0) Stage 5 of 5 (IP Configure Commit) started...
Oct 27 10:53:36 sooner avahi-daemon[1813]: Joining mDNS multicast group on interface wlan0.IPv4 with address 131.234.52.236.
Oct 27 10:53:36 sooner avahi-daemon[1813]: New relevant interface wlan0.IPv4 for mDNS.
Oct 27 10:53:36 sooner avahi-daemon[1813]: Registering new address record for 131.234.52.236 on wlan0.IPv4.
Oct 27 10:53:37 sooner NetworkManager: <info>  (wlan0): device state change: 7 -> 8
Oct 27 10:53:37 sooner NetworkManager: <debug> [1256637217.075008] periodic_update(): Roamed from BSSID 00:24:C4:D2:D2:FE (eduroam) to 00:24:C4:D2:D8:11 (eduroam)
Oct 27 10:53:37 sooner NetworkManager: <info>  Policy set 'Auto eduroam' (wlan0) as default for routing and DNS.
Oct 27 10:53:37 sooner NetworkManager: <info>  Activation (wlan0) successful, device activated.
Oct 27 10:53:37 sooner NetworkManager: <info>  Activation (wlan0) Stage 5 of 5 (IP Configure Commit) complete.
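
The log check suggested in comment 1, applied to the kind of syslog excerpt posted in comment 2, as an added example (not part of any comment in this report, and not KDE or NetworkManager code): it counts the OpenSSL private-key decoding errors and reports how far the attempt got. The function names and stage labels are hypothetical, and the sample is a subset of the lines posted above.

```python
import re
from collections import Counter

# Subset of the syslog lines posted in comment 2 (same format, fewer lines).
SAMPLE = """\
Oct 27 10:53:30 sooner wpa_supplicant[2918]: Associated with 00:24:c4:d2:d8:11
Oct 27 10:53:30 sooner wpa_supplicant[2918]: CTRL-EVENT-EAP-STARTED EAP authentication started
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
Oct 27 10:53:30 sooner wpa_supplicant[2918]: OpenSSL: pending error: error:140CA00D:SSL routines:SSL_use_PrivateKey_ASN1:ASN1 lib
Oct 27 10:53:30 sooner wpa_supplicant[2918]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
Oct 27 10:53:30 sooner wpa_supplicant[2918]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Oct 27 10:53:30 sooner NetworkManager: <info>  (wlan0): supplicant connection state:  associated -> 4-way handshake
"""

OSSL = re.compile(r"OpenSSL: pending error: error:[0-9A-Fa-f]{8}:[^:]+:([^:]+):(.+)$")
METHOD = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor \d+ method (\d+) \((\S+)\) selected")
STATE = re.compile(r"supplicant connection state:\s+\S.*? -> (.+)$")
KEY_FUNCS = {"d2i_PrivateKey", "SSL_use_PrivateKey_ASN1", "SSL_use_RSAPrivateKey_ASN1"}


def triage(log_text):
    """Summarise one connection attempt from wpa_supplicant/NetworkManager syslog lines."""
    out = {"eap_method": None, "eap_result": None, "last_state": None,
           "openssl_errors": Counter()}
    for line in log_text.splitlines():
        if m := OSSL.search(line):
            out["openssl_errors"][m.group(1)] += 1  # count by OpenSSL function name
        elif m := METHOD.search(line):
            out["eap_method"] = (int(m.group(1)), m.group(2))
        elif "CTRL-EVENT-EAP-SUCCESS" in line:
            out["eap_result"] = "success"
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            out["eap_result"] = "failure"
        elif m := STATE.search(line):
            out["last_state"] = m.group(1).strip()
    out["key_decode_errors"] = sum(
        n for func, n in out["openssl_errors"].items() if func in KEY_FUNCS)
    return out


def stage(summary):
    """Name the step the attempt stopped at (hypothetical labels)."""
    if summary["eap_result"] == "failure":
        return "private-key" if summary["key_decode_errors"] else "eap-other"
    if summary["eap_result"] == "success":
        return "post-eap:" + (summary["last_state"] or "unknown")
    return "pre-eap"
```

On the sample, `stage(triage(SAMPLE))` gives `post-eap:4-way handshake`: EAP-TLS reports success after the key-decoding errors, so those lines alone do not mark the point where the attempt stopped.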
Comment 3 S. Burmeister 2009-10-27 11:23:23 UTC
Failed to read possible Application Data error:00000000:lib

Hints towards having some wrong password or username used for authentication. You could remove the old connection and start a new one. Whatever package version is included in openSUSE 11.2 does work for eduroam with certificate (not chain) and TTLS.

You can use http://userbase.kde.org/NetworkManagement#It.27s_All_KDE.27s_Fault.21 to debug as well.
Comment 4 Alberto Quattrini Li 2009-10-29 22:49:00 UTC
It is the same for me. I have Debian (unstable) as OS with knetwork-manager version 0.7~~svn941706-2. When I try to fill in the information about EAP for a WPA Enterprise encryption, in particular "private secret key", "private keyfile" and CA Certificate, network manager doesn't store this information in the config file (~/.kde/share/config/knetworkmanagerrc), and indeed when I retry to edit the connection, the information fields stated before are blank. If someone can tell me which variables are associated with these fields (e.g. Value_ca-path for ca certificate path; I don't know if it is correct), I can try to add them manually in the config file and see what happens. Furthermore, if I choose EAP-TLS as method, in the method phase 2 it shows no method available ("none"), and I can't choose MSchapv2, although in the config file it is reported ("Value_phase2-auth=<string>mschapv2</string>\n")
Comment 5 S. Burmeister 2009-10-30 09:15:34 UTC
(In reply to comment #4)
> Also for me is the same. I have debian (unstable) as OS with knetwork-manager
> version 0.7~~svn941706-2.

svn941706 is way too old. svn1040608 is a current revision.

And just in case, do not use the plasmoid but the "normal" knetworkmanager which is shown in the systray.
Comment 6 Alberto Quattrini Li 2009-11-13 23:41:19 UTC
I have the last version in the svn repo, and the issue is partially solved. It still cannot save the CA certificate (it automatically checks "Use System CA Certs"). Private key and Private Key password are now saved. However, now there isn't any field regarding "anonymous identity", while previously there was one in the information about EAP for a WPA Enterprise encryption, and I need this field to connect to my campus network (I don't know if network manager manages identity and anonymous identity as the same).
Comment 7 Wolf Behrenhoff 2010-02-11 15:57:47 UTC
This problem still exists, also in 4.4.0 (using Kubuntu packages), I just tried it today after upgrading KDE. I can connect to the Eduroam network using Gnome's nm-applet but it does not work with KDE's knetworkmanager. For WPA PSK networks, knetworkmanager just works fine. I would really appreciate a fix.
Comment 8 Mathias Dietrich 2010-08-23 17:18:41 UTC
This problem still exists in 4.5 (Kubuntu 10.04). Gnome's network manager works with WPA-Enterprise TLS or PEAP.

If I create a connection for WPA-Enterprise TLS, I can fill in all fields in the configuration, but after this I cannot use the created configuration although it is displayed.

Configuration also works for WPA-Enterprise PEAP, but it fails at the connection attempts.

Seems like something must be wrong.
Comment 9 S. Burmeister 2010-08-23 17:24:34 UTC
Is this bug a dup of bug 209673?
Comment 10 Mathias Dietrich 2010-08-23 17:44:06 UTC
Yes, it seems like it is the same as bug 235541 and 209673.

Thanks for the hint.
Comment 11 Wolf Behrenhoff 2010-08-23 17:58:54 UTC
Yes, seems to be the same bug. At least for me the workaround described in bug 209673 works.
Comment 12 xrx 2010-10-24 10:15:30 UTC
The same issue is still in KDE 4.5.2
Comment 13 Ilia Kats 2011-05-05 16:02:44 UTC

*** This bug has been marked as a duplicate of bug 209673 ***