After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 648171 - impossible to connect to WPA2 wifi networks, from either Network panel or gnome-shell
impossible to connect to WPA2 wifi networks, from either Network panel or gno...
Status: RESOLVED FIXED
Product: gnome-shell
Classification: Core
Component: network-indicator
3.0.x
Other Linux
: Normal critical
: ---
Assigned To: gnome-shell-maint
gnome-shell-maint
: 647114 (view as bug list)
Depends on: 646210 648174
Blocks: GnomeShell301
 
 
Reported: 2011-04-19 05:17 UTC by Frederic Crozat
Modified: 2011-05-04 15:19 UTC
See Also:
GNOME target: 3.0
GNOME version: ---


Attachments
Fix handling of AP security flags and enhance for 802.1x (3.16 KB, patch)
2011-05-03 17:29 UTC, Dan Williams
reviewed Details | Review
Call out to nm-applet to do the 802.1x dirty work (3.42 KB, patch)
2011-05-03 18:31 UTC, Dan Williams
accepted-commit_now Details | Review

Description Frederic Crozat 2011-04-19 05:17:13 UTC
+++ This bug was initially created as a clone of Bug #646210 +++

When trying to connect to WPA2 networks (either WPA2-AES or WPA2-PEAP), I get "Device activation failed: (32) Failed to determine AP security" on stdout and can't configure it.

this is with NM 0.8.997 + all f15 patches from git, on openSUSE live image
Comment 1 Dan Williams 2011-04-19 06:12:16 UTC
The applet has a new D-Bus method, "ConnectTo8021xNetwork" which takes the arguments "oo" (device object path, AP object path) and will show the UI if that AP is a WPA 802.1x capable AP, and then call NM's AddAndActivate method.

The indicator should do the following things before calling that method:

1) make sure to only call it for 802.1x capable APs
2) make sure to only call it for APs that have no existing connections that could be used with that AP (ConnectTo8021xNetwork does no dupe checking)

To figure out whether an AP is a WPA 802.1x capable AP, do this:

if (   (nm_access_point_get_wpa_flags (ap) & NM_802_11_AP_SEC_KEY_MGMT_802_1X)
    || (nm_access_point_get_rsn_flags (ap) & NM_802_11_AP_SEC_KEY_MGMT_802_1X)) {

note that this doesn't take into account Dynamic WEP APs, which are APs that use WEP encryption but use 802.1x for authentication.  These APs are harder to identify, because they exactly the same as a WEP key (ie non-802.1x access point).  These configurations are fortunately rare, and I'd feel comfortable about requiring the user of a Dynamic WEP network to visit the control center panel once to set up the network using the "Options..." button.  I don't think we need to handle connecting to Dynamic WEP networks automatically using the Dialog Of Doom from the indicator, given that we cannot distinguish between Dynamic WEP and standard WEP key/passphrase.

If nobody gets to the shell before I get up tomorrow, I'll do a quick patch.
Comment 2 Dan Winship 2011-04-19 14:14:41 UTC
(In reply to comment #1)
> If nobody gets to the shell before I get up tomorrow, I'll do a quick patch.

Yeah, I wouldn't be able to test it now anyway, so...
Comment 3 Giovanni Campagna 2011-04-21 15:11:04 UTC
(In reply to comment #1)
> The applet has a new D-Bus method, "ConnectTo8021xNetwork" which takes the
> arguments "oo" (device object path, AP object path) and will show the UI if
> that AP is a WPA 802.1x capable AP, and then call NM's AddAndActivate method.
> 
> The indicator should do the following things before calling that method:
> 
> 1) make sure to only call it for 802.1x capable APs
> 2) make sure to only call it for APs that have no existing connections that
> could be used with that AP (ConnectTo8021xNetwork does no dupe checking)

Why is this needed? Can't NetworkManager just Do The Right Thing: fill the security settings with the most secure possible configuration (unless a security setting is already present), and then call out to the secret agent?
Comment 4 Dan Williams 2011-05-03 17:28:47 UTC
(In reply to comment #3)
> (In reply to comment #1)
> > The applet has a new D-Bus method, "ConnectTo8021xNetwork" which takes the
> > arguments "oo" (device object path, AP object path) and will show the UI if
> > that AP is a WPA 802.1x capable AP, and then call NM's AddAndActivate method.
> > 
> > The indicator should do the following things before calling that method:
> > 
> > 1) make sure to only call it for 802.1x capable APs
> > 2) make sure to only call it for APs that have no existing connections that
> > could be used with that AP (ConnectTo8021xNetwork does no dupe checking)
> 
> Why is this needed? Can't NetworkManager just Do The Right Thing: fill the
> security settings with the most secure possible configuration (unless a
> security setting is already present), and then call out to the secret agent?

Because at the moment, the secret agents are for *secrets* only, and before you try to connect (for the moment at least) you need to know what EAP methods the RADIUS server behind the AP supports, and you need to know things like username, password, certificates, PEAP version, etc for the RADIUS server, and none of that is broadcast in the AP's beacon at all, since it has nothing to do with WiFi.  The Access Point just says "hey, when you connect you need to authenticate with EAP" but it says nothing about *how* to authenticate, and in many instances the user simply has to know what the configuration is, it's not something we can autodetect at all.

There are ways to make this better in the future, like connecting to the AP initially and retrieving the default EAP method that the RADIUS server says it wants, then asking the user for the details of those, but that's still a ways off and we need supplicant changes to expose that sort of information to NM in the first place.  Until then, the user just has to fill out the Dialog of Doom.
Comment 5 Dan Williams 2011-05-03 17:29:51 UTC
Created attachment 187136 [details] [review]
Fix handling of AP security flags and enhance for 802.1x
Comment 6 Giovanni Campagna 2011-05-03 17:37:57 UTC
Review of attachment 187136 [details] [review]:

You're the one who knows what all those flags mean, so I can only comment on code, and I can't find anything wrong with it.

::: js/ui/status/network.js
@@ +1136,3 @@
         let wpa_flags = accessPoint.wpa_flags;
         let rsn_flags = accessPoint.rsn_flags;
+        let type = NM80211ApSecurityFlags.UNKNOWN;

NMAccessPointSecurity.UNKNOWN
(doesn't make much difference because it is 0 anyway)
Comment 7 Giovanni Campagna 2011-05-03 17:47:55 UTC
(In reply to comment #4)
> (In reply to comment #3)
> [...]
> 
> Because at the moment, the secret agents are for *secrets* only, and before you
> try to connect (for the moment at least) you need to know what EAP methods the
> RADIUS server behind the AP supports, and you need to know things like
> username, password, certificates, PEAP version, etc for the RADIUS server, and
> none of that is broadcast in the AP's beacon at all, since it has nothing to do
> with WiFi.  The Access Point just says "hey, when you connect you need to
> authenticate with EAP" but it says nothing about *how* to authenticate, and in
> many instances the user simply has to know what the configuration is, it's not
> something we can autodetect at all.
> 
> There are ways to make this better in the future, like connecting to the AP
> initially and retrieving the default EAP method that the RADIUS server says it
> wants, then asking the user for the details of those, but that's still a ways
> off and we need supplicant changes to expose that sort of information to NM in
> the first place.  Until then, the user just has to fill out the Dialog of Doom.

Understood. But in any case, ConnectTo8021xNetwork is too late for 3.0.1, and for 3.2 we've planned integrated network dialogs (pending missing designs), which should remove the need for calling nm-applet.
Comment 8 Owen Taylor 2011-05-03 18:02:20 UTC
(In reply to comment #7)
> (In reply to comment #4)
> > (In reply to comment #3)
> > [...]
> > 
> > Because at the moment, the secret agents are for *secrets* only, and before you
> > try to connect (for the moment at least) you need to know what EAP methods the
> > RADIUS server behind the AP supports, and you need to know things like
> > username, password, certificates, PEAP version, etc for the RADIUS server, and
> > none of that is broadcast in the AP's beacon at all, since it has nothing to do
> > with WiFi.  The Access Point just says "hey, when you connect you need to
> > authenticate with EAP" but it says nothing about *how* to authenticate, and in
> > many instances the user simply has to know what the configuration is, it's not
> > something we can autodetect at all.
> > 
> > There are ways to make this better in the future, like connecting to the AP
> > initially and retrieving the default EAP method that the RADIUS server says it
> > wants, then asking the user for the details of those, but that's still a ways
> > off and we need supplicant changes to expose that sort of information to NM in
> > the first place.  Until then, the user just has to fill out the Dialog of Doom.
> 
> Understood. But in any case, ConnectTo8021xNetwork is too late for 3.0.1, and
> for 3.2 we've planned integrated network dialogs (pending missing designs),
> which should remove the need for calling nm-applet.

There is actually a GNOME 3.0.2 scheduled; while this isn't really along the lines of things I've wanted for 3.0.x, it's pretty critical (maybe I'm a little biased because we use WPA Enterprise internally here at Red Hat), and I'd like to see if we can get something in the 3-0 branch for this... I'll look at patching the Fedora packages in any case, and it doesn't really make sense to say that I'd put a patch in Fedora but it's too risky for upstream.
Comment 9 Dan Williams 2011-05-03 18:31:37 UTC
Created attachment 187142 [details] [review]
Call out to nm-applet to do the 802.1x dirty work
Comment 10 Dan Williams 2011-05-03 19:37:44 UTC
*** Bug 647114 has been marked as a duplicate of this bug. ***
Comment 11 Giovanni Campagna 2011-05-04 13:18:28 UTC
Review of attachment 187142 [details] [review]:

From the point of view of implementation, it is perfect, and I think it can go in, at least in master.
Comment 12 Dan Williams 2011-05-04 15:19:07 UTC
ae0652d13fc2d7caa3d64f2b87d174253cae5901