GNOME Bugzilla – Bug 768489
nm_applet can't configure TTLS+MSCHAPv2 authentication
Last modified: 2016-12-21 16:30:45 UTC
I can't connect to the company WLAN in my office with nm_applet using the settings "Authentication: Tunneled TLS" and "Inner Authentication: MSCHAPV2" (which are offered to the user as defaults for this connection by the applet).

I analyzed this using manual configuration and found the following behaviour of the Wifi access point:

  eap=TTLS, phase2="autheap=MSCHAPV2": NO
  eap=TTLS, phase2="auth=MSCHAPV2":    YES
  eap=PEAP, phase2="auth=MSCHAPV2":    YES

In other words, "phase2=autheap" was causing the trouble. Thus one workaround in this specific case is to use PEAP. With TTLS, the following workaround is possible using nmcli:

  nmcli con modify Novell 802-1x.phase2-auth mschapv2
  nmcli con modify Novell 802-1x.phase2-autheap ""
  systemctl restart NetworkManager   # (not sure why this is necessary)

Now the connection can be started.

This configuration can't be applied using nm_applet. The user can only select TTLS + MSCHAPV2 in the applet, and if he does so, the applet will set "phase2-autheap", not "phase2-auth". In general, nm_applet always sets "phase2-autheap" if possible:

  /* If the outer EAP method (TLS, TTLS, PEAP, etc) allows inner/phase2
   * EAP methods (which only TTLS allows) *and* the inner/phase2 method
   * supports being an inner EAP method, then set PHASE2_AUTHEAP. */

See https://github.com/GNOME/network-manager-applet/commit/2294732eb608fad0ad65e315e1495094c0c9f34c

This behavior of nm_applet seems to be wrong, as wpa_supplicant, NetworkManager itself, and nmcli all support "auth=MSCHAPV2" as an inner method for TTLS. The spec on https://tools.ietf.org/html/rfc5281#page-26 also doesn't seem to forbid "plain" MSCHAPV2 (as opposed to MSCHAPV2 inside EAP) as a tunneled authentication protocol.
With TTLS, both auth=MSCHAPV2 and autheap=MSCHAPV2 are valid – one is raw, the other is EAP-based. The problem is that not all auth servers are properly configured to accept both... I've noticed people having problems with autheap= on IRC as well. So perhaps nm-applet should offer both "MSCHAPv2" and "EAP-MSCHAPv2" options for TTLS, to cope with misconfigured RADIUS servers? (PEAP supports *only* EAP-based inner mechanisms, so auth=MSCHAPV2 always means EAP-MSCHAPV2, and autheap= doesn't exist.) Everything above also applies to "MSCHAP"(v1), too.
(In reply to Mantas Mikulėnas (grawity) from comment #1)
> Everything above also applies to "MSCHAP"(v1), too.

Ah, I got that wrong – I thought autheap=MSCHAP exists, but it doesn't. Disregard.
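The auth=/autheap= distinction laid out in comments #1 and #2, as an added example that is not code from the bug report, from nm-applet or from NetworkManager: a small POSIX shell helper that maps an outer method, an inner method and a raw/EAP choice to the wpa_supplicant phase2 value, refuses the combinations that do not exist (any autheap= under PEAP, autheap=MSCHAP), and emits the matching pair of nmcli property settings in the shape of the reporter's workaround. The connection name Novell is taken from the report; the SSID, identity and CA certificate path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug report or from nm-applet. It encodes the
# phase2 rules discussed in the thread for wpa_supplicant / NetworkManager:
#   TTLS: inner MSCHAPV2 exists raw ("auth=MSCHAPV2") and EAP-wrapped
#         ("autheap=MSCHAPV2"); PAP, CHAP and MSCHAP(v1) exist only raw.
#   PEAP: inner methods are always EAP-based, so only "auth=" exists and
#         "auth=MSCHAPV2" already means EAP-MSCHAPv2.
# SSID, identity and the ca_cert path below are made-up placeholders.

# phase2_string OUTER INNER WRAP -> prints the wpa_supplicant phase2 value
#   OUTER: TTLS | PEAP      INNER: MSCHAPV2 | MSCHAP | PAP | CHAP | ...
#   WRAP : raw (plain inner protocol) | eap (inner protocol carried inside EAP)
phase2_string() {
    outer=$1; inner=$2; wrap=$3
    case "$wrap" in
        raw|eap) ;;
        *) echo "error: WRAP must be raw or eap" >&2; return 1 ;;
    esac
    case "$outer" in
        TTLS)
            if [ "$wrap" = eap ]; then
                case "$inner" in
                    PAP|CHAP|MSCHAP)
                        echo "error: $inner has no EAP form, use WRAP=raw" >&2
                        return 1 ;;
                esac
                printf 'autheap=%s\n' "$inner"
            else
                printf 'auth=%s\n' "$inner"
            fi ;;
        PEAP)
            if [ "$wrap" = raw ]; then
                echo "error: PEAP inner methods are always EAP-based, use WRAP=eap" >&2
                return 1
            fi
            printf 'auth=%s\n' "$inner" ;;
        *)
            echo "error: unsupported outer method $outer" >&2
            return 1 ;;
    esac
}

# wpa_network_block SSID IDENTITY OUTER INNER WRAP -> wpa_supplicant.conf network block
wpa_network_block() {
    p2=$(phase2_string "$3" "$4" "$5") || return 1
    cat <<EOF
network={
    ssid="$1"
    key_mgmt=WPA-EAP
    eap=$3
    identity="$2"
    phase2="$p2"
    # placeholder path; without ca_cert wpa_supplicant does not verify the tunnel's server
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
}
EOF
}

# nmcli_phase2_cmds CONNECTION OUTER INNER WRAP -> the two nmcli commands that set
# exactly one of 802-1x.phase2-auth / 802-1x.phase2-autheap and clear the other
# (the shape of the workaround in the report; NetworkManager spells values lowercase)
nmcli_phase2_cmds() {
    con=$1
    p2=$(phase2_string "$2" "$3" "$4") || return 1
    key=${p2%%=*}
    val=$(printf '%s' "${p2#*=}" | tr 'A-Z' 'a-z')
    if [ "$key" = autheap ]; then
        set_prop=802-1x.phase2-autheap; clear_prop=802-1x.phase2-auth
    else
        set_prop=802-1x.phase2-auth; clear_prop=802-1x.phase2-autheap
    fi
    printf 'nmcli con modify "%s" %s %s\n' "$con" "$set_prop" "$val"
    printf 'nmcli con modify "%s" %s ""\n' "$con" "$clear_prop"
}

# Demo: the three combinations the reporter tried plus two that must be rejected.
demo() {
    for combo in "TTLS MSCHAPV2 eap" "TTLS MSCHAPV2 raw" "PEAP MSCHAPV2 eap" \
                 "PEAP MSCHAPV2 raw" "TTLS MSCHAP eap"; do
        set -- $combo
        printf '%-20s -> ' "$combo"
        phase2_string "$1" "$2" "$3" 2>&1 || true
    done
    nmcli_phase2_cmds Novell TTLS MSCHAPV2 raw
    wpa_network_block corp-wifi user@example.com TTLS MSCHAPV2 raw
}

demo
```

The ca_cert line is there because with both TTLS and PEAP the inner credential, raw or EAP-wrapped MSCHAPv2 alike, is only as protected as the outer TLS tunnel, and wpa_supplicant does not verify the server certificate unless a trust anchor is configured; switching between auth= and autheap= to satisfy a RADIUS server changes nothing about that.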
(In reply to Mantas Mikulėnas (grawity) from comment #1)
> With TTLS, both auth=MSCHAPV2 and autheap=MSCHAPV2 are valid – one is raw,
> the other is EAP-based. The problem is that not all auth servers are
> properly configured to accept both...
>
> I've noticed people having problems with autheap= on IRC as well. So perhaps
> nm-applet should offer both "MSCHAPv2" and "EAP-MSCHAPv2" options for TTLS,
> to cope with misconfigured RADIUS servers?

Yes, I think so. nm-applet should offer both of those two options, in case users like the reporter need it.
Created attachment 340662
Add support for TTLS/MSCHAPV2

This bug should be a regression due to commit 2294732eb608fad0ad65e315e1495094c0c9f34c. This patch adds support for TTLS/MSCHAPV2. It splits MSCHAPV2 and EAP-MSCHAPV2 into separate options in the inner authentication methods combobox.
This is looking good, but I won't be able to retest in the near future because I won't be in the office (where I had this problem) for some time to come.
(In reply to Jonathan Kang from comment #4)
> Created attachment 340662
> Add support for TTLS/MSCHAPV2
>
> This bug should be a regression due to commit
> 2294732eb608fad0ad65e315e1495094c0c9f34c. This patch adds support for
> TTLS/MSCHAPV2. It splits MSCHAPV2 and EAP-MSCHAPV2 into separate options in
> the inner authentication methods combobox.

This is the link to the previous commit:
https://git.gnome.org/browse/network-manager-applet/commit/?id=2294732eb608fad0ad65e315e1495094c0c9f34c
Do we review patches here on bugzilla? Or do I have to create a PR on github? Thanks.
(In reply to Jonathan Kang from comment #4)
> Created attachment 340662
> Add support for TTLS/MSCHAPV2

lgtm

(In reply to Jonathan Kang from comment #7)
> Do we review patches here on bugzilla? Or do I have to create a PR on github?

This is the right place, it just went unnoticed. Thanks for the bump.
So, is there anything else to be done before the patch gets pushed to master?
The patch changes the meaning of the "MSCHAPv2" label in the GUI, which referred to EAP-MSCHAPv2 before but now means MSCHAPv2 without EAP. I think this is potentially confusing to users, as there are probably guides and tutorials that explain to select "MSCHAPv2" for specific network configurations requiring EAP. Maybe we should have:

  "MSCHAPv2"
  "MSCHAPv2 (no EAP)"

to preserve the old meaning of "MSCHAPv2"? The rest looks good to me.
Created attachment 341861
add support for TTLS/MSCHAPV2

Patch updated. Options changed to "MSCHAPv2" and "MSCHAPv2 (no EAP)".
(In reply to Jonathan Kang from comment #11)
> Created attachment 341861
> add support for TTLS/MSCHAPV2
>
> Patch updated. Options changed to "MSCHAPv2" and "MSCHAPv2 (no EAP)".

LGTM
LGTM
Applied, thanks! https://git.gnome.org/browse/network-manager-applet/commit/?id=3f4f8d5f25f35da86e2acab341ce277c41982c5f