Bug 794988 – Bionic Beaver Gnome 3.28.0 not able to connect to WPA-Enterprise EAP-TLS

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 794988 - Bionic Beaver Gnome 3.28.0 not able to connect to WPA-Enterprise EAP-TLS


Summary:	Bionic Beaver Gnome 3.28.0 not able to connect to WPA-Enterprise EAP-TLS


Status:	RESOLVED OBSOLETE

Product:	gnome-control-center
Classification:	Core
Component:	Network
Version:	3.28.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	Control-Center Maintainers
QA Contact:	Control-Center Maintainers

URL:
Whiteboard:	triaged

Depends on:
Blocks:

Reported:	2018-04-04 20:01 UTC by kitsab
Modified:	2021-06-09 16:27 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
Tail -n 200 of appearence from syslog (65.17 KB, text/plain) 2018-04-04 20:01 UTC, kitsab	Details
Tail -n200 of kern.log during appearance (58.92 KB, text/plain) 2018-04-04 20:02 UTC, kitsab	Details
New syslog extract with Network Manager tracing active (318.32 KB, text/plain) 2018-04-13 20:09 UTC, kitsab	Details

Description kitsab 2018-04-04 20:01:20 UTC

Created attachment 370530 [details]
Tail -n 200 of appearence from syslog

Hello,

since update to Bionic Beaver I can't connect to my WPA2-Entertrise EAP TLS network. Running Freeradius 2.29 on a DDWRT router. 
In 16.04 it worked, in the dual boot Windows 10 environment it is still working with the same certificates.
It is a hidden network, adding it by "connect to a hidden network" entering SSID, UserID, ca.pem as CA cert, user cert xxx.p12 file and user certificate password.
Tried a lot not getting it working. The password entry dialog for the network is always popping up upon connection trials. The password is for sure the correct one, checked it very often.
If I'm able to I'll attach a syslog and kern.log of error occurense.

Maybe the bug reporting tool reported a wrong package, eventually the wpa-supplicant package is causing this issue (not sure).

Thanks for investigation and inputs.

Best regards

Kitsab

Comment 1 kitsab 2018-04-04 20:02:20 UTC

Created attachment 370531 [details]
Tail -n200 of kern.log during appearance

Comment 2 kitsab 2018-04-04 20:10:49 UTC

Excuse me for multiple posts I don't find an edit function.

Bug report on Ubuntu launchpad (they requested me to log this bug here):

https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1761003

Comment 3 Benjamin Berg 2018-04-04 20:19:13 UTC

Could you try setting things up using e.g. nm-connection-editor or nmcli?

I am unable to tell right now whether it is just a configuration problem (e.g. password prompting failing) or elsewhere in the stack.

Comment 4 kitsab 2018-04-04 21:56:46 UTC

Hello,

thank you for your suggestions, I tried around with nmcli the whole evening:

bastik@Basti0:~$ nmcli con del bastiknet
Connection 'bastiknet' (377fb1fc-fee3-4fd8-a947-c0e05bae589f) successfully deleted.

bastik@Basti0:~$ nmcli connection add type wifi con-name "bastiknet" ifname wlan0 ssid "bastiknet" -- \wifi-sec.key-mgmt wpa-eap 802-1x.eap tls 802-1x.identity "BastikAsusROG" 802-1x.ca-cert ~/.cert/ca.pem 802-1x.client-cert ~/.cert/BastikAsusROG-cert.p12 802-1x.private-key-password "MYPASSWORD" 802-1x.private-key ~/.cert/BastikAsusROG-cert.p12
Connection 'bastiknet' (437a806f-5917-4859-b696-5ece95dda10c) successfully added.

bastik@Basti0:~$ nmcli con up bastiknet --ask
Passwords or encryption keys are required to access the wireless network 'bastiknet'.
Identity (802-1x.identity): BastikAsusROG
Passwords or encryption keys are required to access the wireless network 'bastiknet'.
Private key password (802-1x.private-key-password): 
Passwords or encryption keys are required to access the wireless network 'bastiknet'.
Identity (802-1x.identity): BastikAsusROG
Passwords or encryption keys are required to access the wireless network 'bastiknet'.
Private key password (802-1x.private-key-password): 
Error: Connection activation failed: Secrets were required, but not provided

bastik@Basti0:~$ 

I'm not really sure what file belongs in the last part of the network configuration command "802-1x.private-key ~/.cert/BastikAsusROG-cert.p12"

I've got BastikAsusROG-cert.p12, BastikAsusROG-cert.pem, BastikAsusROG-key.pem, BastikAsusROG-req.pem, ca.cnf, ca.der, ca.key, ca.pem

I tried all, a few directly put errors during network config creation, the others just won't let me connect always keep asking for username and password, after successfull network config creation.


syslog in failire case:



Apr  4 23:51:39 Basti0 NetworkManager[1035]: <info>  [1522878699.9920] device (wlan0): Activation: starting connection 'bastiknet' (437a806f-5917-4859-b696-5ece95dda10c)
Apr  4 23:51:39 Basti0 NetworkManager[1035]: <info>  [1522878699.9921] audit: op="connection-activate" uuid="437a806f-5917-4859-b696-5ece95dda10c" name="bastiknet" pid=32729 uid=1000 re
sult="success"
Apr  4 23:51:39 Basti0 NetworkManager[1035]: <info>  [1522878699.9923] device (wlan0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
Apr  4 23:51:39 Basti0 NetworkManager[1035]: <info>  [1522878699.9925] manager: NetworkManager state is now CONNECTING
Apr  4 23:51:39 Basti0 NetworkManager[1035]: <info>  [1522878699.9932] device (wlan0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Apr  4 23:51:39 Basti0 NetworkManager[1035]: <info>  [1522878699.9934] device (wlan0): Activation: (wifi) access point 'bastiknet' has security, but secrets are required.
Apr  4 23:51:39 Basti0 NetworkManager[1035]: <info>  [1522878699.9934] device (wlan0): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
Apr  4 23:51:44 Basti0 docky.desktop[31310]: [31799:31832:0404/235144.113497:ERROR:connection_factory_impl.cc(379)] Failed to connect to MCS endpoint with error -106
Apr  4 23:51:46 Basti0 NetworkManager[1035]: <info>  [1522878706.1956] settings-connection[0x5610d9756440,437a806f-5917-4859-b696-5ece95dda10c]: write: successfully commited (keyfile: u
pdate /etc/NetworkManager/system-connections/bastiknet (437a806f-5917-4859-b696-5ece95dda10c,"bastiknet"))
Apr  4 23:51:46 Basti0 NetworkManager[1035]: <info>  [1522878706.1960] device (wlan0): state change: need-auth -> prepare (reason 'none', sys-iface-state: 'managed')
Apr  4 23:51:46 Basti0 NetworkManager[1035]: <info>  [1522878706.2047] device (wlan0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Apr  4 23:51:46 Basti0 NetworkManager[1035]: <info>  [1522878706.2065] device (wlan0): Activation: (wifi) access point 'bastiknet' has security, but secrets are required.
Apr  4 23:51:46 Basti0 NetworkManager[1035]: <info>  [1522878706.2065] device (wlan0): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
Apr  4 23:51:53 Basti0 NetworkManager[1035]: <info>  [1522878713.4833] settings-connection[0x5610d9756440,437a806f-5917-4859-b696-5ece95dda10c]: write: successfully commited (keyfile: u
pdate /etc/NetworkManager/system-connections/bastiknet (437a806f-5917-4859-b696-5ece95dda10c,"bastiknet"))
Apr  4 23:51:53 Basti0 NetworkManager[1035]: <info>  [1522878713.4839] device (wlan0): state change: need-auth -> prepare (reason 'none', sys-iface-state: 'managed')
Apr  4 23:51:53 Basti0 NetworkManager[1035]: <info>  [1522878713.4907] device (wlan0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Apr  4 23:51:53 Basti0 NetworkManager[1035]: <info>  [1522878713.4923] device (wlan0): Activation: (wifi) access point 'bastiknet' has security, but secrets are required.
Apr  4 23:51:53 Basti0 NetworkManager[1035]: <info>  [1522878713.4924] device (wlan0): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
Apr  4 23:52:01 Basti0 NetworkManager[1035]: <info>  [1522878721.1026] settings-connection[0x5610d9756440,437a806f-5917-4859-b696-5ece95dda10c]: write: successfully commited (keyfile: u
pdate /etc/NetworkManager/system-connections/bastiknet (437a806f-5917-4859-b696-5ece95dda10c,"bastiknet"))
Apr  4 23:52:01 Basti0 NetworkManager[1035]: <info>  [1522878721.1031] device (wlan0): state change: need-auth -> prepare (reason 'none', sys-iface-state: 'managed')
Apr  4 23:52:01 Basti0 NetworkManager[1035]: <info>  [1522878721.1121] device (wlan0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Apr  4 23:52:01 Basti0 NetworkManager[1035]: <info>  [1522878721.1143] device (wlan0): Activation: (wifi) access point 'bastiknet' has security, but secrets are required.
Apr  4 23:52:01 Basti0 NetworkManager[1035]: <info>  [1522878721.1143] device (wlan0): state change: config -> failed (reason 'no-secrets', sys-iface-state: 'managed')
Apr  4 23:52:01 Basti0 NetworkManager[1035]: <info>  [1522878721.1145] manager: NetworkManager state is now DISCONNECTED
Apr  4 23:52:01 Basti0 NetworkManager[1035]: <warn>  [1522878721.1150] device (wlan0): Activation: failed for connection 'bastiknet'
Apr  4 23:52:01 Basti0 NetworkManager[1035]: <info>  [1522878721.1154] device (wlan0): state change: failed -> disconnected (reason 'none', sys-iface-state: 'managed')
Apr  4 23:52:01 Basti0 gnome-shell[1619]: An active wireless connection, in infrastructure mode, involves no access point?
Apr  4 23:52:01 Basti0 kernel: [ 8317.811890] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Apr  4 23:52:01 Basti0 gnome-shell[1619]: An active wireless connection, in infrastructure mode, involves no access point?
Apr  4 23:52:01 Basti0 gnome-shell[31077]: An active wireless connection, in infrastructure mode, involves no access point?
Apr  4 23:52:03 Basti0 gnome-shell[31077]: Object Shell.GenericContainer (0x55db822d9850), has been already finalized. Impossible to get any property from it.

Comment 5 kitsab 2018-04-04 22:00:19 UTC

Sorry, forgot one thing to tell:
All other systems are able to connect with ca.pem and the user *.p12 file, here (nmcli, gnome-config-manager etc) I'm asked to put in a third file, I suggest I must use *.p12 file twice.

Comment 6 Jonathan Kang 2018-04-13 07:39:59 UTC

Please attach a logfile of NetworkManager with level=TRACE logging enabled. See https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/contrib/fedora/rpm/NetworkManager.conf

Thanks.

Comment 7 kitsab 2018-04-13 20:03:24 UTC

Hello,

I performed the following steps:

sudo nmcli general logging level TRACE domains ALL

sudo truncate -s 0 /var/log/syslog

nmcli connection delete bastiknet

nmcli connection add type wifi con-name "bastiknet" ifname wlan0 ssid "bastiknet" -- \wifi-sec.key-mgmt wpa-eap 802-1x.eap tls 802-1x.identity "BastikAsusROG" 802-1x.ca-cert ~/.cert/ca.pem 802-1x.client-cert ~/.cert/BastikAsusROG-cert.p12 802-1x.private-key-password "MYPASSWORD" 802-1x.private-key ~/.cert/BastikAsusROG-cert.p12

nmcli con up bastiknet --ask

Enter my connection password on connection attempt.

Result:

"Fehler: Aktivierung der Verbindung ist gescheitert: Geheimdaten waren erforderlich, wurden aber nicht angegeben"

Means: Error activation of the connection has failed, secret data were successfull, but were not provided.

New syslog extract will be added.

Best regards

Bastian

Comment 8 kitsab 2018-04-13 20:09:48 UTC

Created attachment 370903 [details]
New syslog extract with Network Manager tracing active

Comment 9 André Klapper 2021-06-09 16:27:15 UTC

GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org.
As part of that, we are mass-closing older open tickets in bugzilla.gnome.org
which have not seen updates for a longer time (resources are unfortunately
quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent
and supported software version, then please follow
  https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines
and create a new bug report at
  https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/

Thank you for your understanding and your help.