Summary: | net-wireless/wpa_supplicant-2.4-r1 - unable to establish connection to a WPA2-Enterprise network | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Milan Beneš <milan> |
Component: | Current packages | Assignee: | Gentoo Linux bug wranglers <bug-wranglers> |
Status: | RESOLVED INVALID | ||
Severity: | critical | CC: | alexander, milan |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Milan Beneš
2015-04-28 21:11:24 UTC
Probably related to this change (disable SSLv2 and SSLv3 by default): http://w1.fi/cgit/hostap/commit/?id=35efa2479ff19c3f13e69dc50d2708ce79a99beb

If switching to the old behaviour (phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1") doesn't help, please run wpa_supplicant in debug mode and attach the output. I use EAP-TTLS with MSCHAPv2 and it works fine.

Hello Alexander, it seems that you are right. I'm using Aruba IAP 105 with an internal radius server. I also have an instance of FreeRadius configured on a home server, but I'm primarily using the embedded radius server in the AP. When I reconfigure the AP to use my other radius server, everything works fine. Unfortunately the bug is present in both the most recent version of ArubaOS as well as the LTS one. I will have to file a bug there.

Hello, I have received updated firmware from my AP vendor, specifically designed to address this issue, but the error persists. I managed to find a similar bug report (http://lists.shmoo.com/pipermail/hostap/2015-April/032685.html and http://lists.shmoo.com/pipermail/hostap/2015-May/032736.html) on the HostAP mailing list. It seems that the problem lies in a wrong MPPE key being generated while using TLS 1.2. TLS 1.2 support was introduced in FreeRadius 2.2.6. I'm using the stable 2.2.5 on my dedicated server, so I'm unaffected by this.

The bug is fixed in FreeRadius 3.0.8. Please see the Freeradius changelog, specifically the 3.0.8 version and bugfix concerning MPPE and TLS 1.2 (http://freeradius.org/press/index.html). I have also tested versions 2.2.6 and 2.2.7 and both are affected.

(In reply to Alexander Tsoy from comment #1)
> Probably related to this change (disable SSLv2 and SSLv3 by default):
> http://w1.fi/cgit/hostap/commit/?id=35efa2479ff19c3f13e69dc50d2708ce79a99beb

BTW, my comment is not entirely correct. The above change does not disable SSLv2 and SSLv3, it just enabled TLS 1.1 and 1.2.

If I'm not mistaken, this bug was misdiagnosed and is, in fact, VALID.

I experienced the same issue on my corporate network, which is not using FreeRadius. Rolling back to wpa_supplicant-2.2-r1 (which was the stable one prior to ~2.4) resolves the issue. (Yes, I'm aware there are known security issues with that one, but the issue in _this_ bug is separate.) Arch Linux devs determined this as well (along with another problem) and rolled back to 2.3 as a result [1].

[1] https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/wpa_supplicant&id=7562b98bd83fe5bce43e6952e0e922e7791e18b5
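Added example, not part of the bug thread and not wpa_supplicant or FreeRADIUS code: RFC 5216 derives the MPPE keys from the TLS master secret with the PRF of the negotiated TLS version, so a supplicant and a server that apply different PRFs to the same handshake end up with different keys. The handshake values are constructed, and that a PRF mismatch is how the wrong key arises is an assumption of this example; the thread only says the MPPE key is wrong under TLS 1.2.

```python
import hmac

# RFC 5216 key-derivation label (EAP-TLS and PEAP; EAP-TTLS uses "ttls keying material").
LABEL = b"client EAP encryption"

# Constructed sample handshake values, not taken from any real session.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = bytes([0xC1]) * 32
SERVER_RANDOM = bytes([0x5E]) * 32


def p_hash(hash_name, secret, seed, length):
    """P_hash expansion shared by RFC 2246 and RFC 5246 (section 5)."""
    out, a = b"", seed  # a starts as A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(first half) XOR P_SHA1(second half)."""
    half = (len(secret) + 1) // 2  # halves share a byte when the length is odd
    md5 = p_hash("md5", secret[:half], label + seed, length)
    sha1 = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF with P_SHA256 (RFC 5246 default; SHA-384 suites differ)."""
    return p_hash("sha256", secret, label + seed, length)


def mppe_keys(prf, master_secret=MASTER_SECRET,
              client_random=CLIENT_RANDOM, server_random=SERVER_RANDOM):
    """Return (MS-MPPE-Recv-Key, MS-MPPE-Send-Key) = MSK[0:32], MSK[32:64]."""
    material = prf(master_secret, LABEL, client_random + server_random, 128)
    return material[:32], material[32:64]


if __name__ == "__main__":
    for name, prf in (("TLS 1.0/1.1 PRF", prf_tls10), ("TLS 1.2 PRF", prf_tls12)):
        recv, send = mppe_keys(prf)
        print(f"{name}: recv={recv.hex()[:16]}... send={send.hex()[:16]}...")
    print("keys match:", mppe_keys(prf_tls10) == mppe_keys(prf_tls12))
```

With mismatched keys the TLS tunnel and inner authentication still complete; the failure only shows up afterwards, when the 4-way handshake cannot agree on a PMK.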