Bug 417

Summary: Support WEP with 802.1x EAP PEAP
Product: [Maemo Official Platform] Connectivity
Component: WiFi
Status: RESOLVED WONTFIX
Severity: enhancement
Priority: Low
Version: 4.1 (4.2008.23-14)
Target Milestone: ---
Hardware: N810
OS: All
Reporter: zac.luzader
Assignee: Quim Gil <quim.gil>
QA Contact: wifi-bugs
CC: aejohannesen, alexander.lash, andre_klapper, bay_dmts, brettcclark, crashanddie, dimicool, eric-mab, ersin.akinci, ewerness, gorlik, javier_marcos, jps.sousa, justin, maemo, nslacum, patrik.flykt, pfaieta, public, quim.gil, stephen, vpuente
Keywords: enhancement-it2005, ITOS2007HE-garage

Description zac.luzader (reporter) 2006-02-20 17:20:28 UTC
It seems that more than a few university wireless nets use PEAP over WEP but
this combination is not supported. I can't speak for all universities obviously,
but in my instance the Nokia 770 seems to already have all the features
necessary, they just aren't supported in combination:

WEP, EAP, PEAP, EAP-MSCHAPv2, Server certificate validation, Equifax root
certificate (specific to my case)

You can see the configuration guide for our network here:
http://wireless.wvu.edu/config.asp

This problem has been reported elsewhere, but doesn't have a home here on bugzilla:
http://www.internettablettalk.com/forums/showthread.php?t=703
http://maemo.org/maemowiki/ImprovementIdeas

I hope that filing it here will bring attention to this matter, since although
it's an enhancement to many, for us on networks we can't use, it's very frustrating.

My firmware: 3.2005.51-13
Comment 1 Eric Smith 2006-03-07 03:28:42 UTC
Same problem here connecting to our corporate network, which requires a
certificate.  In the Connection setup: WPA EAP MSCHAPv2 window, there is a
"Select certificate" menu, but the only entry is "None", even though I
successfully imported a certificate and indicated that it was allowed to be used
for everything.

Running version 3.2005.51-13
Comment 2 zac.luzader (reporter) 2006-04-23 05:04:41 UTC
I don't believe that Eric Smith is experiencing the same problem. My problem is
that there is no way to do the "key is provided for me automatically", as
Windows calls it, which is in reality 802.1x, in combination with WEP. If I
select WEP in the connection manager, then the program assumes I have the key,
which of course I do not. If I select WPA PEAP then I am prompted for username
and password which is used in 802.1x, but WPA is not WEP, so it doesn't work.

The pages describing how to configure a system have changed, and there is one
about Linux now. I have been able to get a Windows XP laptop to run on the
system (so it's not as if I'm trying the wrong username or something), but I do
not have access to a laptop with Linux so I cannot test the info on the Linux page.

XP:
http://oit.wvu.edu/wireless/configXP.html
Linux:
http://www.libraries.wvu.edu/systems/faqs/cgi-bin/faqs.pl?LinuxWireless.html

I don't have a clue how Maemo does 802.1x when in WPA, it's clearly internal to
the connectivity applet (I guess), so I don't know how to trick it into doing it
with WEP. I thought about using wpa_supplicant, but at best that would be a
duct-tape solution.

This hasn't received much (any) attention yet, so I hope the 2006 software
edition will support this.

My firmware: 5.2006.13-7
Comment 3 Maemo QA (deprecated) 2006-05-08 18:13:19 UTC
Claiming ownership.
Comment 4 Maemo QA (deprecated) 2006-05-08 18:15:52 UTC
Marking as an enhancement, will be forwarded to upstream maintainer ASAP.
Comment 5 Stanislaw Skowronek 2006-05-13 03:06:07 UTC
EAP-TTLS support would be welcome. As an interesting sidenote, I have fired up
WPA Supplicant in such an environment, and it froze the kernel somewhere after
AP scan (yes! froze the kernel!).
Comment 6 Stanislaw Skowronek 2006-05-13 07:12:40 UTC
I have done some debugging :D

Apparently, the (closed source) Conexant driver cannot perform a scan with a
specified SSID.  SIOCSIWSCAN with a filled-in SSID field causes the driver to
freeze the kernel, apparently.
Comment 7 Maemo QA (deprecated) 2006-05-22 14:25:20 UTC
Feature request has been forwarded to upstream maintainer.
Comment 8 Maemo QA (deprecated) 2006-08-03 16:56:52 UTC
Re-assign
Comment 9 zbowling 2007-05-14 20:37:12 UTC
any update on the status of this bug?
Comment 10 Quim Gil nokia 2007-07-05 13:42:36 UTC
Picking this one.
Comment 11 zac.luzader (reporter) 2007-09-25 02:18:57 UTC
This is no longer a concern to me as the university has overhauled wireless
access. The new system is hybrid:
- http authenticated unencrypted access
- WPA PEAP authenticated encrypted access
The latter I have working with my 770 with the latest OS 2006. The former
almost certainly works as well.

In short: I am no longer interested and can no longer test anything related to
this bug. Close it, don't, whatever.
Comment 12 Alexander Baron Lash 2007-09-25 02:41:45 UTC
I am still interested, as my company uses this mechanism and is not likely to
change. Please advise as to how I can assist.
Comment 13 ersin.akinci 2007-10-01 22:06:03 UTC
This is a problem for me, too.  Our campus uses WPA PEAP w/ MSCHAPv2 and an
Equifax certificate, which is already preloaded on the 770 but doesn't show up
in the menu.  Isn't there at least some annoying way to do this over the
command prompt?
Comment 15 Don Allingham 2008-01-06 01:39:58 UTC
I have been able to get this to work. It is not straightforward, but it will
work.

Get your certificate from your system administrator. Import it using the
"Certificate Manager" under Settings -> Control panel.

You cannot use the "Select Connection" option from the wifi icon to setup your
connection, because it does not allow you to set up the advanced settings.
Instead, go to Connection manager under the Settings menu. Once this comes up,
select Tools -> Connectivity Settings. The Connectivity dialog box will come
up. Select the "Connections" button.

Select the "New" button to create a new connection. On the first page, provide
the connection with a name. It probably makes sense to use the same name as the
name of the access point, but it does not have to match.  Select "WLAN" as
connection type. Then click "Next".

When it offers to scan for available WLAN networks, accept "Yes".  Select your
access point.

On the next page, make sure that the Security Method is "WPA with EAP". Click
on "Next"

On the following page, select the EAP type of "PEAP". Click on "Next"

On the next page, keep the certificate at "None". You have already imported
your certificate, and it will be found automagically when you attempt to
connect to the access point. Set the EAP Method to "EAP MSCHAPv2". Click on
"Next".

On the next page, enter your username and password, then click "Next".

On the final screen, click the "Advanced" button.

Click on the EAP tab, and select "Use manual user name", and re-enter your
username in the "Manual user name" field.  For some reason, this step seems to
be required to connect to the access point. Click "OK"

Click on "Finish"

Exit out of the Connectivity Manager.

From the Wifi Icon, you can now select your access point, using the connection
name you originally supplied. You will probably get a warning about your
certificate, but you will connect.
Comment 16 Derek Anderson 2008-01-07 16:20:38 UTC
(In reply to comment #15)

I've followed your procedure (here @ utdallas), but how did you get around it
asking you for a WEP key?
Comment 17 Alexander Baron Lash 2008-01-09 02:42:26 UTC
(In reply to comment #15)

When I follow your procedure, I'm prompted for a WEP key after scanning and
selecting my AP.

If I do not scan, and enter the SSID manually, I'm prompted for a WEP key when
attempting to connect via Select Connection.

I've tried a few tweaks (hidden/not-hidden, caps/no-caps, different AP/profile
name, same AP/profile name) but get the same result every time.
Comment 18 jp2035 2008-01-22 19:40:18 UTC
I have this same issue.  When I configure a laptop to our network the box 'WEP
key is provided automatically' is checked, however, my Nokia N800 will not
allow me to make that setting and always prompts me for a WEP when connecting. 
Any updates to this issue?
Comment 19 João Pedro Santos de Sousa 2008-02-07 12:08:36 UTC
HARDWARE/SOFTWARE VERSION: N810 - OS2008 (2.2007.50-2)

INTRODUCTION: The eduroam program is a worldwide educational wireless roaming
initiative that combines the wireless connections available at universities and
educational institutions throughout the world, currently all over Europe and
also Asia, on a huge roaming network. As an example a student or investigator
from a university of Portugal may use the wireless connection while visiting
a university in Finland, and vice-versa. 

Typically these wireless connections rely on WPA-TKIP-EAP-PEAP-MSCHAPv2 or
WPA-TKIP-EAP-TTLS-PAP. More info at http://www.eduroam.org.

So you see this has a huge user impact as all university users (students,
investigators and professors) require this type of corporate connection to
work, study and roam within academic institutions.

I currently work at the Communications and Informatics Center at the University
of Aveiro, Portugal. We can connect several systems, either desktops or mobile
devices, Windows XP/Vista, Linux, MacOSX, WindowsMobile/PPC or Symbian.

STEPS TO REPRODUCE THE PROBLEM:

We use a WPA-TKIP-EAP-PEAP-MSCHAPv2 connection, based on Cisco Access Points
and MS Internet Authentication Service RADIUS with PEAP/MS-CHAPv2 over WPA1
(TKIP) with named user authentication.

Requirements:

SSID: eduroam
SSID hidden?: no
Network Authentication: WPA
Data encryption: TKIP
EAP Type: PEAP
Trust Root Certification Authority: GTE Cyber Trust Global Root
Authentication Protocol: MS-CHAPv2

Username: xxxxxx@ua.pt
Password: xxxxxxx

Searching for available networks and connecting to the eduroam network will
result in a user prompt. Entering the user/password will result in an
"Authentication Failed" error. Looking at our RADIUS logs we get:

User NqZFzn2N7Q7$xToGa3uDmm was denied access.
Fully-Qualified-User-Name = <undetermined>
...

The username is completely garbled and fails.

If we first setup the eduroam connection using the Connection Manager Wizard
and then search and connect we simply get an "Authentication Failed" error and
nothing even gets to the RADIUS service. I've tried several setup options, no
username, no password, manual user name, always the same result.

REPRODUCIBILITY: always

Please help, this seems to be an old issue since 2005 OS versions still
unresolved, it has a huge user impact, no users (student or otherwise) can
connect to their universities' wireless networks.

This seems to be a problem with the wireless client, like the 802.1x/EAP
communication isn't properly handled. I've checked the following bugs reported,
but no working solution was provided:

https://bugs.maemo.org/show_bug.cgi?id=327
https://bugs.maemo.org/show_bug.cgi?id=1017
https://bugs.maemo.org/show_bug.cgi?id=1635

Thank you.
Comment 20 João Pedro Santos de Sousa 2008-02-21 16:31:10 UTC
My above report still applies to OS2008 (2.2007.51-3) on N810, unfortunately.
Comment 21 Derek Anderson 2008-02-21 17:08:02 UTC
recommend changing the severity to "Major", based on severity guideline "major
loss of function".  (ie, lack of WIFI on probably the majority of US and
international academic institutions)

don't understand why this was ever changed to an enh.
Comment 22 Brett 2008-04-22 20:34:50 UTC
This is a show-stopper.. when in the world will it be fixed?!
Comment 23 Andrzej Zaborowski 2008-05-21 10:52:01 UTC
I just managed to connect to EDUROAM with PEAP (typing on the n810 now) using
similar procedure to this described at
http://www.eduroam.cz/doku.php?id=cs:uzivatel:sw:maemo . So it works and is
just extremely tricky to figure out - I already have a class here for two
months once a week.
Comment 24 Andre Klapper maemo.org 2008-06-23 13:54:15 UTC
*** Bug 950 has been marked as a duplicate of this bug. ***
Comment 25 Andre Klapper maemo.org 2008-06-23 13:55:42 UTC
(In reply to comment #23)
> I just managed to connect to EDUROAM with PEAP (typing on the n810 now) using
> similar procedure to this described at
> http://www.eduroam.cz/doku.php?id=cs:uzivatel:sw:maemo . So it works and is
> just extremely tricky to figure out

Andrzej, what does "similar" mean? Please share your wisdom with us here,
because for me the eduroam.cz description itself didn't help! :-)
Comment 26 Valentin Puente 2008-07-31 14:46:00 UTC
4.20008.23-14 is still with the same problem. Please help here... there's a lot
of European Universities using this configuration (eduroam), and under the
current conditions the device is useless. This is urgent!
Comment 27 Andre Klapper maemo.org 2008-07-31 15:01:31 UTC
Valentin: Please use the "Vote" feature instead. Also see comment 23.
Comment 28 maemo 2008-08-05 16:00:21 UTC
Ok... I had the same issue at the university WLAN (ETH Zurich), using 802.1x
authentication.


What I did was the following:

1. I imported the GlobalCert SureServer EDU Root-Certificate by downloading it
from the following URL: http://secure.globalsign.net/cacert/sureserverEDU.crt
saving it on a memory card and then importing it on the N800 using the
Certificate Manager, "trusting" it for WLAN access. I do not know whether this
step was necessary (I guess not, actually), but for people having problems,
maybe it's worth a try.

2. I followed the instructions on comment #23 - the "manual username" thing in
the advanced settings seemed to be the key.
However, after adding the connection in the Connection Wizard I had to
*restart* my N800 in order for the university access point to be recognized as
a "favorite" connection! Until I did this connecting to the AP just popped up
the WPA authentication window.

This worked, even though it is kind of inconvenient. Btw, all the testing was
done on an N800 with the latest OS2008.
Comment 29 Andre Klapper maemo.org 2008-08-25 13:33:02 UTC
I consider supporting this as an enhancement just like bug 1017, hence changing
the severity. This does NOT mean that this bug is less "valid" or whatever,
just to avoid misunderstandings.
Comment 30 Patrik Flykt nokia 2008-10-28 14:18:43 UTC
By reading this bug I see that comments 15, 23 and 28 were solving the problem
with a manual username set for WLANs with WPA EAP security. It seems to me that
setting the manual username would fix the problem in comment 19.

The summary for this bug is about WPA 802.1x key exchange. It is not supported
by the device and thus this bug is correctly marked as an enhancement.
Comment 31 Quim Gil nokia 2008-11-03 08:07:53 UTC
Asking about the possibility to support this feature. Will report here when I
get an answer.
Comment 32 Quim Gil nokia 2008-11-03 12:39:36 UTC
Same answer as to Bug 1635

Productize and support officially this feature is a complex task. It is not
planned for Fremantle and at this point it's not even clear to have it
supported in Harmattan.

We do understand the implications it has but there are other priorities that
need to be addressed first in the Connectivity area. I set the priority to
"low" just to reflect that.

Feel free to keep voting and "campaigning" for this feature. As said there is
still a chance to have it in Harmattan, although (to be clear) there is no
guarantee that more votes will bring it in. It's just to have more direct
feedback on the need and status of this functionality.

Thank you for your understanding.
Comment 33 bay_dmts 2008-11-12 02:33:12 UTC
(In reply to comment #32)
> Same answer as to Bug 1635
> 
> Productize and support officially this feature is a complex task. It is not
> planned for Fremantle and at this point it's not even clear to have it
> supported in Harmattan.
> 
> We do understand the implications it has but there are other priorities that
> need to be addressed first in the Connectivity area. I set the priority to
> "low" just to reflect that.
> 
> Feel free to keep voting and "campaigning" for this feature. As said there is
> still a chance to have it in Harmattan, although (to be clear) there is no
> guarantee that more votes will bring it in. It's just to have more direct
> feedback on the need and status of this functionality.
> 
> Thank you for your understanding.
> 
So there is no way I can use my tablet to connect to 802.1x WEP network?
Comment 34 timeless 2009-01-18 15:46:11 UTC
*** Bug 327 has been marked as a duplicate of this bug. ***
Comment 35 Allan E. Johannesen 2009-01-18 16:19:51 UTC
I wish I'd kept the version number, but the 810 as delivered accepted my
university's user certificate in the user space, but when I updated the
software the same user cert gets deposited in the "authorities" area.  I wasn't
experiencing bugs, but I stupidly figured I'd update the device in order to
have the "best" software.  I'm kicking myself.

I'm glad to see that this is being worked on and that it's not just something I
somehow did to myself.
Comment 36 Quim Gil nokia 2009-03-10 22:54:11 UTC
(In reply to comment #32)
> Same answer as to Bug 1635
> 
> Productize and support officially this feature is a complex task. It is not
> planned for Fremantle and at this point it's not even clear to have it
> supported in Harmattan.

Now this has been clarified in the roadmap. While Maemo does plan to offer
support for EAP-TTLS+PAP (Bug 1635), supporting WEP with 802.1x EAP PEAP would
imply much deeper changes in the current connectivity framework and we think
it's not worth doing it for this specific protocol. 

Therefore this is a WONTFIX.
Comment 37 Sebastiaan Lauwers 2010-02-03 11:26:55 UTC
Hi guys, would it be possible to update this? I'd like to reopen the bug, and
see if Nokia's decision could change on this topic considering it has been
nearly a year since it was last assessed.

I would especially want to argue that a lot of corporate environments still
actively use LEAP-based technologies, and limiting this would definitely hurt
the adoption of the N900 or other platforms based on Maemo in said
environments. Systems leveraging AAA protocols would definitely be a great
benefit for Maemo as a whole.

Thoughts?
Comment 38 Sebastiaan Lauwers 2010-02-04 03:17:40 UTC
(In reply to comment #37)
> I would especially want to argue that a lot of corporate environments still
> actively use LEAP-based technologies

Apologies, I got confused with WPA EAP-TLS, which appears to be supported.
Please ignore my useless ranting.
Comment 39 pfaieta 2010-02-14 20:04:02 UTC
I've done some tinkering with this, and my phone on the latest firmware seems
to work with a 10-char hex key using WEP. Doesn't seem to want to stay
connected with anything less than that.
Comment 40 Gabriele Gorla 2010-02-17 05:10:21 UTC
I was able to get 802.11x + dynamic WEP working on both 770 and N810 using
wpa_supplicant.
see http://penguintown.net/~gorlik/n770.html for details
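For reference, a wpa_supplicant network block for the combination this bug asks for: 802.1X with PEAP/MSCHAPv2 supplying dynamic WEP keys, with the server certificate validated. This is an added example, not taken from the page linked above or from Maemo; the SSID, identity, password, certificate path and server name are placeholders.

```conf
# Constructed example: every value below is a placeholder, not taken from this bug.
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="example-campus"

    # IEEE8021X = 802.1X authentication without WPA. The WEP keys are not
    # configured here; the authenticator delivers them in EAPOL-Key frames
    # once EAP has succeeded ("key is provided automatically" on Windows).
    key_mgmt=IEEE8021X

    # Bit field: 1 = require a dynamic unicast WEP key,
    #            2 = require a dynamic broadcast WEP key, 3 = require both.
    eapol_flags=3

    # Outer method PEAP, inner method MSCHAPv2.
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.edu"
    password="placeholder-password"

    # Server certificate validation. Without ca_cert the client accepts any
    # server certificate and will run MSCHAPv2 with whichever access point
    # advertises this SSID.
    ca_cert="/path/to/root-ca.pem"

    # Accept only a server whose certificate subject contains this string.
    subject_match="radius.example.edu"
}
```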
Comment 41 pfaieta 2010-02-17 05:31:42 UTC
Seems to be working better with recent update :D
Comment 42 Naterator 2010-02-17 21:49:38 UTC
Well, this is a show stopper for me, WPA 802.1x key exchange a wontfix...  Wow
Nokia kicked me on this one. Didn't they advertise WPA.. Hmm... so now I need to
decide what to use my n900 internet tablet for as I can't use the internet where
I really need to use the internet... Thinking of my n95 and my e90 right about
now.. Hmm also my friend's Android.

Yesterday's update.. did not seem to fix this at all for me.