maemo.org Bugzilla – Full Text Bug Listing
|Summary:||Support WEP with 802.1x EAP PEAP|
|Product:||[Maemo Official Platform] Connectivity||Reporter:||zac.luzader|
|Component:||WiFi||Assignee:||Quim Gil <quim.gil>|
|Status:||RESOLVED WONTFIX||QA Contact:||wifi-bugs|
|Priority:||Low||CC:||aejohannesen, alexander.lash, andre_klapper, bay_dmts, brettcclark, crashanddie, dimicool, eric-mab, ersin.akinci, ewerness, gorlik, javier_marcos, jps.sousa, justin, maemo, nslacum, patrik.flykt, pfaieta, public, quim.gil, stephen, vpuente|
|Version:||4.1 (4.2008.23-14)||Keywords:||enhancement-it2005, ITOS2007HE-garage|
It seems that more than a few university wireless nets use PEAP over WEP but this combination is not supported. I can't speak for all universities obviously, but in my instance the Nokia 770 seems to already have all the features necessary, they just aren't supported in combination: WEP, EAP, PEAP, EAP-MSCHAPv2, Server certificate validation, Equifax root certificate (specific to my case).

You can see the configuration guide for our network here: http://wireless.wvu.edu/config.asp

This problem has been reported elsewhere, but doesn't have a home here on bugzilla:
http://www.internettablettalk.com/forums/showthread.php?t=703
http://maemo.org/maemowiki/ImprovementIdeas

I hope that filing it here will bring attention to this matter, since although it's an enhancement to many, for us on networks we can't use, it's very frustrating.

My firmware: 3.2005.51-13
Same problem here connecting to our corporate network, which requires a certificate. In the Connection setup: WPA EAP MSCHAPv2 window, there is a "Select certificate" menu, but the only entry is "None", even though I successfully imported a certificate and indicated that it was allowed to be used for everything. Running version 3.2005.51-13
I don't believe that Eric Smith is experiencing the same problem. My problem is that there is no way to do the "key is provided for me automatically", as Windows calls it, which is in reality 802.1x, in combination with WEP. If I select WEP in the connection manager, then the program assumes I have the key, which of course I do not. If I select WPA PEAP then I am prompted for username and password which is used in 802.1x, but WPA is not WEP, so it doesn't work.

The pages describing how to configure a system have changed, and there is one about Linux now. I have been able to get a Windows XP laptop to run on the system (so it's not as if I'm trying the wrong username or something), but I do not have access to a laptop with Linux so I cannot test the info on the Linux page.

XP: http://oit.wvu.edu/wireless/configXP.html
Linux: http://www.libraries.wvu.edu/systems/faqs/cgi-bin/faqs.pl?LinuxWireless.html

I don't have a clue how Maemo does 802.1x when in WPA, it's clearly internal to the connectivity applet (I guess), so I don't know how to trick it into doing it with WEP. I thought about using wpa_supplicant, but at best that would be a duct-tape solution. This hasn't received much (any) attention yet, so I hope the 2006 software edition will support this.

My firmware: 5.2006.13-7
Marking as an enhancement, will be forwarded to upstream maintainer ASAP.
EAP-TTLS support would be welcome. As an interesting sidenote, I have fired up WPA Supplicant in such an environment, and it froze the kernel somewhere after AP scan (yes! froze the kernel!).
I have done some debugging :D Apparently, the (closed source) Conexant driver cannot perform a scan with a specified SSID. SIOCSIWSCAN with a filled-in SSID field causes the driver to freeze the kernel, apparently.
Feature request has been forwarded to upstream maintainer.
Any update on the status of this bug?
Picking this one.
This is no longer a concern to me as the university has overhauled wireless access. The new system is hybrid:
- http authenticated unencrypted access
- WPA PEAP authenticated encrypted access

The latter I have working with my 770 with the latest OS 2006. The former almost certainly works as well. In short: I am no longer interested and can no longer test anything related to this bug. Close it, don't, whatever.
I am still interested, as my company uses this mechanism and is not likely to change. Please advise as to how I can assist.
This is a problem for me, too. Our campus uses WPA PEAP w/ MSCHAPv2 and an Equifax certificate, which is already preloaded on the 770 but doesn't show up in the menu. Isn't there at least some annoying way to do this over the command prompt?
I have been able to get this to work. It is not straightforward, but it will work.

1. Get your certificate from your system administrator. Import it using the "Certificate Manager" under Settings -> Control panel.
2. You cannot use the "Select Connection" option from the wifi icon to set up your connection, because it does not allow you to set up the advanced settings. Instead, go to Connection manager under the Settings menu. Once this comes up, select Tools -> Connectivity Settings. The Connectivity dialog box will come up.
3. Select the "Connections" button. Select the "New" button to create a new connection.
4. On the first page, provide the connection with a name. It probably makes sense to use the same name as the name of the access point, but it does not have to match. Select "WLAN" as connection type. Then click "Next".
5. When it offers to scan for available WLAN networks, accept "Yes". Select your access point.
6. On the next page, make sure that the Security Method is "WPA with EAP". Click on "Next".
7. On the following page, select the EAP type of "PEAP". Click on "Next".
8. On the next page, keep the certificate at "None". You have already imported your certificate, and it will be found automagically when you attempt to connect to the access point. Set the EAP Method to "EAP MSCHAPv2". Click on "Next".
9. On the next page, enter your username and password, then click "Next".
10. On the final screen, click the "Advanced" button. Click on the EAP tab, and select "Use manual user name", and re-enter your username in the "Manual user name" field. For some reason, this step seems to be required to connect to the access point. Click "OK".
11. Click on "Finish". Exit out of the Connectivity Manager.

From the Wifi Icon, you can now select your access point, using the connection name you originally supplied. You will probably get a warning about your certificate, but you will connect.
(In reply to comment #15)
I've followed your procedure (here @ utdallas), but how did you get around it asking you for a WEP key?
(In reply to comment #15) When I follow your procedure, I'm prompted for a WEP key after scanning and selecting my AP. If I do not scan, and enter the SSID manually, I'm prompted for a WEP key when attempting to connect via Select Connection. I've tried a few tweaks (hidden/not-hidden, caps/no-caps, different AP/profile name, same AP/profile name) but get the same result every time.
I have this same issue. When I configure a laptop to our network the box 'WEP key is provided automatically' is checked, however, my Nokia N800 will not allow me to make that setting and always prompts me for a WEP when connecting. Any updates to this issue?
HARDWARE/SOFTWARE VERSION:
N810 - OS2008 (2.2007.50-2)

INTRODUCTION:
The eduroam program is a worldwide educational wireless roaming initiative that combines the wireless connections available at universities and educational institutions throughout the world, currently all over Europe and also Asia, on a huge roaming network. As an example a student or investigator from a university of Portugal may use the wireless connection while visiting a university in Finland, and vice-versa. Typically these wireless connections rely on WPA-TKIP-EAP-PEAP-MSCHAPv2 or WPA-TKIP-EAP-TTLS-PAP. More info at http://www.eduroam.org.

So you see this has a huge user impact as all university users (students, investigators and professors) require this type of corporate connection to work, study and roam within academic institutions.

I currently work at the Communications and Informatics Center at the University of Aveiro, Portugal. We can connect several systems, either desktops or mobile devices, Windows XP/Vista, Linux, MacOSX, WindowsMobile/PPC or Symbian.

STEPS TO REPRODUCE THE PROBLEM:
We use a WPA-TKIP-EAP-PEAP-MSCHAPv2 connection, based on Cisco Access Points and MS Internet Authentication Service RADIUS with PEAP/MS-CHAPv2 over WPA1 (TKIP) with named user authentication.

Requirements:
SSID: eduroam
SSID hidden?: no
Network Authentication: WPA
Data encryption: TKIP
EAP Type: PEAP
Trust Root Certification Authority: GTE Cyber Trust Global Root
Authentication Protocol: MS-CHAPv2
Username: firstname.lastname@example.org
Password: xxxxxxx

Searching for available networks and connecting to the eduroam network will result in a user prompt. Entering the user/password will result in an "Authentication Failed" error. Looking at our RADIUS logs we get:

User NqZFzn2N7Q7$xToGa3uDmm was denied access.
Fully-Qualified-User-Name = <undetermined>
...

The username is completely garbled and fails.

If we first set up the eduroam connection using the Connection Manager Wizard and then search and connect we simply get an "Authentication Failed" error and nothing even gets to the RADIUS service. I've tried several setup options, no username, no password, manual user name, always the same result.

REPRODUCIBILITY:
always

Please help, this seems to be an old issue since 2005 OS versions still unresolved, it has a huge user impact, no users (student or otherwise) can connect to their universities' wireless networks. This seems to be a problem with the wireless client, like the 802.1x/EAP communication isn't properly handled.

I've checked the following bugs reported, but no working solution was provided:
https://bugs.maemo.org/show_bug.cgi?id=327
https://bugs.maemo.org/show_bug.cgi?id=1017
https://bugs.maemo.org/show_bug.cgi?id=1635

Thank you.
My above report still applies to OS2008 (2.2007.51-3) on N810, unfortunately.
Recommend changing the severity to "Major", based on severity guideline "major loss of function" (i.e., lack of WIFI on probably the majority of US and international academic institutions). Don't understand why this was ever changed to an enh.
This is a show-stopper.. when in the world will it be fixed?!
I just managed to connect to EDUROAM with PEAP (typing on the n810 now) using similar procedure to this described at http://www.eduroam.cz/doku.php?id=cs:uzivatel:sw:maemo . So it works and is just extremely tricky to figure out - I already have a class here for two months once a week.
*** Bug 950 has been marked as a duplicate of this bug. ***
(In reply to comment #23)
> I just managed to connect to EDUROAM with PEAP (typing on the n810 now) using
> similar procedure to this described at
> http://www.eduroam.cz/doku.php?id=cs:uzivatel:sw:maemo . So it works and is
> just extremely tricky to figure out

Andrzej, what does "similar" mean? Please share your wisdom with us here, because for me the eduroam.cz description itself didn't help! :-)
4.20008.23-14 is still with the same problem. Please help here... there's a lot of European Universities using this configuration (eduroam), and under the current conditions the device is useless. This is urgent!
Valentin: Please use the "Vote" feature instead. Also see comment 23.
Ok... I had the same issue at the university WLAN (ETH Zurich), using 802.1x authentication. What I did was the following:

1. I imported the GlobalCert SureServer EDU Root-Certificate by downloading it from the following URL: http://secure.globalsign.net/cacert/sureserverEDU.crt saving it on a memory card and then importing it on the N800 using the Certificate Manager, "trusting" it for WLAN access. I do not know whether this step was necessary (I guess not, actually), but for people having problems, maybe it's worth a try.

2. I followed the instructions on comment #23 - the "manual username" thing in the advanced settings seemed to be the key. However, after adding the connection in the Connection Wizard I had to *restart* my N800 in order for the university access point to be recognized as a "favorite" connection! Until I did this connecting to the AP just popped up the WPA authentication window.

This worked, even though it is kind of inconvenient. Btw, all the testing was done on an N800 with the latest OS2008.
I consider supporting this as an enhancement just like bug 1017, hence changing the severity. This does NOT mean that this bug is less "valid" or whatever, just to avoid misunderstandings.
By reading this bug I see that comments 15, 23 and 28 were solving the problem with a manual username set for WLANs with WPA EAP security. It seems to me that setting the manual username would fix the problem in comment 19. The summary for this bug is about WPA 802.1x key exchange. It is not supported by the device and thus this bug is correctly marked as an enhancement.
Asking about the possibility to support this feature. Will report here when I get an answer.
Same answer as to Bug 1635

Productize and support officially this feature is a complex task. It is not planned for Fremantle and at this point it's not even clear to have it supported in Harmattan.

We do understand the implications it has but there are other priorities that need to be addressed first in the Connectivity area. I set the priority to "low" just to reflect that.

Feel free to keep voting and "campaigning" for this feature. As said there is still a chance to have it in Harmattan, although (to be clear) there is no guarantee that more votes will bring it in. It's just to have more direct feedback on the need and status of this functionality.

Thank you for your understanding.
(In reply to comment #32)
> Same answer as to Bug 1635
>
> Productize and support officially this feature is a complex task. It is not
> planned for Fremantle and at this point it's not even clear to have it
> supported in Harmattan.
>
> We do understand the implications it has but there are other priorities that
> need to be addressed first in the Connectivity area. I set the priority to
> "low" just to reflect that.
>
> Feel free to keep voting and "campaigning" for this feature. As said there is
> still a chance to have it in Harmattan, although (to be clear) there is no
> guarantee that more votes will bring it in. It's just to have more direct
> feedback on the need and status of this functionality.
>
> Thank you for your understanding.
>

So there is no way I can use my tablet to connect to 802.1x WEP network?
*** Bug 327 has been marked as a duplicate of this bug. ***
I wish I'd kept the version number, but the 810 as delivered accepted my university's user certificate in the user space, but when I updated the software the same user cert gets deposited in the "authorities" area. I wasn't experiencing bugs, but I stupidly figured I'd update the device in order to have the "best" software. I'm kicking myself. I'm glad to see that this is being worked on and that it's not just something I somehow did to myself.
(In reply to comment #32)
> Same answer as to Bug 1635
>
> Productize and support officially this feature is a complex task. It is not
> planned for Fremantle and at this point it's not even clear to have it
> supported in Harmattan.

Now this has been clarified in the roadmap. While Maemo does plan to offer support for EAP-TTLS+PAP (Bug 1635), supporting WEP with 802.1x EAP PEAP would imply much deeper changes in the current connectivity framework and we think it's not worth doing it for this specific protocol. Therefore this is a WONTFIX.
Hi guys, would it be possible to update this? I'd like to reopen the bug, and see if Nokia's decision could change on this topic considering it has been nearly a year since it was last assessed. I would especially want to argue that a lot of corporate environments still actively use LEAP-based technologies, and limiting this would definitely hurt the adoption of the N900 or other platforms based on Maemo in said environments. Systems leveraging AAA protocols would definitely be a great benefit for Maemo as a whole. Thoughts?
(In reply to comment #37)
> I would especially want to argue that a lot of corporate environments still
> actively use LEAP-based technologies

Apologies, I got confused with WPA EAP-TLS, which appears to be supported. Please ignore my useless ranting.
I've done some tinkering with this, and my phone on the latest firmware seems to work with a 10-char hex key using WEP. Doesn't seem to want to stay connected with anything less than that.
I was able to get 802.11x + dynamic WEP working on both 770 and N810 using wpa_supplicant. See http://penguintown.net/~gorlik/n770.html for details.
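
A wpa_supplicant network block for the combination this bug asks for (802.1X with PEAP/MSCHAPv2 and dynamically generated WEP keys, no WPA), as an added example; it is not taken from the comment above or from the page it links to. The SSID, identity, password and certificate path are placeholders, and the control-interface path is an assumption about the local setup.

```conf
# wpa_supplicant.conf -- constructed example, all values are placeholders.
ctrl_interface=/var/run/wpa_supplicant

# Let wpa_supplicant request scans and choose the access point itself.
ap_scan=1

network={
    ssid="example-campus"

    # 0 = broadcast scans only. Setting 1 makes wpa_supplicant ask the driver
    # to scan for this specific SSID, the kind of scan request an earlier
    # comment in this thread reports as freezing the kernel with the
    # Conexant driver.
    scan_ssid=0

    # 802.1X/EAPOL without WPA: the WEP keys are delivered after EAP
    # authentication ("key is provided automatically"), so no wep_key0 here.
    key_mgmt=IEEE8021X

    # Bit 0: require a dynamically generated unicast WEP key.
    # Bit 1: require a dynamically generated broadcast WEP key.
    eapol_flags=3

    # Outer method PEAP, inner method MSCHAPv2, as on the networks
    # described in this bug.
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    password="placeholder-password"

    # Root CA used to validate the RADIUS server certificate. Without it the
    # MSCHAPv2 exchange is run with whichever server answers for this SSID.
    # The traffic itself is still protected only by WEP.
    ca_cert="/path/to/root-ca.pem"
}
```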
Seems to be working better with recent update :D
Well, this is a show stopper for me, WPA 802.1x key exchange a wontfix... Wow, Nokia kicked me on this one. Didn't they advertise WPA.. Hmm... so now I need to decide what to use my N900 internet tablet for as I can't use the internet where I really need to use the internet... Thinking of my N95 and my E90 right about now.. Hmm, also my friend's Android. Yesterday's update.. did not seem to fix this at all for me.