Bug 1017 - need 802.1X/PEAPv0/MS-CHAPv2 and/or 802.1X/EAP-TTLS/MS-CHAPv2
Status: RESOLVED WORKSFORME
Product: Connectivity
Component: WiFi
Version: unspecified
Hardware/OS: All Debian
Importance: Medium enhancement with 30 votes
Assigned To: unassigned
QA Contact: wifi-bugs
Reported: 2007-02-03 19:18 UTC by Devin Akin
Modified: 2009-01-03 10:20 UTC

Description Devin Akin (reporter) 2007-02-03 19:18:15 UTC
Currently, the Wi-Fi connectivity is limited to WPA-Personal and WPA2-Personal
using passphrases.  In order for this device to be completely useful in a
corporate environment, we need 802.1X/PEAPv0/MS-CHAPv2 and/or
802.1X/EAP-TTLS/MS-CHAPv2.  Either of these tunneled EAP types will do nicely. 
I have requested that Juniper Networks begin supporting the N800 with their
Odyssey Client software, but I haven't heard anything yet.  Thanks!
Comment 1 Derek Chew 2007-03-29 12:49:20 UTC
Please add CISCO LEAP Support
Comment 2 Ryan Pavlik 2007-06-10 21:13:10 UTC
I need WEP MS-PEAP: Instructions for the details of my installation are at
http://www.snc.edu/compserv/handouts/#network - the Win XP SP2 instructions are
probably the clearest.
Comment 3 R Daley 2007-08-30 19:24:16 UTC
I second the need for CISCO LEAP
Thanks
Comment 4 Rainer Dorsch 2007-09-14 13:14:45 UTC
CISCO LEAP or EAP TLS would be helpful within the company I am working for.
Comment 5 Nick 2007-09-14 21:17:19 UTC
Cisco Leap please!
Comment 6 brushedtooth 2007-09-16 08:18:26 UTC
Need CISCO LEAP, and WEP +PEAP.
Comment 7 galvatrons 2007-10-24 19:25:08 UTC
Need CISCO LEAP
Comment 8 Carl Blesius 2007-11-03 03:38:34 UTC
Would like to test using this for applications we are building in the hospital
I work in, but we use LEAP so this device is not useful yet.

I found this on the web (source:
http://lists.maemo.org/pipermail//maemo-developers/2006-August/005222.html )

<blockquote>
> - LEAP support.  I'm not sure if Cisco allows anyone to know about LEAP, 
> especially in an open platform.  But, it'd be nice to be able to log on to 
> Cisco wireless.

This has been long supported by wpa_supplicant (no thanks to Cisco
though). Unfortunately, the Nokia IAP software is closed-source and I
don't know if it's related to wpa_supplicant at all. You might have some
luck with wpa_supplicant but unless the proprietary WLAN driver supports
the latest WE extensions or the prism54 wpa_supplicant driver you're
likely out of luck.
</blockquote>

Is this true?
Comment 9 smalleraperture 2007-11-05 19:24:39 UTC
I agree that Cisco LEAP support would greatly expand the potential uses within
a corporate environment.
Comment 10 dan.dahlberg 2007-11-10 07:52:45 UTC
Since more IT Security Specialists are moving to this type of encryption, it
will have to be done in the future. Why not start now? :)

I support this effort.
Comment 11 Jayson Cote 2007-12-04 19:04:04 UTC
I am also desperately in need of Cisco LEAP connectivity...this is a must for
any type of corporate use...we are using CKIP/LEAP authentication and without
it, this device is for the most part useless to me.
Comment 12 Joshua Layne 2007-12-19 01:06:21 UTC
N810 running OS2008(1.2007.42-19)

I finally got some time to work with the RADIUS administrator and troubleshoot
this. In the end, I was able to get authenticated, but there are some definite
bugs in the wireless connection manager, because I shouldn't have had this much
trouble. Our network (to briefly re-summarize):
Cisco LWAPs (Light-Weight Access Points) (1131 and 1242)
Cisco Wireless Controllers (WISM blades for Cisco 6500 chassis)
MS Internet Authentication Service RADIUS with PEAP/MS-CHAPv2 over WPA1 (TKIP)
and WPA2(CCMP) with named user authentication.

The setup that worked:
---
WLAN :)
---
Network Name (SSID): blah
Network is hidden: checked (and true)
Network Mode: Infrastructure
Security Method: WPA with EAP
---
EAP type: PEAP
---
Select Certificate: None (we don't use client certs)
EAP method: EAP MSCHAPv2
---
User name: WHATEVER (doesn't matter as it doesn't seem to actually use this
field)
Password: password
Prompt for password: UNCHECKED
---
Advanced: EAP
-
Use Manual user name: checked
Manual user name: username
Require Client Authentication: unchecked
---

Ok, so this looks pretty normal, except for a few things: 1) if you don't enter
the manual username in the advanced properties, it sends totally garbled
credentials which (obviously) fail authentication and the log shows the EAP
type as undetermined:
---
User qQVHj2kwcIhtnSA6QhmpIm was denied access.
Fully-Qualified-User-Name = OBFUSCATED\qQVHj2kwcIhtnSA6QhmpIm
NAS-IP-Address = OBFUSCATED
NAS-Identifier = OBFUSCATED
Called-Station-Identifier = OBFUSCATED
Calling-Station-Identifier = OBFUSCATED
Client-Friendly-Name = OBFUSCATED
Client-IP-Address = OBFUSCATED
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
---
2) if you select prompt for password AND you have manual user name checked AND
you have an entry for the manual username, you will get a password prompt,
which will fail and nothing will even make it to the RADIUS logs... 

Basically: as far as I can tell, the username field is not used in the main
configuration tab, only the 'manual user name' is used in the advanced
settings. Secondarily, the 'prompt for password' option does not seem to
authenticate properly, as it didn't even show in the RADIUS logs.

So I guess the result is mixed - _I_ have my issue fixed (and hopefully these
steps help somebody else), but this doesn't seem to be proper behavior on the
part of the wireless configuration manager.
Comment 13 Janne Ylälehto nokia 2007-12-20 15:15:15 UTC
(In reply to comment #12)
>
> Ok, so this looks pretty normal, except for a few things: 1) if you don't enter
> the manual username in the advanced properties, it sends totally garbled
> credentials which (obviously) fail authentication and the log shows the EAP
> type as undetermined

I would prefer the word random over garbled. Our supplicant sends random
identity when no manual username has been set. This is more secure since the
identity is not exposed. It seems that MS Radius server does not like the
random identity but the user needs to put manual username to make it work. I am
not aware of any other Radius server having problems with a random identity.

>
> 2) if you select prompt for password AND you have manual user name checked AND
> you have an entry for the manual username, you will get a password prompt,
> which will fail and nothing will even make it to the RADIUS logs... 
> 
> Basically: as far as I can tell, the username field is not used in the main
> configuration tab, only the 'manual user name' is used in the advanced
> settings. Secondarily, the 'prompt for password' option does not seem to
> authenticate properly, as it didn't even show in the RADIUS logs.

The username is used in the inner EAP phase (MSCHAPv2) and the 'manual user
name' or the random identity in the outer phase (PEAP). I just tested against
Freeradius server and I could make all setting combinations work so I couldn't
reproduce the problem. It could be related to your network setup (different AP
and Radius server). Can you try to get air sniffer logs or tcpdump of the
authentication?
Comment 14 Nuno Faria 2008-01-05 20:34:04 UTC
(In reply to comment #13)

I have a problem similar to Joshua's, except that in my case, setting a manual
username did not work.

It's not easy for me to access the AP logs, but I will try.

I am using v.2.2007.50-2. A full description of my settings was sent to the
user's mailing list:

http://lists.maemo.org/pipermail//maemo-users/2008-January/008610.html

> (In reply to comment #12)
> >
> > Ok, so this looks pretty normal, except for a few things: 1) if you don't enter
> > the manual username in the advanced properties, it sends totally garbled
> > credentials which (obviously) fail authentication and the log shows the EAP
> > type as undetermined
> 
> I would prefer the word random over garbled. Our supplicant sends random
> identity when no manual username has been set. This is more secure since the
> identity is not exposed. It seems that MS Radius server does not like the
> random identity but the user needs to put manual username to make it work. I am
> not aware of any other Radius server having problems with a random identity.
> 
> >
> > 2) if you select prompt for password AND you have manual user name checked AND
> > you have an entry for the manual username, you will get a password prompt,
> > which will fail and nothing will even make it to the RADIUS logs... 
> > 
> > Basically: as far as I can tell, the username field is not used in the main
> > configuration tab, only the 'manual user name' is used in the advanced
> > settings. Secondarily, the 'prompt for password' option does not seem to
> > authenticate properly, as it didn't even show in the RADIUS logs.
> 
> The username is used in the inner EAP phase (MSCHAPv2) and the 'manual user
> name' or the random identity in the outer phase (PEAP). I just tested against
> Freeradius server and I could make all setting combinations work so I couldn't
> reproduce the problem. It could be related to your network setup (different AP
> and Radius server). Can you try to get air sniffer logs or tcpdump of the
> authentication?
>
Comment 15 Janne Ylälehto nokia 2008-01-07 08:57:12 UTC
(In reply to comment #14)
> I have a problem similar to Joshua's, except that in my case, setting a manual
> username did not work.
> 
> It's not easy for me to access the AP logs, but I will try.
> 
> I am using v.2.2007.50-2. A full description of my settings was sent to the
> user's mailing list:
> 
> http://lists.maemo.org/pipermail//maemo-users/2008-January/008610.html

Your problem looks a bit different. For some reason, N810 does not detect your
network as WPA network but tries to use WEP encryption since it detects that
the network has some kind of protection but no WPA. My experience with Cisco
APs is quite limited but I remember that this kind of situation can happen if
you don't set the "Key Management" to "Mandatory" and tick "WPA" in Cisco AP
settings. In my Cisco 1200 this setting is in Security -> SSID Manager page.
Remember to select the correct SSID in that page.
Comment 16 Kosta 2008-01-11 02:28:15 UTC
(In reply to comment #15)
> (In reply to comment #14)
> > I have a problem similar to Joshua's, except that in my case, setting a manual
> > username did not work.
> > 
> > It's not easy for me to access the AP logs, but I will try.
> > 
> > I am using v.2.2007.50-2. A full description of my settings was sent to the
> > user's mailing list:
> > 
> > http://lists.maemo.org/pipermail//maemo-users/2008-January/008610.html
> 
> Your problem looks a bit different. For some reason, N810 does not detect your
> network as WPA network but tries to use WEP encryption since it detects that
> the network has some kind of protection but no WPA. My experience with Cisco
> APs is quite limited but I remember that this kind of situation can happen if
> you don't set the "Key Management" to "Mandatory" and tick "WPA" in Cisco AP
> settings. In my Cisco 1200 this setting is in Security -> SSID Manager page.
> Remember to select the correct SSID in that page.
> 

It looks like this problem is not so uncommon.
I have the same situation with my corp wireless network. 
Network manager cannot recognize it as WPA and asks for the WEP key.

I have no control for the Cisco AP settings, unfortunately...
Officially corp supports Odyssey Client on the XP platform only.

But Wpa_supplicant on the ubuntu laptop works just fine...

Environment: N800 with OS2008.
Comment 17 João Pedro Santos de Sousa 2008-02-07 12:15:01 UTC
HARDWARE/SOFTWARE VERSION: N810 - OS2008 (2.2007.50-2)

INTRODUCTION: The eduroam program is a worldwide educational wireless roaming
initiative that combines the wireless connections available at universities and
educational institutions throughout the world, currently all over Europe and
also Asia, on a huge roaming network. As an example a student or investigator
from a university in Portugal may use the wireless connection while visiting
a university in Finland, and vice-versa.

Typically these wireless connections rely on WPA-TKIP-EAP-PEAP-MSCHAPv2 or
WPA-TKIP-EAP-TTLS-PAP. More info at http://www.eduroam.org.

So you see this has a huge user impact as all university users (students,
investigators and professors) require this type of corporate connection to
work, study and roam within academic institutions.

I currently work at the Communications and Informatics Center at the University
of Aveiro, Portugal. We can connect several systems, either desktops or mobile
devices, Windows XP/Vista, Linux, MacOSX, WindowsMobile/PPC or Symbian.

STEPS TO REPRODUCE THE PROBLEM:

We use a WPA-TKIP-EAP-PEAP-MSCHAPv2 connection, based on Cisco Access Points
and MS Internet Authentication Service RADIUS with PEAP/MS-CHAPv2 over WPA1
(TKIP) with named user authentication.

Requirements:

SSID: eduroam
SSID hidden?: no
Network Authentication: WPA
Data encryption: TKIP
EAP Type: PEAP
Trust Root Certification Authority: GTE Cyber Trust Global Root
Authentication Protocol: MS-CHAPv2

Username: xxxxxx@ua.pt
Password: xxxxxxx

Searching for available networks and connecting to the eduroam network will
result in a user prompt. Entering the user/password will result in an
"Authentication Failed" error. Looking at our RADIUS logs we get:

User NqZFzn2N7Q7$xToGa3uDmm was denied access.
Fully-Qualified-User-Name = <undetermined>
...

The username is completely garbled and fails.

If we first setup the eduroam connection using the Connection Manager Wizard
and then search and connect we simply get an "Authentication Failed" error and
nothing even gets to the RADIUS service. I've tried several setup options, no
username, no password, manual user name, always the same result.

REPRODUCIBILITY: always

Please help, this seems to be an old issue since 2005 OS versions still
unresolved, it has a huge user impact, no users (student or otherwise) can
connect to their universities' wireless networks.

This seems to be a problem with the wireless client, like the 802.1x/EAP
communication isn't properly handled. I've checked the following bugs reported,
but no working solution was provided:

https://bugs.maemo.org/show_bug.cgi?id=327
https://bugs.maemo.org/show_bug.cgi?id=417
https://bugs.maemo.org/show_bug.cgi?id=1635

Thank you.
Comment 18 João Pedro Santos de Sousa 2008-02-21 16:34:56 UTC
My above report still applies to OS2008 (2.2007.51-3) on N810, unfortunately.
Comment 19 Andrew 2008-03-25 03:30:26 UTC
I can confirm this bug/limitation renders wireless access from my n810 useless
as well.
Our radius server supports TTLS/PAP/MSCHAPv2 and PEAP/MSCHAPv2 however I cannot
connect using the latest OS2008 wireless client as the username sent to the
radius server is garbled and does not match that supplied.

I'm using an Apple Airport Extreme (wireless N) AP with freeradius 1.1.7 (on
Fedora 8) as the radius backend.  Works beautifully for clients on multiple
platforms with the exception of my n810.
Comment 20 jeff 2008-06-26 23:12:22 UTC
I need Cisco LEAP or EAP-FAST for my corporate Network.  Would love to see this
added.
Comment 21 TheShadow 2008-07-26 20:25:26 UTC
Please support for WPA2 Enterprise.  It is a must have for corporate
environments.
Comment 22 Bill McGonigle 2008-08-15 01:12:52 UTC
OK, having read through all the comments here I'm trying to get a handle on
what the actual work involved is.  I don't know much about how WPA/WPA2 works,
so this comment should only be construed as intended to stimulate discussion.

It sounds like the path of least resistance is to get wpa_supplicant supported
under maemo as that enables reuse of a large existing corpus of work.  As I
understand it, that means the cx3110x driver needs to support the WE18
extensions, and this patch provides that:

  https://garage.maemo.org/pipermail/cx3110x-devel/2007-November/000005.html

and other community patches fix other problems and add performance:

  https://garage.maemo.org/pipermail/cx3110x-devel/2008-April/000038.html

Now then, that's not merely sufficient as the existing Nokia IAP doesn't know
how to work with wpa_supplicant, so there's no GUI for the user to use (.conf
required), and Nokia IAP won't know there's a connection.  Nokia IAP is closed
source so Nokia has to want to make this work.  A workaround is to create a
dummy network device:

  http://www.internettablettalk.com/forums/showthread.php?p=194608

While there may be benefits to a complete rewrite of Nokia IAP, I suspect that
pitching Nokia on supporting wpa_supplicant is the more expedient path.  The
business case should be simple:  the n810 isn't useful to enterprise users
without WPA2 support.  In a former life I wrote wireless tablet applications
for large institutions and the n810 would be such a great device for vendors to
sell into, e.g. medical, but no WPA2 makes it a non-starter.  Some of these
vendors might very well buy a hundred or a thousand devices at a time.  I don't
know what kind of numbers make things interesting to Nokia.

Now, I'm assuming there's no additional work to be done in the closed-source
umac.ko driver, but I don't know that.  Getting work done there appears to be
difficult:

  http://www.gossamer-threads.com/lists/maemo/developers/31238#31238

though there is at least the start of an effort to replace umac.ko:

  http://article.gmane.org/gmane.linux.kernel.wireless.general/11997

I also don't know what progress has been made, if any, in Diablo.  My n810
doesn't appear to have wpa_supplicant on it with Diablo.  How many of the above
patches have been checked in to the official branch, I'm not sure, I haven't
perused the SVN.

So, those are a few links and what I've learned in a couple hours of
researching.  If anybody can correct, add to, or expand on what I've written,
please do so.
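The two points made earlier in the thread (comment 13: the "manual user name" or random identity goes in the outer PEAP phase, the username goes in the inner MS-CHAPv2 phase; comment 22: wpa_supplicant needs a .conf rather than a GUI) map onto a single wpa_supplicant configuration. The block below is an added example written for this page; it is not Nokia IAP configuration and not from any commenter here. The SSID, realm, user name, password, certificate path and server name are placeholders.

```conf
# Added example (not from the bug or from Nokia): wpa_supplicant network
# blocks for WPA/WPA2-Enterprise with PEAPv0/MS-CHAPv2 and with
# EAP-TTLS/EAP-MSCHAPv2. All quoted values are placeholders.
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="eduroam"                        # placeholder SSID
    key_mgmt=WPA-EAP
    proto=WPA RSN                         # accept WPA1 (TKIP) or WPA2 (CCMP)
    pairwise=CCMP TKIP
    eap=PEAP
    phase1="peapver=0"                    # PEAPv0, the variant MS IAS speaks
    priority=2                            # try PEAP before the TTLS block below

    # Outer (phase 1) identity, sent in clear text in EAP-Response/Identity.
    # The Nokia supplicant fills this with a random value unless a manual
    # user name is set; a fixed anonymous value gives the same privacy.
    # A server that looks the user up by the outer identity (the MS IAS
    # behaviour in comment 12) needs the real account name here instead,
    # which is what the "manual user name" setting supplies.
    anonymous_identity="anonymous@example.edu"   # placeholder realm

    # Inner (phase 2) identity and password, carried only inside the TLS tunnel.
    identity="user@example.edu"           # placeholder
    password="correct-horse-battery"      # placeholder; hash:<NT hash> also works
    phase2="auth=MSCHAPV2"

    # Check the RADIUS server certificate before releasing the MS-CHAPv2
    # exchange into the tunnel; without these two lines any server that
    # presents some certificate can complete phase 1 and collect the
    # challenge/response.
    ca_cert="/etc/ssl/certs/ca-certificates.crt"   # placeholder CA bundle
    subject_match="radius.example.edu"             # placeholder server name
}

# Same credentials over EAP-TTLS with EAP-MSCHAPv2 inside the tunnel
# (the "TTLS with EAP MSCHAPv2" option listed in comment 23).
network={
    ssid="eduroam"                        # placeholder SSID
    key_mgmt=WPA-EAP
    proto=WPA RSN
    pairwise=CCMP TKIP
    eap=TTLS
    priority=1
    anonymous_identity="anonymous@example.edu"   # placeholder realm
    identity="user@example.edu"           # placeholder
    password="correct-horse-battery"      # placeholder
    phase2="autheap=MSCHAPV2"             # EAP-MSCHAPv2 inside TTLS; "auth=MSCHAPV2" for plain MSCHAPv2
    ca_cert="/etc/ssl/certs/ca-certificates.crt"   # placeholder CA bundle
    subject_match="radius.example.edu"             # placeholder server name
}
```

Read against the Nokia UI described in comments 12 and 13: `anonymous_identity` is the "manual user name" (or the random identity when none is set) and `identity` is the main-tab "user name". The failure in comment 12, where IAS logs a random-looking user and "EAP-Type = <undetermined>", is the server rejecting the outer identity before it ever opens the tunnel, so the fix on the client side is to make `anonymous_identity` a name the server can resolve, not to change the inner credentials. The `ca_cert`/`subject_match` lines are the part most often omitted in ad-hoc setups; they are what stops the inner MS-CHAPv2 exchange from being handed to an unauthenticated server.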
Comment 23 Patrik Flykt nokia 2008-08-25 16:03:31 UTC
(In reply to comment #19)
> I can confirm this bug/limitation renders wireless access from my n810 useless
> as well. Our radius server supports TTLS/PAP/MSCHAPv2 and PEAP/MSCHAPv2
> however I cannot connect using the latest OS2008 wireless client as the
> username sent to the radius server is garbled and does not match that
> supplied.

So this bug is actually about the random identity? Does anyone know which
radius servers are affected and/or can anyone confirm that Freeradius works?
The authentication methods supported in version 4.1 seem to be sufficient, as
the following ones are provided according to the UI:
- WPA with EAP using PEAP-MSCHAPv2
- WPA with EAP using TTLS with EAP MSCHAPv2
- WPA with EAP using MSCHAPv2

Please file a new bug for Cisco LEAP requests.
Comment 24 Daniel Would 2008-09-01 00:46:36 UTC
(In reply to comment #23)
> (In reply to comment #19)
> > I can confirm this bug/limitation renders wireless access from my n810 useless
> > as well. Our radius server supports TTLS/PAP/MSCHAPv2 and PEAP/MSCHAPv2
> > however I cannot connect using the latest OS2008 wireless client as the
> > username sent to the radius server is garbled and does not match that
> > supplied.
> 
> So this bug is actually about the random identity? Does anyone know which
> radius servers are affected and/or can anyone confirm that Freeradius works?
> The authentication methods supported in version 4.1 seem to be sufficient, as
> the following ones are provided according to the UI:
> - WPA with EAP using PEAP-MSCHAPv2
> - WPA with EAP using TTLS with EAP MSCHAPv2
> - WPA with EAP using MSCHAPv2
> 
> Please file a new bug for Cisco LEAP requests.
> 

- new bug raised https://bugs.maemo.org/show_bug.cgi?id=3655 for the LEAP
support request
Comment 25 Patrik Flykt nokia 2008-10-28 14:26:04 UTC
(In reply to comment #24)
> > - WPA with EAP using PEAP-MSCHAPv2

This works according to comments in bug #417. The trick is to set the "manual
username" on the EAP tab of the saved WLAN network. I suppose the other two
cases would work as well, somebody could verify the TTLS setup mentioned in the
summary.

> - new bug raised https://bugs.maemo.org/show_bug.cgi?id=3655 for the LEAP
> support request

Thanks.

Could we start thinking of closing this bug sometime soon if the TTLS setup is
verified to work?
Comment 26 Andre Klapper maemo.org 2008-10-30 21:50:55 UTC
According to bug 1635 comment 20, for WPA-TKIP-EAP-PEAP-MSCHAPv2 there's a
workaround described at http://www.valeriovalerio.org/?p=182

Feedback welcome (if it's not 10, but 2 people saying "works for me", let's not
get this too noisy ;-)
Comment 27 Quim Gil nokia 2008-11-03 08:24:39 UTC
This enhancement request is taking a slot in the Top 10. Feedback is welcome to
determine whether it can be resolved or there is indeed a pending enhancement
request.

Thanks!
Comment 28 Quim Gil nokia 2008-11-10 08:58:46 UTC
No additional feedback received in a week. Resolving as worksforme, please
reopen if you disagree.
Comment 29 Delphine Pessoa 2008-11-25 18:01:44 UTC
I'm trying to connect to eduroam in my University (which is not the same). 

Mine does not need certificate and does not work with the above solutions. 
On the paper on how to configure it, they say,  
for windows: WPA-TKIP-EAP-PEAP 
for Ubuntu: TTLS-TKIP(Default)-PAP

I am running on OS2007...
Comment 30 Ed Sternin 2008-12-05 01:30:31 UTC
Comment #12 (https://bugs.maemo.org/show_bug.cgi?id=1017#c12)
suggests a set-up on the Radius that uses... "WPA1 (TKIP) and WPA2(CCMP)"

I have run into a very similar problem associated with a restriction to 
WPA2 (AES) installed on our Radius server in July.  All other encryptions being
considered "crackable" by our system admins, they have disabled all but AES
encryption.  At which point N800/OS2008 (all versions) stopped authenticating.

This is possibly a different bug, so I opened up a new bug report,
   https://bugs.maemo.org/show_bug.cgi?id=3914
where I provide additional details, but it may well be that these two are
related, even though this one is currently "RESOLVED".

Mine is not an issue of certificates, as a different error shows up if I do not
have our (privately signed) certificate imported.
Comment 31 thedeathofsanity 2009-01-03 10:20:50 UTC
There are still a lot of us out here waiting for LEAP authentication with bated
breath.  I wanted to use my n810 for work and play.  Ironically I can VPN and
do all I need at work but cannot use the device at the office without LEAP.
We need a bug just for Leap I guess.