Bug 1635 - (int-150522) Eduroam (EAP-TTLS+PAP) WiFi auth
Status: RESOLVED FIXED
Product: Connectivity
WiFi
: 5.0/(2.2009.51-1)
: All Maemo
: Medium normal with 84 votes (vote)
: 5.0/(10.2010.19-1)
Assigned To: unassigned
: wifi-bugs
: http://www.eduroam.org/
: 3867
Reported: 2007-07-09 19:49 UTC by Volker Braun
Modified: 2015-12-23 09:15 UTC (History)
Attachments
osso-wlan-security with PAP support for Fremantle (206.35 KB, application/octet-stream)
2009-12-04 12:35 UTC, Janne Ylälehto
A small QT application to enable PAP GUI (12.75 KB, application/octet-stream)
2010-05-25 13:28 UTC, Janne Ylälehto
syslog_extract (41.28 KB, text/plain)
2010-05-27 16:15 UTC, cadeddu
Description Volker Braun (reporter) 2007-07-09 19:49:02 UTC
Many universities use EAP-TTLS + PAP as authentication scheme for their
wireless network (including mine). Moreover, there are attempts to standardize
this across universities to allow visitors from other institutions. For
academic users, EAP-TTLS+PAP is by far the most important wireless network
type. Currently, the N800 offers no way to access such a network. 

Since EAP-TTLS + mschapv2 is already supported, it seems like it would be
rather easy to add PAP as another inner authentication mechanism. But the
relevant software parts are not open-sourced, so this would have to be done by
somebody from nokia.
Comment 1 jynusx 2007-12-13 15:28:29 UTC
This bug still applies to OS 2008.
Comment 2 Andre Klapper maemo.org 2008-01-14 17:04:16 UTC
Same here, I cannot use the N810 in the entire university network. :-(
Comment 3 Thomas Perl 2008-01-19 19:51:25 UTC
I would also love to see this supported :)
Comment 4 Tilman Vogel 2008-01-23 15:04:33 UTC
Our institute also uses EAP-TTLS/PAP. I'd be happy if I could use it!
Comment 5 Jake Kunnari 2008-02-07 10:42:40 UTC
*** Bug 2902 has been marked as a duplicate of this bug. ***
Comment 6 João Pedro Santos de Sousa 2008-02-07 11:50:43 UTC
HARDWARE/SOFTWARE VERSION: N810 - OS2008 (2.2007.50-2)

INTRODUCTION: The eduroam program is a worldwide educational wireless roaming
initiative that combines the wireless connections available at universities and
educational institutions throughout the world, currently all over Europe and
also Asia, on a huge roaming network. As an example a student or investigator
from a university of Portugal may use the wireless connection while visiting
a university in Finland, and vice-versa. 

Typically these wireless connections rely on WPA-TKIP-EAP-PEAP-MSCHAPv2 or
WPA-TKIP-EAP-TTLS-PAP. More info at http://www.eduroam.org.

So you see this has a huge user impact as all university users (students,
investigators and professors) require this type of corporate connection to
work, study and roam within academic institutions.

I currently work at the Communications and Informatics Center at the University
of Aveiro, Portugal. We can connect several systems, either desktops or mobile
devices, Windows XP/Vista, Linux, MacOSX, WindowsMobile/PPC or Symbian.

STEPS TO REPRODUCE THE PROBLEM:

We use a WPA-TKIP-EAP-PEAP-MSCHAPv2 connection, based on Cisco Access Points
and MS Internet Authentication Service RADIUS with PEAP/MS-CHAPv2 over WPA1
(TKIP) with named user authentication.

Requirements:

SSID: eduroam
SSID hidden?: no
Network Authentication: WPA
Data encryption: TKIP
EAP Type: PEAP
Trust Root Certification Authority: GTE Cyber Trust Global Root
Authentication Protocol: MS-CHAPv2

Username: xxxxxx@ua.pt
Password: xxxxxxx

Searching for available networks and connecting to the eduroam network will
result in a user prompt. Entering the user/password will result in an
"Authentication Failed" error. Looking at our RADIUS logs we get:

User NqZFzn2N7Q7$xToGa3uDmm was denied access.
Fully-Qualified-User-Name = <undetermined>
...

The username is completely garbled and fails.

If we first set up the eduroam connection using the Connection Manager Wizard
and then search and connect we simply get an "Authentication Failed" error and
nothing even gets to the RADIUS service. I've tried several setup options, no
username, no password, manual user name, always the same result.

REPRODUCIBILITY: always

Please help, this seems to be an old issue since 2005 OS versions still
unresolved, it has a huge user impact, no users (student or otherwise) can
connect to their universities' wireless networks.

This seems to be a problem with the wireless client, like the 802.1x/EAP
communication isn't properly handled. I've checked the following bugs reported,
but no working solution was provided:

https://bugs.maemo.org/show_bug.cgi?id=327
https://bugs.maemo.org/show_bug.cgi?id=417
https://bugs.maemo.org/show_bug.cgi?id=1017

Thank you.
Comment 7 Tilman Vogel 2008-02-07 12:00:08 UTC
(In reply to comment #6)

I think you should open a separate bug report because this one is about
implementing EAP-TTLS+PAP. You are reporting that PEAP+MS-CHAPv2 is not working
correctly for you. This seems a different issue to me.

Anyway, thanks for pointing out the widespread use of both of these
authentication protocols!
Comment 8 João Pedro Santos de Sousa 2008-02-07 15:26:16 UTC
(In reply to comment #7)
> 
> I think you should open a separate bug report because this one is about
> implementing EAP-TTLS+PAP. You are reporting that PEAP+MS-CHAPv2 is not working correctly for you. This seems a different issue to me.

I did. It was marked as a duplicate of bug 1635. Anyway I do feel that they are
related to the same issue, that is the wireless client not handling correctly
the 802.1x/EAP protocols. In fact you may check the other bugs I've mentioned,
they all seem related.

https://bugs.maemo.org/show_bug.cgi?id=2902
Comment 9 João Pedro Santos de Sousa 2008-02-21 16:39:12 UTC
My above report still applies to OS2008 (2.2007.51-3) on N810, unfortunately.
Comment 10 Francisco 2008-03-02 03:16:10 UTC
The School of the Art Institute of Chicago uses this system as well.  Please
add PAP to the 2nd phase of TTLS EAP.
Comment 11 Michiel Scholten 2008-03-04 16:39:32 UTC
I would like to chime in on this issue, as my university [Vrije Universiteit,
VU, in Amsterdam] uses EAP-TTLS + PAP in its campus-wide network too. I think a
lot of students [and maybe corporate users] will be helped by supporting this
scheme.

Thanks a lot for the already nice software stack!
Comment 12 d_n_lamont 2008-04-05 22:32:37 UTC
This is a major problem for me and several of my co-workers.
My university's setup: 
Network SSID: WIRELESS-UNIVERSITY
Security Type: WPA-Enterprise
Encryption Type: TKIP
Authentication Method: PEAP, EAP-MSCHAPv2

no possible authentication with N810.
Comment 13 Tobias Wolter 2008-04-25 15:10:27 UTC
University of Cologne uses the same setup for the DFN Roaming scheme, so
probably most other German universities, too.
Comment 14 Evili del Rio 2008-06-10 10:12:59 UTC
The Spanish National Research Council (CSIC) also uses EAP-TTLS/PAP for
eduroam. It would be nice to have such an option.
Comment 15 Andre Klapper maemo.org 2008-06-13 17:16:56 UTC
http://www.eduroam.cz/doku.php?id=cs:uzivatel:sw:maemo describes a workaround
how to connect to Eduroam (the text is in Czech, but the screenshots are in
English). Unfortunately it did not work out for me, but maybe it is helpful for
others.
Comment 16 Michiel Scholten 2008-06-13 18:29:32 UTC
Re #15: That looks like what I tried at my university [Vrije Universiteit in
Amsterdam], but it didn't work. The IT department says they received some
hash-like text instead of my username and password, and as far as they
understood it, that was because of some weirdness/bug in the Nokia wifi stack
[wpa?].
Comment 17 Valentin Puente 2008-07-31 17:55:18 UTC
Exactly the same configuration and problem in my University (with 4.1 Diablo).
Please solve this ASAP... We are using Cisco Aironet 1100 as APs. Could be
related to the problem.

> This is a major problem for me and several of my co-workers
> my university's setup: 
> Network SSID: WIRELESS-UNIVERSITY
> Security Type: WPA-Enterprise
> Encryption Type: TKIP
> Authentication Method: PEAP, EAP-MSCHAPv2
> 
> no possible authentication with N810. 
>
Comment 18 Andre Klapper maemo.org 2008-08-21 13:43:12 UTC
*** Bug 3617 has been marked as a duplicate of this bug. ***
Comment 19 Fuad 2008-10-07 01:12:02 UTC
I'm also missing connection due to this authentication method. As described,
EAP-TTLS+PAP authentication is used in our university in Montreal, Canada,
Concordia University. This authentication is required not only for the free
connection but the paid as well. If possible, can this be upgraded ASAP?
Comment 20 Valério Valério maemo.org 2008-10-29 21:06:50 UTC
Is this still a bug?

I can connect to my University eduroam network (University of Évora, Portugal ->
EAP-TTLS PAP) without any problem.

I made a little tutorial here: http://www.valeriovalerio.org/?p=182
Please try the procedure and give some feedback here.
Comment 21 Valério Valério maemo.org 2008-10-29 22:49:06 UTC
Sorry, I provided wrong information in my last comment, my university eduroam is
based on WPA-TKIP-EAP-PEAP-MSCHAPv2 and not on WPA-TKIP-EAP-TTLS-PAP.
Comment 22 Quim Gil nokia 2008-11-03 12:38:44 UTC
Productizing and officially supporting this feature is a complex task. It is not
planned for Fremantle and at this point it's not even clear to have it
supported in Harmattan.

We do understand the implications it has but there are other priorities that
need to be addressed first in the Connectivity area. I set the priority to
"low" just to reflect that.

Feel free to keep voting and "campaigning" for this feature. As said there is
still a chance to have it in Harmattan, although (to be clear) there is no
guarantee that more votes will bring it in. It's just to have more direct
feedback on the need and status of this functionality.

Thank you for your understanding.
Comment 23 nomikon 2008-11-27 16:36:19 UTC
(In reply to comment #22)
> 
> I set the priority to "low" just top reflect that.

If the messages above are telling you that "many universities use EAP-TTLS + PAP as
authentication scheme" (and "many" here does really mean "many"), it is almost sure
you'll see Nokia tablets being rapidly outpaced by new devices, such as Apple
iPod Touch, more friendly with the needs of this range of users and nicely
priced, as well.

For the users, it's as easy as getting such a new device. For you, providers,
it's as hard as trying to convince those same users to trust you again.
Comment 24 doyouknowz 2008-12-18 17:21:39 UTC
(In reply to comment #23)
> (In reply to comment #22)
> > 
> > I set the priority to "low" just top reflect that.
> 
> If the messages above telling you that "many universities use EAP-TTLS + PAP as
> authentication scheme" (and "many" here do really mean "many"), is almost sure
> you'll see Nokia tablets being rapidly outpaced by new devices, such as Apple
> iPod Touch, more friendly with the needs of this range of users and nicely
> priced, as well.
> 
> For the users, it's so easy as getting such a new device. For you, providers,
> it's so hard as trying to convince those same users for trusting you again.
> 

Agreed.  PAP support is very important, and my university's network uses
TTLS-PAP.  The iPhone has it, why can't the n800?
Comment 25 Quim Gil nokia 2008-12-19 13:29:19 UTC
What is your opinion about

http://www.oucs.ox.ac.uk/network/wireless/services/eduroam/nokia_810/
http://www.oucs.ox.ac.uk/network/wireless/services/eduroam/nokia_770/

I'm not in an Eduroam network so I can't check.
Comment 26 Valério Valério maemo.org 2008-12-19 13:44:27 UTC
(In reply to comment #25)
> What is your opinion about
> 
> http://www.oucs.ox.ac.uk/network/wireless/services/eduroam/nokia_810/
> http://www.oucs.ox.ac.uk/network/wireless/services/eduroam/nokia_770/
> 
> I'm not in an Eduroam network so I can't check.
> 

The N810 tutorial works for me without any problem in a couple of universities
in Portugal (WPA-TKIP-EAP-PEAP-MSCHAPv2).
Comment 27 Volker Braun (reporter) 2008-12-19 13:51:42 UTC
(In reply to comment #25)

Apparently Oxford is running an eduroam setup that allows for EAP-PEAP/MSCHAPv2
authentication. We know that this is supported. 

The problem is that eduroam also allows EAP-TTLS/PAP setups, and those are not
supported. Some universities chose to only implement this authentication
method.
Comment 28 Thomas Perl 2008-12-19 14:08:28 UTC
(In reply to comment #27)
> (In reply to comment #25)
> The problem is that eduroam also allows EAP-TTLS/PAP setups, and those are not
> supported. Some universities chose to only implement this authentification
> method.

As an example, the Vienna University of Technology also only supports "802.1x,
WEP128, PEAP, TTLS":

http://www.zid.tuwien.ac.at/kom/tunet/wlan/eduroam_english/
Comment 29 Quim Gil nokia 2008-12-19 14:15:04 UTC
(In reply to comment #27)
> The problem is that eduroam also allows EAP-TTLS/PAP setups, and those are not
> supported. Some universities chose to only implement this authentification
> method.

Ah, yes. Now I remember. Sorry, this is not my domain of expertise.

Well, a difference with the iPhone (or Windows Mobile devices) might be that
Apple/Mac OS X and Microsoft/MS Windows desktops (with a long history of
presence and business with university campuses) support such a protocol so I
guess the infrastructure and the agreements needed to provide such a feature are
officially in place. This is *my own personal* assumption. As said I'm not
the expert in the area.

No Nokia platform seems to support this protocol as of now. Some links I've
found:

http://discussions.europe.nokia.com/discussions/board/message?board.id=communicators&thread.id=26322
http://discussion.forum.nokia.com/forum/showthread.php?t=98362
http://www.petitiononline.com/NokiaPAP/petition.html

So it doesn't look like a trivial task. As said, in Maemo there need to be
some changes in the Connectivity framework before attempting to implement such
a feature. These changes are being developed in Fremantle and Harmattan and this
is why this feature has to wait.

Sorry for not having a better answer. Now this feature is in the top 10 in the
Bug Jar and I can tell you Maemo product managers are reminded about it every
week.
Comment 30 ep41 2009-01-12 21:00:33 UTC
The University of St Andrews uses eduroam (EAP-TTLS+PAP). Most UK universities
do. Eduroam is becoming an international standard. Please support it!
Comment 31 Thomas Perl 2009-01-20 15:08:26 UTC
I don't know the details how this works, but is it a software thing? If so,
would it work with some Debian/Ubuntu-based "distro" like debian-chroot or Mer
(e.g. running network-manager and the necessary daemons inside debian-chroot on
top of Maemo)? Eduroam authentication works on Ubuntu on my laptop with
network-manager, but I have no clue what really makes it working ;)

Could be that it depends on some things in the kernel/wifi driver or even on
the hardware. Maybe someone familiar with these technologies can enlighten us?

This should provide answers to "what's to do to get it working" and "why it's
not working".
Comment 32 Javier S. Pedro 2009-02-16 16:48:58 UTC
(In reply to comment #31)
> I don't know the details how this works, but is it a software thing? If so,
> would it work with some Debian/Ubuntu-based "distro" like debian-chroot or Mer
> (e.g. running network-manager and the necessary daemons inside debian-chroot on
> top of Maemo)? Eduroam authentication works on Ubuntu on my laptop with
> network-manager, but I have no clue what really makes it working ;)

Well, it might indeed work with wpa_supplicant, but then you'll need the
open-source wifi driver, and I'm pretty sure the builtin network/connectivity
manager will stop working, so no way.

Source for osso-wlan-security is needed.
C'mon, PAP isn't THAT hard. wpa_supplicant does it in less than 100 LOCs.

This needs to be well announced, so that no student buys a tablet only to find
out it connects to neither his workplace nor campus network. Pretty
hard to find a buyer right now! :(
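
As an added illustration (not part of this bug thread, and not code from wpa_supplicant or osso-wlan-security), the EAP-TTLS phase 2 PAP message that comment 32 describes as small consists of two Diameter-style AVPs per RFC 5281: User-Name and a null-padded User-Password. The credentials are constructed sample values, and giving an empty password one full block of padding is a choice made for this example.

```python
"""EAP-TTLS phase 2 PAP payload (RFC 5281, section 11.2.5): added example."""
import struct

AVP_USER_NAME = 1        # same code points as the RADIUS attributes
AVP_USER_PASSWORD = 2
FLAG_VENDOR = 0x80       # 'V' bit: a 4-octet Vendor-ID follows the header
FLAG_MANDATORY = 0x40    # 'M' bit: receiver must understand this AVP


def encode_avp(code, data, flags=FLAG_MANDATORY):
    """Encode one AVP: code(4) | flags(1) | length(3) | data | pad to 4."""
    length = 8 + len(data)            # length field excludes the padding
    if length >= 1 << 24:
        raise ValueError("AVP too long for the 24-bit length field")
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def pad_password(password):
    """Null-pad the password to a multiple of 16 octets to hide its length.

    Assumption of this example: an empty password becomes 16 null octets.
    """
    pad = -len(password) % 16
    if not password:
        pad = 16
    return password + b"\x00" * pad


def build_pap_phase2(username, password):
    """Return the bytes the client sends inside the TLS tunnel for PAP.

    PAP puts the password in the AVP unencrypted; its confidentiality rests
    entirely on the TTLS tunnel that wraps this payload.
    """
    return (encode_avp(AVP_USER_NAME, username.encode("utf-8")) +
            encode_avp(AVP_USER_PASSWORD, pad_password(password.encode("utf-8"))))


def decode_avps(buf):
    """Parse a buffer of AVPs into (code, flags, data) tuples."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        header_len = 12 if flags & FLAG_VENDOR else 8
        if length < header_len or off + length > len(buf):
            raise ValueError("bad AVP length")
        avps.append((code, flags, buf[off + header_len:off + length]))
        off += length + (-length % 4)   # skip padding to the 4-octet boundary
    return avps


def extract_credentials(buf):
    """Server-side view: recover (username, password) from the PAP AVPs."""
    fields = {code: data for code, _flags, data in decode_avps(buf)}
    if AVP_USER_NAME not in fields or AVP_USER_PASSWORD not in fields:
        raise ValueError("User-Name and User-Password AVPs are both required")
    username = fields[AVP_USER_NAME].decode("utf-8")
    password = fields[AVP_USER_PASSWORD].rstrip(b"\x00").decode("utf-8")
    return username, password


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    message = build_pap_phase2("user@example.org", "s3cret")
    print(message.hex())
    print(extract_credentials(message))
```
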
Comment 33 Quim Gil nokia 2009-03-02 08:46:15 UTC
Some news here. 

We are willing to have this feature implemented but it is not in our committed
plans yet.

What could happen:

- In Fremantle we enable the platform to allow this type of network. There is
no UI or official instructions coming from us but the community or a third
party could do it.

- In Harmattan it gets official support.

Thoughts?

Something that would help would be figures of the implementation of this
network nowadays. Is there anywhere a list of universities using it? Having a
hint would be good. If there is no official information, a wiki page with real
examples of networks affecting Maemo users would help.
Comment 34 Fernando Agullo-Rueda 2009-03-02 11:08:38 UTC
You can find a map and a list of institutions using the Eduroam network here:

http://www.eduroam.org/

In my case I am affected because I cannot connect to the wireless networks
of the Spanish Research Council (CSIC) (http://www.csic.es/)
nor the Autonomous University of Madrid (http://www.uam.es/).
Details on how to connect to the latter are given here:
http://www.uam.es/servicios/ti/servicios/wifi/eduroam-en.html

I hope you find this information helpful.


(In reply to comment #33)
> Some news here. 
> 
> We are willing to have this feature implemented but it is not in our committed
> plans yet.
> 
> What could happen:
> 
> - In Fremantle we enable the platform to allow this type of network. There is
> no UI or official instructions coming from us but the community or a third
> party could do it.
> 
> - In Harmattan it gets official support.
> 
> Thoughts?
> 
> Something that would help would be figures of the implementation of this
> network nowadays. Is there anywhere a lis of universities using it? Having a
> hint would be good. If there is no official information, a wiki page with real
> examples of networks affecting Maemo users would help.
>
Comment 35 Thomas Perl 2009-03-02 11:41:31 UTC
(In reply to comment #33)
> What could happen:
> 
> - In Fremantle we enable the platform to allow this type of network. There is
> no UI or official instructions coming from us but the community or a third
> party could do it.

Does this mean the bits and pieces are there to do it, there is just no UI
support? (so e.g. using command-line tools I could connect to such a network
without a problem) This would be very welcome!

Would this also mean that the "enabling components" are open source, so
"Fremantle on N8x0" projects like Mer could enable N8x0 users to connect to
Eduroam networks that used the specific authentication scheme that currently
does not work?

> - In Harmattan it gets official support.
> 
> Thoughts?
> 
> Something that would help would be figures of the implementation of this
> network nowadays. Is there anywhere a lis of universities using it? Having a
> hint would be good. If there is no official information, a wiki page with real
> examples of networks affecting Maemo users would help.

As the previous poster already mentioned, http://www.eduroam.org/?p=europe
provides a map of Europe with links to specific countries and from there you can
find lists of Universities. Some examples:

Austria: http://www.aco.net/eduroam.html?&L=1
Italy: http://www.eduroam.it/mappa.php
Germany: http://www.eduroam.de/
France: http://www.eduroam.fr/en/
Spain: http://www.eduroam.es/mapa.es.php
Finland: http://www.csc.fi/hallinto/funet/palvelut/yhd/eduroam/kaytto

I don't have statistics on the Internet Tablet user base, but I could imagine
there are quite a few users in research and academia.

That said, there might be other private or company networks that use the said
authentication scheme and are not Eduroam-related, but still profit from the
change by starting to work where it did not work before.
Comment 36 Andre Klapper maemo.org 2009-03-02 11:51:01 UTC
(In reply to comment #35)

...or Czech Republic:
http://www.eduroam.cz/doku.php?id=en:pripojene_organizace#connected_locations

On a personal note, both my universities are using Eduroam and I've been unable
to connect to their networks by using my N810. Been quite a negative surprise,
and I can imagine quite well that I wasn't the only person.
Comment 37 Fernando Agullo-Rueda 2009-03-02 12:08:48 UTC
(In reply to comment #33)

> 
> Something that would help would be figures of the implementation of this
> network nowadays. Is there anywhere a lis of universities using it? Having a
> hint would be good. If there is no official information, a wiki page with real
> examples of networks affecting Maemo users would help.
> 

As already mentioned it is not only universities that use Eduroam. An example of a
public agency using Eduroam with EAP-TTLS is the largest research organization
of Spain, the Spanish Research Council (CSIC). I guess there are similar cases
in other countries, which other people can indicate.
Comment 38 ep41 2009-03-02 20:47:49 UTC
Hello All,
Here are some comments:

> We are willing to have this feature implemented but it is not in our committed
> plans yet.
>
> What could happen:
>
> - In Fremantle we enable the platform to allow this type of network. There is
> no UI or official instructions coming from us but the community or a third
> party could do it.

As far as I understand (correct me if I am wrong)
Fremantle will not run on the N8xx series because of the new UI,
leaving the N8xx a crippled device with proprietary drivers that cannot be
upgraded or supported by the LINUX community. 

As far as I know Eduroam is becoming the standard for the Janet academic
network in the UK. See:

http://www.ja.net/services/authentication-and-authorisation/janet-roaming/participating-organisations-map.html

I do not know about the rest of Europe but the same standard is
adopted in the US too. The university of Michigan now uses
EAP-TTLS+PAP, (another place where I cannot connect any more).
This is not a minor issue.  It renders the device unusable to the very
community that finds it appealing. What do you do with an internet
tablet if it cannot connect to internet? Nokia will lose against other
Linux UMPCs which are increasingly used in universities (and use
standard Linux distros).

Cheers
Ettore Pedretti

>
> - In Harmattan it gets official support.
>
> Thoughts?
>
> Something that would help would be figures of the implementation of this
> network nowadays. Is there anywhere a lis of universities using it? Having a
> hint would be good. If there is no official information, a wiki page with real
> examples of networks affecting Maemo users would help.
Comment 39 Andre Klapper maemo.org 2009-03-02 21:18:07 UTC
(In reply to comment #38)

Ettore, for future reference please remove unneeded quote lines.

> As far as I understand (correct me if I am wrong)
> Fremantle will not run on the N8xx series because of the new UI,

That's currently not true & has been discussed before.
There are good community efforts done (with some help and support of Nokia) to
make sure that there will be a Fremantle version for the N8x0 - see "Mer",
though it is not an "official" version provided by Nokia.

Discussing it here is definitely out of scope for this bug report.
Comment 40 Andre Klapper maemo.org 2009-03-26 18:49:52 UTC
*** Bug 3117 has been marked as a duplicate of this bug. ***
Comment 41 Francisco Athens 2009-04-04 03:13:19 UTC
would be nice to install wpa_supplicant, NetworkManager, nm-applet and patched
cx driver from application manager as a workaround in Diablo even?
Comment 42 Ben Klein 2009-04-23 15:33:45 UTC
I'm very disappointed that N810 currently doesn't support EAP-TTLS with PAP
inner auth. I'm impressed with it and in fact I'm using it right now on a
WPA-PSK network, but I got the N810 as a wifi-based browser for use at uni, and
uni (RMIT University Melbourne) use PAP inner auth. I've been looking for a
workaround and the most promising thing I've found is 
http://maemo.org/community/maemo-developers/libicd-network-wpa/?org_openpsa_qbpager_net_nemein_discussion_posts_page=1#d3a31796073a11deb00be161c0e713fa13fa
but I have no idea how to use it or if it even solves the problem.

This might not be a high priority for Nokia, but for me it's an essential
feature.
Without PAP inner-auth support, I cannot get the use out of my N810 that I
purchased it for :(

So if anyone has a working workaround I'd really appreciate it :)
Comment 43 Javier S. Pedro 2009-04-23 16:10:23 UTC
(In reply to comment #42)
> I've been looking for a
> workaround and the most promising thing I've found is 
> http://maemo.org/community/maemo-developers/libicd-network-wpa/?org_openpsa_qbpager_net_nemein_discussion_posts_page=1#d3a31796073a11deb00be161c0e713fa13fa
> but I have no idea how to use it or if it even solves the problem.

I wrote that. It is usable (I am using it daily), but far from perfect (fixed
to PSM always on, slow intra-ESS roaming, no GUI configuration; at least
autoconnecting works). Main problem is that it has a load of dependencies:
modified cx3110x, modified wlancond, modified wpa_supplicant, and that my
development process goes like: "build v.1, go to campus, roam around, hope it
doesn't crash, test, go home, analyze results, build v.2, go to campus..."
since I can't really test roaming at home.

Whenever I get some free time I will publish a few bits of documentation on
ITT, but don't really count on that.
Comment 44 johndoe32102002 2009-04-27 08:48:25 UTC
I cannot believe this has not been implemented in the original N810 Maemo
software upon marketing the device.  I wish all developers the best of speed
and luck in patching this!
Comment 45 Bruno Caminada 2009-06-23 22:08:34 UTC
This also happens here in Brazil at Unicamp. We use EAP-TTLS + PAP and as a
result, I can't use my N800 there, which was exactly why I bought it, making it
completely useless to me.

Please consider raising this bug's priority.
Comment 46 Quim Gil nokia 2009-06-24 09:27:43 UTC
This is no specific answer, but it's worth updating with some collateral
information:

EAP-TTLS+PAP now supported in S60
http://discussion.forum.nokia.com/forum/showpost.php?p=605403&postcount=133

Intel and Nokia are pleased to jointly launch the ConnMan project
http://connman.net/blogs/holtmann/2009/announcing-connmannet

"ConnMan is licensed under GPLv2, and provides a daemon for managing internet
connections within Linux devices. ConnMan is a fully modular system that can be
extended, through plug-ins, to support all kinds of wired or wireless
technologies. Configuration methods, like DHCP and domain name resolving, are
implemented using plug-ins as well. The plug-in approach allows for easy
adaption and modification for various use cases."
Comment 47 Quim Gil nokia 2009-06-26 13:50:07 UTC
(In reply to comment #22)
> It is not
> planned for Fremantle and at this point it's not even clear to have it
> supported in Harmattan.

Planned for Harmattan.
Comment 48 Ben Klein 2009-06-26 16:19:26 UTC
Good news for us! Will Harmattan be available for N8xx?
Comment 49 Andre Klapper maemo.org 2009-07-01 14:16:10 UTC
(In reply to comment #48)
> Good news for us! Will Harmattan be available for N8xx?

See for example http://talk.maemo.org/showthread.php?p=279460 .
Comment 50 Olivier Mengué 2009-08-11 12:16:16 UTC
Thanks to this bug I could not use my N800 tablet at YAPC::EU::2009, the
European conference for Perl developers. The conference was at the university
of science of Lisbon and wifi auth used EAP-TLS+PAP.

The tablet is a very useful tool at Open Source developers conferences to view
schedules, to chat through IRC or GTalk, and to browse the web to view
references given by the presenter.

Planned for Harmattan means available in one year at least on user devices,
doesn't it? And probably never on N800?
Comment 51 Andre Klapper maemo.org 2009-08-11 13:06:47 UTC
(In reply to comment #50)
> Planned for Harmatan means available in one year at least on user devices,
> isn't it? And probably never on N800?

Please see the comment directly before your comment.
Comment 52 Nick Leppänen Larsson 2009-09-23 20:43:49 UTC
(In reply to comment #33)
> What could happen:
> 
> - In Fremantle we enable the platform to allow this type of network. There is
> no UI or official instructions coming from us but the community or a third
> party could do it.
> 
> - In Harmattan it gets official support.

As it's now planned for Harmattan, does the above hold or will the platform for
it not be in Fremantle?
Comment 53 Lucas Maneos 2009-10-14 15:20:06 UTC
Posted to the maemo-developers mailing list (thread starting at
<http://lists.maemo.org/pipermail/maemo-developers/2009-October/021317.html>):

> It's in advanced settings, called "manual user name". To me, it
> worked as user at host.name and not as DOMAIN\user , in both fields.

The "manual user name" setting is also available in Diablo, reports on whether
that works welcome :-)
Comment 54 Javier S. Pedro 2009-10-14 15:31:35 UTC
(In reply to comment #53)
> Posted to the maemo-developers mailing list (thread starting at
> <http://lists.maemo.org/pipermail/maemo-developers/2009-October/021317.html>):
> 
> > It's in advanced settings, called "manual user name". To me, it
> > worked as user at host.name and not as DOMAIN\user , in both fields.
> 
> The "manual user name" setting is also available in Diablo, reports on whether
> that works welcome :-)

Not related to this bug report at all, as the poster clearly says "MSCHAPv2",
which is supported out of the box.
Comment 55 trip 2009-10-16 12:15:47 UTC
(In reply to comment #52)
> (In reply to comment #33)
> > What could happen:
> > 
> > - In Fremantle we enable the platform to allow this type of network. There is
> > no UI or official instructions coming from us but the community or a third
> > party could do it.
> > 
> > - In Harmattan it gets official support.
> 
> As it's now planned for Harmattan, does the above hold or will the platform for
> it not be in Fremantle?
> 

Is there an update on this? It would be a shame if this will not be available
at least as an update to Fremantle and the N900. My department (TU Munich,
Computer Science) moved to EAP-TTLS + PAP now, too (was last one to move).
Comment 56 Andre Klapper maemo.org 2009-10-19 13:52:23 UTC
(In reply to comment #55)
> Is there an update on this?

Current status is described here.
Comment 57 Friedrich Norspe 2009-10-21 04:51:53 UTC
(In reply to comment #56)
> (In reply to comment #55)
> > Is there an update on this?
> 
> Current status is described here.
> 

Where? I don't understand?

I also bought my internet tablet to become a better student, and since
yesterday I know:
I need an EAP-TTLS + PAP solution :(
Comment 58 Andre Klapper maemo.org 2009-10-21 16:50:25 UTC
(In reply to comment #57)
> Where? I don't understand?

This bug report is in open state, hence it is not fixed yet.
The Target Milestone is set to Harmattan (Maemo6).

Feel free to vote for this bug.
Comment 59 simonbroenner 2009-11-30 11:49:51 UTC
Well, my desire for the N900 just plummeted from 10/10 to about -2...

My university also uses Eduroam, but I'm not quite sure what authentication,
because two methods are listed: PEAP and EAP-MSCHAP v2 (screenshot:
http://i302.photobucket.com/albums/nn108/bemymonkey/eduroam.png). Which one's
actually in use? Both? Is this one of the encryption types that _should_ work
on the Nxxx?

Even if this does happen to be one of the encryption types that works, I'm
still not sure I'd still buy an N900 - what if the university decides to switch
encryption methods? :|
Comment 60 Ville Reijonen 2009-11-30 14:40:37 UTC
> because two methods are listed: PEAP and EAP-MSCHAP v2

PEAP + MSCHAPv2 should work just fine, unless there is something weird with
your site's hardware and setup. I made a wiki page, because this just seems to
pop up again and again.. http://wiki.maemo.org/PEAP%2BMSCHAPv2
Comment 61 simonbroenner 2009-11-30 14:51:55 UTC
(In reply to comment #60)
> > because two methods are listed: PEAP and EAP-MSCHAP v2
> 
> PEAP + MSCHAPv2 should work just fine, unless there is something weird with
> your site's hardware and setup. I made a wiki page, because this just seems to
> pop up again and again.. http://wiki.maemo.org/PEAP%2BMSCHAPv2
> 

Looks good, thank you. Guess I'll just have to try it out, and then hope that
my university doesn't decide to switch...

Does anyone know how quickly it would be possible to implement a third-party
fix? Would it be a matter of days after Nokia "enables" the core parts (as I
understand it the third party would only have to add a GUI for the newly
enabled features)? Or would it be more complicated and take longer?
Comment 62 Javier S. Pedro 2009-11-30 15:30:24 UTC
(In reply to comment #61)
>  
> Looks good, thank you. Guess I'll just have to try it out, and then hope that
> my university doesn't decide to switch...

You're being a bit paranoid, really.

> Does anyone know how quickly it would be possible to implement a third-party
> fix? Would it be a matter of days after Nokia "enables" the core parts (as I
> understand it the third party would only have to add a GUI for the newly
> enabled features)? Or would it be more complicated and take longer?

There have been no new "core parts" AFAIK. Either way I have a fix for it (see
above) but it's missing a GUI and forward porting to N900.
Comment 63 Janne Ylälehto nokia 2009-12-04 12:35:24 UTC
Created an attachment (id=1665) [details]
osso-wlan-security with PAP support

Here is osso-wlan-security package compiled with PAP support. Since there is no
GUI support this is just for the people who are really ready to play with the
device and desperately want this to work.

To use TTLS/PAP, you need to create TTLS/Mschapv2 IAP first from the GUI and
save username and password. Then you need to manually change the Gconf setting
called "PEAP_tunneled_eap_type" in the IAP settings to 98. Something like
this is needed:

gconftool-2 --set --type int '/system/osso/connectivity/IAP/<your just made IAP id here>/PEAP_tunneled_eap_type' '98'

This package hasn't seen the regular testing and verification yet so I'm
interested to hear if this works for you or not. Please comment.
Comment 64 Quim Gil nokia 2009-12-07 08:15:41 UTC
Javier/Janne, it looks like you have all the pieces in place to find a good
solution for Maemo 5! Looking forward to the next steps. Thank you for your
work.
Comment 65 Janne Ylälehto nokia 2009-12-08 10:01:58 UTC
(From update of attachment 1665 [details])
The attached package is only for Fremantle.
Comment 66 Thomas Perl 2009-12-08 20:12:27 UTC
(In reply to comment #65)
> (From update of attachment 1665 [details] [details])
> The attached package is only for Fremantle.

Sorry for going a bit offtopic here, but do you think that you can add support
for 802.1x authentication as well?

According to my University's website
(http://www.zid.tuwien.ac.at/en/kom/tunet/wlan/eduroam/), what is needed is
802.1x, WPA2/AES or WPA/TKIP, PEAP (MSCHAPv2), TTLS.
Comment 67 Javier S. Pedro 2009-12-08 21:48:24 UTC
(In reply to comment #66)
> Sorry for going a bit offtopic here, but do you think that you can add support
> for 802.1x authentication as well?

The tablets already support 802.1x authentication -- it's mandatory for
eduroam.


I've already installed Janne's package (thank you!). Seems to work fine with
WPA-PSK AES network, will be able to test PAP tomorrow.

Is the GUI for this planned? AFAIU, it will be harder to create a GUI that
"competes" with the WLAN_INFRA network type than my original plan of creating a
GUI for my libicd-network-wpa's different network type (WLAN_WPA).
Comment 68 Javier S. Pedro 2009-12-09 11:37:09 UTC
(In reply to comment #67)
> I've already installed Janne's package (thank you!). Seems to work fine with
> WPA-PSK AES network, will be able to test PAP tomorrow.

Associated and authenticated: it works! :)

Will spend rest of day connected and see what happens (battery-life wise and
the like).

Again, thank you Janne! I would have never imagined I would need to do so much
less work to get the N900 online.
Comment 69 Javier S. Pedro 2009-12-09 11:55:15 UTC
Unfortunately, it disconnected after a while.


[ 5357.431427] wl1251: firmware booted (Rev 6.0.4.156)
[ 5358.160888] wlan0: authenticate with AP 00:19:a9:a5:ef:61
[ 5358.164337] wlan0: authenticated
[ 5358.164367] wlan0: associate with AP 00:19:a9:a5:ef:61
[ 5358.353179] wlan0: associate with AP 00:19:a9:a5:ef:61
[ 5358.357696] wlan0: RX AssocResp from 00:19:a9:a5:ef:61 (capab=0x31 status=0
aid=21)
[ 5358.357727] wlan0: associated
(no messages for a while, everything works)
[ 5555.488586] wlan0 direct probe responded
[ 5555.488677] wlan0: authenticate with AP 00:19:a9:a5:ef:61
[ 5555.495269] wlan0: authenticated
[ 5555.495330] wlan0: associate with AP 00:19:a9:a5:ef:61
[ 5555.502441] wlan0: RX ReassocResp from 00:19:a9:a5:ef:61 (capab=0x431
status=0 aid=21)
[ 5555.502471] wlan0: associated
[ 5562.717376] wlan0: deauthenticating by local choice (reason=3)
[ 5562.971069] wl1251: down
[ 5563.751678] wl1251: 154 tx blocks at 0x3b788, 35 rx blocks at 0x3a780
[ 5563.767303] wl1251: firmware booted (Rev 6.0.4.156)
[ 5565.432891] wl1251: down
[ 6164.323272] wl1251: 154 tx blocks at 0x3b788, 35 rx blocks at 0x3a780
[ 6164.338897] wl1251: firmware booted (Rev 6.0.4.156)
[ 6165.887847] wl1251: down
Comment 70 Janne Ylälehto nokia 2009-12-10 14:58:27 UTC
(In reply to comment #69)
> Unfortunately, it disconnected after a while.

Thanks for testing. Does this happen always?
Comment 71 Javier S. Pedro 2009-12-10 18:34:00 UTC
(In reply to comment #70)
> (In reply to comment #69)
> > Unfortunately, it disconnected after a while.
> 
> Thanks for testing. Does this happen always?
> 

Curiously enough it seems to be happening less and less. Yesterday it happened
a total of 3 times between 10:00 and 14:00, spaced irregularly (unfortunately I
don't really know when it gets disconnected until I notice that I've been not
getting mail). That afternoon it happened once between 15 and 16, then went
stable from 16 to 21. This morning it happened once at 11:00 (I actually saw
this one, it had been like 30 minutes connected), then has been stable so far.
No roaming.

I cannot guess a pattern. It does not seem related to my own activity on the
device, and considering it tends to happen more in the mornings my wild guess
is network activity from other peers? (since on mornings network is more
active)


Note also that autoconnect does NOT work, and I can reproduce it:  even after
10 minutes, it does not autoconnect. An app requesting a connection does not
cause it to autoconnect to Eduroam even when it's the only IAP available.
Tapping on the "Internet connection" status bar item and then choosing Eduroam
works.

Maybe-useful: this is a hidden SSID.
Comment 72 Kamil Erhard 2009-12-10 19:29:12 UTC
I used it during the last three days (at TU Darmstadt) and it worked pretty
well.
It disconnects occasionally but never during active usage.
It then falls back to my 3G connections, so i never really notice the
disconnection.
Autoconnect doesn't work for me neither and our SSID is not hidden.
Comment 73 Janne Ylälehto nokia 2009-12-11 11:47:45 UTC
(In reply to comment #71)
> (In reply to comment #70)
> > (In reply to comment #69)
> > > Unfortunately, it disconnected after a while.
> > 
> > Thanks for testing. Does this happen always?
> > 
> Curiously enough it seems to be happening less and less.

Thanks, my guess is that those disconnects have nothing to do with TTLS/PAP
authentication but something that would happen with any authentication method.

> Note also that autoconnect does NOT work, and I can reproduce it:  even after
> 10 minutes, it does not autoconnect. An app requesting a connection does not
> cause it to autoconnect to Eduroam even when it's the only IAP available.

Autoconnect to WPA-EAP SSIDs does not work unfortunately. There might be even
open bug about it.
Comment 74 Lucas Maneos 2009-12-11 12:59:27 UTC
(In reply to comment #73)
> Autoconnect to WPA-EAP SSIDs does not work unfortunately. There might be even
> open bug about it.

Bug 3399.
Comment 75 Yahya 2009-12-20 14:10:09 UTC
(In reply to comment #22)

Just want to mention that it's not only universities that need this feature. I
work at a Fortune 100 corp with over 80 thousand employees and EAP-TTLS-PAP is
used throughout the organization.
Comment 76 Tom 2010-01-04 15:32:56 UTC
Is there likely to be gui support for this? Eduroam is a rather large network
for this not to happen. PAP is used at all of the major Australian universities, so
this feature is desperately needed!

I'll be able to provide some extra feedback performance wise of the patch in
the next few days
Comment 77 Jono 2010-01-06 00:07:21 UTC
I want to access the eduroam network at cardiff university, and it looks as
though there is a way using Janne's patch above, but i don't have the linux
know-how to get that working. Are nokia likely to take this feature seriously and
add it any time soon?
Comment 78 Andre Klapper maemo.org 2010-01-06 00:17:49 UTC
(In reply to comment #77)
> add it any time soon?

Note that currently the Target Milestone here is set to Maemo6.
Comment 79 Jono 2010-01-06 04:39:33 UTC
(In reply to comment #78)
> (In reply to comment #77)
> > add it any time soon?
> 
> Note that currently the Target Milestone here is set to Maemo6.
> 

ah ok, Harmattan is maemo 6? looks like i better get used to the terminal!! im
scared to brick my baby. Is anyone likely to write a completely automated script
based on something like Janne's fix? 

I want n900 to be THE iPhone killer but little things like this are going to
hold it back. it's a big shame, the platform is amazing
Comment 80 Jono 2010-01-06 05:14:08 UTC
> 
> To use TTLS/PAP, you need to create TTLS/Mschapv2 IAP first from the GUI and
> save username and password. Then you need to manually change from the IAP
> settings in Gconf setting called "PEAP_tunneled_eap_type" to 98. Something like
> this is needed: gconftool-2 --set --type int
> '/system/osso/connectivity/IAP/<your just made IAP id
> here>/PEAP_tunneled_eap_type' '98'
> 


ok, i set up the TTLS with Mschapv2 and user name password, run the command 

gconftool-2 --set --type int '/system/osso/connectivity/IAP/eduroam/PEAP_tunneled_eap_type' '98'

in terminal with no errors, and then went and took the red pill to install your
.deb file from memory card using the app manager, but it returns the error
"unable to update 'osso-wlan-security'. incomaptible application package."

im running n900 1.2009.42-11.203.2

Am i doing something seriously wrong? I hate being a newb lol
Comment 81 Tom 2010-01-13 08:09:16 UTC
It works here on my end.

Jono, you need to install the package as root with:

dpkg -i osso-wlan-security_2.0.34.1_armel.deb

Configure the IAP for mschapv2, then you need to use gconftool to find your iap
address. Something like this will list the addresses:

gconftool-2 --all-dirs /system/osso/connectivity/IAP

Then you need to filter through them and find the one which corresponds
to eduroam, running this for each of them:

gconftool-2 -a /system/osso/connectivity/IAP/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

then change the "PEAP_tunneled_eap_type" to 98 for the corresponding iap like
so:

gconftool-2 --set --type int '/system/osso/connectivity/IAP/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/PEAP_tunneled_eap_type' '98'

where xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is your iap address

connect and voila

tom
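
The manual steps from comments 63 and 81, as an added example script that is not part of the thread or of any Maemo package. It uses the gconftool-2 options quoted above plus `--get`; the function names and the overridable `GCONFTOOL` variable are assumptions made for this example, and it refuses to write unless exactly one IAP matches.

```shell
#!/bin/sh
# Added example: scripted version of the manual TTLS/PAP switch from the thread.
# The IAP must already exist as TTLS/MSCHAPv2 with username and password saved.

IAP_ROOT=/system/osso/connectivity/IAP
PAP_TYPE=98                          # inner-method value given in comment 63
GCONFTOOL=${GCONFTOOL:-gconftool-2}  # assumption: overridable for off-device dry runs

# Print every IAP directory whose settings dump contains the given string
# (for example the connection name chosen in the GUI).
find_iaps() {
    needle=$1
    "$GCONFTOOL" --all-dirs "$IAP_ROOT" | while IFS= read -r dir; do
        # --all-dirs indents its output; strip leading whitespace.
        dir=$(printf '%s' "$dir" | sed 's/^[[:space:]]*//')
        [ -n "$dir" ] || continue
        dump=$("$GCONFTOOL" -a "$dir") || continue
        case $dump in
            *"$needle"*) printf '%s\n' "$dir" ;;
        esac
    done
}

# Set PEAP_tunneled_eap_type to 98 on the single matching IAP and read it back.
enable_pap() {
    needle=$1
    matches=$(find_iaps "$needle")
    count=$(printf '%s' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        # Zero matches: wrong name. Several matches: ambiguous, do not guess.
        echo "need exactly one IAP matching '$needle', found $count" >&2
        return 1
    fi
    key=$matches/PEAP_tunneled_eap_type
    # Show the old value so the change can be reverted by hand.
    previous=$("$GCONFTOOL" --get "$key" 2>/dev/null || true)
    echo "IAP: $matches (previous inner type: ${previous:-unset})"
    "$GCONFTOOL" --set --type int "$key" "$PAP_TYPE" || return 1
    # Confirm the write took effect.
    [ "$("$GCONFTOOL" --get "$key")" = "$PAP_TYPE" ]
}

# Run only when a search string is passed, e.g.: sh enable-pap.sh eduroam
if [ "$#" -gt 0 ]; then
    enable_pap "$1"
fi
```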
Comment 82 kristijan 2010-01-15 09:02:47 UTC
the package "osso-wlan-security" has been updated in new firmware:
http://repository.maemo.org/stable/5.0/Changelog_1.2009.42-11_vs_2.2009.51-1.txt
with no PAP support :/
Comment 83 Michael Papile 2010-01-15 22:15:50 UTC
(In reply to comment #82)
> the package "osso-wlan-security" has been updated in new firmware:
> http://repository.maemo.org/stable/5.0/Changelog_1.2009.42-11_vs_2.2009.51-1.txt
> with no PAP support :/
> 
Yes also now when I installed the patched version with PAP, it does not work at
all anymore.  If Janne could update us with another version with the PAP patch,
it would be helpful.
Comment 84 Jono 2010-01-15 23:24:26 UTC
The patch breaks my wifi completely under new firmware 2.2009.51
Comment 85 dmitrid 2010-01-16 04:41:12 UTC
(In reply to comment #84)
> The patch breaks my wifi completely under new firmware 2.2009.51

The same story for me. Can someone upload here the original osso-wlan-security from
2.2009.51 firmware? Maybe it helps to avoid re-flashing the device anew.
Comment 86 dmitrid 2010-01-17 01:32:01 UTC
(In reply to comment #85)
> (In reply to comment #84)
> > The patch breaks my wifi completely under new firmware 2.2009.51
> The same story for me. Can someone upload here the original osso-wlan-security from
> 2.2009.51 firmware? Maybe it helps to avoid re-flashing the device anew.

It's solved. N900 identified itself that osso-wlan-security is out of date and
suggested to fix Maemo 5. That repaired my device.
Comment 87 Tom 2010-01-17 12:08:41 UTC
I've emailed Janne, hopefully we'll have a patch with pap support.

In the meantime, keep voting for this bug!

btw: a simple apt-get install osso-wlan-security upgraded from the non working
pap-patched package
Comment 88 Tom 2010-01-19 14:58:50 UTC
I emailed Janne, he's on vacation until the start of feb and won't be able to
make an upgraded package until then. So I guess we're going to have to sit
tight!

Tom
Comment 89 Ramon 2010-01-21 15:53:51 UTC
(In reply to comment #63)
> Created an attachment (id=1665) [details] [details]
> osso-wlan-security with PAP support
> 
I've got an n810/Diablo and I see the patch is for Fremantle. Any chance to
test the patch with Diablo? PAP support is also required at my university,
Valladolid (Spain) for Eduroam. 
In fact, I've got a colleague (strong Linux supporter) that was interested in
my n810 and immediately asked about the Eduroam support. 
Thanks for discussing this bug. 

Ramón
Comment 90 Ray 2010-01-23 11:37:29 UTC
Any chance the updated patch gets included with the next firmware release for
Maemo5?
Comment 91 Andre Klapper maemo.org 2010-01-28 01:59:51 UTC
As on popular demand from general public, this has been fixed in package
osso-wlan-security 2.0.38+0m5
which is part of the internal build version
2010.01-6
(2010 is the year, and the number after is the week.)

Note: There is no User Interface implementation to support this, but now it is
at least possible. This was tested only by using gconftool to setup the IAP.

A future public update released with the year/week later than this internal
build version will include the fix. (This is not always already the next public
update.)
Please verify that this new version fixes the bug by marking this bug report as
VERIFIED after the public update has been released and if you have some time.

To answer popular followup questions:
 * Nokia does not announce release dates of public updates in advance.
 * There is currently no access to these internal, non-public build versions.
   A Brainstorm proposal to change this exists at
http://maemo.org/community/brainstorm/view/undelayed_bugfix_releases_for_nokia_open_source_packages-002/
Comment 92 Janne Ylälehto nokia 2010-02-02 12:29:50 UTC
(From update of attachment 1665 [details])
This version is now obsolete since it does not work with later firmware
versions. Fixed version should be in the next public update.
Comment 93 Peter Jriffin 2010-02-17 09:43:35 UTC
No Eduroam in 3.2010.02-8 version

:( :( :(
Comment 94 shinydoofy 2010-02-17 09:49:05 UTC
(In reply to comment #93)
> No Eduroam in 3.2010.02-8 version
Try going over your settings once more? :/

Somehow I had been affected by this bug as well, being that my university uses
WPA2 and PEAP/MSCHAPv2. I couldn't seem to log in (deauthenticating by local
choice, reason 3) before updating to the latest version. So as of yesterday
morning's update, I can finally get online on campus without using my 3G
connection. Thanks for fixing this!
Comment 95 pfoh 2010-02-17 14:51:13 UTC
(In reply to comment #94)
> (In reply to comment #93)
> > No Eduroam in 3.2010.02-8 version
> Try going over your settings once more? :/
> 
> Somehow I had been affected by this bug as well, being that my university uses
> WPA2 and PEAP/MSCHAPv2. I couldn't seem to log in (deauthenticating by local
> choice, reason 3) before updating to the latest version. So as of yesterday
> morning's update, I can finally get online on campus without using my 3G
> connection. Thanks for fixing this!
> 

Your experience is unrelated to this bug as MSCHAPv2 has been supported even
before this last release.  This bug still seems to be an issue.  At least there
is no UI option to use PAP.  What confuses me is that Andre stated, "Note:
There is no User Interface implementation to support this, but now it is at
least possible. This was tested only by using gconftool to setup the IAP." 
Does this mean that there will never be a UI option to use PAP?

In any case, I tried with gconftool and get an "Authentication failed" message.
It seems as though this is still an issue, can anyone confirm?
Comment 96 Janne Ylälehto nokia 2010-02-17 14:58:27 UTC
(In reply to comment #95)
> In any case, I tried with gconftool and get an "Authentication failed" message.
> It seems as though this is still an issue, can anyone confirm? 

I believe the fix is still in the queue and the target is the next major
update.
Comment 97 Andre Klapper maemo.org 2010-03-15 20:52:24 UTC
Setting explicit PR1.2 milestone (so it's clearer in which public release the
fix will be available to users).

Sorry for the bugmail noise (you can filter on this message).
Comment 98 Peter Jriffin 2010-05-03 23:27:54 UTC
Is it normal to wait 3 months or more for this kind of update???

I'm very disappointed with maemo and Nokia.
Comment 99 kristijan 2010-05-04 00:05:55 UTC
(In reply to comment #98)
> Is it normal to wait 3 months or more for this kind of update???
> 
> I'm very disappointed with maemo and Nokia.
> 

i have on my n900 leaked pr 1.2 and Eduroam is not working,
it is 10.2010.12-9, so AFTER 

"which is part of the internal build version 2010.01-6"

leaked pr is not good, or the problem is not resolved?
Comment 100 Kamil Erhard 2010-05-04 08:17:31 UTC
it works for me with (leaked) pr1.2.
but i still get occasional disconnections after some idle time.
Comment 101 kristijan 2010-05-04 09:06:41 UTC
(In reply to comment #100)
> it works for me with (leaked) pr1.2.
> but i still get occasional disconnections after some idle time.
> 

how did you configure eduroam? anything special? 
i have the cert install, and i can see it under settings cert, but i can choose
it in wlan settings!
Comment 102 Kamil Erhard 2010-05-04 11:57:34 UTC
certificate selection still doesn't work for me, but i could always connect
without one (bug 3867).

i still had the configured connection i had setup with the info in #63.
it didn't work with pr1.1, but now does work.
i will try tomorrow if it works with a new auto configured connection.
Comment 103 Andre Klapper maemo.org 2010-05-04 13:26:39 UTC
Kamil, Kristijan: Please move to talk.maemo.org for discussion or help getting
this to work. Here in Bugzilla it just creates bugmail for everybody and is the
wrong place. Thanks a lot!
Comment 104 Eric Fraga 2010-05-04 13:49:02 UTC
I am confused.  I have read all the comments but seem to have missed how this
issue has been resolved/fixed?  I have a Nokia N810 and our eduroam connections
require PAP with certificate.  Can somebody please advise as to where the
solution has been presented?

Thanks.
Comment 105 Andre Klapper maemo.org 2010-05-04 14:12:33 UTC
(In reply to comment #104)
> I have a Nokia N810

This issue has been FIXED in an internal Maemo5 version (=N900). Unfortunately
this is a WONTFIX for Maemo4 (=N810).
For your interest the Mer project aims to provide a community backport of
Maemo5 for 770/N8x0 devices. See http://wiki.maemo.org/Mer for more
information.
Comment 106 Tristan Henderson 2010-05-25 12:35:04 UTC
I have upgraded to PR1.2 and followed the gconftool instructions but am unable
to connect to our Eduroam (EAP-TTLS + PAP) network. I receive an
"Authentication Failed" message. Any help on how to debug this would be greatly
appreciated.
Comment 107 Janne Ylälehto nokia 2010-05-25 13:28:21 UTC
Created an attachment (id=2734) [details]
A small QT application to enable PAP GUI

This might help someone else. I wrote a small QT application to enable a hidden
PAP GUI support in PR1.2. Just launch the application and tap "Allow TTLS/PAP".

After enabling PAP in GUI one does not need to use gconftool to make PAP
internet access points. I tested this with the official PR1.2 image and it
seemed to work when making the connection through the control panel but not
when tapping the "Internet connection" from the main view.
Comment 108 Tristan Henderson 2010-05-25 15:06:16 UTC
(In reply to comment #107)
Thanks! That worked fine. I must have made a mistake with the gconftool
commands. I still can't choose a certificate, but will comment on the correct
bug.
Comment 109 Thomas Bahn 2010-05-25 15:57:13 UTC
(In reply to comment #108)
> (In reply to comment #107)
> Thanks! That worked fine. I must have made a mistake with the gconftool
> commands. I still can't choose a certificate, but will comment on the correct
> bug.
> 

Thanks a lot!

In reply to Tristan Henderson's comment i can tell you that the certificate box
on the fourth step in the wizard (that is where you select EAP-PAP) can be left
as 'none'. It is only used for user authentication, not for verifying the
server (CA).

I have read this here -> https://bugs.maemo.org/show_bug.cgi?id=327#c16

I can't verify this because i don't have school this time ;)
Hope that helps ;)

sorry if my english is bad... i am learning it for years now ;)
Comment 110 cadeddu 2010-05-27 10:00:56 UTC
after upgrading w/ pr1.2 and enabling pap authentication w/ the gui as reported
a few posts ago I still receive authentication error. I've tried to edit the old
connection and to delete/create a new one but still nothing. Am I the only one?
Comment 111 Lucas Nussbaum 2010-05-27 12:06:09 UTC
cadeddu: it works for me. Have you tried connecting from another machine?
Comment 112 cadeddu 2010-05-27 12:48:04 UTC
(In reply to comment #111)
> cadeddu: it works for me. Have you tried connecting from another machine?
> 

I've tried from the laptop and works with no problems. I've no others n900 for
testing. :) Also tried reboot/disconnect/rain-dance but still no way
Comment 113 Janne Ylälehto nokia 2010-05-27 13:35:09 UTC
(In reply to comment #112)
> (In reply to comment #111)
> > cadeddu: it works for me. Have you tried connecting from another machine?
> > 
> 
> I've tried from the laptop and works with no problems. I've no others n900 for
> testing. :) Also tried reboot/disconnect/rain-dance but still no way
> 

It would really help if you could provide a syslog with wlancond debug info.

http://wiki.maemo.org/Documentation/devtools/maemo5/syslog

and run "gconftool-2 --set --type int
'/system/osso/connectivity/IAP/wlancond_debug_level' '2'" and after that reboot
to make wlancond print debug information to syslog.
Comment 114 Luis Llana 2010-05-27 15:32:23 UTC
Hello,
  I am still having problems with eduroam at my institution. I have attached
the part of the syslog that I think is relevant. It says something about a
certificate. In my PC (with debian) I did not need to introduce a certificate.
Instead the institution gave me an "anonymous identity" that I have not been
able to introduce in the N900 (pr1.2).



May 27 14:19:46 Nokia-N900 wlancond[1158]: Setting SSID: eduroam
May 27 14:19:46 Nokia-N900 kernel: [ 4211.073425] wlan0: authenticate with AP
00:11:88:82:88:e4
May 27 14:19:46 Nokia-N900 kernel: [ 4211.076721] wlan0: authenticated
May 27 14:19:46 Nokia-N900 kernel: [ 4211.076782] wlan0: associate with AP
00:11:88:82:88:e4
May 27 14:19:46 Nokia-N900 kernel: [ 4211.085357] wlan0: RX AssocResp from
00:11:88:82:88:e4 (capab=0x431 status=0 aid=3)
May 27 14:19:46 Nokia-N900 kernel: [ 4211.085388] wlan0: associated
May 27 14:19:46 Nokia-N900 wlancond[1158]: SIOCGIWAP: 00:11:88:82:88:e4
May 27 14:19:46 Nokia-N900 EAP[1821]: certman_main.cpp(174): ERROR Invalid
certificate '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
Authority'
May 27 14:19:46 Nokia-N900 EAP[1821]: certman_main.cpp(174): ERROR Invalid
certificate '/C=US/O=GeoTrust Inc./OU=(c) 2007 GeoTrust Inc. - For authorized
use only/CN=GeoTrust Primary Certification Authority - G2'
May 27 14:19:47 Nokia-N900 EAP[1821]: certman_main.cpp(174): ERROR Invalid
certificate '/C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad
CA/OU=Certificaciones/CN=IPS SERVIDORES/emailAddress=ips@mail.ips.es'
May 27 14:19:47 Nokia-N900 EAP[1821]: certman_main.cpp(174): ERROR Invalid
certificate '/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO ECC Certification Authority'
May 27 14:19:47 Nokia-N900 EAP[1821]: certman_main.cpp(174): ERROR Invalid
certificate '/C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use
only/CN=thawte Primary Root CA - G2'
May 27 14:19:47 Nokia-N900 EAP[1821]: certman_main.cpp(174): ERROR Invalid
certificate '/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
Certification Authority - G4'
May 27 14:19:47 Nokia-N900 cellular: csd[776]: ISI_SMS .986177>
ind_reg_status(): Net registration (ind) status:1 rc:0
May 27 14:19:47 Nokia-N900 cellular: csd[776]: ISI_SMS .987398> set_timeout():
Timeout 2221 s event type:-1
May 27 14:19:48 Nokia-N900 EAP[1821]: certman_main.cpp(828): ERROR
'certman.wifi-ca' does not exists
May 27 14:19:48 Nokia-N900 wlancond[1158]: Wlancond state change, old_state:
WLAN_INITIALIZED_FOR_CONNECTION, new_state: WLAN_NO_ADDRESS
May 27 14:19:48 Nokia-N900 wlancond[1158]: Received
Phone.Net.registration_status_change
May 27 14:19:48 Nokia-N900 wlancond[1158]: Handled csd signal, country:214
May 27 14:19:48 Nokia-N900 icd2 0.87+fremantle9+0m5[1210]: connecting iap
0x42af0 in state ICD_IAP_STATE_LINK_POST_UP: interface is 'wlan0'
May 27 14:19:48 Nokia-N900 wlancond[1158]: SIOCGIWAP: 00:00:00:00:00:00
May 27 14:19:48 Nokia-N900 kernel: [ 4213.192993] wlan0: deauthenticated
May 27 14:19:48 Nokia-N900 wlancond[1158]: Key clearing failed
May 27 14:19:48 Nokia-N900 wlancond[1158]: Setting BSSID 00:00:00:00:00:00
May 27 14:19:48 Nokia-N900 wlancond[1158]: Setting SSID: 
May 27 14:19:48 Nokia-N900 wlancond[1158]: Setting IE, len:22
May 27 14:19:48 Nokia-N900 wlancond[1158]: Trying to find a new connection
May 27 14:19:48 Nokia-N900 wlancond[1158]: Found entry to be decreased:
00:11:88:82:88:e4
May 27 14:19:48 Nokia-N900 wlancond[1158]: Wlancond state change, old_state:
WLAN_NO_ADDRESS, new_state: WLAN_INITIALIZED_FOR_CONNECTION
May 27 14:19:48 Nokia-N900 wlancond[1158]: Found AP: 00:11:88:82:88:e4
May 27 14:19:48 Nokia-N900 wlancond[1158]: Best connection: -99 (old -99)
May 27 14:19:48 Nokia-N900 wlancond[1158]: Found AP: 00:11:88:82:88:54
May 27 14:19:48 Nokia-N900 wlancond[1158]: Best connection: -87 (old -99)
May 27 14:19:48 Nokia-N900 wlancond[1158]: Starting to associate
May 27 14:19:48 Nokia-N900 wlancond[1158]: AES selected for unicast
May 27 14:19:48 Nokia-N900 wlancond[1158]: TKIP Selected for multicast
May 27 14:19:48 Nokia-N900 wlancond[1158]: No cached pmksa found from eapd
May 27 14:19:48 Nokia-N900 wlancond[1158]: Setting IE, len:22
May 27 14:19:48 Nokia-N900 wlancond[1158]: Setting channel: 11
May 27 14:19:48 Nokia-N900 wlancond[1158]: Setting BSSID 00:11:88:82:88:54
May 27 14:19:48 Nokia-N900 wlancond[1158]: Setting SSID: eduroam
May 27 14:19:48 Nokia-N900 wlancond[1158]: Scan results ready -- not requested
May 27 14:19:48 Nokia-N900 kernel: [ 4213.758148] wlan0: authenticate with AP
00:11:88:82:88:54
May 27 14:19:48 Nokia-N900 kernel: [ 4213.762054] wlan0: authenticated
May 27 14:19:48 Nokia-N900 kernel: [ 4213.762115] wlan0: associate with AP
00:11:88:82:88:54
May 27 14:19:48 Nokia-N900 kernel: [ 4213.767822] wlan0: RX AssocResp from
00:11:88:82:88:54 (capab=0x431 status=0 aid=1)
May 27 14:19:48 Nokia-N900 kernel: [ 4213.767852] wlan0: associated
May 27 14:19:48 Nokia-N900 wlancond[1158]: SIOCGIWAP: 00:11:88:82:88:54
May 27 14:19:49 Nokia-N900 wlancond[1158]: Wlancond state change, old_state:
WLAN_INITIALIZED_FOR_CONNECTION, new_state: WLAN_NO_ADDRESS
May 27 14:19:49 Nokia-N900 EAP[1821]: certman_main.cpp(174): ERROR Invalid
certificate '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
Authority'
May 27 14:19:49 Nokia-N900 EAP[1821]: certman_main.cpp(174): ERROR Invalid
certificate '/C=US/O=GeoTrust Inc./OU=(c) 2007 GeoTrust Inc. - For authorized
use only/CN=GeoTrust Primary Certification Authority - G2'
May 27 14:19:50 Nokia-N900 kernel: [ 4214.869689] wlan0: roaming signal from
driver, sending LOWSIGNAL
May 27 14:19:50 Nokia-N900 wlancond[1158]: Low signal
May 27 14:19:50 Nokia-N900 EAP[1821]: certman_main.cpp(174): ERROR Invalid
certificate '/C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad
CA/OU=Certificaciones/CN=IPS SERVIDORES/emailAddress=ips@mail.ips.es'
May 27 14:19:50 Nokia-N900 EAP[1821]: certman_main.cpp(174): ERROR Invalid
certificate '/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO ECC Certification Authority'
May 27 14:19:50 Nokia-N900 EAP[1821]: certman_main.cpp(174): ERROR Invalid
certificate '/C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use
only/CN=thawte Primary Root CA - G2'
May 27 14:19:50 Nokia-N900 EAP[1821]: certman_main.cpp(174): ERROR Invalid
certificate '/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
Certification Authority - G4'
May 27 14:19:50 Nokia-N900 EAP[1821]: certman_main.cpp(828): ERROR
'certman.wifi-ca' does not exists
May 27 14:19:56 Nokia-N900 wlancond[1158]: Received
com.nokia.wlancond.request.disassociate
May 27 14:19:56 Nokia-N900 wlancond[1158]: Received disassociate
May 27 14:19:56 Nokia-N900 wlancond[1158]: Disassociating
May 27 14:19:56 Nokia-N900 kernel: [ 4220.869232] wlan0: disassociating by
local choice (reason=3)
May 27 14:19:56 Nokia-N900 wlancond[1158]: Wlancond state change, old_state:
WLAN_NO_ADDRESS, new_state: WLAN_INITIALIZED_FOR_CONNECTION
May 27 14:19:56 Nokia-N900 wlancond[1158]: Disassociated, trying to find a new
connection
May 27 14:19:56 Nokia-N900 wlancond[1158]: Wlancond scan change, old_state:
SCAN_IDLE, new_state: SCANNING
Comment 115 cadeddu 2010-05-27 16:15:53 UTC
Created an attachment (id=2760) [details]
syslog_extract
Comment 116 cadeddu 2010-05-27 16:16:55 UTC
I've attached part of the syslog as requested. hope it is enough. Thanks!
Comment 117 Juhani Mäkelä nokia 2010-05-27 16:58:07 UTC
(In reply to comment #114)
The certificate errors are caused by various reasons:
- IPS SERVIDORES/emailAddress=ips@mail.ips.es expired 2009-12-29
- RSA Data Security, Inc., OU=Secure Server Certification Authority expired
2010-01-07

These
- GeoTrust Primary Certification Authority - G2 
- COMODO Certification Authority
- thawte Primary Root CA - G2 
- VeriSign Class 3 Public Primary Certification Authority - G4
...use a signature algorithm our old openssl 0.9.8g doesn't understand.

If you check on your PC with the Mozilla browser's "Edit" -> "Preferences" ->
"Advanced" -> "Encryption" -> "View certificates" -> "Your certificates" ->
"View" -> "Details" your certificate's trust chain, and it ends up at one of
the latter four, then that's the reason for your problem and the only way to
make it work is to patch OpenSSL, sorry! (I can provide you the patch if you
are game.)
Comment 118 Luis Llana 2010-05-27 17:30:52 UTC
>  (I can provide you the patch if you are game.)
> 
That would be nice.

Luis.
Comment 119 cadeddu 2010-05-27 19:12:20 UTC
(In reply to comment #117)
> (In reply to comment #114)
> The certificate errors are caused by various reasons:
> - IPS SERVIDORES/emailAddress=ips@mail.ips.es expired 2009-12-29
> - RSA Data Security, Inc., OU=Secure Server Certification Authority expired
> 2010-01-07
> 
> These
> - GeoTrust Primary Certification Authority - G2 
> - COMODO Certification Authority
> - thawte Primary Root CA - G2 
> - VeriSign Class 3 Public Primary Certification Authority - G4
> ...use a signature algorithm our old openssl 0.9.8g doesn't understand.
> 
> If you check on your PC with the Mozilla browser's "Edit" -> "Preferences" ->
> "Advanced" -> "Encryption" -> "View certificates" -> "Your certificates" ->
> "View" -> "Details" your certificate's trust chain, and it ends up at one of
> the latter four, 

The list in my "Your certificates" is empty. I'm not sure I have understood
what the issue is... Could you explain better, please? What's going on?
Can't I simply delete the certificates?

> (I can provide you the patch if you are game.)
Help please :)
What are the pros & cons of this patch? Your tone is kind of scary...
Again,
thanks
Comment 120 Andre Klapper maemo.org 2010-05-27 19:18:10 UTC
(In reply to comment #119)
> What are the pros & cons of this patch? Your tone is kind of scary...

That probably just meant: If you have some tech background and are willing to
compile in Scratchbox. If not, it's nothing for you. :)
Comment 121 Juhani Mäkelä nokia 2010-05-28 09:45:05 UTC
(In reply to comment #120)
> That probably just meant: If you have some tech background and are willing to
> compile in Scratchbox. If not, it's nothing for you. :)

Yes, that was exactly what I meant, thanks Andre! The patch is a backport from
openssl-0.9.8g-16 to openssl-0.9.8g-15:

openssl-0.9.8g-15$ git diff crypto/x509/x509_vfy.c
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 9a62ebc..86ee58e 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -982,7 +982,11 @@ static int internal_verify(X509_STORE_CTX *ctx)
        while (n >= 0)
                {
                ctx->error_depth=n;
-               if (!xs->valid)
+
+               /* Skip signature check for self signed certificates. It
+                * doesn't add any security and just wastes time.
+                */
+               if (!xs->valid && xs != xi)
                        {
                        if ((pkey=X509_get_pubkey(xi)) == NULL)
                                {
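Review bot: the added comment above `if (!xs->valid && xs != xi)` justifies the skip only as saving time; it should also say why skipping is safe, namely that a self-signed certificate at this position is trusted because it is in the trust store and not because its own signature verifies. It should also record the side effect: a self-signed certificate whose signature cannot be checked (unsupported algorithm or damaged data) is no longer rejected at this point. The `xs != xi` test is a pointer comparison, so it only identifies the self-signed case if xi was set to xs earlier in internal_verify, which is outside this hunk; a pointer to that assignment in the comment would make the condition easier to audit.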

The comment is from the original OpenSSL developers and I believe it's true.
This enables the four root certificates (GeoTrust G2, COMODO, thawte G2 or
Verisign G4) that use the ecdsa-with-SHA384 signature algorithm. To apply it you
need to set up the scratchbox, get the source with "apt-get source openssl", make the
change and build with "dpkg-buildpackage -rfakeroot". The binary package to be
installed is libssl0.9.8_0.9.8g-15_armel.deb.

This is quite a lot of work, so it might make sense to make sure that it's
worthwhile. I assumed you were using EAP-TLS or EAP-PEAP with a client
certificate and thought that by looking at who signed it you could assume that the
access point's certificates are signed by the same authority. But obviously you
don't have a client certificate. (Well, the browser is anyway the wrong place
to look if you are using the certificate for WLAN authentication. Silly
me!)

So what's the right way to find out who signed the access point certificate,
then? I honestly don't know. Maybe your best bet is just to ask your network
maintainer whether their certificates are signed by any of these four
problematic roots.

However, I really don't think that's actually the problem, as the WLAN should
give you an option to connect even if the access point certificate cannot be
verified. If this is not the case, I would guess the root cause lies elsewhere.
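The two failure classes listed in comment 117 (an expired root, and a root signed with an algorithm the local OpenSSL cannot verify) can be checked per CA file with the openssl command line. This is an added example, not part of the bug thread or of Maemo's code; the function names and the sample root are constructed here, and the UNSUPPORTED list holds only the algorithm named in comment 121.

```shell
#!/bin/sh
# Added example: classify CA certificate files by the two causes in comment 117.
# UNSUPPORTED is an assumption: it lists only the algorithm comment 121 names.
UNSUPPORTED="ecdsa-with-SHA384"

# Print the certificate's signature algorithm name.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed if subject and issuer names hash to the same value (self-issued root).
cert_is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Print one verdict: expired, unsupported-sigalg:<name>, or ok:<name>.
classify_ca() {
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo "expired"; return
    fi
    alg=$(cert_sigalg "$1")
    for bad in $UNSUPPORTED; do
        if [ "$alg" = "$bad" ]; then echo "unsupported-sigalg:$alg"; return; fi
    done
    echo "ok:$alg"
}

# Constructed sample input: a throwaway self-signed P-384 root, SHA-384 signed.
make_sample_root() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$1/root.key" &&
    openssl req -new -x509 -key "$1/root.key" -sha384 -days 1 \
        -subj "/CN=Constructed Sample Root" -out "$1/root.pem"
}

# Classify every PEM file given on the command line.
for f in "$@"; do
    printf '%s\t%s\n' "$f" "$(classify_ca "$f")"
done
```

Run it with the PEM files of the CA store as arguments; a root reported as unsupported-sigalg is one the unpatched openssl 0.9.8g described above would fail to verify.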
Comment 122 Jeffery MacEachern 2010-06-05 01:49:40 UTC
We have a bunch of N900s at my university, which uses TTLS+PAP, and this fix
works for the most part.  However, as it sounds like other people may have
experienced, it only authenticates if I edit a pre-existing Connection to match
the configuration I need; if I try to connect through the status menu button
with identical parameters, it fails authentication every time.
I don't like to speculate on bug reports, but I'm wondering if the two methods
of configuration (via Settings and via the status menu) are using common code,
or - if not - if the latter could be botching the inputted data somehow.  (I'd
check, but the UI for this isn't FOSS, is it?)  It seems a bit odd that
entering identical data would cause two different results, consistently.
Comment 123 Jeffery MacEachern 2010-06-05 01:55:20 UTC
Oops, I forgot to mention that it also doesn't seem to auto-connect, whether
starting from a cell connection or no connection at all.  I'm not sure if this
is related, or a separate bug.
Comment 124 John Veness 2010-06-05 18:49:16 UTC
(In reply to comment #123)
> Oops, I forgot to mention that it also doesn't seem to auto-connect, whether
> starting from a cell connection or no connection at all.  I'm not sure if this
> is related, or a separate bug.

Not auto-connecting in that situation is Bug 3399.
Comment 125 Andre Klapper maemo.org 2010-08-23 22:14:17 UTC
For your interest,

support for PAP method has been added to the Fremantle User Interface by fixing
the packages
* connui-internet (2.69) 
* connui-wlan (2.45)
which are part of the **internal** build version
2010.26-6
(Note: 2010 is the year, and the number after is the week.)

A future public update released with the year/week later than 2010/26 will
include the fix.

(Note to myself: int-153541)
Comment 126 Angus Frinc 2010-10-25 18:39:18 UTC
(In reply to comment #125)
> support for PAP method has been added to the Fremantle User Interface by fixing
> the packages
> * connui-internet (2.69) 
> * connui-wlan (2.45)
> which are part of the **internal** build version
> 
> A future public update released with the year/week later than 2010/26 will
> include the fix.

With PR 1.3 (2010/43), still no PAP method…
Comment 127 Andre Klapper maemo.org 2010-12-13 14:24:58 UTC
*** Bug 11683 has been marked as a duplicate of this bug. ***
Comment 128 domlyons 2010-12-17 02:48:21 UTC
@125 & @126

I can confirm that it isn't working in the current (public) release :-(

Maybe it has been fixed but not been ported to the public release?
Comment 129 Rick 2011-02-15 18:05:20 UTC
I have n900 1.3 and I can't get a TTLS PAP network to work...

I've installed and enabled the wlantool EAP PAP... manually configured the
network and nothing... when I click on it it asks for a WEP key... How do I
solve this?

Please urgent!
Comment 130 Rick 2011-02-15 18:07:16 UTC
I have n900 1.3 and I can't get a TTLS PAP network to work...

I've installed and enabled the wlantool EAP PAP... manually configured the
network and nothing... when I click on it it asks for a WEP key... How do I
solve this?

Please urgent!
Comment 131 Andre Klapper maemo.org 2011-02-15 18:15:30 UTC
This is not a general discussion forum. For configuration issues please ask in
a forum (like http://talk.maemo.org). Thanks for your understanding!
Comment 132 Pali Rohár 2015-12-23 09:15:08 UTC
To enable EAP-TTLS/PAP auth type just call this command:
$ gconftool -s -t boolean /system/osso/connectivity/ui/pap_enabled true

After that, the PAP type will be visible in the Internet Connections dialog.