maemo.org Bugzilla – Bug 7764
WPA-EAP authentication fails with *any* expired certificate
Last modified: 2010-10-29 15:11:49 UTC
SOFTWARE VERSION: 1.2009.42-11.002

EXACT STEPS LEADING TO PROBLEM:
1. Install CA and user certificate
2. Configure wifi network connection using WPA with EAP. EAP type: PEAP, EAP method: EAP MSCHAPv2
3. Attempt to connect to network.

EXPECTED OUTCOME: Successfully authenticate & connect to network.

ACTUAL OUTCOME: Authentication fails.

syslog:
Jan 6 16:35:59 Nokia-N900-42-11 wlancond[1051]: SIOCGIWAP: 00:27:0d:2f:34:c1
Jan 6 16:35:59 Nokia-N900-42-11 icd2 0.87+fremantle3+0m5[1127]: connecting iap 0x463b0 in state ICD_IAP_STATE_LINK_POST_UP: interface is 'wlan0'
Jan 6 16:36:00 Nokia-N900-42-11 EAP[4407]: certman_main.cpp(174): ERROR Invalid certificate '/C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad CA/OU=Certificaciones/CN=IPS SERVIDORES/emailAddress=ips@mail.ips.es'
Jan 6 16:36:09 Nokia-N900-42-11 icd2 0.87+fremantle3+0m5[1127]: EAP: [be50ab40-2570-4ddd-9cdc-4c09360bbbd0] authentication failed because EAP_FAILED received: EAP authentication failed (com.nokia.icd.error.wlan_authentication_failed)
Jan 6 16:36:09 Nokia-N900-42-11 wlancond[1051]: Deauthenticating
Jan 6 16:36:09 Nokia-N900-42-11 kernel: [83959.441131] wlan0: deauthenticating by local choice (reason=3)

REPRODUCIBILITY: always

EXTRA SOFTWARE INSTALLED:

OTHER COMMENTS: IPS SERVIDORES certificate is valid until December 29, 2009. IPS SERVIDORES has absolutely nothing to do with any certificate needed for authentication. If I'm understanding everything correctly, this means as of December 30, 2009 the N900 no longer supports WPA with EAP.
(In reply to comment #0)
> IPS SERVIDORES certificate is valid until December 29, 2009.

Just checking, were you connecting successfully before that date? The 9" gap between the certman error and EAP failure looks suspicious and may indicate that the authentication failure is caused by something else.
Huh, I thought I had already responded to this but apparently not. Anyway, I've still been trying to dig deeper to figure out what's going on. Looking through the osso-wlan source, I found the logging setting for wlancond (gconftool-2 -s --type=int /system/osso/connectivity/IAP/wlancond_debug_level 2) but that didn't get me an answer. Is there a similar setting for icd2 that I could use to gather more information?
It is possible to enable more icd2 logging, but this will tell you nothing about the EAP exchange. The security code is Nokia internal only, and needs to be recompiled to enable logging. With regard to the issue you are seeing, I am assuming you have multiple certificates installed on your N900, one of which being IPS SERVIDORES which has expired. However this is not the certificate you expect to use with the connection you are trying to make. Is my understanding correct? Could you provide a walk through of the menus and options you are selecting so that I might try to recreate the problem locally?
I've finished working with our IT; I did have a configuration mistake, but I've resolved that and I'm still unable to connect. AP logs show my N900 associating with the SSID, but report no errors/failure at all. Access point is a Cisco 1142 LWAP.

Settings:
Network name (SSID): <name of network>
Network is hidden: unchecked
Network mode: Infrastructure
Security method: WPA with EAP
EAP type: TLS
Select certificate: <user certificate> (User certificate is signed by our self-signed server certificate, which is imported and seems to work correctly)

When I attempt to connect, the status bar connection symbol blinks for ~3 seconds, then I'm prompted for my certificate password (even if I try to turn off the password for the certificate, then it just accepts a blank password). Immediately after entering the password, the "Authentication failed" message box pops up.
Oh, I forgot two things. I don't have any of the advanced options set for the connection (No proxy, auto-retrieve IP/DNS, 100mW transmission power, WPA2-only is unchecked, power saving On (Maximum), Use manual user name is unchecked, and require client authentication is unchecked). I've tried variations on the manual user name and client authentication settings, with no effect. As far as the IPS SERVIDORES certificate you are correct, it is one of the many certification authorities installed by default. I do not expect it to be used.
I'm seeing a similar error in IBM UK. Recent certificates issued by IBM appear not to work with the N900 (though older ones do strangely!). (A number of my colleagues with different certificates and their own devices have seen the same symptoms as me.)

The error as I see it in syslog (AP/ESSID anonymised slightly) is:
Feb 1 20:56:56 Nokia-N900-42-11 wlancond[1091]: Scan issued
Feb 1 20:56:57 Nokia-N900-42-11 wlancond[1091]: Scan results ready -- scan active
Feb 1 20:56:57 Nokia-N900-42-11 wlancond[1091]: Starting to associate
Feb 1 20:56:57 Nokia-N900-42-11 wlancond[1091]: Setting BSSID 00:1b:90:74:xx:xx
Feb 1 20:56:57 Nokia-N900-42-11 wlancond[1091]: Setting SSID: IBM
Feb 1 20:56:57 Nokia-N900-42-11 kernel: [122837.421722] wlan0: authenticate with AP 00:1b:90:74:xx:xx
Feb 1 20:56:57 Nokia-N900-42-11 kernel: [122837.425170] wlan0: authenticated
Feb 1 20:56:57 Nokia-N900-42-11 kernel: [122837.425231] wlan0: associate with AP 00:1b:90:74:xx:xx
Feb 1 20:56:57 Nokia-N900-42-11 kernel: [122837.429077] wlan0: RX AssocResp from 00:1b:90:74:xx:xx (capab=0x431 status=0 aid=1)
Feb 1 20:56:57 Nokia-N900-42-11 kernel: [122837.429229] wlan0: associated
Feb 1 20:56:57 Nokia-N900-42-11 wlancond[1091]: SIOCGIWAP: 00:1b:90:74:f5:40
Feb 1 20:56:57 Nokia-N900-42-11 icd2 0.87+fremantle4+0m5[1151]: connecting iap 0x40a40 in state ICD_IAP_STATE_LINK_POST_UP: interface is 'wlan0'
Feb 1 20:56:58 Nokia-N900-42-11 EAP[1402]: certman_main.cpp(174): ERROR Invalid certificate '/C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad CA/OU=Certificaciones/CN=IPS SERVIDORES/emailAddress=ips@mail.ips.es'
Feb 1 20:56:59 Nokia-N900-42-11 EAP[1402]: certman_main.cpp(259): ERROR /C=US/O=International Business Machines Corporation/OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/OU=Class 2 Managed PKI Individual Subscriber CA/CN=IBM Certification Authority G2 verification fails
Feb 1 20:57:15 Nokia-N900-42-11 wlancond[1091]: SIOCGIWAP: 00:00:00:00:00:00
Feb 1 20:57:15 Nokia-N900-42-11 kernel: [122854.799102] wlan0: deauthenticated
Feb 1 20:57:15 Nokia-N900-42-11 wlancond[1091]: Key clearing failed
*** This bug has been confirmed by popular vote. ***
...and this still happens in 2.2009.51-1, right?
(In reply to comment #8)
> ...and this still happens in 2.2009.51-1, right?

Yep. I'm using 2.2009.51-1.203.2
(In reply to comment #8)
> ...and this still happens in 2.2009.51-1, right?

I've updated and I'm still unable to connect.
I think the summary has been updated incorrectly. I'm (syslog in comment #6) certainly using EAP-TLS not WPA-EAP-PEAP MSCHAPv2 and I think the original reporter is too (see his correction in comment #4). Unless I hear screams of disagreement (or someone changes it first), I'll update the summary.
Well, I've recently connected to a local Wi-Fi operator and found out that there's completely no way to log in on PEAP on the N900. My notebook connects to the network ok both on PEAP and on EAP-TLS. I tried all possible combinations on the N900 (with certificate being valid and installed), but all in vain. It's just "Error connecting to the network. Try again?" and that's all. Both PEAP-EAP and EAP-TLS don't work on the N900 with 2.2009.51/1 f/w
the exact error message is "Network connection error. Try again?"
(In reply to comment #13)
> the exact error message is "Network connection error. Try again?"

I get "Authentication failed. Try again?". In my case EAP-TLS was working perfect, but then I made the mistake of renewing my certificate (needed simpler password..). After that the connection is failing in authentication, about 3-5s later after entering the password.
I have some colleagues that are unable to login to the same network using their N900s so I've installed syslog to figure out what's different. First I note that I DO still get the "ERROR" about the IPS certificates, but what I do NOT get is anything similar to

Feb 1 20:56:59 Nokia-N900-42-11 EAP[1402]: certman_main.cpp(259): ERROR /C=US/O=International Business Machines Corporation/OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/OU=Class 2 Managed PKI Individual Subscriber CA/CN=IBM Certification Authority G2 verification fails

So presumably this may well be the real cause. Might be worth getting a full debug log with wpa_supplicant using "-d -d -d -d -d -d" etc to see if the same errors occur - maybe there is a certificate error but maemo's validation is tighter?
A colleague of mine who has a EAP-TLS certificate that works fine also has the error about the expired certificate in his syslog so that error is /not/ fatal. Is there some way to get more detailed logging out of the N900, the only line in the log that seems related is:

Feb 1 20:56:59 Nokia-N900-42-11 EAP[1402]: certman_main.cpp(259): ERROR /C=US/O=International Business Machines Corporation/OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/OU=Class 2 Managed PKI Individual Subscriber CA/CN=IBM Certification Authority G2 verification fails

and I'd like to see a lot more detailed info.
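The two preceding comments (#15 and #16), together with the timing observation in comment #1, amount to a triage rule for the syslog excerpts posted in this bug: the certman_main.cpp(174) "Invalid certificate" line is emitted for an expired CA in the device store and also appears on devices that authenticate fine, while the certman_main.cpp(259) "verification fails" line tracks the actual failures. The following script is an added example, not code from the bug report or from Nokia's certman/EAP stack; it parses syslog lines of the shape quoted in this thread, separates the two certman messages, and reports the gap between the first certman error and the deauthentication. The sample excerpts are constructed from the lines quoted in comments #0 and #6, and the year used for timestamp parsing is an assumption (syslog lines carry none).

```python
"""Triage certman/EAP errors in N900 syslog excerpts (added example).

Two certman messages appear in this bug:
  certman_main.cpp(174): ERROR Invalid certificate '<subject>'
      -> a CA in the device certificate store failed validation (expired);
         seen on devices that still connect, so reported as a warning only
  certman_main.cpp(259): ERROR <subject> verification fails
      -> chain verification for a certificate in the exchange failed;
         this is the line that accompanies the reported auth failures
"""
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# "Mon  D HH:MM:SS host rest-of-line" (syslog pads single-digit days with a space)
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$")
STORE_RE = re.compile(
    r"certman_main\.cpp\(174\): ERROR Invalid certificate '(?P<subject>[^']*)'")
VERIFY_RE = re.compile(
    r"certman_main\.cpp\(259\): ERROR (?P<subject>.*?) verification fails$")
# Messages that mark the end of a failed attempt in the quoted logs
FAIL_MARKERS = ("EAP_FAILED received", "deauthenticating by local choice",
                "disassociating by local choice", "wlan0: deauthenticated")


def _timestamp(mon, day, time_str, year):
    """Build a datetime from syslog fields; the year is supplied by the caller."""
    return datetime.strptime(f"{year} {MONTHS[mon]} {int(day)} {time_str}",
                             "%Y %m %d %H:%M:%S")


def triage(syslog_text, year=2010):
    """Summarise one connection attempt: certman warnings, chain failures, timing."""
    store_warnings, verification_failures = [], []
    first_certman = failure_at = None
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        ts = _timestamp(m["mon"], m["day"], m["time"], year)
        rest = m["rest"]
        s, v = STORE_RE.search(rest), VERIFY_RE.search(rest)
        if s:
            store_warnings.append(s["subject"])
        if v:
            verification_failures.append(v["subject"])
        if (s or v) and first_certman is None:
            first_certman = ts
        if failure_at is None and any(k in rest for k in FAIL_MARKERS):
            failure_at = ts
    if verification_failures:
        cause = "chain verification failed (certman 259): " + "; ".join(verification_failures)
    elif failure_at is not None:
        cause = ("authentication failed without a certman 259 line; the 174 "
                 "store warnings also occur on devices that connect")
    else:
        cause = "no failure seen"
    gap = None
    if first_certman is not None and failure_at is not None:
        gap = (failure_at - first_certman).total_seconds()
    return {"store_warnings": store_warnings,
            "verification_failures": verification_failures,
            "auth_failed": failure_at is not None,
            "gap_seconds": gap,
            "likely_cause": cause}


IPS = ("/C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad CA/OU=Certificaciones"
       "/CN=IPS SERVIDORES/emailAddress=ips@mail.ips.es")
IBM_G2 = ("/C=US/O=International Business Machines Corporation/OU=VeriSign Trust Network"
          "/OU=Terms of use at https://www.verisign.com/rpa (c)09"
          "/OU=Class 2 Managed PKI Individual Subscriber CA/CN=IBM Certification Authority G2")

# Constructed sample modelled on comment #0 (PEAP attempt, no 259 line)
SAMPLE_JAN = f"""\
Jan  6 16:35:59 Nokia-N900-42-11 wlancond[1051]: SIOCGIWAP: 00:27:0d:2f:34:c1
Jan  6 16:36:00 Nokia-N900-42-11 EAP[4407]: certman_main.cpp(174): ERROR Invalid certificate '{IPS}'
Jan  6 16:36:09 Nokia-N900-42-11 icd2 0.87+fremantle3+0m5[1127]: EAP: [x] authentication failed because EAP_FAILED received: EAP authentication failed (com.nokia.icd.error.wlan_authentication_failed)
Jan  6 16:36:09 Nokia-N900-42-11 kernel: [83959.441131] wlan0: deauthenticating by local choice (reason=3)
"""

# Constructed sample modelled on comment #6 (EAP-TLS attempt, 174 then 259)
SAMPLE_FEB = f"""\
Feb  1 20:56:57 Nokia-N900-42-11 kernel: [122837.429229] wlan0: associated
Feb  1 20:56:58 Nokia-N900-42-11 EAP[1402]: certman_main.cpp(174): ERROR Invalid certificate '{IPS}'
Feb  1 20:56:59 Nokia-N900-42-11 EAP[1402]: certman_main.cpp(259): ERROR {IBM_G2} verification fails
Feb  1 20:57:15 Nokia-N900-42-11 kernel: [122854.799102] wlan0: deauthenticated
"""

if __name__ == "__main__":
    for name, sample in (("comment #0", SAMPLE_JAN), ("comment #6", SAMPLE_FEB)):
        print(name, triage(sample))
```

Run it on a real excerpt by reading the syslog into a string and passing it to triage(); a result with verification_failures populated points at the certificate chain rather than at the expired store entry, which is the distinction the thread converges on.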
(In reply to comment #16)
> Is there some way to get more detailed logging out of the N900, the only line
> in the log that seems related is:

As Jon mentioned we really need a way to get this additional debug information. For example on fedora I can run wpa_supplicant with multiple "-d" flags to get quite extensive information about the EAP exchange. This has been very valuable in the past in debugging wireless connectivity issues. We have a group of skilled people who hopefully can make some progress on understanding why this issue is occurring but really need some way to get that additional information. I think I saw some reference to a gconf setting a while ago, but can't find anything interesting in the gconf db right now. Whether it's gconf, kernel module parameters etc surely there's a way? EAP is complicated, but for those of us using the N900 in enterprise environments we usually have relatively little control over the infrastructure. In my case a user choice between LEAP and EAP-TLS/certs. LEAP isn't too secure and has rather proprietary origins, but is still used and is relatively simple. EAP-TLS is arguably preferred, but we need a solid robust & debuggable implementation.
Or, ok, now I have the "Authentication failed. Try again?"

What I did:
Installed the certificate through Cert Manager.
Reboot.
Choose the tls-protected network.
Then choose PEAP and press save.
Then select the certificate and authentication MSCHAP2 and press save.
Enter your login and password for the WPA network and press save.
Enter the correct cert password.
Enter correct cert password again.
Enter correct cert password again.
Get the "Authentication failed. Try again?" error.
This is being investigated internally, we believe the problem is in the certificate manager not the EAPD.
(In reply to comment #19)
> This is being investigated internally, we believe the problem is in the
> certificate manager not the EAPD.

By the way, the new maemo update (3.2010.02-8) does not seem to resolve this issue yet. Where is that log entry that somebody mentioned..would like to verify I get the same.
My digital certificate just expired. I've received a new one signed by a different certification authority (the same one that fails for many IBM users). I've made no other sw changes and have been on PR 1.1.1 (generic) before and after. As expected, I can no longer connect :-( The same .p12 certificate works with "NetworkManager" under Fedora 12 x86_64 just fine. This is a significant issue for quite a few people - connectivity is fundamental. Is there any news on resolution? Any workarounds possible (that don't require certificate changes)?
(In reply to comment #21)
> As expected, I can no longer connect :-( The same .p12 certificate works with
> "NetworkManager" under Fedora 12 x86_64 just fine.

I've also taken a detailed debug log with "wpa_supplicant" on the fedora system to check for any strange warnings/errors which might indicate any kind of problem, but it's all looking very clean - no cert issues I can see.
Here's the output from syslog on my N900

Mar 8 12:55:45 Nokia-N900-42-11 kernel: [ 8473.152893] wlan0: authenticate with AP 00:1b:90:74:34:40
Mar 8 12:55:45 Nokia-N900-42-11 kernel: [ 8473.157745] wlan0: authenticated
Mar 8 12:55:45 Nokia-N900-42-11 kernel: [ 8473.157775] wlan0: associate with AP 00:1b:90:74:34:40
Mar 8 12:55:45 Nokia-N900-42-11 kernel: [ 8473.163391] wlan0: RX AssocResp from 00:1b:90:74:34:40 (capab=0x431 status=0 aid=1)
Mar 8 12:55:45 Nokia-N900-42-11 kernel: [ 8473.163452] wlan0: associated
Mar 8 12:55:46 Nokia-N900-42-11 EAP[2182]: certman_main.cpp(174): ERROR Invalid certificate '/C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad CA/OU=Certificaciones/CN=IPS SERVIDORES/emailAddress=ips@mail.ips.es'
Mar 8 12:55:46 Nokia-N900-42-11 EAP[2182]: certman_main.cpp(259): ERROR /C=US/O=International Business Machines Corporation/OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)03/OU=Class 2 OnSite Individual Subscriber CA/CN=IBM Certification Authority verification fails
Mar 8 12:55:53 Nokia-N900-42-11 kernel: [ 8481.439575] wlan0: disassociating by local choice (reason=3)
Mar 8 12:55:53 Nokia-N900-42-11 kernel: [ 8481.442871] wlan0: deauthenticated

The key line appears to be:

Mar 8 12:55:46 Nokia-N900-42-11 EAP[2182]: certman_main.cpp(259): ERROR /C=US/O=International Business Machines Corporation/OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)03/OU=Class 2 OnSite Individual Subscriber CA/CN=IBM Certification Authority verification fails

These errors occur even if the option to validate is not selected in the GUI.

I went back and re-did the check on linux using wpa_supplicant, this time using JUST the .p12 file and did actually note that a couple of additional certs were being loaded from the .p12 in addition to my user cert:

TLS: Got private key from PKCS12
TLS: additional certificate from PKCS12: subject='/C=US/O=International Business Machines Corporation/OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/OU=Class 2 Managed PKI Individual Subscriber CA/CN=IBM Certification Authority G2'
TLS: additional certificate from PKCS12: subject='/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 2 Public Primary Certification Authority - G3'
OpenSSL: Reading PKCS#12 file --> OK

Having said that both do now appear in my phone's certificate manager, so perhaps this piece is working fine, in which case where is the problem...
Today I tried connecting DIRECTLY from the N900 by using a port of wpa_supplicant as found here -> http://talk.maemo.org/showthread.php?t=36220&highlight=icd

Using the following wpa_supplicant configuration file saved as /etc/wpa2.conf

ctrl_interface=/var/run/wpa_supplicant
# 1 - here, 0=driver, 2=driver++
ap_scan=1
#ctrl_interface_group=wheel
# may need to be 1
eapol_version=1
fast_reauth=1
network={
    #proto=WPA
    ssid="myssid"
    scan_ssid=1
    key_mgmt=WPA-EAP
    #key_mgmt=WPA-EAP IEEE8021X NONE
    #key_mgmt=IEEE8021X
    pairwise=CCMP TKIP
    #pairwise=TKIP
    #group=WEP104
    group=CCMP TKIP
    #group=CCMP TKIP WEP104 WEP40
    eap=TLS
    identity="myuserid@mydomain.com"
    private_key="/home/user/mycert.p12"
    private_key_passwd="mypassword"
    eapol_flags=3
    priority=100
}

I was able to run (as root)

cd /home/opt/maemo/usr/sbin
wpa_supplicant -B -c/etc/wpa2.conf -iwlan0

optionally -- for gui run "./wpa_gui"

I was authenticated very quickly, and was then able to get a dhcp address with

udhcpc -iwlan0

At this point I could not resolve names -- resolv.conf was not updated, but this is something I can set manually or tweak in the dhcpc configuration.

This suggests to me the base libraries are fine. It also provides a path for affected users to workaround, although a little more effort is needed on streamlining the configuration & making it possible to run as a user rather than root, and also tweaking the dhcp configuration. Finally I'm not sure of the "safe" way to do this without breaking 3G data & connection switching.

Hope this helps provide some additional data to ensure the real cause of this defect is isolated. Meantime any additional debug options for the OOTB nokia stack welcome -- this problem would affect most maemo users at my large company.
FAO Jason @ Nokia -- Are you able to reproduce this problem and/or have enough to definitely pin down the issue?

If not is there any way us "in the field" seeing the problem can gather any additional info you need -- perfectly happy to install debug code, tweak configuration, trash device, try recommended workarounds etc to help get this issue identified & ultimately resolved.
The issue in certman has been addressed and will be released in PR1.2. Release procedure prevents me from releasing by any other means.

(In reply to comment #25)
> FAO Jason @ Nokia -- Are you able to reproduce this problem and/or have enough
> to definately pin down the issue.
>
> If not is there any way us "in the field" seeing the problem can gather any
> additional info you need -- perfectly happy to install debug code, tweak
> configuration, trash device, try recommended workarounds etc to help get this
> issue identified & ultimately resolved
That's made my day. Thanks for the update.
Good to hear that the solution has been found. Slightly concerned though as it would appear from reading various N900 related sites that the UK has not had PR1.1.1 (I think) made available to it. Will we actually get PR1.2 when it is released?
@Ian, I was initially quite surprised to learn this. However, I have just learnt that PR 1.1.1 is awaiting "operator" approval in the UK.
(In reply to comment #29)
> @Ian, I was initially quite surprised to learn this. However, I have just
> learnt that PR 1.1.1 is awaiting "operator" approval in the UK.

UK operators are always the slowest with getting updates out. If they have even begun to look at the release, they are probably customising the software with the usual low quality marketing, which will no doubt render the phone useless. Rest assured, someone has found a solution: http://talk.maemo.org/showthread.php?t=47735 This will update to PR 1.1.1 and hopefully PR 1.2 when it arrives.
(In reply to comment #29)
> @Ian, I was initially quite surprised to learn this. However, I have just
> learnt that PR 1.1.1 is awaiting "operator" approval in the UK.

Thanks for the explanation. This is slightly annoying though as I bought my N900 directly from Nokia with no operator customisation. I am therefore being made to "suffer" by a UK operator(s) that I have no relationship with :-(
Well, here in Finland we are no better - the current level listed on the N900 support site is 2.2009.51.1. I'm tempted to wait for the official release, hoping it wouldn't take too many extra days anymore. By the way, got the news of the first update from a friend of mine, and had to google and download it manually then. The second update (the above one) made itself known with the animated icon on status bar. Hopefully this next one works that way too...so far there's not been any other update message within my app selection.
Let's keep this on-topic. :-) For the UK firmware issue please see either bug 6878 or bug 7896.
(In reply to comment #26)
> The issue in certman has been addressed and will be released in PR1.2.

Sweet. There was one other issue I commented on in #4, where you are prompted for a certificate password even if you have removed the password protection from the certificate. Has this also been fixed, or should I open a new bug for that?
I have PR 1.3 (10.2020.19-1) and it seems this bug hasn't been fixed. I also have connection problems with the corporate WiFi. When trying to connect (PEAP + MSCHAPv2) I get a bunch of errors in the N900 syslog:

Oct 29 11:23:25 Nokia-N900-51-1 EAP[4392]: certman_main.cpp(174): ERROR Invalid certificate '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority'
Oct 29 11:23:25 Nokia-N900-51-1 EAP[4392]: certman_main.cpp(174): ERROR Invalid certificate '/C=WW/O=beTRUSTed/CN=beTRUSTed Root CAs/CN=beTRUSTed Root CA'
Oct 29 11:23:25 Nokia-N900-51-1 EAP[4392]: certman_main.cpp(174): ERROR Invalid certificate '/C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad CA/OU=Certificaciones/CN=IPS SERVIDORES/emailAddress=ips@mail.ips.es'
Oct 29 11:23:25 Nokia-N900-51-1 EAP[4392]: certman_main.cpp(259): ERROR /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)00/CN=VeriSign Time Stamping Authority CA verification fails
Oct 29 11:23:32 Nokia-N900-51-1 EAP[4392]: EAP 2.0.39+0m5 quitting.

EAP type: PEAP
Select certificate: none
EAP method: EAP MSCHAPv2 plus Username/Password

It works on my Ubuntu 10.10 laptop, iPhone and on the latest Android but not from N900.
sorry, my version is 10.2010.19-1
Ok, maybe I found the error on my N900, it still had an old WiFi config with the same SSID as the new equipment has. I just removed all old corporate WiFi settings and restarted by using this solution: http://talk.maemo.org/showthread.php?t=63497&highlight=mschapv2 The certificate errors are still in the syslog, but the connection will be established.