# [NM] Problems with Eduroam style wireless network

## Cyberwizzard

At my current location they are using a wifi network called eduroam. This means a WPA2 Enterprise network with TTLS using a system certificate with outer authentication and PAP inner authentication.

This works fine when I edit my wpa_supplicant.conf file and start everything by hand. But I'd rather use the new KDE4 NM applet.

But every time it connects to the network using the applet, after 2 or 3 seconds it disconnects. The log below is showing what I mean, the only difference I can spot is the 'fragment_size' parameter (which shouldn't be there as it's supposed to be automatic) and the key_mgmt which is called "WPA-EAP IEEE8021X" in my wpa_supplicant.conf.

Edit: modifying the key_mgmt value to match the NM one did not break anything.

Edit 2: the ca_path keys seem to be breaking things...

```
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0) Stage 1 of 5 (Device Prepare) scheduled...
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0) Stage 1 of 5 (Device Prepare) started...
Oct  1 09:44:12 cyberxps NetworkManager: <info>  (wlan0): device state change: 6 -> 4 (reason 0)
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0) Stage 2 of 5 (Device Configure) scheduled...
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0) Stage 1 of 5 (Device Prepare) complete.
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0) Stage 2 of 5 (Device Configure) starting...
Oct  1 09:44:12 cyberxps NetworkManager: <info>  (wlan0): device state change: 4 -> 5 (reason 0)
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0/wireless): connection 'eduroam' has security, and secrets exist.  No new secrets needed.
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'ssid' value 'eduroam'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'scan_ssid' value '1'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'key_mgmt' value 'WPA-EAP'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'password' value '<omitted>'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'eap' value 'TTLS'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'fragment_size' value '1300'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'ca_path' value '/etc/ssl/certs'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'ca_path2' value '/etc/ssl/certs'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'identity' value 'sXXXXXXX@utwente.nl'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: added 'anonymous_identity' value 'sXXXXXXX@utwente.nl'
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Activation (wlan0) Stage 2 of 5 (Device Configure) complete.
Oct  1 09:44:12 cyberxps NetworkManager: <info>  Config: set interface ap_scan to 1
Oct  1 09:44:12 cyberxps NetworkManager: <info>  (wlan0): supplicant connection state:  disconnected -> scanning
Oct  1 09:44:14 cyberxps NetworkManager: <info>  (wlan0): supplicant connection state:  scanning -> associating
Oct  1 09:44:14 cyberxps kernel: wlan0: authenticate with 00:07:0e:15:a7:41 (try 1)
Oct  1 09:44:14 cyberxps kernel: wlan0: authenticated
Oct  1 09:44:14 cyberxps kernel: wlan0: associate with 00:07:0e:15:a7:41 (try 1)
Oct  1 09:44:14 cyberxps kernel: wlan0: RX AssocResp from 00:07:0e:15:a7:41 (capab=0x431 status=0 aid=26)
Oct  1 09:44:14 cyberxps kernel: wlan0: associated
Oct  1 09:44:14 cyberxps kernel: cfg80211: Calling CRDA for country: NL
Oct  1 09:44:14 cyberxps NetworkManager: <info>  (wlan0): supplicant connection state:  associating -> associated
Oct  1 09:44:14 cyberxps kernel: cfg80211: Current regulatory domain updated by AP to: NL
Oct  1 09:44:14 cyberxps kernel: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
Oct  1 09:44:14 cyberxps kernel: (2402000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm)
Oct  1 09:44:38 cyberxps NetworkManager: <info>  Activation (wlan0/wireless): association took too long.
Oct  1 09:44:38 cyberxps NetworkManager: <info>  (wlan0): device state change: 5 -> 6 (reason 0)
Oct  1 09:44:38 cyberxps NetworkManager: <info>  Activation (wlan0/wireless): asking for new secrets
Oct  1 09:44:38 cyberxps kernel: wlan0: deauthenticating from 00:07:0e:15:a7:41 by local choice (reason=3)
```

----------

## Cyberwizzard

After adding the 'ca_cert' and 'ca_cert2' keys I suddenly get this:

```
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=2 subject='/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root' err='self signed certificate in certificate chain'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
```

So when they are specified, the certificate chain becomes invalid... But now the key question: which certificate fails the tests? It is probably the key at "depth 2"... which is?....

Edit: log from a working login:

```
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=NL/ST=OV/L=Enschede/O=University of Twente/OU=ICTS/emailAddress=radius-certificate@utwente.nl/CN=radius.utwente.nl'
```

I inspected the GTE_CyberTrust_Global_Root certificate on my system which is valid until 2018. The 2nd certificate I can't seem to find, just like the 3rd. I expect them to be downloaded or something but is there a location on the system where I can view them to find out if they are expired?

Edit: similar problems are easily found in Google, however nobody seems to have the solution. For example this bug in Ubuntu seems to be the exact issue I'm seeing.

Edit 2: the ca_cert and ca_cert2 settings seem to be meant to point to the CA used for the chain. But how is wpa_supplicant intending to verify the CA certificate itself? It seems that that is the actual failure here... Is ca_cert the correct parameter since I was providing a certificate for the connection rather than a chain file?

On a related note: I tried every CA bundle on my system as ca_cert parameter and none of them work. I have no clue how to keep wpa_supplicant happy...

----------
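Added example, not part of the thread: the depth numbers in the CTRL-EVENT-EAP-PEER-CERT and TLS lines above count outwards from the server certificate (depth 0 is radius.utwente.nl, depth 1 the intermediate, depth 2 the root), and OpenSSL error 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) means the verifier followed the chain the server sent up to a self-signed certificate and then could not find that certificate in the trust store it had been given. It therefore reports the root even when the root itself is valid and present somewhere on disk. The script below reproduces that with a constructed three-level chain and the openssl command-line tool: `-untrusted` stands for what the RADIUS server sends in the handshake, `-CAfile` for wpa_supplicant's ca_cert. Verifying with the real root trusted passes; verifying with an unrelated root fails at depth 2 with error 19. All names and certificates are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce "error 19 at depth 2" with a
# constructed chain root -> intermediate -> server, then show that the same
# chain verifies once the trust store actually contains the root.
# Requires the openssl command-line tool; all names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained OpenSSL config so nothing depends on the system openssl.cnf.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.edu
EOF

selfsigned() {  # selfsigned <basename> <subject>
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ext.cnf \
        -extensions v3_ca -subj "$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
issue() {       # issue <basename> <subject> <issuer basename> <extension section>
    openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
        -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -CAcreateserial -extfile ext.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}

selfsigned root "/O=Constructed Trust/CN=Constructed Global Root"                  # depth 2
issue inter "/O=Constructed Trust/CN=Constructed Server CA" root v3_ca             # depth 1
issue server "/O=Constructed University/CN=radius.example.edu" inter v3_server    # depth 0
selfsigned other "/O=Somebody Else/CN=Unrelated Root"   # a trust store that lacks our root
cat inter.pem root.pem > sent_chain.pem   # what the server sends besides its own certificate

# Verify server.pem with only "$1" trusted; the server-sent chain is untrusted input.
verify_with_ca() {
    openssl verify -CAfile "$1" -untrusted sent_chain.pem server.pem 2>&1
}
# Exit status of that verification as a string ("0" when the chain is accepted).
verify_status() {
    verify_with_ca "$1" >/dev/null && echo 0 || echo $?
}
# "<error> <depth>" from the verifier's "error N at D depth lookup" line, empty on success.
verify_error() {
    verify_with_ca "$1" | sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/\1 \2/p' | head -n 1
}

echo "== ca_cert is the real root =="
verify_with_ca root.pem            # server.pem: OK
echo "== ca_cert is some other root =="
verify_with_ca other.pem || true   # error 19 at 2 depth lookup: ...
```

One caveat for the `ca_path` variant NetworkManager generated above: wpa_supplicant hands that directory to OpenSSL's hash-directory lookup, which only finds certificates stored under their subject-hash file names (the layout `c_rehash` produces). A directory of plainly named PEM files behaves like an empty trust store for this check, whereas a single `ca_cert` file is read as-is.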

## Cyberwizzard

It seems that the 'ca_cert' option enables server validation. Without it, the network is set up without security checks and the client just sends the passwords...

Since the root CA is valid and OpenSSL keeps breaking over it, I started looking at the source. It seems that wpa_supplicant has support for both OpenSSL and GnuTLS but it prefers the first. After countless debugging sessions and bug hunts on my system itself, I decided to recompile OpenSSL with all options - which did nothing.

Then I removed the 'ssl' use flag from wpa_supplicant and recompiled it. Suddenly everything came to life and looking through the logs I can see that GnuTLS accepted the root CA just fine.

Now, is this a bug in wpa_supplicant or OpenSSL? I am inclined to point a finger to the latter but I'm not sure...

----------
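Added example, not part of the thread: the observation that `ca_cert` is what switches server validation on is the whole security story of EAP-TTLS with PAP inside. The inner PAP password travels in the clear inside the TLS tunnel, so a rogue access point announcing the same SSID with its own RADIUS server and any certificate at all receives the password unless the client insists on a known CA and a known server name. The script below audits wpa_supplicant network blocks for exactly that: FAIL when an EAP network has neither `ca_cert` nor `ca_path`, WARN when a CA is pinned but none of `domain_suffix_match`, `domain_match`, `subject_match` or `altsubject_match` restricts the server name (any certificate that CA ever issued would then be accepted), OK otherwise. `domain_suffix_match` and `domain_match` are wpa_supplicant options newer than the versions discussed in the thread. The configuration it runs over is constructed for the example; identities, password and paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit wpa_supplicant network blocks for
# EAP-TTLS/PEAP configurations that do not validate the RADIUS server.
# The configuration below is constructed for this example.

SAMPLE_CONF='
ctrl_interface=/var/run/wpa_supplicant

# 1: no CA and no name check, the inner PAP password goes to any AP that answers
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="s1234567@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="constructed-password"
}

# 2: CA pinned, but every certificate that CA ever issued is still accepted
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/Example_Root_CA.pem"
    identity="s1234567@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="constructed-password"
}

# 3: CA pinned and the server name checked
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/Example_Root_CA.pem"
    domain_suffix_match="radius.example.edu"
    identity="s1234567@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="constructed-password"
}

# A PSK network has no server certificate to check and is skipped
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="constructed-psk-not-real"
}
'

# Reads a wpa_supplicant.conf on stdin and prints one verdict line per EAP network block.
audit_wpa_conf() {
    awk '
    /^[ \t]*#/ { next }
    /^[ \t]*network[ \t]*=[ \t]*\{/ { inblk = 1; n++; ssid = ""; eap = ""; ca = 0; name = 0; next }
    inblk && /^[ \t]*\}/ {
        inblk = 0
        if (eap == "") next                      # not an EAP network: nothing to validate
        tag = "network #" n " (ssid=" ssid "): "
        if (!ca)        print tag "FAIL no ca_cert/ca_path: server not validated, inner credential is sent to any AP that answers"
        else if (!name) print tag "WARN ca_cert set but no domain_suffix_match/domain_match/subject_match/altsubject_match: any certificate from that CA is accepted"
        else            print tag "OK server certificate validated and name-checked"
        next
    }
    inblk {
        sub(/^[ \t]+/, "")
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1); gsub(/"/, "", val)
        if (key == "ssid") ssid = val
        else if (key == "eap") eap = val
        else if (key == "ca_cert" || key == "ca_path") ca = 1
        else if (key == "domain_suffix_match" || key == "domain_match" || key == "subject_match" || key == "altsubject_match") name = 1
    }'
}

# Runs the audit over the constructed configuration above.
audit_sample() {
    printf '%s\n' "$SAMPLE_CONF" | audit_wpa_conf
}

audit_sample
```

Run as-is it prints three lines, one each for the EAP blocks (#1 FAIL, #2 WARN, #3 OK) and nothing for the PSK block; to check a real file, `audit_wpa_conf < /etc/wpa_supplicant/wpa_supplicant.conf`.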

