Bug ID | 987897 |
---|---|
Summary | nm_applet can't configure TTLS+MSCHAPv2 authentication |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | x86-64 |
OS | SUSE Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | GNOME |
Assignee | bnc-team-gnome@forge.provo.novell.com |
Reporter | martin.wilck@suse.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
I can't connect to the "Novell" WLAN in the Nürnberg office with nm_applet using the settings "Authentication: Tunneled TLS" and "Inner Authentication: MSCHAPV2".

I analyzed this using manual configuration and found the following behaviour of the Wifi access point:

    eap=TTLS, phase2="autheap=MSCHAPV2": NO
    eap=TTLS, phase2="auth=MSCHAPV2": YES
    eap=PEAP, phase2="auth=MSCHAPV2": YES

In other words, the "autheap" phase2 protocol was causing the trouble. Thus one workaround is to use PEAP. If using TTLS, the following workaround is possible using nmcli:

    nmcli con modify Novell 802-1x.phase2-auth mschapv2
    nmcli con modify Novell 802-1x.phase2-autheap ""
    systemctl restart NetworkManager # (not sure why this is necessary)

Now the connection can be started.

This configuration can't be applied using nm_applet. The user can only select TTLS + MSCHAPV2 in the applet, and if he does so, the applet will set "phase2-autheap", not "phase2-auth". In general, nm_applet always sets "phase2-autheap" if possible:

    /* If the outer EAP method (TLS, TTLS, PEAP, etc) allows inner/phase2
     * EAP methods (which only TTLS allows) *and* the inner/phase2 method
     * supports being an inner EAP method, then set PHASE2_AUTHEAP.
     */

See https://github.com/GNOME/network-manager-applet/commit/2294732eb608fad0ad65e315e1495094c0c9f34c

This behavior of nm_applet seems to be wrong, as wpa_supplicant, NetworkManager itself, and nmcli all support "auth=MSCHAPV2" as inner method for TTLS.
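
An added example, not part of the original report and not NetworkManager code: a shell check that reads one profile's 802.1X properties, prints which phase2 form from the report it corresponds to, and prints the report's nmcli workaround for the failing TTLS case. The function names, the sample data and the `property:value` output form assumed for `nmcli -t` are assumptions of this example.

```shell
#!/bin/sh
# Added example; sample data below is constructed. Input lines use the
# "property:value" form assumed for:
#   nmcli -t -f 802-1x.eap,802-1x.phase2-auth,802-1x.phase2-autheap con show NAME

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Print the phase2 string in the report's notation ("auth=X", "autheap=X"),
# "none" if TTLS has no inner method, or "not-ttls" for other outer methods.
classify_phase2() {
    eap='' auth='' autheap='' out=''
    while IFS=: read -r key value; do
        case "$key" in
            802-1x.eap)            eap=$value ;;
            802-1x.phase2-auth)    auth=$value ;;
            802-1x.phase2-autheap) autheap=$value ;;
        esac
    done
    case ",$eap," in
        *,ttls,*) ;;                       # eap may be a comma-separated list
        *) echo "not-ttls"; return 0 ;;
    esac
    if [ -n "$auth" ]; then out="auth=$(upper "$auth")"; fi
    if [ -n "$autheap" ]; then out="${out:+$out }autheap=$(upper "$autheap")"; fi
    echo "${out:-none}"
}

# For the failing case in the report (TTLS with only autheap=MSCHAPV2), print
# the report's nmcli workaround for connection $1; otherwise print nothing.
suggest_fix() {
    if [ "$(classify_phase2)" = "autheap=MSCHAPV2" ]; then
        printf 'nmcli con modify "%s" 802-1x.phase2-auth mschapv2\n' "$1"
        printf 'nmcli con modify "%s" 802-1x.phase2-autheap ""\n' "$1"
    fi
}

# Constructed sample: the profile state the report attributes to nm_applet.
SAMPLE_APPLET='802-1x.eap:ttls
802-1x.phase2-auth:
802-1x.phase2-autheap:mschapv2'

printf '%s\n' "$SAMPLE_APPLET" | classify_phase2
printf '%s\n' "$SAMPLE_APPLET" | suggest_fix Novell
```

The printed commands are for review before running; the report additionally restarted NetworkManager after applying them.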