Bug ID 987897
Summary nm_applet can't configure TTLS+MSCHAPv2 authentication
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware x86-64
OS SUSE Other
Status NEW
Severity Normal
Priority P5 - None
Component GNOME
Assignee bnc-team-gnome@forge.provo.novell.com
Reporter martin.wilck@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

I can't connect to the "Novell" WLAN in the Nürnberg office with nm_applet
using the settings "Authentication: Tunneled TLS" and "Inner Authentication:
MSCHAPV2".

I analyzed this using manual configuration and found the following behaviour of
the Wifi access point:

   eap=TTLS, phase2="autheap=MSCHAPV2": NO
   eap=TTLS, phase2="auth=MSCHAPV2": YES
   eap=PEAP, phase2="auth=MSCHAPV2": YES

In other words, the "autheap" phase2 protocol was causing the trouble.

Thus one workaround is to use PEAP. If using TTLS, the following workaround is
possible using nmcli:

nmcli con modify  Novell 802-1x.phase2-auth mschapv2
nmcli con modify  Novell 802-1x.phase2-autheap ""
systemctl restart NetworkManager # (not sure why this is necessary)

Now the connection can be started.

This configuration can't be applied using nm_applet. The user can only select
TTLS + MSCHAPV2 in the applet, and if he does so, the applet will set
"phase2-autheap", not "phase2-auth". In general, nm_applet always sets
"phase2-autheap" if possible:

/* If the outer EAP method (TLS, TTLS, PEAP, etc) allows inner/phase2
 * EAP methods (which only TTLS allows) *and* the inner/phase2 method
 * supports being an inner EAP method, then set PHASE2_AUTHEAP. */

See
https://github.com/GNOME/network-manager-applet/commit/2294732eb608fad0ad65e315e1495094c0c9f34c

This behavior of nm_applet seems to be wrong, as wpa_supplicant, NetworkManager
itself, and nmcli all support "auth=MSCHAPV2" as inner method for TTLS.
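
An added example, not part of the original report and not NetworkManager's own code: a small check that reads a NetworkManager keyfile-style profile and flags the TTLS + "phase2-autheap" combination described above. The sample profiles, the identity value, the function name inspect_profile and the mapping of the two properties to "auth=" / "autheap=" phase2 strings are assumptions made for illustration.

```python
import configparser

# Constructed sample keyfiles (NetworkManager .nmconnection style); not from the report.
APPLET_PROFILE = """\
[connection]
id=Novell
type=wifi

[802-1x]
eap=ttls;
identity=user@example.invalid
phase2-autheap=mschapv2
"""

# Same profile after the nmcli workaround: phase2-auth set, phase2-autheap gone.
WORKAROUND_PROFILE = APPLET_PROFILE.replace("phase2-autheap=", "phase2-auth=")


def inspect_profile(keyfile_text):
    """Summarise the 802.1X phase-2 settings of one keyfile profile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keyfile_text)
    if not cp.has_section("802-1x"):
        return None  # not an 802.1X profile
    sec = cp["802-1x"]
    # Keyfile lists are ';'-separated and may end with a trailing ';'.
    eap = [m.strip().lower() for m in sec.get("eap", "").split(";") if m.strip()]
    auth = sec.get("phase2-auth", "").strip()
    autheap = sec.get("phase2-autheap", "").strip()
    # Assumed mapping to the supplicant's phase2 string, per the forms in the report.
    parts = []
    if auth:
        parts.append("auth=" + auth.upper())
    if autheap:
        parts.append("autheap=" + autheap.upper())
    return {
        "id": cp.get("connection", "id", fallback="?"),
        "eap": eap,
        "phase2": " ".join(parts),
        # TTLS with only an EAP inner method is the combination that failed here.
        "needs_workaround": "ttls" in eap and bool(autheap) and not auth,
    }


if __name__ == "__main__":
    for text in (APPLET_PROFILE, WORKAROUND_PROFILE):
        r = inspect_profile(text)
        print(r["id"], r["eap"], repr(r["phase2"]), "needs_workaround =", r["needs_workaround"])
```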

