Bug 611024

Summary: Can't connect to network using WPA2-EAP
Product: [openSUSE] openSUSE 11.3 Reporter: Andrew Jorgensen <ajorgensen>
Component: NetworkAssignee: E-mail List <bnc-team-screening>
Status: RESOLVED DUPLICATE QA Contact: E-mail List <qa-bugs>
Severity: Critical    
Priority: P5 - None    
Version: Milestone 7   
Target Milestone: ---   
Hardware: i686   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Fix fallback from failed PMKSA caching into full EAP authentication

Description Andrew Jorgensen 2010-06-02 16:09:59 UTC 
Found this while testing milestone 7 here at work (Novell Provo Campus): When I try to connect to the "Novell" network using PEAP / MSCHAPv2:

WPA: Failed to get master session key from EAPOL state machines
WPA: Key handshake aborted

It fails in this way several times and then sometimes will connect eventually but usually times will not.

This system uses the ath5k driver.
Comment 1 Andrew Jorgensen 2010-06-02 16:59:50 UTC 
Just tried on another box, this one using iwl3945, with the same result (except that I have not as yet been able to make it connect at all).

It should be noted that the settings (PEAP / MSCHAPv2) where gleaned from an authenticated windows host, so they are known to be correct.

Fedora 13 also connects correctly.  It has wpa_supplicant 0.6.8.  The latest stable version right now is 0.6.10.  11.2 had 0.6.9.  11.3 has 0.7.1 (a development version).  We may want to revert to 0.6.10?  It does seem a bad idea to use a development version of a security tool.

I manually installed the wpa_supplicant from 11.2 and was able to connect immediately.  Please consider reverting to the stable version of wpa_supplicant for 11.3.
Comment 2 Andrew Jorgensen 2010-06-02 17:35:41 UTC 
Scratch 0.6.10, it fails in the same way.  The last version that works is 0.6.9.  I'll have a look at the changes and see if I can't determine what went wrong but I am not expert in this area (not even close).  If someone at SUSE is a wpa_supplicant hacker I would really appreciate some help.
Comment 3 Andrew Jorgensen 2010-06-02 17:36:58 UTC 
Another thing I'm noticing that happens sometimes is that wpa_supplicant will actually connect but somehow NM doesn't see that it succeeded.  There may be some communications problems there.
Comment 4 Andrew Jorgensen 2010-06-02 18:16:44 UTC 
Created attachment 366481 [details]
Fix fallback from failed PMKSA caching into full EAP authentication

Pulled this out of the wpa_supplicant git tree (post 0.6.10, on the 0.6 branch).  With this patch I connect every time without fail.  I'm sure there's a similar patch on the 0.7 branch.
Comment 5 Andrew Jorgensen 2010-06-02 18:39:40 UTC 
Ah, duplicate, and already patched in the "hardware" project.

*** This bug has been marked as a duplicate of bug 601501 ***