andrew-bibb / cmst

QT GUI for Connman

Unable to connect to ieee8021x using PEAP w/MSCHAPv2 secured network #2

Closed Kelet closed 9 years ago

Kelet commented 10 years ago

Hello,

When trying to connect to my university's IEEE 802.1x encrypted wireless network, which uses PEAP with MSCHAPv2, clicking connect doesn't do anything. I'd expect that it gives a dialog box asking for a username and password. From some cursory googling, ConnMan seems to support this.

andrew-bibb commented 10 years ago

This sounds very similar to an error somebody else reported. I'm in the dark here as I don't have access to that type of network, so if you could try a couple of things for me to try and track it down I'd appreciate it.

First make sure you are not connected, and then start the program with the -l switch (cmst -l) and then try to connect. What happens when you press 'connect' is that CMST sends the connect message to connman. If connman does not have enough information to make the connection it sends a request back for it. As far as I know I've implemented handling for all of the requests listed in the API. The -l switch will log the request from connman in "/tmp/cmst/input_request.log". If you could try and do a connect, then see if the log file exists (it will only exist if connman made a request for information) and if it does post the contents here.

Since there is no dialog at all coming up I'm thinking we are not going to find the log, but I'd like to try that first. Then I'd like to try it from the command line. My apologies if you know how to do this, I'm writing out the commands just in case.

First type: connmanctl [return]. This will put you into connman interactive mode, and the prompt will change to connmanctl>

Then type: scan wifi [return]

Then: services [return]

That should give you a list of available wifi services.

Next type: agent on [return]

Then type: connect [the name of your wifi service] [return]

To end type: quit [return]

The name of the wifi service should be really long, this is an example from where I am now: wifi_00183906a454_426962624e65742d576972656c657373_managed_psk

If the connection succeeds I'd be very interested in what information connman asks of you. If it does not work there may not be much I can do. All my program does is interface with connman, all of the heavy lifting is done by the connman daemon. If we can't get a connection using their command line interface we may be done.

Kelet commented 10 years ago

Thanks, your mini-tutorial saved me some time. I've actually taken refuge from the usual suspects and have only recently landed on ConnMan (& cmst) as a prospective solution to my connection woes.

Here is my session:

$ connmanctl

connmanctl> scan wifi
Scan completed for wifi

connmanctl> services
   UCF_Guest            wifi_001f3a9d7505_5543465f4775657374_managed_none
   UCF_WPA2             wifi_001f3a9d7505_5543465f57504132_managed_ieee8021x

connmanctl> agent on
Agent registered

connmanctl> connect wifi_001f3a9d7505_5543465f57504132_managed_ieee8021x
Error /net/connman/service/wifi_001f3a9d7505_5543465f57504132_managed_ieee8021x: Invalid arguments

connmanctl> connect wifi_001f3a9d7505_5543465f4775657374_managed_none
Connected wifi_001f3a9d7505_5543465f4775657374_managed_none

As you can see, the network in question gives me Invalid arguments, whereas the unsecured guest network works fine. Unfortunately, it seems to be related to this issue. It is marked as resolved, but the resolution is that it's the user's responsibility to solve the problem. Universities, at least in my experiences in the United States, typically use PEAP with MSCHAPv2 on their secured networks. It's a shame so many connection tools make it a hassle for so many to connect to their university's network. But I realize you can't do much about it as it is primarily a ConnMan issue.

With that, cmst could become more usable by having an interface for editing the configuration file for a network or connection similar to other related tools. This would create an easier path to getting this type of network up and running.

WhyNotHugo commented 10 years ago

PEAP w/MSCHAPv2 is just one variation of 802.1X. 802.1X is rather common in corporate and university environments. I've kept NM installed as a fallback which is a pain, because some programs assume there's no network if NM is installed but not running (boo!).

My mobile phone uses connman as well, and doesn't have the UI knobs either. The solution is to create a configuration file, and then use the UI to connect, and that works. This did not work on cmst. :(

Most routers can host this type of network, you'll need to set up RADIUS, and 802.1X (often labeled "WPA-Enterprise", though no actual spec seems to reference this name) on it.

I can provide detailed logs about other stuff as well if you like/don't have the resources for that.

If you really want and can't get a test environment, I can set up some old router with 802.1X (with PEAP), and an unused laptop sitting next to it, and grant you SSH to it. The only downsides are: (a) latency (b) I only have a PPC extra laptop, so it'd probably be Debian.

andrew-bibb commented 10 years ago

I will definitely take the help on this. We've discovered a new issue with peer to peer connections (didn't even know what they were until this morning) and we need to get that ironed out. As soon as that is done I'll move over to this one. I should at least have it so the precanned configuration file should work. The canned configuration file seems to be the solution of the moment from the connman documents.

andrew-bibb commented 10 years ago

Almost this exact same question about not being able to connect was asked on the connman mailing list today. Waiting to see what the response is, may be able to short circuit the whole process.

Possibly related: I'm about ready (may be two or three days away) from activating the service editor. If that editor won't help with this problem at least it will be out of my way so I can concentrate on this item.

andrew-bibb commented 10 years ago

I'm back with some more time to look at this. I think I finally know what needs to be done, and I'm going to start a provisioning file editor. I will need some assistance in testing, but that is a ways off.

I looked at my router to see if I could set it to require the 2 stage authentication, but it is not supported. Just 4 variations of PSK in it.

andrew-bibb commented 10 years ago

I know it has taken a while, but I just merged a branch for the provisioning editor into master. The provisioning editor should allow you to create, read, edit, delete and save config files to /var/lib/connman.

The editor also has two Eduroam templates built in that can be used as seeds. One is the short template shipped with newer versions of Connman, the other is the longer version from the Arch Linux Connman Wiki.

The editor is hidden by default; to show the control button go to the Preferences tab and check the new "Advanced Controls" box. The Provisioning editor button will then appear in the lower left corner by the "Whats This" button.

Sorry it has taken so long, but this was a major piece of work. If anybody is still following this and wants to try it out I'd appreciate it. I need to update the manual page and add a ton of help text, but other than that everything should work.

I needed to do a complete overhaul of the file and directory structure to implement this, so if you try it out do so in a clean directory. Very few of the files are where they used to be.
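
As an added example (not part of this thread, and not code from cmst or ConnMan), this Python code decodes the service identifiers shown in the connmanctl session above and renders a provisioning file body for a PEAP/MSCHAPv2 network, the kind of file the editor described here manages. The keys follow ConnMan's documented provisioning format; the identity, passphrase and CA path are placeholders, and refusing to render without a CA certificate is this example's own choice.

```python
import re

# Service id layout seen in the connmanctl session in this thread:
# wifi_<adapter MAC>_<SSID as hex>_<mode>_<security>
SERVICE_RE = re.compile(
    r"^wifi_(?P<mac>[0-9a-f]{12})_(?P<ssid>(?:[0-9a-f]{2})+)"
    r"_(?P<mode>[a-z]+)_(?P<security>[a-z0-9]+)$")


def parse_service_id(service_id):
    """Split a ConnMan wifi service id and decode its hex-encoded SSID."""
    m = SERVICE_RE.match(service_id)
    if m is None:
        raise ValueError(f"not a wifi service id: {service_id!r}")
    info = m.groupdict()
    info["ssid"] = bytes.fromhex(info["ssid"]).decode("utf-8", "replace")
    return info


def peap_provisioning(service_id, identity, passphrase, ca_cert_file):
    """Render a provisioning file body for a PEAP/MSCHAPv2 network."""
    info = parse_service_id(service_id)
    if info["security"] != "ieee8021x":
        raise ValueError(f"{info['ssid']} is {info['security']}, not ieee8021x")
    if not ca_cert_file:
        # Design choice of this example: without a CA the client cannot
        # verify the RADIUS server it hands the credentials to.
        raise ValueError("ca_cert_file is required")
    for value in (info["ssid"], identity, passphrase, ca_cert_file):
        if "\n" in value or "\r" in value:
            raise ValueError("line breaks are not allowed in field values")
    section = re.sub(r"[^A-Za-z0-9]", "_", info["ssid"]).lower()
    return "\n".join([
        f"[service_{section}]",
        "Type = wifi",
        f"Name = {info['ssid']}",
        "EAP = peap",
        f"CACertFile = {ca_cert_file}",
        "Phase2 = MSCHAPV2",
        f"Identity = {identity}",
        f"Passphrase = {passphrase}",
    ]) + "\n"


if __name__ == "__main__":
    # Service id from the session in this thread; the rest are placeholders.
    print(peap_provisioning(
        "wifi_001f3a9d7505_5543465f57504132_managed_ieee8021x",
        "user@example.edu", "CHANGE-ME", "/etc/ssl/certs/example-ca.pem"))
```

The rendered text belongs in a file ending in .config under /var/lib/connman; because it holds the passphrase in clear text, keep that file readable by root only.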

andrew-bibb commented 9 years ago

The provisioning editor is included in the 14.11.18 release, so I'm going to close this issue now.