EAP-TLV: Earlier failure - force failed Phase 2

Jouni Malinen j at w1.fi
Mon Jan 4 15:29:55 PST 2016


On Mon, Jan 04, 2016 at 02:46:43PM -0800, Adam Jacobs wrote:
> My laptop runs Ubuntu, and when I reproduced the error, it was invoking wpa_supplicant via NetworkManager.  Of course, to test disabling TLS1.2, I had to shut off NetworkManager and invoke wpa_supplicant manually.
> 
> What I've now discovered is that if I invoke wpa_supplicant manually, everything works fine even if I DON'T disable TLS1.2.

You might want to try to test this with NetworkManager and just
increasing debug verbosity for wpa_supplicant, e.g., by killing the
existing wpa_supplicant process and starting another one with something
like "-dddtu -f /tmp/wpas.log" on the command line.

> My config looks like this:
> 
> network={
>   ssid="Mocana-SECURE"
>   key_mgmt=WPA-EAP
>   eap=PEAP
>   identity="ajacobs"
>   password="**********"
>   phase2="auth=MSCHAPV2"
>   ca_cert="/usr/local/etc/MocanaRoot.pem"
> }

Based on a couple of logs that Dan pointed me to, the only real
differences to that with NM would be addition of fragment_size=1300 (or
something around that value) and proactive_key_caching=1. I don't know
how either of these would cause the issue, but well, I guess it is worth
trying these (or that debugging mechanism with NM mentioned above). In
any case, I don't think I can do much more without the issue being
reproduced with verbose debugging enabled in wpa_supplicant.

> So it must be something about the way NetworkManager is calling/managing NetworkSupplicant that causes this failure.  Unfortunately I don't know of any way to debug that further, and as I've shown wpa_supplicant to be working properly it is probably no longer the domain of this group. Still, I'm happy to take suggestions if anyone has any ideas for debugging further.

NM should not be able to configure wpa_supplicant in a way that causes
this type of interop issue, so I'd interpret that a bit differently: at
least one configuration of wpa_supplicant works, but something else in
the configuration or timing or whatever makes this fail in some other
cases.

-- 
Jouni Malinen                                            PGP id EFC895FA


