NetworkManager enterprise encryption (Eduroam style) works again

NetworkManager was recently updated in Fedora 8. The newest version now works well again with a specific but widely used enterprise encryption method.

One of the major regressions in Fedora 8 was that the new NetworkManager did not work with a specific encryption method used by the European Eduroam (WLAN) project. This network uses a certificate-based TKIP-TTLS-PAP encryption system to allow or deny access to wireless university networks across Europe and is therefore at home at almost all larger universities in Europe (and Australia, btw.).

The proper solution to handle that situation was to configure wpa_supplicant manually or to run other tools or home-made scripts.
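
A manual wpa_supplicant configuration for the setup described above (WPA with TKIP, EAP-TTLS outer method, PAP inner method), as an added example that is not from the original post. The SSID, identities, password, file paths, interface name and RADIUS server name are placeholders or assumptions. PAP hands the password to whichever server terminates the TTLS tunnel, so the block pins both the CA and the server name.

```conf
# Constructed example: /etc/wpa_supplicant/eduroam.conf (placeholder path)
# Start with: wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/eduroam.conf
# (wlan0 is an assumed interface name)
ctrl_interface=/var/run/wpa_supplicant

network={
    # Assumed SSID; use the one your institution broadcasts
    ssid="eduroam"

    # WPA-Enterprise (802.1X) with TKIP, as described in the post
    key_mgmt=WPA-EAP
    proto=WPA
    pairwise=TKIP
    group=TKIP

    # Outer method TTLS, inner method PAP
    eap=TTLS
    phase2="auth=PAP"

    # The outer identity travels unencrypted, so keep the real user name
    # out of it; the real identity is only sent inside the TLS tunnel.
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="placeholder-password"

    # Server validation: without ca_cert the client accepts any server
    # certificate, and the PAP password goes to whoever answers.
    ca_cert="/etc/pki/tls/certs/example-edu-ca.pem"
    # Also require the expected RADIUS server name in the certificate
    altsubject_match="DNS:radius.example.edu"
}
```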

Two days ago, after more than two months, an update of libnl required a rebuild of NetworkManager and libdhcp as well. And with these updates, the login works again without any further problem.

It is not entirely clear why the bug is now fixed, but it looks like the libnl package had some serious problems which might have caused the problem. I hope that NetworkManager soon reaches a state where all promised 0.7 features are available – and where I have a KDE GUI to configure them :)

While the issue is solved, the bug itself raises some valid questions: if the bug hit all Eduroam users, who are mostly students or academic people, groups with a high percentage of Linux users, why did so few people care? Is it because most European users don’t use Fedora but openSUSE, Mandriva or Ubuntu, none of which shipped that specific NetworkManager version?
Or did the system work for most people and fail only for some odd reason for me and a couple of others? Strange in any case.


13 thoughts on “NetworkManager enterprise encryption (Eduroam style) works again”

  1. I am a student from Dresden using the eduroam network.
    But I am using Arch Linux and will keep using their network scripts until they release the nm0.7 with a useful kde-gui. But it seems to me the knetworkmanager development has stalled, the last commit was 4 weeks ago =(
    Really too bad, as the NM changes for 0.7 look sooooo promising =/

  2. My university uses a certificate based system as well, but with dynamic WEP keys and EAP-TLS authentication.

    To connect I have to use wpa_supplicant, which is nothing more than making the conf file and calling it. Meanwhile, I can connect with KNetworkManager, provided wpa_supplicant was started manually and is running in the background.

    This was not always the case. In the earlier times of KNetworkManager, I wrote a boot script for wpa_supplicant and used it for any network, since it was not possible to connect via knw. It was kind of pedestrian, but worked.

    As it does now, with the system icon telling me the current connectivity status. Of course, I would be happier to do everything with knw, but I am satisfied sufficiently. Further, I am neither familiar with C++ nor network auth methods.

    This is my excuse :D

  3. Karsten, is arch using NM 0.6.x or its own scripts? And as Kevin pointed out, knetworkmanager for NM 0.7 is in development, but that development takes place in another directory.

    blizzz, have you reported this behaviour in a bug report? I thought WEP/EAP-TLS is well supported in NM. Or is it just knm which is missing the configuration option?

  4. Tried with OpenSUSE 10.3 before and nothing worked. I even had issues in my home network.
    I’m now using Ubuntu Gutsy and nm 0.65. Nothing works. But the home net is fine.

  5. Ohhh, sorry I didn’t know he was using a new directory for knm 0.7, I am deeply sorry for my false statement and looking forward to it =)

    Arch Linux has a basic network system which is soon to be extended and replaced by this one:
    http://wiki.archlinux.org/index.php/Network_Profiles, but basically it stays very simple and you have to modify the profiles by hand with a text editor, keeping to the KISS principles of Arch.
    But you can use NM of course, and I plan to as soon as .7 hits due to different static ips everywhere I go, except eduroam.

  6. I’m from Dresden too but use Kubuntu Gutsy. With the updated packages eduroam works … somehow fine.

    There seem to be some problems with roaming, so using KNetworkManager I get asked again and again for the login information; after several tries (3 – 8 <- this is no joke) – it works.

  7. Martin, Gutsy uses the old NM of the 0.6.x series afaik, so there should be no problems at all!

    Karsten, thx for the detailed answer.

    zdzichu/blizzz, my current NM system has an option to activate dynamic WEP:

    NetworkManager: <info>  Config: added 'ssid' value 'PGWLAN'
    NetworkManager: <info>  Config: added 'key_mgmt' value 'IEEE8021X'
    NetworkManager: <info>  Config: added 'password' value '<omitted>'
    NetworkManager: <info>  Config: added 'eap' value 'PEAP'
    NetworkManager: <info>  Config: added 'phase1' value 'peapver=0'
    NetworkManager: <info>  Config: added 'phase2' value 'auth=MSCHAPV2'
    NetworkManager: <info>  Config: added 'identity' value 'username'
    

    Instead of PEAP you can also use LEAP or TLS, it’s all available in NetworkManager. Technically, it should work.

  8. Just verified it at our university (Maribor, Slovenia), and it works, finally! Yay!

    liquidat: You’ve mentioned that there have been only a few reports and complaints about this issue.

    Well, I’m a CS student and I know only of one other guy who also uses Fedora 8 at our university. Both of us are stoics. He simply googled up a script for wpa_supplicant – circumventing NM – and has used it since.

    I’ve tried to do the same a couple of months ago, and I came to believe that wpa_supplicant did not support the new wireless subsystem (mac80211, specifically the iwl3945 driver). I didn’t bother to verify this assumption so I simply accepted it and decided to wait until wpa_supplicant catches up (or NM for that matter). In fact I had other means to gain access to the web (either dual-boot or wired). So I waited :)

    Sheer laziness, I guess :)

  9. liquidat:
    knm is just missing options, but I will try to do it with the wpa2 enterprise settings as an answer from zdzichu’s link says.
    I did not try it in the console, though. Maybe I will find some time tomorrow to test it.

  10. Matej, ok, I see, but thanks for the input. Btw., wpa_supplicant supports almost all network encryption technologies available; most of the time NM was the problematic part because they did not keep an eye on wpa_supplicant’s encryption support.

    blizzz, in the worst case you can also try to use the GNOME interface (nm-applet), it might be that it supports more options than the KDE GUI…
