Update: We have so far made a couple of discoveries, thanks to Petr Jediny.

We suspected an OpenSSL incompatibility in the OS, as PEAP creates an underlying TLS tunnel for auth and we see an error in wpa_supplicant regarding TLS negotiation (hello).

tl;dr - The cipher set of Ubuntu Bionic does not match (pass/negotiate) the ciphers on our appliance/radius. (We use Aruba appliances; the firmware is not up to date with the latest security standards. Aruba has been working on an update for the last three months (obviously without pressure).)

---

The radius/server or Aruba is accepting TLS_RSA_WITH_3DES_EDE_CBC_SHA.

The mentioned cipher suite is mandated by https://tools.ietf.org/html/rfc5216#section-2.4, but TLS_RSA_WITH_AES_128_CBC_SHA should be supported too.

It looks like the radius server is not accepting any of these suggested by the Ubuntu Bionic wpa_supplicant:

Cipher Suites (28 suites)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
    Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
    Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

TLS_RSA_WITH_AES_128_CBC_SHA is mentioned.

We think the issue directly relates to the removal of 3DES from Bionic:

    openssl ciphers -V '3DES'
    Error in cipher list
    139999040823744:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2129:

---

Note: a similar issue was discovered on Fedora as well, and it has this workaround: https://www.systutorials.com/docs/linux/man/8-update-crypto-policies/ and set the "LEGACY" crypto policy:

    $ update-crypto-policies --set LEGACY

---

I suggest keeping the bug open for a while, just in case somebody comes up with a workaround. In the long term this is not a problem of Ubuntu or gnome, but of the list of supported ciphers in Ubuntu Bionic vs. the HW appliances you connect to.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1748839

Title: Problem to connect to WPA2/PEAP WIFI - gnome-shell

Status in network-manager package in Ubuntu: Confirmed

Bug description:
Connection to open or WPA secured wifi works without any issues. Connection to WPA2/PEAP fails. Repeatedly asks for username/password. Possible gnome-shell integration issue.

The system was updated from Xenial to Bionic in mid-January. At that time this WPA2/PEAP setup worked without any issues. With the updates coming in the last week of January / First February week - the bug was experienced.

1)
➜ syncthing git:(master) lsb_release -rd
Description: Ubuntu Bionic Beaver (development branch)
Release: 18.04

2) - up to date packages
[code]
➜ cat /etc/apt/sources.list |egrep -v '^#'
deb http://cz.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://cz.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
deb http://cz.archive.ubuntu.com/ubuntu/ bionic universe
deb http://cz.archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://cz.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://cz.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
deb http://security.ubuntu.com/ubuntu/ bionic-security multiverse main universe restricted
[/code]
Note: # some pkg version related to problem might be from proposed-updates repo

2b)
[code]
dpkg -l |egrep -i 'network manager|networkm|libnm'
ii gir1.2-networkmanager-1.0:amd64 1.8.4-1ubuntu4 amd64 GObject introspection data for the libnm-glib/libnm-util library
ii gir1.2-nm-1.0:amd64 1.8.4-1ubuntu4 amd64 GObject introspection data for the libnm library
ii gir1.2-nmgtk-1.0:amd64 1.8.10-2ubuntu1 amd64 GObject introspection data for libnm-gtk
ii libnm-glib-vpn1:amd64 1.8.4-1ubuntu4 amd64 network management framework (GLib VPN shared library)
ii libnm-glib4:amd64 1.8.4-1ubuntu4 amd64 network management framework (GLib shared library)
ii libnm-gtk0:amd64 1.8.10-2ubuntu1 amd64 library for wireless and mobile dialogs (libnm-glib version)
ii libnm-util2:amd64 1.8.4-1ubuntu4 amd64 network management framework (shared library)
ii libnm0:amd64 1.8.4-1ubuntu4 amd64 GObject-based client library for NetworkManager
ii libnma0:amd64 1.8.10-2ubuntu1 amd64 library for wireless and mobile dialogs (libnm version)
ii libproxy1-plugin-networkmanager:amd64 0.4.15-0ubuntu1 amd64 automatic proxy configuration management library (Network Manager plugin)
ii network-manager-config-connectivity-ubuntu 1.8.4-1ubuntu4 all NetworkManager configuration to enable connectivity checking
ii strongswan-nm 5.6.1-2ubuntu1 amd64 strongSwan plugin to interact with NetworkManager
ii wpasupplicant 2:2.6-15ubuntu2 amd64 client support for WPA and WPA2 (IEEE 802.11i)
[/code]

3,4)
Connection to open or WPA secured wifi works without any issues. Connection to WPA2/PEAP (without cert, just with username/password) fails. Although the wifi layer gets associated, the client (network-manager), possibly due to a bug, deauthenticates itself without establishing an IP connection.

Connect to network.

5) Logs (syslog/kernel)

Core moments:
[code]
Feb 12 09:19:02 dontpanic NetworkManager[1125]: <info> [1518423542.9125] keyfile: update /etc/NetworkManager/system-connections/XXXXWiFi (82c55e94-907a-458a-ae31-8cbd75db0fa5,"XXXXWiFi")
Feb 12 09:19:02 dontpanic gnome-shell[4284]: g_value_get_string: assertion 'G_VALUE_HOLDS_STRING (value)' failed

and ...

Feb 12 09:19:02 dontpanic NetworkManager[1125]: <info> [1518423542.9450] device (wlp4s0): Activation: (wifi) connection 'XXXXWiFi' has security, and secrets exist. No new secrets needed.
Feb 12 09:19:02 dontpanic NetworkManager[1125]: <info> [1518423542.9450] Config: added 'ssid' value 'XXXXWiFi'
Feb 12 09:19:02 dontpanic NetworkManager[1125]: <info> [1518423542.9451] Config: added 'scan_ssid' value '1'
Feb 12 09:19:02 dontpanic NetworkManager[1125]: <info> [1518423542.9451] Config: added 'key_mgmt' value 'WPA-EAP'
Feb 12 09:19:02 dontpanic NetworkManager[1125]: <info> [1518423542.9451] Config: added 'password' value '<hidden>'
Feb 12 09:19:02 dontpanic NetworkManager[1125]: <info> [1518423542.9451] Config: added 'eap' value 'PEAP'
Feb 12 09:19:02 dontpanic NetworkManager[1125]: <info> [1518423542.9451] Config: added 'fragment_size' value '1266'
Feb 12 09:19:02 dontpanic NetworkManager[1125]: <info> [1518423542.9452] Config: added 'phase2' value 'auth=MSCHAPV2'
Feb 12 09:19:02 dontpanic NetworkManager[1125]: <info> [1518423542.9452] Config: added 'ca_cert' value '/home/myuser/Private/certs/XXXX/gd_bundle-g2-g1.crt'
Feb 12 09:19:02 dontpanic NetworkManager[1125]: <info> [1518423542.9452] Config: added 'identity' value 'myuser'
Feb 12 09:19:02 dontpanic NetworkManager[1125]: <info> [1518423542.9452] Config: added 'bgscan' value 'simple:30:-65:300'
Feb 12 09:19:02 dontpanic NetworkManager[1125]: <info> [1518423542.9452] Config: added 'proactive_key_caching' value '1'
Feb 12 09:19:02 dontpanic gnome-shell[4284]: Object St.Widget (0x560ce05e34e0), has been already finalized. Impossible to get any property from it.
Feb 12 09:19:02 dontpanic gnome-shell[4284]: Object St.Widget (0x560ce05e34e0), has been already finalized. Impossible to set any property to it.
Feb 12 09:19:02 dontpanic org.gnome.Shell.desktop[4284]: == Stack trace for context 0x560cdbda6000 ==
Feb 12 09:19:02 dontpanic org.gnome.Shell.desktop[4284]: #0 0x7ffd47fd8fd0 I resource:///org/gnome/shell/ui/tweener.js:73 (0x7fd5066ddef0 @ 9)
Feb 12 09:19:02 dontpanic org.gnome.Shell.desktop[4284]: #1 0x7ffd47fd9070 b resource:///org/gnome/shell/ui/tweener.js:105 (0x7fd5066df230 @ 36)
....
[/code]

Full logs attached.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1748839/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
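
Added example, not part of the original bug report or of any project's code: a small Python parser that pulls the cipher_suites vector out of a ClientHello and intersects it with what the authentication server accepts, which is the check behind the diagnosis above. The ClientHello is constructed inline from the 28 codes listed in the comment; the function names and the assumption that the server accepts only the 3DES suite are illustrative.

```python
import struct

# Names as used on this page; 0x000A is the IANA code for the 3DES suite.
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F

# The 28 suite codes from the ClientHello dump above, in the order offered.
BIONIC_OFFER = [
    0xC02C, 0xC030, 0x009F, 0xCCA9, 0xCCA8, 0xCCAA, 0xC02B, 0xC02F, 0x009E, 0xC024,
    0xC028, 0x006B, 0xC023, 0xC027, 0x0067, 0xC00A, 0xC014, 0x0039, 0xC009, 0xC013,
    0x0033, 0x009D, 0x009C, 0x003D, 0x003C, 0x0035, 0x002F, 0x00FF,
]

def build_client_hello(suites):
    """Constructed sample input: a minimal ClientHello record without extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"  # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_suites(record):
    """Return the cipher suite codes of a TLS record that holds a whole ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) < 35:
        raise ValueError("ClientHello truncated before session_id")
    pos = 34 + 1 + body[34]  # skip client_version, random and session_id
    if pos + 2 > len(body):
        raise ValueError("ClientHello truncated before cipher_suites")
    (size,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if size % 2 or pos + size > len(body):
        raise ValueError("malformed or truncated cipher_suites vector")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + size, 2)]

def negotiable(record, server_accepts):
    """Suites both ends share, in the client's preference order."""
    return [s for s in offered_suites(record) if s in server_accepts]

if __name__ == "__main__":
    hello = build_client_hello(BIONIC_OFFER)
    # Assumption: the RADIUS server accepts only the 3DES suite.
    print(negotiable(hello, {TLS_RSA_WITH_3DES_EDE_CBC_SHA}))
```

An empty result means the server has nothing to select from the client's offer, so the handshake cannot complete; a real PEAP capture may split the ClientHello across EAP fragments, which must be reassembled before parsing.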