Bugzilla – Full Text Bug Listing

| Summary: | wpa_supplicant: Lacking support for PWD as EAP method | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | flo gleixner <gleixner> |
| Component: | Network | Assignee: | Ruediger Oertel <ro> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | ada.lovelace, astieger, gleixner, jengelh, karol, ro |
| Version: | Leap 15.0 | | |
| Target Milestone: | --- | | |
| Hardware: | x86-64 | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |

Description
flo gleixner
2018-09-20 21:51:25 UTC
We have different accounts of this working. Hmm, your own docs: https://www.lrz.de/services/netz/mobil/802_1x/802_1x-linux-ubuntu/

Flo, does it not work at all or would this add another (better) option? Asking local openSUSE contributors who are in Eduroam range...

I am at a conference at the Nuremberg Institute of Technology at the moment. We are using WPA2-EAP for eduroam at our university and for our student accounts. It works fine on openSUSE Leap 15.0 at the moment. My version:

```
rpm -qa wpa_supplicant
wpa_supplicant-2.6-lp150.3.3.1.x86_64
```

The difference between Nuremberg and LRZ is that we have to use a Telekom certificate (CA-Zertifikat) in addition to our account.

You can choose the Authentication Method "PWD" in NetworkManager. PWD is much easier than PEAP and it is secure enough. It is the preferred method for Android devices today. While connecting to eduroam using PEAP works, when I try PWD, it silently fails. The Logfile /var/log/wpa_supplicant.log says:

```
Line 0: unknown EAP method 'PWD'
You may need to add support for this EAP method during wpa_supplicant
build time configuration.
```

The packet maintainer should set CONFIG_EAP_PWD=y and rebuild wpa_supplicant (preferred!) or the option should not be in the NetworkManager (not preferred!).

I know something like that from other universities. Our eduroam works only with a special certificate and the following configuration: https://www.th-nuernberg.de/fileadmin/global/Gelenkte_Doks/ZE/RZ/RZ_5404_HR_Eduroam-Linux_public.pdf

I have been surprised about our wireless security, but no other configuration works. Do we have Fernuni students in the community / at SUSE? They can use a configuration without Telekom certificate.

Thanks for bringing this up. I've created a couple of submit requests for our openSUSE products enabling this feature within wpa_supplicant:

- Factory: https://build.opensuse.org/request/show/637009
- Leap 15.0: https://build.opensuse.org/request/show/637012
- Leap 42.3: https://build.opensuse.org/request/show/637014

Our version of wpa_supplicant in Leap 42.3 is based on upstream version 2.2, which was vulnerable to a couple of CVEs in the EAP-PWD component (CVE-2015-5314, CVE-2015-5315, CVE-2015-5316), but they have been fixed with the patches

However, these patches are missing the CVE references and I don't want to simply add them to the changes file, since this will confuse our tooling.

Chiming in for the record. It also works with: WPA2 Enterprise, Tunneled TLS, anonymous@gwdg.de, and then MSCHAPv2 with a plaintext as inner authentication. On Android, something with PEAP.

SUSE-SU-2018:3480-1: An update that solves one vulnerability and has 5 fixes is now available.

- Category: security (moderate)
- Bug References: 1080798,1098854,1099835,1104205,1109209,1111873
- CVE References: CVE-2018-14526
- Sources used: SUSE Linux Enterprise Module for Basesystem 15 (src): wpa_supplicant-2.6-4.11.1

openSUSE-SU-2018:3539-1: An update that solves one vulnerability and has 5 fixes is now available.

- Category: security (moderate)
- Bug References: 1080798,1098854,1099835,1104205,1109209,1111873
- CVE References: CVE-2018-14526
- Sources used: openSUSE Leap 15.0 (src): wpa_supplicant-2.6-lp150.3.6.1

Closing this bug, since it has been fixed in the meantime for all codestreams. SLE-12 / openSUSE 42.3 might not yet be released, but should become available soon-ish and there is nothing else to do in this bug.

SUSE-SU-2019:1088-1: An update that solves one vulnerability and has one errata is now available.

- Category: security (moderate)
- Bug References: 1104205,1109209
- CVE References: CVE-2018-14526
- Sources used:
  - SUSE OpenStack Cloud 7 (src): wpa_supplicant-2.6-15.10.1
  - SUSE Linux Enterprise Server for SAP 12-SP2 (src): wpa_supplicant-2.6-15.10.1
  - SUSE Linux Enterprise Server 12-SP4 (src): wpa_supplicant-2.6-15.10.1
  - SUSE Linux Enterprise Server 12-SP3 (src): wpa_supplicant-2.6-15.10.1
  - SUSE Linux Enterprise Server 12-SP2-LTSS (src): wpa_supplicant-2.6-15.10.1
  - SUSE Linux Enterprise Server 12-SP2-BCL (src): wpa_supplicant-2.6-15.10.1
  - SUSE Linux Enterprise Server 12-SP1-LTSS (src): wpa_supplicant-2.6-15.10.1
  - SUSE Linux Enterprise Server 12-LTSS (src): wpa_supplicant-2.6-15.10.1
  - SUSE Linux Enterprise Desktop 12-SP4 (src): wpa_supplicant-2.6-15.10.1
  - SUSE Linux Enterprise Desktop 12-SP3 (src): wpa_supplicant-2.6-15.10.1
  - SUSE Enterprise Storage 4 (src): wpa_supplicant-2.6-15.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1345-1: An update that solves one vulnerability and has one errata is now available.

- Category: security (moderate)
- Bug References: 1104205,1109209
- CVE References: CVE-2018-14526
- Sources used: openSUSE Leap 42.3 (src): wpa_supplicant-2.6-16.1
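
The mismatch this bug describes (a network profile selecting an EAP method that the installed wpa_supplicant was built without) can be checked before connecting. The following is an added example, not code from the bug report or from the openSUSE package; the file names, the sample build configuration and the sample network blocks are constructed, and the method-to-option mapping covers only the methods named in this thread plus TLS.

```shell
# Added example; the file names and their contents are constructed samples.

# Map an EAP method name from an eap= line to its wpa_supplicant build option.
eap_option() {
    case "$1" in
        PWD|PEAP|TTLS|TLS|MSCHAPV2) echo "CONFIG_EAP_$1" ;;
        *) return 1 ;;
    esac
}

# Print each method used in conf ($2) that build config ($1) does not enable.
# A disabled option is commented out, so the match is anchored at line start.
missing_eap_methods() {
    sed -n 's/^[[:space:]]*eap=//p' "$2" | tr ' ' '\n' | sort -u |
    while read -r method; do
        [ -n "$method" ] || continue
        opt=$(eap_option "$method") || { echo "$method (not mapped)"; continue; }
        grep -q "^${opt}=y" "$1" || echo "$method"
    done
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/build.config" <<'EOF'
CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_MSCHAPV2=y
#CONFIG_EAP_PWD=y
EOF

cat > "$tmp/wpa.conf" <<'EOF'
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PWD
    identity="user@example.org"
    password="constructed-placeholder"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP TTLS
    identity="user@example.org"
    password="constructed-placeholder"
}
EOF
echo "Methods configured but not built in:"
missing_eap_methods "$tmp/build.config" "$tmp/wpa.conf"
```

With the sample build configuration the only method reported is PWD; once `CONFIG_EAP_PWD=y` is uncommented the function prints nothing.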