Please apply the EAP-FAST from the wpasupplicant source

Bug #34982 reported by mark

This bug affects 3 people

| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| openssl (Ubuntu) | Invalid | Medium | Unassigned | |
| wpa (Ubuntu) | Fix Released | Medium | Mathieu Trudel-Lapierre | |

Bug Description

In order to properly support the EAP-FAST protocol, the openssl source needs to be patched.

The EAP-FAST protocol is supported by wpasupplicant, but is currently blocked by lacking support in the openssl library in ubuntu.

Matt Zimmerman (mdz)
Changed in wpasupplicant:
assignee: nobody → siretart

Reinhard Tartler (siretart) wrote : buildlog

I tried to enable EAP-fast support, but found a comment in our config file that this would need a rebuild of openssl. I tried it anyway, and it failed as expected. find attached the buildlog.

Reinhard Tartler (siretart) wrote : Re: EAP-FAST not enabled in wpasupplicant

this bug affects openssl as well. in order to fix this bug, I need to investigate what changes in openssl would be necessary and evaluate the impact of that. perhaps an openssl guru could help me with that?

Changed in wpasupplicant:
status: Unconfirmed → Needs Info

mark (mkrisch) wrote :

there's a patch for openssl in the wpasupplicant tarball. look for openssl-tls-extensions.patch.

Reinhard Tartler (siretart) wrote :

ok, now I begin to understand. There is a proposed patch for current openssl shipped in the wpasupplicant upstream tarball, and under consideration at upstream.

I'm rejecting the wpasupplicant task for now, because without this patch, there is no point in enabling EAP-FAST support in wpasupplicant. After this patch has been merged into openssl, I'm happy to enable EAP-FAST.

The bugtask in openssl remains open for consideration of that patch.

Changed in wpasupplicant:
status: Needs Info → Rejected

Reinhard Tartler (siretart) wrote : openssl-tls-extensions.patch

the patch in question from the wpasupplicant source tarball.

Basilio Kublik (sourcercito) wrote : Re: EAP-FAST not enabled in wpasupplicant

Thank you for taking the time to report this bug and helping to make Ubuntu better. You reported this bug a while ago and there hasn't been any activity in it recently. We were wondering if this is still an issue for you? Thanks in advance.

Changed in openssl:
status: New → Incomplete

mark (mkrisch) wrote :

i haven't checked it out in a while, to be honest. i was having trouble with wpasupplicant not dealing with hidden ssids, so i haven't gotten back to this issue. but if EAP-FAST is still not natively supported by Ubuntu, then i think that's a problem. EAP-FAST is in use in enterprise environments, and if corporate IT folks aren't running Red Hat on their laptops, then they're running Ubuntu, and out of the box support would be a Good Thing (tm).

Praveen (ప్రవీణ్) Garlapati (గార్లపాటి) (praveengarlapati) wrote :

The bug is still present in gutsy.
I still am not able to connect to the wireless network with EAP-FAST authentication out of the box.

Pavel Pergamenshchik (ppergame) wrote :

Could we please get a better response than an automated message and an attempt to get rid of the bug? Is there a reason this patch can't be applied? What are we waiting for?

Praveen (ప్రవీణ్) Garlapati (గార్లపాటి) (praveengarlapati) wrote :

Is there any update on this ?
When can we expect EAP-FAST support in Ubuntu/Kubuntu ?

Glyph Lefkowitz (glyph) wrote :

Why is this "incomplete" and set to expire? The bug is still present, and a patch is available to fix it.

Reinhard Tartler (siretart) wrote :

I've updated the bug description with the current status, AFAIUI.

Having a quick look at the patch, it seems to me that it would break other applications linked to the libssl library. I'm not too sure about this though, someone with more insight wrt libssl should review the patch and negotiate with upstream about its inclusion. I assume that's why this bug is in 'incomplete' state.

description: updated

Glyph Lefkowitz (glyph) wrote :

The expiration is the thing that bothers me. I suppose we can keep poking it periodically with meaningless comments, but wouldn't a better solution be assigning this bug to someone who can do that negotiation with upstream?

Reinhard Tartler (siretart) wrote :

setting this bug to 'confirmed' so that it won't expire.

Changed in openssl:
status: Incomplete → Confirmed

Osama I. Al-Dosary (dosary) wrote :

EAP-FAST support is very important, as it is widely used in Enterprise environments. It is also the authentication mechanism recommended by Cisco who are currently the leading WLAN vendor.
When is this bug going to be fixed? In Hardy?

Reinhard Tartler (siretart) wrote :

it seems to be already reported at openssl upstream by Jouni Malinen (wpasupplicant upstream) here:

http://rt.openssl.org/Ticket/Display.html?id=1574&user=guest&pass=guest

I doubt it will make it for hardy, though.

Stephen Laverty (steve-alum) wrote :

Many of my co-workers and I would love to use Ubuntu at work as I have installed it on my standard-corporate-issue D630 laptop with great success but, like most large companies, we use EAP-FAST with our Cisco WLAN setup. This issue is preventing tens of people around me from switching to Ubuntu and I have to imagine this is a common plight. It's worth noting that this issue has been open for two years now. Do I read the above comment correctly, in that maintainers are waiting for the patch to be introduced into openssl? Why not apply it to the Ubuntu package? This seems like such a major roadblock to adoption.

Reinhard Tartler (siretart) wrote : Re: [Bug 34982] Re: Please apply the EAP-FAST from the wpasupplicant source

Stephen Laverty <email address hidden> writes:

> Why not apply it to the Ubuntu package? This seems like such a major
> roadblock to adoption.

Mainly because we are not sure what effects that patch has on other
packages using openssl.

Have you considered building your own openssl/wpasupplicant packages and
trying them out?

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Osama I. Al-Dosary (dosary) wrote :

Any plans for EAP-FAST support to be added to Ubuntu 8.10?
I hope this important network feature is added soon, as I see this shortcoming hindering Ubuntu adoption in my neck of the woods.

Adrian Quek (adrian-quek) wrote :

It seems that openssl does not have any plans to release this functionality with 0.9.9 anytime soon. Can we have an alternate version of openssl and wpasupplicant in the repository with the patches applied and the EAP-FAST enabled? (with disclaimers) Then users can choose to manually install the patched openssl and wpasupplicant if they wish to.
At least this will give users in enterprise environments a working implementation for wireless. Also you would get more people testing the effects of the patch on openssl.
I have used this successfully in my environment (built the openssl and wpa_supplicant from source) and I don't see why it is taking so long for such functionality to be added.

Reinhard Tartler (siretart) wrote :

Adrian Quek <email address hidden> writes:

> It seems that openssl does not have any plans to release this
> functionality with 0.9.9 anytime soon.

Can you please reference discussion with the openssl folks?

I didn't try to reach them myself yet, as I'm not very involved with
openssl development.

> Can we have an alternate version of openssl and wpasupplicant in the
> repository with the patches applied and the EAP-FAST enabled? (with
> disclaimers) Then users can choose to manually install the patched
> openssl and wpasupplicant if they wish to.

If we do this, we should add the patch to the source package and build
two binary packages, one with the patch and one without. Then we build
the wpasupplicant package against the patched one.

This means a giant maintenance overhead which I'm not willing to support
unless you can clearly point to conversations with upstream that show
with what reasons they reject that patch.

> At least this will give users in enterprise environments a working
> implementation for wireless.

I'm as well online in an enterprise environment without needing that
patch. don't overexaggerate.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Adrian Quek (adrian-quek) wrote :

Hi Reinhard,

I do not know if you are feeling offended. But I hope not.
I have not tried to reference the discussion with the openssl folks as it has already been reported. But what I think is that it would only be available for 0.9.9 release. However, there's no release date and no indication as to how long it will take.
I do understand that it is an overhead for maintaining the extra packages. I also do not know what overheads are required, so if it is too much to ask for, then I accept that.
I was not trying to overexaggerate, what I meant was enterprise environments which ONLY use EAP-FAST protocol for authenticating to wireless. Without the patch, there doesn't seem to be any other way to get that to work.

regards,
Adrian

Praveen (ప్రవీణ్) Garlapati (గార్లపాటి) (praveengarlapati) wrote :

The only alternative currently is to let network manager handle your wireless connection. It supports EAP-FAST.

Adrian Quek (adrian-quek) wrote :

I have not found any evidence that network manager supports EAP-FAST. Do you have any link to where I can find this information?

Reinhard Tartler (siretart) wrote :

Adrian Quek <email address hidden> writes:

> I have not tried to reference the discussion with the openssl folks as
> it has already been reported.

That's the reference I'm asking for.

> But what I think is that it would only be available for 0.9.9
> release. However, there's no release date and no indication as
> to how long it will take.

On what basis do you make this guess?

> I do understand that it is an overhead for maintaining the extra
> packages. I also do not know what overheads are required, so if it is
> too much to ask for, then I accept that.

This problem does not only affect ubuntu, but every distribution that
uses tools like wpa_supplicant and network-manager. Please let's try to
get this issue fixed at the right place: Openssl upstream.

> I was not trying to overexaggerate, what I meant was enterprise
> environments which ONLY use EAP-FAST protocol for authenticating to
> wireless. Without the patch, there doesn't seem to be any other way to
> get that to work.

That is indeed correct.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Joshua Duan (joshua-duan) wrote :

According to openssl developers:
http://rt.openssl.org/Ticket/History.html?id=1574
The support for EAP-FAST has been included.
Also for wpa_supplicant, it will build according to the patched openssl.

But i am not sure how Network Manager can support EAP-FAST because when i tried to add a new wireless connection, there is no option to choose EAP-FAST as authentication.

Stephen Laverty (steve-alum) wrote :

I notice that a year ago Josh pointed out that EAP-FAST became available in OpenSSL. There doesn't seem to have been any activity on this bug though. As stated in the log for OpenSSL bug #1574 (as seen in the URL below) by Steve of OpenSSL on November 15, 2008:

> Your patch has now been applied to HEAD. Thank you for the contribution.
> Let me know of any problems.

Jouni Malinen of wpasupplicant replied on November 16, 2008:

> Thank you! I updated wpa_supplicant and hostapd to use the new API when
> building against OpenSSL 0.9.9. This seems to be working fine and will
> make it much easier for distributions to include EAP-FAST support in the
> future.

and then added on November 23, 2008:

> Here's a backport version of the session ticket override patch against
> OpenSSL 0.9.8i. This provides the same API that was committed into 0.9.9
> tree and it can be used with the current development snapshot of
> wpa_supplicant/hostapd 0.6.x for EAP-FAST.

Here is a URL that doesn't require login and tracks the OpenSSL bug:

http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1574

You'll find the cited portions are the last three entries. If this can make its way into Hardy proposed I'd be happy to test it and it would get used daily. I could test it in Jaunty as well although it would see only limited use. I might be able to arrange Karmic in a limited fashion also. I'm not in a position to do anything with Lucid right now unfortunately. If the answer is that we're waiting for Lucid, I understand but is this planned for Lucid or will it slip by another release?

I notice this bug is confirmed for openssl but not currently assigned to anyone. Can someone involved in maintaining the openssl package comment?

Maarten Bezemer (veger) wrote :

When looking at the CHANGES file of OpenSSL (from Precise) it can be seen that EAP-FAST is included:
  *) Add session ticket override functionality for use by EAP-FAST.

This is the actual commit that included it: http://cvs.openssl.org/chngview?cn=17641

Therefore, this issue got implemented and I'll close it accordingly.

Changed in openssl (Ubuntu):
status: Confirmed → Invalid

David Huggins-Daines (dhuggins) wrote :

This bug does not appear to be fixed. It seems that it was closed without anyone testing it.

When I try to connect to an EAP-FAST network I get the following message in syslog:

Apr 5 16:16:57 mt-dhuggins NetworkManager[958]: <warn> EAP-FAST is not supported by the supplicant

Perhaps EAP-FAST is supported in openssl but is just not activated in wpa_supplicant?

Changed in wpasupplicant (Ubuntu):
status: Invalid → New

Thomas Hotz (thotz-deactivatedaccount) wrote :

Thank you for always reporting here. I mark this bug as confirmed because it happens to several users.

Changed in wpasupplicant (Ubuntu):
status: New → Confirmed
Changed in wpasupplicant (Ubuntu):
assignee: Reinhard Tartler (siretart) → nobody

Rob Savino (rob-savino) wrote :

Hitting this as well on 13.04 with wpasupplicant 1.0-3ubuntu1

May 20 13:08:10 ** NetworkManager[1245]: <warn> EAP-FAST is not supported by the supplicant

Paul (bratstejskal) wrote :

Confirmed. The procedure is pretty simple really. I even recompiled my own wpa_supplicant and created a deb file. But this didn't update NetworkManager. Here's my test:

network={
         ssid="SSIDNAME"
         key_mgmt=WPA-EAP
         eap=FAST
         identity="USERNAME"
         password="PASSWORD"
         phase1="fast_provisioning=3"
         pac_file="/tmp/wpa_supplicant.pac"
}

Then uncheck enable wifi and do a "sudo rfkill unblock all" then "sudo wpa_supplicant -Dnl80211 -iwlan0 -c/etc/wpa_supplicant.conf"

wlan0: SME: Trying to authenticate with 58:35:d9:3a:3c:91 (SSID='SSIDNAME' freq=2412 MHz)
wlan0: Trying to associate with 58:35:d9:3a:3c:91 (SSID='SSIDNAME' freq=2412 MHz)
wlan0: Associated with 58:35:d9:3a:3c:91
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=17 -> NAK
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=43
EAP-FAST: No PAC file '/tmp/wpa_supplicant.pac' - assume no PAC entries have been provisioned
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 43 (FAST) selected
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=Global Security Operations/CN=NetApp Corporate Root CA'
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=Global Security Operations/CN=NetApp Corporate Root CA'
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/DC=com/DC=netapp/DC=hq/CN=NetApp Corporate Issuing CA'
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=eapfastpacs'
wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlan0: WPA: Key negotiation completed with 58:35:d9:3a:3c:91 [PTK=CCMP GTK=CCMP]
wlan0: CTRL-EVENT-CONNECTED - Connection to 58:35:d9:3a:3c:91 completed (auth) [id=0 id_str=]

How do we integrate this into NM?
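
The test configuration in the comment above can be checked for the settings that matter most to EAP-FAST security. The following is an added example, not code from the thread or from wpa_supplicant: it parses `network={...}` blocks and flags unauthenticated PAC provisioning (`fast_provisioning` 1 or 3, per the wpa_supplicant.conf documentation), a missing `ca_cert`/`ca_path` trust anchor, and a `pac_file` in a shared directory. The finding names and the `SHARED_DIRS` list are assumptions made for this example.

```python
import re

# Network block from the comment above, embedded as sample input.
SAMPLE_CONF = '''
network={
         ssid="SSIDNAME"
         key_mgmt=WPA-EAP
         eap=FAST
         identity="USERNAME"
         password="PASSWORD"
         phase1="fast_provisioning=3"
         pac_file="/tmp/wpa_supplicant.pac"
}
'''

# Assumption: directories treated as shared/world-writable on a typical Linux host.
SHARED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_networks(text):
    """Return one dict (key -> unquoted value) per network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, val = line.split("=", 1)
                net[key.strip()] = val.strip().strip('"')
        nets.append(net)
    return nets


def audit_fast(net):
    """Return finding codes for an EAP-FAST block; [] for other EAP methods."""
    if "FAST" not in net.get("eap", "").split():
        return []
    findings = []
    phase1 = dict(p.split("=", 1) for p in net.get("phase1", "").split() if "=" in p)
    # fast_provisioning: 0 = off, 1 = unauthenticated, 2 = authenticated, 3 = both
    if phase1.get("fast_provisioning", "0") in ("1", "3"):
        findings.append("unauthenticated-provisioning")  # PAC may come from an unverified server
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no-server-cert-validation")  # no trust anchor configured
    if net.get("pac_file", "").startswith(SHARED_DIRS):
        findings.append("pac-in-shared-dir")  # the PAC holds a key; keep it root-only
    return findings


if __name__ == "__main__":
    for net in parse_networks(SAMPLE_CONF):
        print(net.get("ssid"), audit_fast(net))
```

With neither `ca_cert` nor `ca_path` set, wpa_supplicant does not verify the server certificate, so the CTRL-EVENT-EAP-PEER-CERT chain in the log above was accepted without a trust check.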

Mathieu Trudel-Lapierre (cyphermox) wrote :

Indeed, openssl has had EAP-FAST for some time...

I'm updating wpa now for trusty, to enable EAP-FAST, that should be in shortly.

As for in saucy, we can look at releasing that change as SRU.

Changed in wpasupplicant (Ubuntu):
status: Confirmed → In Progress
affects: wpasupplicant (Ubuntu) → wpa (Ubuntu)
Changed in wpa (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wpa - 1.0-3ubuntu3

---------------
wpa (1.0-3ubuntu3) trusty; urgency=low

  * debian/config/wpasupplicant/linux: enable EAP-FAST (LP: #34982)
 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 30 Oct 2013 09:25:39 -0700

Changed in wpa (Ubuntu):
status: In Progress → Fix Released