# [SFOS 3.1.0.11] WPA-EAP wifi eduroam problem - cannot connect

Hello there,

I have tried for a long time now to connect my Xperia XA2 Ultra on Sailfish 3.0.2.8 to the eduroam wifi of my university in germany without any success. I have downloaded (with wget and curl) the certificate file (via tethering from my android phone) and put it into /etc/ssl/certs/ .

-rw-r--r-- 1 root root 1367 Jul 12  2018 eduroam.crt


I also tried copying it to /etc/pki/tls/certs which did not help either.

I tried setting the network with the Roamer-App from openrepos. This did not work. I fiddled with the settings in there and also tried using my own custom wifi_eduroam.config file in /var/lib/connman/ which also did not help (and am aware of case sensitivity).

[service_eduroam]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/eduroam.crt
Phase2=PAP
AnonymousIdentity=anonymous@xyz.de
Identity=someone@xyz.de


I also tried adjusting the settings file of a connection which Sailfish added as a (very cryptic named ..._managed_ieeee8021x ) folder in /var/lib/connman/ which also did not help.

Almost every time upon changing something I went back to rebooting the device and then trying to connect. When connecting it either says "couldn't connect please try again" (or something similar) or it says "wrong password" (which cannot be).

I am now up to the point that I have no idea what else to try. Can someone please give me a hint?

edit retag close delete

@jollacen

Take a look at this question, notably, the first comment from (@Alex)

https://together.jolla.com/question/113525/cant-connect-to-eduroam-11928/

Sadly, @Tomáš Moravec has not reported the outcome.

Note: please use the search utility here on TJC before posting, so we can try to avoid duplicate questions.

( 2019-04-18 12:16:51 +0300 )edit
2

That question is from 2015 and I guess the Sailfish system has received some update since then so I am not sure how that will help. Or does this mean that every time Sailfish is updated the certificate and the config file has to be renewed? Well, I did exactly this just before running against the wall and posting my question. I redownloaded the certificate and changed the config file in /var/lib/connman/ and also retried setting up the connection with Roamer. Nothing worked.

Oh and of course I searched for the other threads and tried the solutions posted there before opening this thread... I even started this question, then went back to searching and fiddling about a week ago before finishing posting.

( 2019-04-18 12:27:08 +0300 )edit

Just for the record: For me it used to work on XA2 Ultra, without certificate though.

( 2019-04-18 14:13:53 +0300 )edit

@bomo does it still work for your XA2 Ultra? Have you already updated to SF OS 3.1.0 ?

( 2019-07-24 19:31:47 +0300 )edit

Sort by » oldest newest most voted

After connecting via the top menu it says "Sorry, password is incorrect" -> (with the gui option:) "Enter new password" (even though I know it is the correct one in Roamer and in wifi_eduroam.config ... I'm just not so sure about escaping the special characters in my passphrase... at the moment with Passphrase='thepasswordgoeshere' ) and then asks me for the password again. If I then type in the username and password in the sailfish gui it answers "Sorry. Could not connect to selected network." -> "Search again" .

Please, is there any way to (via SSH) check the logs somewhere so that I can see where the error occurs?

more

After updating from 3.0.2.8 to 3.0.3.8 I now (instead of "Wrong password" error) receive the error "Network connection error" (my translation).

Does this in any way leave a hint to an error in the configuration?

more

I am now on 3.0.3.10 and still no luck. When trying to connect the first time (activating wifi) it states "network connection error" and when I connect via the top menu it only says "Sorry. No connection to the selected network could be established" (my translation).

( 2019-05-31 17:50:06 +0300 )edit

Now running 3.1.0.11 and still no luck.

( 2019-07-23 19:03:56 +0300 )edit

Two potential issues:

• I have EAP=peap in my configuration and don’t use the AnonymousIdentity field
• In passwords the \ character have to be escaped as \\
more

thanks, I guess I didn't escape a couple of special characters in the password... oh boy that would be so obvious and I was searching in a totally different direction. I can test that on Tuesday.

PAP and anonymous@xyz.de are settings given by my university in the linux instructions and they work on my Ubuntu Touch tablet (BQ m10 FHD).

( 2019-04-19 18:37:02 +0300 )edit

I'm not having much luck with my special characters. If I escape the character with the backslash in front I still get wrong password. Since I have several special characters I tried "backslashing" them all which also did not work (maybe some do not need to be backslashed but how do I know which do and which don't?). I also tried putting single quotes around the password like Passphrase='some.password.with.numbers.and.special.characters' in hope that everything between the single quotes will be taken as is. This also did not work. It shows me "Wifi: Wrong Password" in the top display.

( 2019-04-23 11:53:18 +0300 )edit

My eduroam also does not work anymore (uni changed policy).

I am currently trying to debug this.

I found that logcat shows only (don't know if this is the right spot to search):

NetlinkListener: recvmsg failed (I/O error)


It seems that somewhere in the past, there was a connman-tracing package that was removed in sailfish 2.1.3.

Promising seems this jolla article about collecting synchronization logs.

By the way, my config file looks like this:

[service_eduroam_ttls]
Type=wifi
Name=eduroam
EAP=ttls
CACertFile=/etc/ssl/certs/ca-bundle.crt
Phase2=PAP
AnonymousIdentity=eduroam@<domain>


I have no idea what else to try..

more

The IT support of my university has access to the radius log files and told me that my client is sending the anonymous identity (eduroam@<domain>) also for inner authentication. So it seams, the AnonymousIdentity overrides the Identity field..</domain>

I tried to move the two around the file but no luck, it still fails. Anybody has an idea about that?

( 2019-06-24 17:32:51 +0300 )edit

The new update 3.1.0 Seitseminen says: "WPA-EAP extended with ability to include CA certificates and select PEAP method" which does not fit my case perfectly but there is a new form to ask also for ttls and PAP. But I still have not got it to work :-/ Sometimes I get the question for identity twice. Could it be that the first is for outer and the second for inner authentication?

( 2019-07-22 13:11:13 +0300 )edit

Hi and thank you for your info's! I just updated to the SF OS 3.1.0.11 and was eager to try it again since I also saw "WPA-EAP" progress... but also have not managed to get it working.

I choose TTLS and PAP and do not see an option to set an anonymous identity (not using roamer since I thought this WPA-EAP problem would have been fixed in SF 3.1). After including the certificate file in my home folder I set my authentication (for which I have a simple but long password, so without any special characters) and try to connect but receive an error stating that my password was wrong and I would have to re-enter my password. Second time re-entering my authentication also does not work.

I have the journalctl log but cannot quite figure out what kind of log message I am supposed to look for. My XA2 connects to the eduroam wifi, starts the EAP authentication with the given certificate, which shows the correct depth=3, depth=2, depth=1, depth=0 and the radius servers but then throws out Sailfish wpa_supplicant[3652]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed and some wlan: [23614:E :WMA] Invalid wma_cli_set vdev command/Not yet implemented 0x75.

( 2019-07-23 19:00:13 +0300 )edit

If I type in my data through the new sailfish form, I get from journalctl:

wpa_supplicant[1735]: wlan0: Authentication with 64:a0:e7:f8:7a:44 timed out.
kernel: CFG80211-ERROR) wl_cfg80211_disconnect : Reason 3
wpa_supplicant[1735]: wlan0: CTRL-EVENT-DISCONNECTED bssid=64:a0:e7:f8:7a:44 reason=3 locally_generated=1
kernel: CFG80211-ERROR) wl_notify_connect_status : link down if wlan0 may call cfg80211_disconnected. event : 16, reason=2 from 64:a0:e7:f8:7a:44


Also here it tries to reconnect several times and the whole process takes five minutes!

( 2019-07-24 12:23:15 +0300 )edit

The newest Sailfish update still does not solve the problem :-(

3.2.0 Torronsuo is supposed to bring "More enterprise EAP options are supported for WLAN connections" but not the ones I need for my university. It is really annoying :-/

But my journalctl output looks different now:

wpa_supplicant[1890]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wpa_supplicant[1890]: wlan0: CTRL-EVENT-DISCONNECTED bssid=80:2a:a8:44:dc:70 reason=23


I don't know what is wrong..

( 2019-11-06 10:10:21 +0300 )edit

1. vi /home/.system/var/lib/connman/wifi_eduroam.config
2. Put this to created file:

[service_eduroam]

Type=wifi

Name=eduroam

EAP=ttls

CACertFile=/etc/ssl/certs/ca-bundle.crt

Phase2=PAP

Identity=user@domain

Passphrase=yoursecret

3. Save file

4. Put your cert to /etc/ssl/certs/
5. Reboot phone
more

Your config, thus without the radius server, does not work for me. I don't know what to cite from journalctl:

kernel: CFG80211-ERROR) wl_notify_connect_status : link down if wlan0 may call cfg80211_disconnected. event : 16, reason=2
wpa_supplicant[1735]: wlan0: CTRL-EVENT-DISCONNECTED bssid=64:a0:e7:f8:7a:44 reason=3 locally_generated=1
wpa_supplicant[1735]: wlan0: CTRL-EVENT-DISCONNECTED bssid=64:a0:e7:f8:7a:44 reason=7
wpa_supplicant[1735]: dbus: wpa_dbus_property_changed: no property SessionLength in object /fi/w1/wpa_supplicant1/Interfaces/1


It tries to reconnect several times but does not succeed.

But how could it work without the extra information for the outer authentication?

( 2019-07-24 12:10:38 +0300 )edit

ah, thank you. I didn't know that /var/lib/connman/ was moved from the root to /home/.system/var/lib/connman/ .

I tried this method and it did not work yet. I used the ca-bundle.crt and will now try again with the .crt provided by my university.

Setting the T-TeleSec_GlobalRoot_Class_2.crt provided by my university as the CACertFile also did not work.

I then tried to connect via the GUI and it saved my settings under /home/.system/var/lib/connman/wifi_3414andsomemorenumbers/settings even with the CA-certificate as key (when looking at the contents of settings).

( 2019-07-24 12:42:53 +0300 )edit

I find the following lines in journalctl when trying to connect:

Sailfish connmand[3127]: Skipping disconnect of 656475726f616d_managed_ieee8021x, network is connecting.
Sailfish kernel: PMI: smblib_get_apsd_result: APSD not done yet.
Sailfish wpa_supplicant[3593]: wlan0: Trying to associate with SSID 'eduroam'
Sailfish kernel: R0: [wpa_supplicant][4784294836] [....137792]  wlan: [3593:E :QDF] cds_current_connections_update: 6881: driver isn't dbs capable, no further action needed
Sailfish kernel: R0: [wpa_supplicant][4784308033] [....138480]  wlan: [3593:I :HDD] hdd_sme_roam_callback: 5166: Disabling queues
Sailfish kernel: R0: [wpa_supplicant][4784317094] [....138952]  wlan: [3593:E :SME] csr_send_join_req_msg: 15888: Connecting to ssid:eduroam bssid: <THE:ACCESS:POINT:MAC:ADD:RESS> rssi: -50 channel: 100 country_code: US
Sailfish kernel: R0: [cds_mc_thread][4784392526] [....142880]  wlan: [6221:I :WMI] send_vdev_start_cmd_tlv: vdev_id 0 freq 5500 chanmode 10 ch_info: 0xa is_dfs 1 beacon interval 100 dtim 1 center_chan 5530 center_freq2 0 reg_info_1: 0x160000 reg_info_2: 0x1600, req->max_txpow: 0x16 Tx SS 1, Rx SS 1, ldpc_rx: 1
Sailfish kernel: R0: [cds_mc_thread][4784925780] [....170654]  wlan: [6221:I :WMA] wma_send_peer_assoc: vdev_id 0 associd 1 peer_flags 621b006 nss 1 phymode 10 ht_caps 9ef
Sailfish kernel: R0: [cds_mc_thread][4784990663] [....174033]  wlan: [6221:I :HDD] hdd_send_peer_status_ind_to_oem_app: 718: OEM app is not registered(0) or pid is invalid(0)
Sailfish kernel: R0: [cds_mc_thread][4785004298] [....174743]  wlan: [6221:I :HDD] __hdd_ipa_wlan_evt:6855: wlan0: EVT: WLAN_STA_CONNECT, MAC: <THE:ACCESS:POINT:MAC:ADD:RESS> sta_id: 0
Sailfish wpa_supplicant[3593]: wlan0: Associated with <THE:ACCESS:POINT:MAC:ADD:RESS>
Sailfish wpa_supplicant[3593]: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Sailfish kernel: R0: [cds_mc_thread][4785119212] [....180728]  wlan: [6221:W :WMA] wma_delete_bss: 5513: Outstanding msdu packets: 0
Sailfish kernel: R0: [cds_mc_thread][4785122849] [....180918]  wlan: [6221:E :WMA] Invalid wma_cli_set vdev command/Not yet implemented 0x75
Sailfish kernel: R0: [cds_mc_thread][4785167387] [....183238]  wlan: [6221:I :WMA] wma_remove_peer_by_reference: 1820: Deleting peer <THE:ACCESS:POINT:MAC:ADD:RESS> vdev id 0
Sailfish kernel: R0: [cds_mc_thread][4785207932] [....185349]  wlan: [6221:E :PE ] pe_delete_session: 699: session is not valid
Sailfish kernel: R0: [cds_mc_thread][4785211034] [....185511]  wlan: [6221:I :HDD] hdd_dis_connect_handler: 1656: Disabling queues
Sailfish kernel: R0: [cds_mc_thread][4785211570] [....185539]  wlan: [6221:I :HDD] __hdd_ipa_wlan_evt:6855: wlan0: EVT: WLAN_STA_DISCONNECT, MAC: <THE:ACCESS:POINT:MAC:ADD:RESS> sta_id: 0
Sailfish kernel: R0: [cds_mc_thread][4785219207] [....185936]  wlan: [6221:E :QDF] cds_dump_current_concurrency: 3359: unexpected num_connections value 0
Sailfish kernel: R0: [cds_mc_thread][4785219511] [....185952]  wlan: [6221:E :QDF] cds_current_concurrency_is_mcc: 2146: unexpected num_connections value 0
Sailfish kernel: R0: [cds_mc_thread][4785220264] [....185992]  wlan: [6221:E :QDF] cds_need_opportunistic_upgrade: 4087: driver isn't dbs capable, no further action needed
Sailfish kernel: R0: [cds_mc_thread][4785220595] [....186009]  wlan: [6221:I :HDD] hdd_send_peer_status_ind_to_oem_app: 718: OEM app is not registered(0) or pid is invalid(0)
Sailfish kernel: R0: [cds_mc_thread][4785230526] [....186526]  wlan: [6221:E :WMA] vdev 0 is not up skipping limit_off_chan_param
Sailfish wpa_supplicant[3593]: wlan0: CTRL-EVENT-DISCONNECTED bssid=<THE:ACCESS:POINT:MAC:ADD:RESS> reason=3
Sailfish wpa_supplicant[3593]: wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="eduroam" auth_failures=1 duration=10 reason=CONN_FAILED
Sailfish wpa_supplicant[3593]: dbus: wpa_dbus_property_changed: no property SessionLength in object /fi/w1/wpa_supplicant1/Interfaces/0


What does this for example mean: Invalid wma_cli_set vdev command/Not yet implemented 0x75 ?

( 2019-07-24 19:24:09 +0300 )edit

@jollacen I had a similar problem with my setup, that was working for along time until my uni changed a certificate. Fiddling around and looking at the debug output with journalctl wpa_supplicant had a problem with one certificate, that was expired but shouldn't be in the cert chain at all. I did my setup with the dialog provided by the wlan menu selecting eduroam, but that dialog has 2 problems: it asked for the ca-certificate to verify and I selected the root cert like yours either using "Filesystem" or "System CAs", but "No verification" did the trick. And the dialog doesn't ask for AnonymousIdentity (and its not in the settings file), which in my case is used by the uni network. So, after setting up the connection using the dialog, I edited the connman settings file and added AnonymousIdentity=eduroam@domain, restarted connman and it worked. The settings file now:

[wifi_xxxxx_xxxx_managed_ieee8021x]
Name=eduroam
SSID=xxxxxxxx
Frequency=xxxxx
EAP=peap
Identity=user@domain
AnonymousIdentity=eduroam@domain
Phase2=MSCHAPV2
Favorite=true
AutoConnect=true
Modified=xxxxxx
Passphrase=xxxxxx
IPv4.method=dhcp
IPv6.methode=auto
IPv6.privacy=disabled