On 2018-06-26 23:23:16 +0200, Axel Beckert wrote: > > Another issue is that here, it was a *new* BSSID (well, I assume > > because it is a place where I had never came before).
Actually, I think that the issue occurs only in that case. Once a config with the BSSID has been created, the behavior is reproducible with the same BSSID. FYI, in the wicd logs: [...] 2018/06/25 09:21:53 :: Putting interface up... 2018/06/25 09:21:53 :: ifconfig wlp61s0 up 2018/06/25 09:21:55 :: enctype is peap-eduroam 2018/06/25 09:21:55 :: Attempting to authenticate... 2018/06/25 09:21:55 :: ['wpa_supplicant', '-B', '-i', 'wlp61s0', '-c', '/var/lib/wicd/configurations/04bd882b5811', '-Dwext'] 2018/06/25 09:21:55 :: ['iwconfig', 'wlp61s0', 'essid', '--', 'eduroam'] 2018/06/25 09:21:55 :: iwconfig wlp61s0 channel 36 2018/06/25 09:21:55 :: iwconfig wlp61s0 ap 04:BD:88:2B:58:11 2018/06/25 09:21:55 :: WPA_CLI RESULT IS DISCONNECTED 2018/06/25 09:21:56 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:21:57 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:21:58 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:21:59 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:00 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:01 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:02 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:03 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:04 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:05 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:06 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:07 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:08 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:09 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:10 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:11 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:12 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:13 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:14 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:15 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:16 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:17 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:18 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:20 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:21 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:22 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:23 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:24 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:25 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:26 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:27 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:28 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:29 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:30 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:31 :: wpa_supplicant authentication may have failed. 2018/06/25 09:22:31 :: connect result is failed 2018/06/25 09:22:31 :: exiting connection thread 2018/06/25 09:22:31 :: Sending connection attempt result bad_pass [...] (This was the first time 04:BD:88:2B:58:11 was seen.) [...] 2018/06/25 09:22:38 :: enctype is peap-eduroam 2018/06/25 09:22:38 :: Attempting to authenticate... 2018/06/25 09:22:38 :: ['wpa_supplicant', '-B', '-i', 'wlp61s0', '-c', '/var/lib/wicd/configurations/04bd882b5811', '-Dwext'] 2018/06/25 09:22:38 :: ['iwconfig', 'wlp61s0', 'essid', '--', 'eduroam'] 2018/06/25 09:22:38 :: iwconfig wlp61s0 channel 36 2018/06/25 09:22:38 :: iwconfig wlp61s0 ap 04:BD:88:2B:58:11 2018/06/25 09:22:38 :: WPA_CLI RESULT IS DISCONNECTED 2018/06/25 09:22:39 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:40 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:41 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:42 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:43 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:44 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:45 :: WPA_CLI RESULT IS ASSOCIATED 2018/06/25 09:22:46 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:47 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:48 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:49 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:50 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:51 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:52 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:53 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:54 :: WPA_CLI RESULT IS SCANNING 2018/06/25 09:22:55 :: WPA_CLI RESULT IS SCANNING 2018/06/25 10:20:03 :: wpa_supplicant authentication may have failed. 2018/06/25 10:20:03 :: connect result is failed 2018/06/25 10:20:03 :: exiting connection thread 2018/06/25 10:20:03 :: Sending connection attempt result bad_pass [...] and so on with this BSSID. After I had removed all the old settings from /etc/wicd/wireless-settings.conf, everything was OK. > That sounds strange. I wonder if that could be triggered, if e.g. two > different eduroam APs/BSSIDs are ticked with "use these settings > for all wifis with this ESSID" but have different settings and it is > e.g. luck which one is used (unless the BSSID fits). That's possible. That would be the best explanation. > As far as I remember from some discussions about potential rogue > access points in general, at least WPA2 Enterprise (like with eduroam) > uses some challenge/response methods for authentication, so a leaking > of passwords should not be possible. This is not what I've heard. A few weeks ago, our lab sent us a warning that a recent flaw has been discovered. An excerpt from the e-mail message: ------------------------------------------------------------------------ You **must** set the "CA certificate" field in your Eduroam configuration, an all your devices (phone, laptop, ...). If you don't do so, it is quite easy for an attacker to steal your ENS (or Inria) login and password. ------------------------------------------------------------------------ So, IMHO, this is a critical bug. I've found the following, which might be related: https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations And also: https://community.jisc.ac.uk/library/janet-services-documentation/faqs-eduroam-users "You should *ALWAYS* validate the server certificate - the option in the supplicant (be it Windows native, SecureW2, OpenSEA et al) should always be enabled. Certification is one of the main securing blocks of EAP, which underpins the eduroam service. If you don't verify that the RADIUS server (which is handling your sensitive authentication credentials) is legitimate and not being spoofed by an unscrupulous person, you are leaving yourself open to having your credentials stolen. Maintaining the security of your credentials is one of the requirements of the eduroam usage policy that you subscribe to as part of using the service - ie. it is mandatory." I had always thought that the RADIUS server could be authenticated automatically (a bit like servers with https) and that in any case the password was never passed to the server, but apparently this is not how the protocol works! -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
