Re: Issue 10536 in chromium-os: CTRL-EVENT-EAP-FAILURE EAP authentication failed when tried to connect to Google-A

[chrom...@googlecode.com]

Updates:
Summary: CTRL-EVENT-EAP-FAILURE EAP authentication failed when tried to
connect to Google-A

Comment #2 on issue 10536 by jaganna...@chromium.org:
CTRL-EVENT-EAP-FAILURE EAP authentication failed when tried to connect to
Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

(No comment was entered for this change.)

[chrom...@googlecode.com]

Updates:
Labels: -Sev-2 Sev-1 ReleaseBlock-Dev

Comment #3 on issue 10536 by kr...@chromium.org: CTRL-EVENT-EAP-FAILURE EAP

[chrom...@googlecode.com]

Updates:
Cc: sleff...@chromium.org ps...@chromium.org

Comment #4 on issue 10536 by jos...@chromium.org: CTRL-EVENT-EAP-FAILURE

EAP authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

+sleffler, pstew

[chrom...@googlecode.com]

Updates:
Status: Assigned
Owner: ps...@chromium.org

Comment #6 on issue 10536 by slef...@chromium.org: CTRL-EVENT-EAP-FAILURE

EAP authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

Paul, please take a look at the logs.

[chrom...@googlecode.com]

Updates:
Cc: tr...@chromium.org

Comment #7 on issue 10536 by ps...@chromium.org: CTRL-EVENT-EAP-FAILURE EAP

authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

3 interesting bits of info:
1) I just updated to a new image and Google-A fails for me in an
identical manner
2) There's a new error message in the log while we're reading the server
message:
SSL: SSL_connect:error in SSLv3 read server session ticket A
This might not really be an error worth paying notice to, since both
sides
of the connection send an empty SSL session ticket.
3) The Radius server is explicitly sending an EAP Failure in response to
the
client Certificate, Key Exchange, Verify, Change Cipher Spec, et al.

This smells a lot like an issue with either the certificate as it's being
generated or a configuration issue (expired cert in the chain or
somesuch). Todd Repp still has no access to any useful logging for the
Radius server on the Google side so I have no way of knowing why it is
returning a failure. I'll keep on him, and he'll keep pestering his vendor.

[chrom...@googlecode.com]

Updates:
Cc: kmix...@chromium.org

Comment #8 on issue 10536 by ps...@chromium.org: CTRL-EVENT-EAP-FAILURE EAP

authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

This is a crypto problem. The infrastructure is throwing an EAP Failure
because the certificate verify is corrupted. I have a wireshark comparison
of the Client Certificate Verify between an old December build and one I
made yesterday at
http://www.corp.google.com/~pstew/screenshots/certificate_verify.png .
Note that in the new build the certificate verify is all zeroes. We are
either unsuccessfully retrieving the private key or somesuch in layers
deeper than wpa_supplicant. Ken, has anything changed in this area
recently?

[chrom...@googlecode.com]

Updates:
Owner: kmix...@chromium.org

Comment #9 on issue 10536 by ps...@chromium.org: CTRL-EVENT-EAP-FAILURE EAP

authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

I've done a test run using the same unit that fails Google-A in the testbed
and it can successfully negotiate EAP-TLS using the (non-TPM) config
files. This effectively exonerates wpa_supplicant and indeed much of
OpenSSL.

[chrom...@googlecode.com]

Updates:
Owner: ps...@chromium.org
Cc: -tr...@chromium.org nels...@chromium.org

Comment #10 on issue 10536 by ps...@chromium.org: CTRL-EVENT-EAP-FAILURE

EAP authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

I've had a conversation with nelsona about this issue, and some combination
of his changes and re-installing the cert seems to have fixed things. I'm
going to start over again and see if I can replicate.

[chrom...@googlecode.com]

Comment #11 on issue 10536 by nels...@chromium.org: CTRL-EVENT-EAP-FAILURE

EAP authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

Revved the openCryptoki version number to be picked by the build:
http://codereview.chromium.org/5968014/.

[chrom...@googlecode.com]

Updates:
Status: Fixed
Owner: jaganna...@chromium.org

Comment #12 on issue 10536 by ps...@chromium.org: CTRL-EVENT-EAP-FAILURE

EAP authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

I've confirmed that the current checked in version of opencryptoki works
correctly. I did have to re-install certs. jagan...@chromium.org, could
you confirm that any ToT build later than now correctly works on Google-A
now?

[chrom...@googlecode.com]

Comment #14 on issue 10536 by nels...@google.com: CTRL-EVENT-EAP-FAILURE

EAP authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

Did you erase the certificate and got a new one issued?

Also, isn't the latest ToT 10.136.0? (your version says 9 instead of 10).

[chrom...@googlecode.com]

Comment #15 on issue 10536 by jaganna...@google.com: CTRL-EVENT-EAP-FAILURE

EAP authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

I mentioned the version wrong, but i had 0.10.137.0 installed on the device.
I was able to connect to Google-A after re installing the certificate.

[chrom...@googlecode.com]

Comment #16 on issue 10536 by jaganna...@chromium.org:

CTRL-EVENT-EAP-FAILURE EAP authentication failed when tried to connect to
Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

Only when certificate re installed, it works.
I still get the notification that it was not able to connect for the first
time installation of Google-A certificate on a freshly installed CR OS
device.

[chrom...@googlecode.com]

Comment #17 on issue 10536 by stanl...@google.com: CTRL-EVENT-EAP-FAILURE

EAP authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

To clarify, here are the steps that seem to work (only on 0.10.137.0)

1) Fresh install of the build
2) Fresh install the certificate
3) Attempt to connect to Google-A (FAIL)
4) Uninstall the certificate and then re-install it
5) Attempt to connect Google-A (PASS)

We've tried this on 0.10.136.0 and this seems to fail both times (even
after the re-installation of the certificate) even though the fix is shown
in the Change Log.

[chrom...@googlecode.com]

Comment #18 on issue 10536 by stanl...@chromium.org: CTRL-EVENT-EAP-FAILURE

[chrom...@googlecode.com]

Comment #19 on issue 10536 by ps...@chromium.org: CTRL-EVENT-EAP-FAILURE

EAP authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

If you have logs of the fail (wpa_debug msgdump if you can) I can tell you
if this really is a network problem an not a systems (cert enroll) issue
that you'll need to continue to take up with nelsona.

[chrom...@googlecode.com]

Comment #20 on issue 10536 by jaganna...@chromium.org:

CTRL-EVENT-EAP-FAILURE EAP authentication failed when tried to connect to
Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

Please find the attached logs at:
http://cros-hwqual-5.mtv.corp.google.com/bugs/10536/log-010611-153810.tar.bz2

[chrom...@googlecode.com]

Comment #21 on issue 10536 by ps...@chromium.org: CTRL-EVENT-EAP-FAILURE

EAP authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

No wpa_debug msgdump available to you? In either case from this log I'm
pretty sure this is an enrollment problem and you need to continue chatting
with nelsona about this.

[chrom...@googlecode.com]

Updates:
Owner: nels...@chromium.org

Comment #22 on issue 10536 by stanl...@chromium.org: CTRL-EVENT-EAP-FAILURE

EAP authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

Reassigning to Nelsona. Please take a look at this issue. The problem
still exists on TOT 0.10.137.0 and RC 0.10.136.0

[chrom...@googlecode.com]

Comment #23 on issue 10536 by jaganna...@chromium.org:

CTRL-EVENT-EAP-FAILURE EAP authentication failed when tried to connect to
Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

Please find the logs with wpa_debug at
http://cros-hwqual-5.mtv.corp.google.com/bugs/10536/log-010611-161343.tar.bz2

[chrom...@googlecode.com]

Comment #24 on issue 10536 by nels...@google.com: CTRL-EVENT-EAP-FAILURE

EAP authentication failed when tried to connect to Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

Could you grant me ssh access to the machine? Thanks.

[chrom...@googlecode.com]

Comment #25 on issue 10536 by jaganna...@chromium.org:

CTRL-EVENT-EAP-FAILURE EAP authentication failed when tried to connect to
Google-A
http://code.google.com/p/chromium-os/issues/detail?id=10536

You can ssh the device at :
172.22.75.2