unable to connect to wifi EAP-TLS with certificate
Issue description

Chrome Version: stable, Beta, dev 61.0.3163.20
OS: ChromeOS

What steps will reproduce the problem?
(1) configure network as in https://support.google.com/chrome/a/answer/6321820?hl=en
(2) connect to network
(3) generate & install user certificate
(4) connect to wifi network from the wifi menu

What is the expected result?
being able to connect from the wifi menu

What happens instead?
it asks again to generate the certificate

workaround: if you go to the settings of the specific wifi network, you can connect from there.

video of the issue by the customer: https://www.youtube.com/watch?v=PigO2FZNVW0&feature=youtu.be
debug logs: https://drive.google.com/open?id=0B01ZVp8vDQocaFoxeGJEbDZ4MUU
policy: https://drive.google.com/open?id=0B01ZVp8vDQocdjZVSHFLNjBXSWs
extension_json: https://drive.google.com/open?id=0B01ZVp8vDQocWVh1Y0JiZW9TTms
extension log: https://drive.google.com/open?id=0B01ZVp8vDQocUk16eHZuU1VwWUk
customer info: https://drive.google.com/open?id=1YS0jnqb_MrdyP3i_XyD3FWsx8Q7SpVamVxYyZMv9fLE
Aug 11 2017
+kevin/sameer, can you evaluate/route as needed?
Aug 11 2017
Aug 14 2017
Aashutosh - any chance you have a suitable setup that shows the problem right now? Looks like this is using a special provisioning flow based around Windows infrastructure (which I have not used).
Aug 14 2017
@ceernekee- For testing EAP-TLS authentication, we use a Freeradius server. Nothing with Windows infrastructure. I am seeing a different issue, where clicking on an 802.1x network on a regular (non-enterprise) device does not show the "Get new certificate" popup. (Will open a different issue to track it)
Aug 14 2017
The "get new certificate" prompts are probably related to enterprise policy. IIRC when I've configured 802.1x by hand (in order to use a FreeRADIUS setup like yours), I couldn't even save the new network configuration until I had a cert installed.
Aug 14 2017
My earlier comment was not very clear. I wanted to mention that the device itself was not enterprise enrolled but I logged in as an enterprise user. Yes, that is right, we need certificates before adding the EAP-TLS network manually.
Sep 12 2017
any news on this issue? We have another customer reporting this issue
Sep 12 2017
c#8 - if you have a repro case, ping me on Hangouts and I'll take a look.
Dec 14 2017
hi Kevin, as discussed we have checked the details of a setup with the customer:

"We have a Cisco network. We have Cisco ISE 1.4 installed and that allows us to authenticate via certificate. Our certificate server is MS certificate server. Here is how we configured the network on the OU.
Drive link image 1: https://drive.google.com/open?id=15w3jAjtsCO020qv92uYsAIXT4aRa1uw-
Drive link image 2: https://drive.google.com/open?id=1Dk2I0oYDRuTye_PlUfbdYIRJtIuh__uD
Client EnrollmentURL = chrome-extension://fhndealchbngfhdoncgcokameljahhog/html/request_certificate.html
The certificate gets created but it does not automatically get set or changed for the login. The end-user would have to change it."
Dec 14 2017
Is this reproducible with Google-A? IIRC, Google-A uses a similar network config.
Dec 14 2017
This issue was not reproduced with Google-A. However, I could reproduce the issue with the CrOS_WPA2_LinksysE3000N_5GHz network in M64.0.3282.24 10176.13.1 dev Minnie. On Cpanel, my network setting has the Issued To/OrganizationalUnit (OU) field value "ChromeOS", which matches the standard client certificate downloaded from the Radius server. However, when the client certificate is manually generated from the Radius and installed on the device, the field I saw was "<Not Part of Certificate>". The mismatch prompted the certificate not installed error when I tried to connect to the network. But, when I followed the step in this bug and tried to connect from within the Configure dialog, the network was connected successfully; and not from direct connection.
Screenshots: https://drive.google.com/open?id=1TZmOcNgHV8ZjEZAP-e-nyApATD_Z-QhQ
Dec 15 2017
@vkasatkin, according to @jingwee's findings: could we check if the Issuer pattern and the Subject pattern (specifically OrganizationalUnit/OU) set in the CPanel/ONC policy match the Issued to and Issued by fields of the certificate generated on the device? (can check this in chrome://settings/certificates, click on the corresponding client certificate and View Details)
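
The comparison requested in the comment above, as an added example that is not part of the original thread or of Chromium's code: a Python sketch that checks the Issuer and Subject blocks of an ONC certificate pattern against a certificate's DN strings and lists every field that fails. The pattern values, the DNs and the matching rule (a set field must equal one of the DN's values, an unset field matches anything) are assumptions constructed for illustration.

```python
import re

# ONC IssuerSubjectPattern field -> X.509 DN attribute short name
ONC_TO_DN = {"CommonName": "CN", "Locality": "L",
             "Organization": "O", "OrganizationalUnit": "OU"}

def parse_dn(dn):
    """Parse 'CN=a,OU=b,O=c' into {'CN': ['a'], ...}; attributes may repeat."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):      # split on unescaped commas only
        if "=" not in rdn:
            continue
        key, value = rdn.split("=", 1)
        value = value.strip().replace("\\,", ",")
        attrs.setdefault(key.strip().upper(), []).append(value)
    return attrs

def principal_mismatches(pattern, dn):
    """Return [(field, wanted, found)] for every pattern field the DN fails."""
    attrs = parse_dn(dn)
    failures = []
    for field, wanted in pattern.items():
        found = attrs.get(ONC_TO_DN[field], [])
        # Assumed rule: an empty pattern value places no constraint.
        if wanted and wanted not in found:
            failures.append((field, wanted, found))
    return failures

def check_cert(cert_pattern, subject_dn, issuer_dn):
    """Evaluate the Subject and Issuer blocks of a certificate pattern."""
    return {
        "Subject": principal_mismatches(cert_pattern.get("Subject", {}), subject_dn),
        "Issuer": principal_mismatches(cert_pattern.get("Issuer", {}), issuer_dn),
    }

# Constructed sample data (not taken from the bug's attachments).
PATTERN = {"Issuer": {"CommonName": "Example Radius CA"},
           "Subject": {"OrganizationalUnit": "ChromeOS"}}
STANDARD_CERT = ("CN=testuser,OU=ChromeOS,O=Example", "CN=Example Radius CA,O=Example")
MANUAL_CERT = ("CN=testuser,O=Example", "CN=Example Radius CA,O=Example")  # no OU

if __name__ == "__main__":
    for name, (subject, issuer) in [("standard", STANDARD_CERT), ("manual", MANUAL_CERT)]:
        print(name, check_cert(PATTERN, subject, issuer))
```

An empty `found` list in a failure corresponds to the "<Not Part of Certificate>" case: the pattern requires an OU that the certificate does not carry at all.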
Jan 2 2018
Jan 25 2018
we are still waiting for customer's feedback re #13. I will update this bug once we have any news
Feb 12 2018
Unfortunately the customer never got back to us on the question in comment #13. I am archiving this bug for now, will reopen in case of any news/updates
Comment 1 by marcore@chromium.org, Aug 10 2017