Update: We have made a couple of discoveries so far, thanks to Petr Jediny.

We suspected an OpenSSL incompatibility in the OS, as PEAP creates an underlying TLS tunnel for auth and we see an error in wpa_supplicant regarding TLS negotiation (hello).

tl;dr - The cipher set of Ubuntu bionic does not match (pass/negotiate) the ciphers on our appliance/radius. (We use Aruba appliances; the firmware is not up to date with the latest security standards. Aruba has been working on an update for the last three months (obviously without pressure).)

---

The radius/server or Aruba is accepting TLS_RSA_WITH_3DES_EDE_CBC_SHA.

The mentioned cipher suite is mandated by https://tools.ietf.org/html/rfc5216#section-2.4, but TLS_RSA_WITH_AES_128_CBC_SHA should be supported too.

It looks like the radius server is not accepting any of these suggested by the Ubuntu bionic wpa_supplicant:

    Cipher Suites (28 suites)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
        Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
        Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
        Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
        Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
        Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

TLS_RSA_WITH_AES_128_CBC_SHA is mentioned.

We think the issue directly relates to the removal of 3DES from Bionic:

    openssl ciphers -V '3DES'
    Error in cipher list
    139999040823744:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2129:

---

Note a similar issue was discovered on Fedora as well and has this workaround: https://www.systutorials.com/docs/linux/man/8-update-crypto-policies/ and set the "LEGACY" crypto policy

    $ update-crypto-policies --set LEGACY

---

I suggest keeping the bug open for a while, just in case somebody comes up with a workaround. In the long term this is not a problem of Ubuntu or gnome, but of the list of supported ciphers in Ubuntu Bionic vs. the HW appliances you connect to.

--
https://bugs.launchpad.net/bugs/1748839

Title:
  Problem to connect to WPA2/PEAP WIFI - gnome-shell
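
The mismatch described in the report above can be confirmed from a captured ClientHello. The following is an added example, not part of the original bug comment and not code from wpa_supplicant or Aruba: it parses the cipher_suites field of a ClientHello record and intersects it with what the server accepts. Assumptions: the function names are hypothetical, the ClientHello fits in a single TLS record, and 0x000a is the IANA ID for TLS_RSA_WITH_3DES_EDE_CBC_SHA (the report names the suite but not its ID).

```python
# Added example: extract the cipher suites a supplicant offers in its TLS
# ClientHello and intersect them with what the RADIUS server accepts.
# Assumes the whole ClientHello sits in one TLS record (no fragmentation).

def _take(buf: bytes, pos: int, n: int) -> bytes:
    """Return buf[pos:pos+n], failing loudly on truncated input."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n]

def offered_suites(record: bytes) -> list:
    """Return the cipher suite IDs listed in a ClientHello TLS record."""
    if _take(record, 0, 1) != b"\x16":            # content type: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(_take(record, 3, 2), "big")
    body = _take(record, 5, rec_len)
    if _take(body, 0, 1) != b"\x01":              # handshake type: client_hello
        raise ValueError("not a ClientHello")
    hello = _take(body, 4, int.from_bytes(_take(body, 1, 3), "big"))
    pos = 2 + 32                                  # skip version and random
    pos += 1 + _take(hello, pos, 1)[0]            # skip session_id
    cs_len = int.from_bytes(_take(hello, pos, 2), "big")
    suites = _take(hello, pos + 2, cs_len)
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    return [int.from_bytes(suites[i:i + 2], "big") for i in range(0, cs_len, 2)]

def negotiable(record: bytes, server_accepts) -> list:
    """Suites both sides support; an empty list means the handshake fails."""
    accepted = set(server_accepts)
    return [s for s in offered_suites(record) if s in accepted]

def build_hello(suites) -> bytes:
    """Build a minimal ClientHello record (constructed test input)."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed sample: the last seven suite IDs from the list in the report.
SAMPLE = build_hello([0x009D, 0x009C, 0x003D, 0x003C, 0x0035, 0x002F, 0x00FF])
# 0x000a is the IANA ID of TLS_RSA_WITH_3DES_EDE_CBC_SHA (ID not on the page).
ARUBA_ACCEPTS = {0x000A}

if __name__ == "__main__":
    print("offered:", [hex(s) for s in offered_suites(SAMPLE)])
    print("common with server:", negotiable(SAMPLE, ARUBA_ACCEPTS) or "none")
```

An empty intersection corresponds to the TLS negotiation error seen in wpa_supplicant; a server that also accepted 0x002f would leave one usable suite.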
