On 4/7/21 6:07 AM, Arseny Maslennikov wrote:
> On Mon, Mar 29, 2021 at 11:30:03AM -0500, Denis Kenzior wrote:
>> Hi Arseny,
>> On 3/28/21 6:05 AM, Arseny Maslennikov wrote:
>>> Hi everyone!
>>> I'm running iwd 1.12 on Debian sid, package version 1.12-1.
>>> I'm trying to connect to a WPA2-Enterprise network with the following
>>> network config file produced by NetworkManager, to no avail:
>> So an empty Identity frequently causes some EAP servers to get confused. In
>> theory the outer identity is completely optional, but quite often it is
>> required in practice (probably due to a mis-configured RADIUS server). Try
>> setting it to anonymous(a)your.org or using your Phase2 identity.
> I have tried EAP-Identity=anonymous(a)example.org (in case just a
> non-empty field is required) with no success.
> Then I tried EAP-Identity=<the Phase2 identity>, and it suddenly worked!
Figured. Sometimes even giving a fake address with your domain works for the
> The user is not required to know this trick beforehand, though:
> solutions work automagically, and NM + wpa_supplicant in particular
> don't require the user to fill in the outer identity.
Yes, I know. We have had some conversations around this internally, but what it
comes down to is the issue of privacy. The outer identity is sent in the clear,
so having iwd assume that outer identity == inner identity would compromise
privacy. The extent of the compromise depends on who you ask of course. For
now we err on the side of caution and assume that if the 802.1X configuration
requires the outer identity to be exposed, then this is something that should be
explicitly enabled by the configuration file.
Ideally, the configuration file should be provided by the organization, but
frequently the end-user is stuck figuring this out.
> I'm not sure if this is an issue in IWD (i.e., as a workaround,
> it should try the phase2
> identity as the outer identity if the connection fails and
> EAP-Identity is empty), or in the NM backend (i.e. it should try this
> workaround when provisioning settings to IWD), or if this is an
> AP/RADIUS configuration issue and does not have to be fixed in Wi-Fi
> client software at all...
The real issue is on the backend. Properly configured, the outer identity
should not even be required and should be omitted. And if the backend cannot be
fixed (for whatever reason), then the 802.1X settings should call this out
explicitly. If this network is eduroam,  may be of interest.
Also note that we do ship a tool to convert Apple WiFi configuration files to
iwd's native format. So if your organization provides these, this may be
another avenue to pursue.
> Anyway, thanks a lot for the help!
No problem. Glad I could help.
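The trade-off discussed in this thread, as an added example that is not part of the original mail or of iwd itself: a small lint that reads an iwd network file and flags the two outer-identity states the thread describes (empty, which some RADIUS servers reject; equal to the Phase2 identity, which sends the username in the clear). Key names follow iwd.network(5) for the PEAP and TTLS methods; the three sample files, the usernames and the password are constructed for illustration. The realm-mismatch check goes one step beyond the thread: RADIUS proxies route on the realm of the outer identity, so anonymous@<same realm> is the form that both preserves privacy and still reaches the right server.

```python
"""Lint an iwd 802.1X network file for the outer-identity problem.

Added example, not iwd's own code.  Key names follow iwd.network(5) for
the tunnelled methods (PEAP, TTLS); all sample files below are constructed.
"""
import configparser

# Constructed sample: the shape of what NetworkManager's iwd backend produced
# in the thread, with no outer identity at all.
EMPTY_OUTER = """\
[Security]
EAP-Method=PEAP
EAP-Identity=
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=alice@example.org
EAP-PEAP-Phase2-Password=hunter2
"""

# Constructed sample: the workaround that made the connection succeed, at the
# cost of sending the real username unencrypted in EAP-Response/Identity.
LEAKY_OUTER = """\
[Security]
EAP-Method=PEAP
EAP-Identity=alice@example.org
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=alice@example.org
EAP-PEAP-Phase2-Password=hunter2
"""

# Constructed sample: anonymous outer identity in the same realm, so RADIUS
# proxies can still route the request while the username stays inside TLS.
ANON_OUTER = """\
[Security]
EAP-Method=TTLS
EAP-Identity=anonymous@example.org
EAP-TTLS-Phase2-Method=Tunneled-MSCHAPv2
EAP-TTLS-Phase2-Identity=alice@example.org
EAP-TTLS-Phase2-Password=hunter2
"""

TUNNELLED_METHODS = ("PEAP", "TTLS")


def realm(identity):
    """Realm part of an NAI ('alice@example.org' -> 'example.org'), '' if none."""
    return identity.rpartition("@")[2] if "@" in identity else ""


def phase2_identity(sec):
    """Inner identity for whichever tunnelled method the [Security] group selects."""
    method = sec.get("EAP-Method", "").strip()
    if method not in TUNNELLED_METHODS:
        return ""
    return sec.get(f"EAP-{method}-Phase2-Identity", "").strip()


def lint_outer_identity(text):
    """Return a list of findings about EAP-Identity; empty list means no concern."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # iwd keys are case-sensitive, keep them as written
    cp.read_string(text)
    sec = cp["Security"]
    if sec.get("EAP-Method", "").strip() not in TUNNELLED_METHODS:
        return []  # nothing to check: no separate inner identity (e.g. EAP-TLS)

    outer = sec.get("EAP-Identity", "").strip()
    inner = phase2_identity(sec)
    findings = []
    if not inner:
        findings.append("no Phase2 identity configured for a tunnelled method")
    elif not outer:
        findings.append(
            "empty outer identity: some RADIUS servers reject this; "
            f"consider EAP-Identity=anonymous@{realm(inner)}"
        )
    elif outer == inner:
        findings.append(
            "outer identity equals Phase2 identity: the username is sent in the clear"
        )
    elif realm(outer) != realm(inner):
        findings.append(
            f"outer realm {realm(outer)!r} differs from inner realm {realm(inner)!r}: "
            "RADIUS proxies route on the outer realm"
        )
    return findings


if __name__ == "__main__":
    for name, sample in (("empty", EMPTY_OUTER), ("leaky", LEAKY_OUTER), ("anon", ANON_OUTER)):
        print(name, lint_outer_identity(sample) or ["ok"])
```

Run it against a real `/var/lib/iwd/<ssid>.8021x` by passing the file contents to `lint_outer_identity`; the anonymous form is the one to keep if the network's RADIUS backend accepts it, and the leaky form is the workaround to retire once the backend is fixed.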