You are not logged in.
Hello everyone, I hope this is the right place to ask for help.
I am having issues using my university's eduroam network with my arch laptop, that don't exist on any other mobile device I own. Specifically, I had no issues when my laptop had a different operating system installed. And this is the only network causing issues on my laptop.
I am using NetworkManager and configured the connection via the eduroam configuration script: https://cat.eduroam.org/
This is the configuration in /etc/NetworkManager/system-connections/eduroam.nmconnection:
[connection]
id=eduroam
uuid=69c81f93-4931-46c8-8996-2d1bf670b673
type=wifi
permissions=user:christoph:;
[wifi]
ssid=eduroam
[wifi-security]
group=ccmp;tkip;
key-mgmt=wpa-eap
pairwise=ccmp;
proto=rsn;
[802-1x]
altsubject-matches=DNS:radius.rz.uni-wuerzburg.de;
anonymous-identity=eduroam@uni-wuerzburg.de
ca-cert=/home/christoph/.config/cat_installer/ca.pem
eap=ttls;
identity=myPersonalIdentifier@uni-wuerzburg.de
password=aVerySecurePassword
phase2-auth=pap
[ipv4]
method=auto
[ipv6]
addr-gen-mode=default
method=auto
[proxy]
The network initially connects and the indicator in my taskbar shows a connection. However, i cannot access the network at all;
$ ping www.archlinux.org
PING www.archlinux.org (95.217.163.246) 56(84) bytes of data.
^C
--- www.archlinux.org ping statistics ---
28 packets transmitted, 0 received, 100% packet loss, time 27634ms
Pinging my access point (right?) seems to work though.
$ ping $(ip n | cut -f 1 -d " ")
PING 10.107.159.254 (10.107.159.254) 56(84) bytes of data.
64 bytes from 10.107.159.254: icmp_seq=1 ttl=255 time=3.06 ms
64 bytes from 10.107.159.254: icmp_seq=2 ttl=255 time=4.31 ms
64 bytes from 10.107.159.254: icmp_seq=3 ttl=255 time=5.98 ms
64 bytes from 10.107.159.254: icmp_seq=4 ttl=255 time=3.04 ms
^C
--- 10.107.159.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 3.036/4.095/5.978/1.203 ms
Weirdly enough, the networkmanager-gui of my XFCE-DE shows the following error:
https://imgur.com/hD8Uqbgl.png
Notice the warning at the bottom.
It says, roughly translated:
Warning: This connection has properties, that are not supported by the "provider". They will be deleted after saving.
Hovering over this warning shows the cause:
Unsupported properties: 802-1x.altsubject-matches
I have tried multiple times to reconfigure my eduroam-connection using the CAT-script, as well as manual configurations. I have searched the archlinux-forums about eduroam, but the entries concerning Networkmanager just tell to use the scripts provided by eduroam.
Mod Edit - Replaced oversized image with link.
CoC - Pasting pictures and code
Last edited by Sir-Photch (2023-01-20 14:17:09)
Offline
Unsupported properties: 802-1x.altsubject-matches
altsubject-matches=DNS:radius.rz.uni-wuerzburg.de;
Pinging my access point (right?) seems to work though.
This smells like the AP wants to manage DNS, possibly to hand you a portal where you first need to log in, and fails.
resolvectl
drill www.archlinux.org # drill doesn't use libnss…
Offline
This smells like the AP wants to manage DNS, possibly to hand you a portal where you first need to log in, and fails.
This is not unlikely, since I remember this to be default behaviour on more "integrated" devices. (Windows, Android/iOS).
Usually, this is some OS-portal though, just asking for credentials, and not a page displayed in the browser.
I entered the login data through the script, though.
$ resolvectl
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
Current DNS Server: 132.187.0.13
DNS Servers: 132.187.0.13
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google
2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net
2001:4860:4860::8888#dns.google
DNS Domain: uni-wuerzburg.de
Link 2 (enp0s31f6)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 3 (wlan0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 132.187.0.13
DNS Servers: 132.187.0.13
$ drill www.archlinux.org
/* no output, even after ctrl + c */
Last edited by Sir-Photch (2023-01-20 13:24:41)
Offline
132.187.0.13 is Universitaet Wuerzburg, drill can't resolve the domain from there and ping through libresolve probably gets the IP from the local cache.
132.187.0.13 times out for me (so it's not an open DNS) and nmap has port 53 filtered (w/ -Pn …).
Can you nmap the IP from your segment?
Did you configure the DNS server or was it auto-cofigured (by script or networkmanager)?
Try what happens when you don't use resolved, https://wiki.archlinux.org/title/Networ … management (see the blue note about the filetype driven madness…)
Offline
Can you nmap the IP from your segment?
I am not very familiar with nmap but I tried this:
$ doas nmap -O 132.187.0.13
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 14:42 CET
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.20 seconds
This actually seemed to work and showed some sensible output, but after retrying I get the above message. I am not 100% sure if I was connected to eduroam at the previous point though....
I did not do any DNS configuration by myself. The nm-gui shows no additional DNS-entries in IPv4/v6. The entry for altsubject-matches was added by the script.
About not using resolved:
$ bash -c "ls -l /etc/resolv.conf"
-rw-r--r-- 1 root root 57 20. Jan 14:46 /etc/resolv.conf
Doesn't seem to be symlinked?
EDIT:
actually, after reconnecting a couple of times I seem to be able to nmap this ip:
$ doas nmap -O 132.187.0.13
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 14:52 CET
Nmap scan report for ns2.uni-wuerzburg.de (132.187.0.13)
Host is up (0.0023s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6, Linux 5.0 - 5.4
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.95 seconds
Last edited by Sir-Photch (2023-01-20 13:55:14)
Offline
Doesn't seem to be symlinked?
Is resolved explicitly enabled?
find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
grep -ri dns /etc/NetworkManager/conf.d
132.187.0.13 does seem to block inbound traffic from (at least) outside its segment, so maybe the first run was while you briefly had a lease in the edurom segment.
Do you still have the output?
Edit: yeah, that looks like a DNS server yuo're probably somewhat supposed to use.
Last edited by seth (2023-01-20 13:58:12)
Offline
$ find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
avahi-daemon.service | multi-user.target.wants
avahi-daemon.socket | sockets.target.wants
cronie.service | multi-user.target.wants
cups.socket | sockets.target.wants
dbus-org.freedesktop.Avahi.service | system
dbus-org.freedesktop.network1.service | system
dbus-org.freedesktop.nm-dispatcher.service | system
dbus-org.freedesktop.resolve1.service | system
dbus-org.freedesktop.timesync1.service | system
display-manager.service | system
gcr-ssh-agent.socket | sockets.target.wants
getty@tty1.service | getty.target.wants
gnome-keyring-daemon.socket | sockets.target.wants
NetworkManager.service | multi-user.target.wants
NetworkManager-wait-online.service | network-online.target.wants
p11-kit-server.socket | sockets.target.wants
pipewire-pulse.socket | sockets.target.wants
pipewire-session-manager.service | user
pipewire.socket | sockets.target.wants
remote-fs.target | multi-user.target.wants
systemd-boot-update.service | sysinit.target.wants
systemd-networkd.service | multi-user.target.wants
systemd-networkd.socket | sockets.target.wants
systemd-networkd-wait-online.service | network-online.target.wants
systemd-network-generator.service | sysinit.target.wants
systemd-resolved.service | multi-user.target.wants
systemd-timesyncd.service | sysinit.target.wants
vncserver-x11-serviced.service | multi-user.target.wants
wireplumber.service | pipewire.service.wants
Seems to be enabled.
$ grep -ri dns /etc/NetworkManager/conf.d
/* no output */
Last edited by Sir-Photch (2023-01-20 14:06:12)
Offline
You've systemd-networkd and networkmanager enabled what doesn't work to being with (they'll fight over the NIC(s) unless you isolated the control)
=> stop and disable all systemd-networkd* services and sockets and systemd-resolved.service - then see whether you've more luck w/ eduroam
Offline
You dear sir or madam are my saviour, thank you very much
This headache that was going on for one semester already is finally resolved
Last edited by Sir-Photch (2023-01-20 14:19:22)
Offline
Flash! Ahh-ahhhh…
Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
Offline
Weird though, why were other networks working then? I thought multiple instances of network-managers would mess up everything?
Offline
You might simply not have noticed that the control was handed over and the lease turned up and down (in doubt w/ NM, through wpa_supplicant, providing a wifi carrier for systemd-networkd)
Or: the only critical factor in the specific case was indeed resolved.
You'd have to check older journals to see what was going on, but in any event:
Running multiple network managing daemons concurrently will systematically cause issues (as is pointed out in the network config wiki)
Offline