As discussed elsewhere, I have been facing serious troubles in setting up networking using KDE frontends to the network-manager daemon (network-manager-kde or plasma-widget-networkmanagement) in Debian Squeeze.

The nightmare and some hope

To be more precise, everything worked fine until I tried to configure a WPA2 Enterprise connection (EAP-TTLS + PAP) for the Eduroam network. Unfortunately, I very badly need this for work purposes and have wasted hours trying to get this working. The symptom is the following:

    wpa_supplicant: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=3 ...
      ...  err='self signed certificate in certificate chain'

After fixing my hardware support issues I checked that the connection was indeed OK when using wpa_supplicant directly with network-manager stopped. One working config file is:

    network={
      ssid="eduroam"
      key_mgmt=WPA-EAP
      eap=TTLS
      anonymous_identity="anonymous@myserver"
      ca_cert="/mydir/myserver.pem"
      identity="myname@myserver"
      password="mypasswrd"
      phase2="auth=PAP"
    }

and a successful connection now looks like this (in /var/log/syslog):

    wpa_supplicant: CTRL-EVENT-EAP-PEER-CERT depth=3 ...
    wpa_supplicant: CTRL-EVENT-EAP-PEER-CERT depth=2 ...
    wpa_supplicant: CTRL-EVENT-EAP-PEER-CERT depth=1 ...
    wpa_supplicant: CTRL-EVENT-EAP-PEER-CERT depth=0 ...
    wpa_supplicant: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully

So the culprit must be either network-manager or the KDE frontend to it.
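To compare the failing and the successful attempt shown above without reading raw syslog, the following added example (not part of the original post) groups wpa_supplicant's EAP events per attempt and reports the depth at which the server chain was rejected. The log lines, host name and certificate subjects are constructed placeholders.

```python
import re

# Constructed sample: syslog lines modelled on the two excerpts in the post.
# Timestamps, host name and subject strings are placeholders.
SAMPLE_LOG = """\
Jan  1 10:00:01 host wpa_supplicant[1234]: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=3 subject='/CN=Example Root CA' err='self signed certificate in certificate chain'
Jan  1 10:05:01 host wpa_supplicant[1234]: CTRL-EVENT-EAP-PEER-CERT depth=3 subject='/CN=Example Root CA'
Jan  1 10:05:01 host wpa_supplicant[1234]: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/CN=Example Intermediate CA 1'
Jan  1 10:05:01 host wpa_supplicant[1234]: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=Example Intermediate CA 2'
Jan  1 10:05:01 host wpa_supplicant[1234]: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.example.org'
Jan  1 10:05:02 host wpa_supplicant[1234]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
"""

EVENT = re.compile(r"wpa_supplicant(?:\[\d+\])?: CTRL-EVENT-EAP-([A-Z-]+)\s*(.*)")
FIELD = re.compile(r"(\w+)=('[^']*'|\S+)")  # key=value, value optionally single-quoted


def triage(log_text):
    """Return one dict per EAP attempt, saying how server validation ended."""
    attempts, chain = [], {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        event = m.group(1)
        fields = {k: v.strip("'") for k, v in FIELD.findall(m.group(2))}
        if event == "PEER-CERT":
            # In the post's log the chain is reported from depth 3 down to
            # the server certificate at depth 0.
            chain[int(fields.get("depth", -1))] = fields.get("subject", "")
        elif event == "TLS-CERT-ERROR":
            attempts.append({"outcome": "cert-rejected",
                             "depth": int(fields.get("depth", -1)),
                             "reason": int(fields.get("reason", -1)),
                             "err": fields.get("err", ""),
                             "accepted_depths": sorted(chain)})
            chain = {}
        elif event == "SUCCESS":
            attempts.append({"outcome": "success",
                             "accepted_depths": sorted(chain),
                             "server_subject": chain.get(0, "")})
            chain = {}
    return attempts


if __name__ == "__main__":
    for attempt in triage(SAMPLE_LOG):
        print(attempt)
```

A rejected attempt with an empty `accepted_depths` and `depth` equal to the top of the chain means the topmost certificate was not found in the trust store the supplicant was given, which matches the failure described above.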

After hours of googling and trial and error I am pretty much convinced that the KDE frontends in squeeze cannot handle such connections. The problem has been fixed upstream as well as in current versions of plasma-widget-networkmanagement in the unstable version of Debian (if you are ready to upgrade large portions of your system, that is). Don't waste your time here, as the things that you can read on the web (converting your cert to a DER file, or installing the required certificates to the /etc/ssl/certs directory using the update-ca-certificates -v command, so as to use the 'system certificates' option in network-manager-kde; don't try to do this by hand as suggested in many web documents) just do not work. Note that, as can be guessed from the above output, the file myserver.pem contains a complete chain of 4 certificates instead of just one, which makes things even more complicated.

Why not use network-manager directly?

That's what I tried to do by setting up an entry for nmcli (the console client from network-manager) in /etc/NetworkManager/system-connections. The problem here is that the doc is extremely sparse and all I found were a few examples with a few documents on connections and options. The best I could do was to write the following configuration file for the connection:

    [connection]
    id=eduroam
    type=802-11-wireless

    [802-11-wireless]
    security=802-1x

    [802-1x]
    eap=TTLS
    ca-path=/mydir
    identity=myname@myserver
    anonymous-identity=anonymous@myserver
    phase2-auth=PAP
    password=mypasswrd

but could not get it to work (with nmcli con up id eduroam). Note that once you try it, the connection gets tagged with a unique id (and flagged as invalid as it doesn't work) and that further changes to an existing connection seem to highly confuse network-manager.

What I learned from this is that nmcli can display interesting things like the list of known connections (nmcli con list) or the list of networks scanned by the device (nmcli -f SSID,RATE,SIGNAL,SECURITY,DEVICE,ACTIVE dev wifi list), but that's all.

The fallback solution

OK, what I ended up doing was to select managed=true in the [ifupdown] section of /etc/NetworkManager/NetworkManager.conf and to leave the Eduroam entry in /etc/network/interfaces:

    iface wlan0 inet dhcp
      wpa-conf /etc/wpa_supplicant/eduroam.conf

So as long as I don't need the Eduroam connection (KDE's applets work fine for other more common wifi protection schemes: WEP, WPA and WPA2 Personal), I can use the GUI applet, and when I need it I can take the connection up (/etc/init.d/network-manager stop; ifup wlan0) or down (ifdown wlan0; /etc/init.d/network-manager start).

That's the best I could do, if you can do better please let me know!