xRDP – Cannot connect to WiFi Networks in xRDP session – System policy prevents WiFi scans. How to Fix it !

Hello world,  

The idea of the post came from a question asked on askubuntu.com (see Authentication required. System policy prevents WiFi scans” in FocalFossa).  Some users wanted to scan and connect to WiFi networks while remotely connected to their system through the xRDP Software solution.  Usually, we do not recommend to perform changes at network connections level while remotely connected.  Indeed, if your changes are not successful (depends the changes you are performing!!!), you might loose your remote session and remote connections capabilities.  The only option left would be to go logon locally on the machine and perform the necessary changes…. 

That’s being said, we decided to give it a try and see if we could indeed create a custom polkit configuration file (*.pkla) in order to allow remotely connected users to configure their WiFi connections…

So, let’s go ! 

Overview 

Disclaimer

This guide and associated instructions are provided AS IS.  Use it at your own risk !!! 

Problem description

We have configured a machine that’s running Ubuntu 20.04.  The machine has one ethernet card and one Wireless card installed. We have performed this setup to demonstrate how to connect to a WiFi network from an xRDP session while ensuring we would not loose our connectivity to the remote machine.  

We have performed our xRDP connection to the machine (using the wired connection) and we are ready to connect to an existing WiFi network.  As you can see on the screenshot below, we are not connected to any WiFi networks yet.

Click on Picture for Better Resolution
So, let’s click on WiFi menu option > Select a Network  
 
Click on Picture for Better Resolution
 
The expected behavior would be to have a list of WiFi network to choose from.  However, because we are within a remote session, the list is not shown and a popup dialog box is  showing up instead.  The dialog box would display some informational message similar to “System Policy prevents WiFi Scans”
 
Click on Picture for Better Resolution
 
You can enter multiple time the correct admin password, you will not be able to pass this dialog box…..
 
As explained in some previous posts, this behavior is triggered by the polkit software component which basically provide an application authorization framework.  The software will monitor actions performed by the user and check if the user is authorized or not to perform such actions on the system.   Polkit software is reading some policy files that will specify if a user can perform such actions.  Polkit will behave differently if you are logged on locally on your Ubuntu machine compared to the user logged on through remote session.  The behavior difference is also controlled by the policy file. 
 
However, polkit is flexible enough to provide  a way to create your own custom rules.  To change the polkit default behavior and create your own rules, you will simply needs to create configuration file under /etc/polkit-1/localauthority/50-local.d/.  The rule file has usually   *.pkla as file extension.  So, to overcome the fact that we cannot scans WiFi, we will need to create a new pkla file…. 
 

Solution : Create your custom rules

Initial & incomplete Fix

To avoid such dialog box while trying to connect to a WiFi network, you will need to create your own pkla file.  In our scenario, we will create a file called 47-allow-wifi-scans.pkla which will be created under /etc/polkit-1/localauthority/50-local.d/.  You need administrative privileges in order to write in this location !

The initial pkla file would contains the following information 

[Allow Wifi Scan]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.wifi.scan
ResultAny=yes
ResultInactive=yes
ResultActive=yes

The following screenshot shows the content of the directory ( /etc/polkit-1/localauthority/50-local.d/) and also shows the content of the file 

Click on Picture for Better Resolution
 
After creating this file, you can try again to connect to your WiFi network and surprise, you will be able to list the available WiFi networks in your range 
 
Click on Picture for Better Resolution
 
However, this file might not be sufficient for you to proceed with your configuration.  As soon as you have selected your WiFi network and try to connect…
 
Click on Picture for Better Resolution
Another polkit Dialog box is showing up and notify you that “System policy prevents control of Network connections”.  Trying to pass your credentials, you would see that the popup will disappear and you will not be able to connect to your WiFi network…..
 
Click on Picture for Better Resolution

Working  pkla configuration file 

To avoid polkit dialog box popping up while trying to connect to a WiFi network, we have updated the our custom configuration file (located  /etc/polkit-1/localauthority/50-local.d/47-allow-wifi-scan.pkla) and we have populated it with the following contents

[Allow Wifi Scan]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.wifi.scan;org.freedesktop.NetworkManager.enable-disable-wifi;org.freedesktop.NetworkManager.settings.modify.own;org.freedesktop.NetworkManager.settings.modify.system;org.freedesktop.NetworkManager.network-control
ResultAny=yes
ResultInactive=yes
ResultActive=yes

Once the file has been created, you should be able to access the list of WiFi networks available and when trying to connect, you should be presented with the dialog box asking your for the WiFI password you are about to connect to…. 

Click on Picture for Better Resolution

We can then assess and check that you are indeed connected to the selected Wireless network 

Click on Picture for Better Resolution

Final Notes

This is it for this post ! 

We were able to configure our Ubuntu system to bypass all the polkit dialog box that would popup when trying to connect to a wireless network when remotely connected (via xRDP Software).  The fix is relatively easy once you know what causing the popup (i.e. polkit software) and how to overcome these popups (via custom rules).  As mentioned at the beginning of the post, we are not recommending to perform network changes while remotely connected to the system as you might loose your remote session.   Possibly, do the necessary changes when locally connected 

We had some fun (and we learned some news stuff about polkit) writing this post.  We hope you have enjoyed this one as well… 

Till next time 

See ya  

 

 

 

Leave a Reply