Core 2.5.0 WPA2-Enterprise user validation failure (Free Radius server) #5759


Closed
6 tasks done
FWdeveloper opened this issue Feb 14, 2019 · 6 comments

@FWdeveloper

FWdeveloper commented Feb 14, 2019

Basic Infos

  • This issue complies with the issue POLICY doc.
  • I have read the documentation at readthedocs and the issue is not addressed there.
  • I have tested that the issue is present in current master branch (aka latest git).
  • I have searched the issue tracker for a similar issue.
  • If there is a stack dump, I have decoded it.
  • I have filled out all fields below.

Platform

  • Hardware: [other]
  • Core Version: [2.5.0 Stable & Git 6c5269a]
  • Development Env: [Arduino IDE]
  • Operating System: [Windows]

Settings in IDE

  • Module: [Generic ESP8266 Module]
  • Flash Mode: [qio]
  • Flash Size: [2MB]
  • lwip Variant: [v2 Lower Memory]
  • Reset Method: [ck]
  • Flash Frequency: [80Mhz]
  • CPU Frequency: [160MHz]
  • Upload Using: [SERIAL]
  • Upload Speed: [115200] (serial upload only)

Problem Description

I have an issue establishing a WPA-Enterprise connection using a Free Radius server. The server works properly with my Android phone.

If I use Core version 2.4.2, I get the following debug output:

SDK:2.2.1(cfd48f3)/Core:2.4.2/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1-13-g163bb82)/BearSSL:6d1cefc
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1
cnt

Method private structure allocated failure

Free Radius server output:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 91
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: NAK asked for bad type 0
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 91
modcall: leaving group authenticate (returns invalid) for request 91
auth: Failed to validate the user.

Core 2.5.0 fails as well, but gives me different server output:

SDK:3.0.0-dev(c0f7b44)/Core:2.5.0=20500000/lwIP:STABLE-2_1_2_RELEASE/glue:1.1/BearSSL:6778687
wifi evt: 2
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone
state: 0 -> 2 (b0)
wifi evt: 8
state: 2 -> 3 (0)

Wi-Fi connectingstate: 3 -> 5 (10)
add 0
aid 1
cnt
Method private structure allocated failure

Free Radius server output:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 63
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/tls
rlm_eap: ERROR! Our request for tls was NAK'd with a request for tls, what is the client thinking?
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 63
modcall: leaving group authenticate (returns invalid) for request 63
auth: Failed to validate the user.

MCVE Sketch

#include <ESP8266WiFi.h>

extern "C" {
#include "user_interface.h"   // wifi_set_opmode(), wifi_station_*()
#include "wpa2_enterprise.h"  // wifi_station_set_enterprise_*()
}

typedef struct
{
  String ssid_;
  String username_;
  String password_;
} Settings;

Settings settings_;

void setup()
{
  wifi_set_opmode(STATION_MODE);

  // Use a static address instead of DHCP.
  wifi_station_dhcpc_stop();
  struct ip_info info;
  IP4_ADDR(&info.ip, 192, 168, 1, 3);
  IP4_ADDR(&info.gw, 192, 168, 1, 252);
  IP4_ADDR(&info.netmask, 255, 255, 255, 0);
  wifi_set_ip_info(STATION_IF, &info);

  // Only the SSID is set here; the credentials go through the enterprise API below.
  station_config wifiConfig = {0};
  strncpy((char*)wifiConfig.ssid, settings_.ssid_.c_str(), sizeof(wifiConfig.ssid));
  wifi_station_set_config(&wifiConfig);

  // No client certificate and no CA certificate are configured.
  wifi_station_clear_cert_key();
  wifi_station_clear_enterprise_ca_cert();

  wifi_station_set_wpa2_enterprise_auth(1);

  // The same string is used as outer identity and as username.
  wifi_station_set_enterprise_identity((uint8*)settings_.username_.c_str(), settings_.username_.length());
  wifi_station_set_enterprise_username((uint8*)settings_.username_.c_str(), settings_.username_.length());
  wifi_station_set_enterprise_password((uint8*)settings_.password_.c_str(), settings_.password_.length());

  wifi_station_connect();
}

void loop() {}
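
Both FreeRADIUS failures in the report above come from the server processing an EAP Nak sent by the ESP8266. As an added example (not code from the issue, the ESP8266 core or FreeRADIUS), this decoder classifies a Legacy Nak per RFC 3748 section 5.3.1. The packet bytes are constructed, `parse_nak` and `diagnose` are hypothetical names, and the offered method (TLS) is taken from the 2.5.0 log and assumed for the 2.4.2 one.

```python
import struct

# EAP method numbers (IANA EAP registry); only the ones relevant to this thread.
EAP_TYPES = {4: "md5", 13: "tls", 21: "ttls", 25: "peap", 26: "mschapv2"}
EAP_RESPONSE, EAP_NAK = 2, 3

# Constructed sample EAP Responses: code, id, length, type=Nak, wanted types.
NAK_NONE = bytes.fromhex("020500060300")   # Nak carrying type 0
NAK_TLS = bytes.fromhex("02050006030d")    # Nak asking for TLS (13)
NAK_TTLS = bytes.fromhex("020500060315")   # Nak asking for TTLS (21)


def parse_nak(packet):
    """Return the list of method numbers carried in a Legacy Nak."""
    if len(packet) < 5:
        raise ValueError("too short for an EAP Response")
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length < 5 or length > len(packet):
        raise ValueError("EAP length field does not match the packet")
    if code != EAP_RESPONSE or eap_type != EAP_NAK:
        raise ValueError("not an EAP Nak response")
    return list(packet[5:length])


def diagnose(offered, packet, server_enabled):
    """Classify a Nak the way an authenticator must before picking a method."""
    wanted = parse_nak(packet)
    if not wanted or 0 in wanted:
        # RFC 3748 5.3.1: type 0 means the peer has no viable alternative.
        return "no-alternative"
    if offered in wanted:
        # The peer refused the offer and asked for the same method again.
        return "contradictory"
    for method in wanted:
        if method in server_enabled:
            return "retry:" + EAP_TYPES.get(method, str(method))
    return "no-common-method"


if __name__ == "__main__":
    enabled = {13, 21, 25}  # assumed set of methods enabled on the server
    for label, pkt in (("type 0", NAK_NONE), ("tls", NAK_TLS), ("ttls", NAK_TTLS)):
        print(label, "->", diagnose(13, pkt, enabled))
```

`no-alternative` corresponds to the 2.4.2 server line "NAK asked for bad type 0", and `contradictory` to the 2.5.0 line where the request for tls was NAK'd with a request for tls.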
@FWdeveloper
Author

Linked to #5784

@devyte
Collaborator

devyte commented Feb 19, 2019

WPA2-E is not fully supported by the NONOS sdk. There are some limited use cases, but that's it.
In addition, the NONOS sdk currently has low priority for code changes. Espressif is prioritizing the FreeRTOS sdk, so getting enhancements any time soon is unlikely.
Even so, should it somehow happen that full support is in fact added to the sdk, it will be made available in v3.x, and we still need to figure out how to migrate to sdk3 (not straightforward), so even if support is added soon, it won't reach the core for a while yet.
There is no full solution in sight, sorry. Closing for now.

@devyte devyte closed this as completed Feb 19, 2019
@d-a-v
Collaborator

d-a-v commented Feb 20, 2019

If you are the freeradius server master then you can change its configuration to make it work with esp (I guess)
Follow espressif/ESP8266_RTOS_SDK#442 (comment)
(this is on rtos-sdk repository but I believe they are referring to nonos-sdk too in this very case (EAP-TTLS-MSCHAPv2)).

@FWdeveloper
Author

@d-a-v I set up my freeradius server for EAP-TTLS-MSCHAPv2:

eap {
    ...
    default_eap_type = ttls
    ...
    ttls {
        ...
        default_eap_type = mschapv2
        ...
    }
}

but got an ESP8266 crash:

SDK:3.0.0-dev(c0f7b44)/Core:2.5.0=20500000/lwIP:STABLE-2_1_2_RELEASE/glue:1.1/BearSSL:6778687
...
WPA2 ENTERPRISE VERSION: [v2.0] enable
wifi evt: 8
scandone
..scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1
cnt 
EAP-TTLS: Start (server ver=0, own ver=0)
.Fatal exception 28(LoadProhibitedCause):

@d-a-v
Collaborator

d-a-v commented Feb 20, 2019

We can't be of any help.
You can wait for RTOS-SDK WPA2 examples (they are at 3.1, they promised such an example for 3.2) or use the latest NONOS-SDK, which has this example. Their native environment is quite hard to use (at least to me). I have set up this environment to experiment with their native API, if it could help.

@FWdeveloper
Author

Moved to ESP32 finally. It seems WPA2-Enterprise works well there.
