Bug in WPA2 EAP?

victorclaessen
Posts: 3
Joined: Mon Aug 14, 2017 8:08 pm

Postby victorclaessen » Mon Aug 14, 2017 8:34 pm

Hi,

I'm trying to connect to a wpa2 enterprise network with an esp8266. I think there may be a bug in the EAP code in the esp8266 firmware (and if so, then probably also in the same module in the esp32 firmware).

I set up a build environment (described here) that can compile the following code using the SDK_2.1.0 + the relevant files from this GitHub commit.

I can successfully compile the following code:

Code:

#include <ESP8266WiFi.h>

extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}

// SSID to connect to
static const char* ssid = "eduroam";
// Username for authentication
static const char* username = "myusername@myinstitution";
// Password for authentication
static const char* password = "mypassword";

void setup() {
  // put your setup code here, to run once:
  Serial.begin(115200);
 
  // Setting ESP into STATION mode only (no AP mode or dual mode)
  wifi_set_opmode(STATION_MODE);
 
  struct station_config wifi_config;
 
  memset(&wifi_config, 0, sizeof(wifi_config));
  strcpy((char*)wifi_config.ssid, ssid);
 
  wifi_station_set_config(&wifi_config);
 
  wifi_station_clear_cert_key();
  wifi_station_clear_enterprise_ca_cert();
 
  wifi_station_set_wpa2_enterprise_auth(1);
  wifi_station_set_enterprise_identity((uint8*)username, strlen(username));
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));
  wifi_station_set_enterprise_new_password((uint8*)password, strlen(password));
 
  wifi_station_connect();
 
  // Wait for connection AND IP address from DHCP
  Serial.println();
  Serial.println("Waiting for connection and IP Address from DHCP");
  while (WiFi.status() != WL_CONNECTED) {
    delay(2000);
    Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
}

void loop() {
  // put your main code here, to run repeatedly:
}


When I tried to connect to my WPA2 Enterprise network at home, I got the following error in the freeradius log:

Code:

Found Auth-Type = EAP
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
++[eap] = invalid


I found that other people had experienced the same problem on ESP32, so I tried their fix: to set

Code:

default_eap_type = mschapv2

in the eap-section of my freeradius server, and it worked. I can successfully authenticate and log in to my WPA2 Enterprise network, and I get an IP address which I can ping from another host.

When I try the same thing at my work (an academic institution that uses the eduroam network), I cannot authenticate. I have no control over the radius server, nor can I see the logs, but it seems plausible to me that I am experiencing the same problem.

I am no expert in EAP, but it seems to me that the ESP firmware somehow does not make it clear to freeradius that it wants to authenticate using EAP-MSCHAPv2. I'm not sure at what point in the negotiation the EAP type is selected, but I see here that EAP-MSCHAPv2 is type 26, and from the freeradius log file, it seems that the ESP sends type 0.

Is that a bug, and if so, can that be fixed?
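
How the log line "NAK asked for bad type 0" reads in terms of EAP framing, as an added example that is not part of the original post or the ESP firmware: in an EAP Nak response (RFC 3748, type 3) the peer lists the method types it wants, and the value 0 means it proposes no alternative. The function name, result codes and sample packets below are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EAP constants: Response code and Nak type (RFC 3748), MSCHAPv2 method type. */
enum { EAP_CODE_RESPONSE = 2, EAP_TYPE_NAK = 3, EAP_TYPE_MSCHAPV2 = 26 };

/* Result codes of this example (hypothetical names, not from any SDK). */
enum nak_result {
    NAK_MALFORMED = -1,   /* truncated packet or bad Length field */
    NAK_NOT_A_NAK = 0,    /* valid EAP header, but not a Nak response */
    NAK_NO_ALTERNATIVE,   /* Nak carries only type 0: peer proposes nothing */
    NAK_PROPOSES_METHODS  /* Nak lists at least one real method type */
};

/* Parse one EAP packet and classify a Nak response. On NAK_PROPOSES_METHODS,
 * *first_type receives the first non-zero desired method type. */
enum nak_result classify_eap_nak(const uint8_t *pkt, size_t len, uint8_t *first_type)
{
    if (pkt == NULL || len < 4) return NAK_MALFORMED;
    size_t eap_len = ((size_t)pkt[2] << 8) | pkt[3];  /* big-endian, includes header */
    if (eap_len < 4 || eap_len > len) return NAK_MALFORMED;
    if (pkt[0] != EAP_CODE_RESPONSE || eap_len < 5 || pkt[4] != EAP_TYPE_NAK)
        return NAK_NOT_A_NAK;
    if (eap_len < 6) return NAK_MALFORMED;  /* a Nak carries at least one type octet */
    for (size_t i = 5; i < eap_len; i++) {
        if (pkt[i] != 0) {
            if (first_type) *first_type = pkt[i];
            return NAK_PROPOSES_METHODS;
        }
    }
    return NAK_NO_ALTERNATIVE;
}

/* Constructed sample packets (not captured from the network in the post). */
static const uint8_t nak_type0[]  = { 0x02, 0x07, 0x00, 0x06, 0x03, 0x00 };
static const uint8_t nak_type26[] = { 0x02, 0x07, 0x00, 0x06, 0x03, 0x1a };
static const uint8_t truncated[]  = { 0x02, 0x07, 0x00, 0x10, 0x03, 0x1a };

int main(void)
{
    uint8_t t = 0;
    printf("type0: %d\n", classify_eap_nak(nak_type0, sizeof nak_type0, &t));
    printf("type26: %d", classify_eap_nak(nak_type26, sizeof nak_type26, &t));
    printf(" (wants %u, MSCHAPv2 is %d)\n", (unsigned)t, EAP_TYPE_MSCHAPV2);
    printf("truncated: %d\n", classify_eap_nak(truncated, sizeof truncated, &t));
    return 0;
}
```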

ESP_Faye
Posts: 1623
Joined: Mon Oct 27, 2014 11:08 am

Re: Bug in WPA2 EAP?

Postby ESP_Faye » Thu Aug 31, 2017 2:55 pm

Hi,

Sorry for the inconvenience. We have checked it.
The root cause is that some devices cannot recognize the auth mode automatically.
We will add an API to set auth mode in a future release.

Thanks for your interest in ESP8266!

Re: Bug in WPA2 EAP?

Postby victorclaessen » Thu Aug 31, 2017 5:43 pm

That is great. Would it be possible to post a link to the github commit here after that API has been added?

Re: Bug in WPA2 EAP?

Postby ESP_Faye » Wed Sep 06, 2017 11:29 am

Hi,

Yes. We will let you know when the work is done.

Thanks for your interest in ESP8266!

Re: Bug in WPA2 EAP?

Postby victorclaessen » Sat Oct 28, 2017 5:33 pm

Hi,

I forgot about this for a while, but just remembered, and am still interested in a fix. I am wondering if you are able to report any progress?

Best regards,

Victor
