ESP8266 Developer Zone

Re: Bug in WPA2 EAP

2020-01-13T20:39:47+08:00

I know this is an old issue (and I hope that in the meantime it has been fixed properly), but I got it working with the following approach:

I use the following code to connect to a (P)EAP-enabled WPA2-Enterprise network:

Code:

  wifi_set_opmode(STATION_MODE);
  struct station_config wifi_config;
  memset(&wifi_config, 0, sizeof(wifi_config));
  strcpy((char*)wifi_config.ssid, ssid);
  wifi_station_set_config(&wifi_config);
  wifi_station_dhcpc_start();
  wifi_station_clear_cert_key();
  wifi_station_set_wpa2_enterprise_auth(1);
  wifi_station_set_enterprise_identity((uint8*)username, strlen(username));
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));
  wifi_station_set_enterprise_ca_cert((byte*)ca_cert, strlen(ca_cert));
  wifi_station_connect();

1. I got rid of the 'No poison...' error by modifying the malloc implementation (umm_malloc) used to ignore this kind of error. Of course, this is not the correct way, because you might run into other kinds of issues, but if all you need is a working WPA2-Enterprise connection, then do this at your own risk. (insert `return 1;` at line 43 in https://raw.githubusercontent.com/esp82 ... m_poison.c`)

2. To use DHCP, I had to implement some kind of timeout as sometimes the dhcp discovery just did not fire - I checked with Wireshark running on the gateway (which also supplies the DHCP leases), and in fact every ~2nd time the ESP did not send the correct DHCP packet. My solution is the following:

Code:

  Ticker timer;
  bool connected = true;
  timer.attach(5, [&](){connected = false;});
  while (WiFi.status() != WL_CONNECTED) {
    delay(10);
  }
  timer.detach();

If I do not get a WL_CONNECTED status after 5s, I set the connected flag to false.

My entire code this way:

bool connect() {
wifi_set_opmode(STATION_MODE);
struct station_config wifi_config;
memset(&wifi_config, 0, sizeof(wifi_config));
strcpy((char*)wifi_config.ssid, ssid);
wifi_station_set_config(&wifi_config);
wifi_station_dhcpc_start();
wifi_station_clear_cert_key();
wifi_station_set_wpa2_enterprise_auth(1);
wifi_station_set_enterprise_identity((uint8*)username, strlen(username));
wifi_station_set_enterprise_username((uint8*)username, strlen(username));
wifi_station_set_enterprise_password((uint8*)password, strlen(password));
wifi_station_set_enterprise_ca_cert((byte*)ca_cert, strlen(ca_cert));
wifi_station_connect();
Ticker timer;
bool connected = true;
timer.attach(5, [&](){connected = false;});
while (WiFi.status() != WL_CONNECTED) {
delay(10);
}
timer.detach();
return connected;
}

void connectBlock(){
while(!connect()){
delay(100);
}
}

If you call connectBlock(), you will get a connection after a while - fine-tune the timeout parameter if you need to, but I found that 5s works for me; and if it seems like a long time, then maybe WiFi is not the best approach for your use-case after all.

Note: After establishing the connection, it is pretty stable, I did not experience an influx of dropouts in contrast with a regular WPA2-PSK network.

I hope I could help, please do share your experiences should you try this approach out!

Statistics: Posted by Guest — Mon Jan 13, 2020 8:39 pm

Re: Bug in WPA2 EAP

2019-03-17T02:09:55+08:00

I think we have different opinions on what 'soon' means.

Statistics: Posted by victorclaessen — Sun Mar 17, 2019 2:09 am

Re: Bug in WPA2 EAP

2018-08-11T00:13:05+08:00

I hope we are close. xcguang from Espressif promised to look into this and get back with an update soon.

Statistics: Posted by avc — Sat Aug 11, 2018 12:13 am

Re: Bug in WPA2 EAP

2018-08-10T22:41:03+08:00

The problem was not resolved for one year. It is pity. But at least SiLabs offer modules capable to handle WPA2 Enterprise.

Statistics: Posted by akouz — Fri Aug 10, 2018 10:41 pm

Re: Bug in WPA2 EAP

2018-08-06T01:56:41+08:00

@ESP_Faye @ESP_wujiangang @ESP_Deng Xin Please address this issue. The issue seems to be not fixed. See full discussion on https://github.com/esp8266/Arduino/pull/4853. We tried both Arduino and native sdk, both showing similar errors.

Statistics: Posted by avc — Mon Aug 06, 2018 1:56 am

Re: Bug in WPA2 EAP

2018-07-23T23:16:42+08:00

@ESP_Deng Xin @ESP_Faye @ESP_igrr We have been trying to get this going with the latest release but it seems there are still issues with getting the IP. Can you please look at all the related discussion too at https://github.com/esp8266/Arduino/pull/4853

In my latest attempt, the Radius Server does accept the request and seems to successfully authenticate (atleast it looks like from the Radius server logs), but the ESP cannot complete the process.

Code:

SDK:3.0.0-dev(c0f7b44)/Core:win-2.5.0-dev/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1-13-g163bb82)/BearSSL:6d1cefc
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone

Waiting for connection and IP Address from DHCP
wifi evt: 8
wifi evt: 2
.scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1
cnt 
Method private structure allocated failure
EAP-MSCHAPV2: RX identifier 4 mschapv2_id 4
EAP-MSCHAPV2: Generate Challenge Response
EAP-MSCHAPV2: RX identifier 5 mschapv2_id 4
..state: 5 -> 2 (6c0)
rm 0
wifi evt: 1
STA disconnect: 6
reconnect

Any help would be much appreciated.

Statistics: Posted by avc — Mon Jul 23, 2018 11:16 pm

Re: Bug in WPA2 EAP

2018-07-01T03:16:19+08:00

@victorclaessen I was going through the espressif repo, and I noticed a more files which were updated along the wpa2 stuff. some on lwip, some in /include folders. Now, When @ESP_Faye asked to try out the latest sdk, I would be surprised he would say so without having someone (he himself or someone in his team) test it out and made sure it is working atleast on their network. Which makes me think: Is it possible that it is not just the 2 lib files, and the wpa2_enterprise.h (which was not updated in this go) that needs to be added for this to work?

Statistics: Posted by avc — Sun Jul 01, 2018 3:16 am

Re: Bug in WPA2 EAP

2018-06-29T14:35:28+08:00

To rule out device failure I took a completely new esp8266 module (Witty Cloud board) from its protective packaging, and uploaded the same code to it. I selected 'erase all flash contents' as an arduino upload option. Same result:

Code:

SDK:3.0.0-dev(c0f7b44)/Core:win-2.5.0-dev/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1-13-g163bb82)/BearSSL:94e9704
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone

Waiting for connection and IP Address from DHCP
wifi evt: 8
wifi evt: 2
.scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1
cnt 
EAP-MSCHAPV2: RX identifier 3 mschapv2_id 3
EAP-MSCHAPV2: Generate Challenge Response
EAP-MSCHAPV2: RX identifier 4 mschapv2_id 3
there is no poison after the block. Expected poison address: 0x414910d8, actual data: 0x0e 0x00 0x00 0x00
block start: 3fff0f8c

Panic C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc\umm_malloc.c:861 check_poison_block

ctx: sys 
sp: 3fffec50 end: 3fffffb0 offset: 01b0

>>>stack>>>

Decoding 67 results
0x40204af6: printf at /Users/igrokhotkov/e/newlib-xtensa/xtensa-lx106-elf/newlib/libc/stdio/../../../.././newlib/libc/stdio/printf.c line 61
0x40244394: sleep_reset_analog_rtcreg_8266 at ?? line ?
0x401004db: check_poison at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 861
:  (inlined by) check_poison_block at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 851
0x4010020c: _umm_free at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 1295
0x4010020c: _umm_free at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 1295
0x4010053a: get_unpoisoned at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 946
0x401009dc: free at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 1742
0x4022d8e0: _base64_decode at ?? line ?
0x40106944: vPortFree at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266/heap.c line 59
0x4022581a: wpa2_sm_rx_eapol at ?? line ?
0x4022582e: wpa2_sm_rx_eapol at ?? line ?
0x40225869: wpa2_sm_rx_eapol at ?? line ?
0x40225434: wpa2_sm_rx_eapol at ?? line ?
0x4021cccd: sta_input at ?? line ?
0x40230d43: pp_tx_idle_timeout at ?? line ?
0x40230603: ppPeocessRxPktHdr at ?? line ?
0x40104740: call_user_start_local at ?? line ?
0x40104746: call_user_start_local at ?? line ?
0x4010000d: call_user_start at ?? line ?
0x40100a84: cont_ret at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266/cont.S line 142
0x40100a31: cont_continue at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266/cont.S line 51
0x40101232: pp_post at ?? line ?
0x40104620: lmacTxFrame at ?? line ?
0x4010383f: lmacRecycleMPDU at ?? line ?
0x40103ca2: lmacRecycleMPDU at ?? line ?
0x40103786: lmacProcessTxSuccess at ?? line ?
0x401025fb: wDev_ProcessFiq at ?? line ?
0x401022f8: wDev_ProcessFiq at ?? line ?
0x40100439: check_poison_block at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc/umm_malloc.c line 842
0x40104f19: ets_timer_disarm at ?? line ?
0x40245d80: sleep_reset_analog_rtcreg_8266 at ?? line ?
0x40240000: phy_gpio_cfg at ?? line ?
0x40241c31: ram_set_txbb_atten at ?? line ?
0x4023e77a: tx_atten_set_interp at ?? line ?
0x40231763: pp_attach at ?? line ?
0x402317b2: pp_attach at ?? line ?
0x4010137b: ppCalFrameTimes at ?? line ?
0x4023086b: ppTxPkt at ?? line ?
0x40219d6b: ieee80211_send_probereq at ?? line ?
0x4021ddd4: cnx_start_handoff_cb at ?? line ?
0x4021bb93: scan_remove_probe_ssid at ?? line ?
0x4021b764: scan_start at ?? line ?
0x4021ddd4: cnx_start_handoff_cb at ?? line ?
0x4010505c: ets_timer_arm_new at ?? line ?
0x4021d76b: chm_start_op at ?? line ?
0x4021ddd4: cnx_start_handoff_cb at ?? line ?
0x4021ddd4: cnx_start_handoff_cb at ?? line ?
0x4021d6e0: chm_start_op at ?? line ?
0x4021b754: scan_start at ?? line ?
0x4021b728: scan_start at ?? line ?
0x4021b6f3: scan_start at ?? line ?
0x4021bca4: scan_remove_probe_ssid at ?? line ?
0x4010505c: ets_timer_arm_new at ?? line ?
0x40203398: esp_yield at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266/core_esp8266_main.cpp line 91
0x402014e7: delay at C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266/core_esp8266_wiring.c line 51
0x40202716: setup at C:\Users\claessen\Documents\Arduino\wpa2/wpa2.ino line 45

<<

(The attempt from the previous post used a of Wemos D1 mini v3 board.)

Statistics: Posted by victorclaessen — Fri Jun 29, 2018 2:35 pm

Re: Bug in WPA2 EAP

2018-06-29T14:06:55+08:00

At the request (https://github.com/esp8266/Arduino/pull/4853#issuecomment-401187904) of d-a-v, I updated my arduino esp8266 repo to his pull request and re-ran my code. Now the error message is different "there is no poison after the block", which is interesting but I do not yet know what it means. See below for esp8266 debug output:

Code:

ets Jan  8 2013,rst cause:2, boot mode:(3,7)

load 0x4010f000, len 1384, room 16 
tail 8
chksum 0x2d
csum 0x2d
v00000000
~ld

SDK:3.0.0-dev(c0f7b44)/Core:win-2.5.0-dev/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1-13-g163bb82)/BearSSL:94e9704
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone

Waiting for connection and IP Address from DHCP
wifi evt: 8
wifi evt: 2
.scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1
cnt 
EAP-MSCHAPV2: RX identifier 3 mschapv2_id 3
EAP-MSCHAPV2: Generate Challenge Response
EAP-MSCHAPV2: RX identifier 4 mschapv2_id 3
there is no poison after the block. Expected poison address: 0x41491208, actual data: 0x0e 0x00 0x00 0x00
block start: 3fff10bc

Panic C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\cores\esp8266\umm_malloc\umm_malloc.c:861 check_poison_block

ctx: sys 
sp: 3fffec50 end: 3fffffb0 offset: 01b0

>>>stack>>>

Statistics: Posted by victorclaessen — Fri Jun 29, 2018 2:06 pm

Re: Bug in WPA2 EAP

2018-06-28T19:19:35+08:00

Pfff it was so long ago I really had to read all my old posts to remind myself on how to do this :-S

I made a new build environment:
* Arduino 1.8.5
* git version of ESP8266 core for Arduino
* updated libwpa2.a and wpa2_enterprise.h from the latest commit of ESP8266_NONOS_SDK.
* uploaded the same code as in the original post (but edited to use actual credentials of course).

No success. Esp8266 keeps resetting itself. I Enabled Wifi debug, serial output follows below.
It does look like it is attempting mschapv2 authentication, which is what it should be doing in my case. I don't know what is causing the fatal exception.

Code:

 ets Jan  8 2013,rst cause:2, boot mode:(3,6)

load 0x4010f000, len 1384, room 16 
tail 8
chksum 0x2d
csum 0x2d
v00000000
~ld

SDK:2.2.1(cfd48f3)/Core:win-2.5.0-dev/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1-13-g163bb82)/BearSSL:94e9704
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone

Waiting for connection and IP Address from DHCP
wifi evt: 8
wifi evt: 2
.scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 2
cnt 
EAP-MSCHAPV2: RX identifier 3 mschapv2_id 3
EAP-MSCHAPV2: Generate Challenge Response
EAP-MSCHAPV2: RX identifier 4 mschapv2_id 3
Fatal exception 3(LoadStoreErrorCause):
epc1=0x40100326, epc2=0x00000000, epc3=0x00000000, excvaddr=0x40243f64, depc=0x00000000

Exception (3):
epc1=0x40100326 epc2=0x00000000 epc3=0x00000000 excvaddr=0x40243f64 depc=0x00000000

ctx: sys 
sp: 3fffebf0 end: 3fffffb0 offset: 01a0

>>>stack>>>

Statistics: Posted by victorclaessen — Thu Jun 28, 2018 7:19 pm

Re: Bug in WPA2 EAP

2018-06-27T08:25:48+08:00

ESP_Faye wrote:
Hi,

Please have a try with the latest SDK https://github.com/espressif/ESP8266_NONOS_SDK, it should has been fixed.

If your problem is still unsolved, please feel free to let us know.

Thanks.

Thanks ESP_Faye, glad to see you guys working on this. Unfortunately, I just tested the updated repo but there are still issues.

While the old SDK generated the following output in the radius server:

Code:

(97) eap: Peer sent packet with method EAP NAK (3)
(97) eap: Peer NAK'd indicating it is not willing to continue 
(97) eap: Sending EAP Failure (code 4) ID 1 length 4
(97) eap: Failed in EAP select
(97)     [eap] = invalid
(97)   } # authenticate = invalid
(97) Failed to authenticate the user
(97) Using Post-Auth-Type Reject

Which is pretty much what you mentioned in your comment:

... if the client do not support it, it will send NAK to reponse...

The latest commits seem to force the device to try multiple auth modes automatically; first EAP-TLS (even if no certificates were defined by the developer - as it is my case -), thus making the authentication fail. Then, on a second try, the device seems to keep forcing the mode until the server just ignores it:

Code:

(2) eap: Peer sent packet with method EAP NAK (3)
(2) eap: Peer NAK'd our request for TLS (13) with a request for TLS (13), skipping...
(2) eap: WARNING: !!! We requested to use an EAP type as normal.
(2) eap: WARNING: !!! The supplicant rejected that, and requested to use the same EAP type.
(2) eap: WARNING: !!!     i.e. the supplicant said 'I don't like X, please use X instead.
(2) eap: WARNING: !!! The supplicant software is broken and does not work properly.
(2) eap: WARNING: !!! Please upgrade it to software that works.
(2) eap: Found mutually acceptable type MSCHAPv2 (26)
(2) eap: Calling submodule eap_mschapv2 to process data
(2) eap_mschapv2: Issuing Challenge
(2) eap: Sending EAP Request (code 1) ID 3 length 43
(2) eap: EAP session adding &reply:State = 0x51fe2fd453fd3545
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.

...the supplicant said 'I don't like X, please use X instead... The supplicant software is broken and does not work properly...

Not very encouraging.

In a final attempt, the device seems to suggest a different type MS-CHAP, but this one is also failing; I'm not sure why yet, It could be our server configuration.

Interesting enough, the device never suggests PEAP or perhaps, it never gets the chance to, since it seems to stay stuck in the mschapv2 mode and just keeps printing every few seconds on the serial monitor:

Code:

EAP-MSCHAPV2: RX identifier 3 mschapv2_id 3
EAP-MSCHAPV2: Generate Challenge Response

Rather than allowing the device to try multiple auth methods, wouldn't it be easier for all of us if the SDK included methods to allow the developers to use the correct auth method rather than trying multiple ones hoping one will work?

I will continue testing (still haven't tested EAP-TLS using certificates) and keep you all updated.

Regards,

A.

Statistics: Posted by alex323qp — Wed Jun 27, 2018 8:25 am

Re: Bug in WPA2 EAP

2018-06-26T21:09:22+08:00

Great, I expect to be able to test it on Friday when I'm back at the office (i.e. in range of the eduroam network).

Statistics: Posted by victorclaessen — Tue Jun 26, 2018 9:09 pm

Re: Bug in WPA2 EAP

2018-06-26T20:57:14+08:00

Hi,

Please have a try with the latest SDK https://github.com/espressif/ESP8266_NONOS_SDK, it should has been fixed.

If your problem is still unsolved, please feel free to let us know.

Thanks.

Statistics: Posted by ESP_Faye — Tue Jun 26, 2018 8:57 pm

Re: Bug in WPA2 EAP

2018-06-26T13:03:19+08:00

I'm also quite interested in this. The company I work for is about to launch a product to market and this is kind of a showstopper atm.

Please do keep us updated when the update is released.

A.

Statistics: Posted by alex323qp — Tue Jun 26, 2018 1:03 pm

Re: Bug in WPA2 EAP

2018-06-25T23:12:01+08:00

This is great! I hope this update wont take long. Looking forward to this.

Statistics: Posted by avc — Mon Jun 25, 2018 11:12 pm

Re: Bug in WPA2 EAP

2018-06-25T19:25:45+08:00

Also, if I can help by testing something, please let me know!

Statistics: Posted by victorclaessen — Mon Jun 25, 2018 7:25 pm

Re: Bug in WPA2 EAP

2018-06-25T17:46:23+08:00

The change has submitted, it will take a few days to take and merge

Statistics: Posted by ESP_Deng Xin — Mon Jun 25, 2018 5:46 pm

Re: Bug in WPA2 EAP

2018-06-25T16:17:32+08:00

That is great news. As I'm sure you're aware (from all the posts on the various github repo's) there are a lot of people that are *very* interested in this! Could you give us any indication on how long it will take to implement? Forgive me my bluntness, but I'd really be disappointed to wait another 10 months to hear something...

Statistics: Posted by victorclaessen — Mon Jun 25, 2018 4:17 pm

Re: Bug in WPA2 EAP

2018-06-25T12:01:19+08:00

Hi, All
Radiuse rever's default EAP method is MD5. However, we only support PEAP/TTLS/TLS now, when the connect start, server will send the EAP method type to client, if the client do not support it, it will send NAK to reponse, if we don not have any other method to use, we will set the type to zero.
However, there is another way to do is include the EAP method we want in the type.
We will add it in 8266 soon. Thank you for your continuous attention

Statistics: Posted by ESP_Deng Xin — Mon Jun 25, 2018 12:01 pm

Re: Bug in WPA2 EAP

2018-02-22T05:11:10+08:00

Can anyone from ExpressIf please comment on the status of this bug and the plans to add an API to set auth mode?

Statistics: Posted by victorclaessen — Thu Feb 22, 2018 5:11 am

Re: Bug in WPA2 EAP?

2018-01-26T19:24:13+08:00

Bug has been confirmed by yet another user.

https://github.com/esp8266/Arduino/issu ... -360691379

Statistics: Posted by victorclaessen — Fri Jan 26, 2018 7:24 pm

Re: Bug in WPA2 EAP?

2018-01-26T13:36:40+08:00

I too am hoping to see a fix soon. I know the current SDK will only authenticate to what I have set as default_eap_type at my radius server, rather than negotiate to find a common type that is supported at both ends.

Statistics: Posted by burtms — Fri Jan 26, 2018 1:36 pm

Re: Bug in WPA2 EAP?

2017-12-07T21:53:34+08:00

+1 I have also been waiting on a fix for this issue. (The optimist in me has been hoping the "future release" is the one supposedly scheduled for December 2017)

Statistics: Posted by onebytegone — Thu Dec 07, 2017 9:53 pm

Re: Bug in WPA2 EAP?

2017-12-07T19:37:02+08:00

Any reply at all?

Statistics: Posted by victorclaessen — Thu Dec 07, 2017 7:37 pm

Re: Bug in WPA2 EAP?

2017-10-28T17:33:13+08:00

Hi,

I forgot about this for a while, but just remembered, and am still interested in a fix. I am wondering if you are able to to report any progress?

Best regards,

Victor

Statistics: Posted by victorclaessen — Sat Oct 28, 2017 5:33 pm

Re: Bug in WPA2 EAP?

2017-09-06T11:29:39+08:00

Hi,

Yes. We will let you know when the work is done.

Thanks for your interest in ESP8266!

Statistics: Posted by ESP_Faye — Wed Sep 06, 2017 11:29 am

Re: Bug in WPA2 EAP?

2017-08-31T17:43:24+08:00

That is great. Would it be possible to post a link to the github commit here after that API has been added?

Statistics: Posted by victorclaessen — Thu Aug 31, 2017 5:43 pm

Re: Bug in WPA2 EAP?

2017-08-31T14:55:38+08:00

Hi,

Sorry for the inconvenience. We have checked it.
The root cause is that some device cannot recongize the auth mode automatically.
We will add an API to set auth mode in the future release.

Thanks for your interest in ESP8266!

Statistics: Posted by ESP_Faye — Thu Aug 31, 2017 2:55 pm

Bug in WPA2 EAP

2018-01-26T19:24:32+08:00

Hi,

I'm trying to connect to a wpa2 enterprise network with an esp8266. I think there may be a bug in the EAP code in the esp8266 firmware (and if so, then probably also in the same module in the esp32 firmware).

I set up a build environment (described here) that can compile the following code using the SDK_2.1.0 + the relevant files from this github commit

I can successfully compile the following code

Code:

#include 

extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}

// SSID to connect to
static const char* ssid = "eduroam";
// Username for authentification
static const char* username = "myusername@myinstitution";
// Password for authentication
static const char* password = "mypassword";

void setup() {
  // put your setup code here, to run once:
  Serial.begin(115200);
  
  // Setting ESP into STATION mode only (no AP mode or dual mode)
  wifi_set_opmode(STATION_MODE);
  
  struct station_config wifi_config;
  
  memset(&wifi_config, 0, sizeof(wifi_config));
  strcpy((char*)wifi_config.ssid, ssid);
  
  wifi_station_set_config(&wifi_config);
  
  wifi_station_clear_cert_key();
  wifi_station_clear_enterprise_ca_cert();
  
  wifi_station_set_wpa2_enterprise_auth(1);
  wifi_station_set_enterprise_identity((uint8*)username, strlen(username));
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));
  wifi_station_set_enterprise_new_password((uint8*)password, strlen(password));
  
  wifi_station_connect();
  
  // Wait for connection AND IP address from DHCP
  Serial.println();
  Serial.println("Waiting for connection and IP Address from DHCP");
  while (WiFi.status() != WL_CONNECTED) {
  delay(2000);
  Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
}

void loop() {
// put your main code here, to run repeatedly:

}

When I tried to connect to my WPA2 Enterprise network at home, I got the following error in the freeradius log:

Code:

Found Auth-Type = EAP
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
++[eap] = invalid

I found that other people had experienced the same problem on ESP32, so I tried their fix: to set

Code:

default_eap_type = mschapv2

in the eap-section of my freeradius server, and it worked. I can successfully authenticate and log in to my WPA2 Enterprise network, and I get an IP address which I can ping from another host.

When I try the same thing at my work (an academic institution that uses the eduroam network, I cannot authenticate. I have no control over the radius server, nor can I see the logs, but it seems plausible to me that I am experiencing the same problem.

I am no expert in EAP, but it seems to me that the ESP firmware somehow does not make it clear to freeradius that it wants to authenticate using EAP-MSCHAPv2. I'm not sure at what point in the negotiation the EAP type is selected, but I see here that EAP-MSCHAPv2 is type 26, and from the freeradius log file, it seems that the ESP sends type 0.

Is that a bug, and if so, can that be fixed?

Statistics: Posted by victorclaessen — Mon Aug 14, 2017 8:34 pm