Bug in WPA2 EAP

Posted: Mon Aug 14, 2017 8:34 pm
by victorclaessen
Hi,

I'm trying to connect to a wpa2 enterprise network with an esp8266. I think there may be a bug in the EAP code in the esp8266 firmware (and if so, then probably also in the same module in the esp32 firmware).

I set up a build environment (described here) that can compile the following code using the SDK_2.1.0 + the relevant files from this github commit

I can successfully compile the following code

Code:

#include <ESP8266WiFi.h>

extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}

// SSID to connect to
static const char* ssid = "eduroam";
// Username for authentication
static const char* username = "myusername@myinstitution";
// Password for authentication
static const char* password = "mypassword";

void setup() {
  // put your setup code here, to run once:
  Serial.begin(115200);
 
  // Setting ESP into STATION mode only (no AP mode or dual mode)
  wifi_set_opmode(STATION_MODE);
 
  struct station_config wifi_config;
 
  memset(&wifi_config, 0, sizeof(wifi_config));
  strcpy((char*)wifi_config.ssid, ssid);
 
  wifi_station_set_config(&wifi_config);
 
  wifi_station_clear_cert_key();
  wifi_station_clear_enterprise_ca_cert();
 
  wifi_station_set_wpa2_enterprise_auth(1);
  wifi_station_set_enterprise_identity((uint8*)username, strlen(username));
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));
  wifi_station_set_enterprise_new_password((uint8*)password, strlen(password));
 
  wifi_station_connect();
 
  // Wait for connection AND IP address from DHCP
  Serial.println();
  Serial.println("Waiting for connection and IP Address from DHCP");
  while (WiFi.status() != WL_CONNECTED) {
    delay(2000);
    Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
}

void loop() {
  // put your main code here, to run repeatedly:

}


When I tried to connect to my WPA2 Enterprise network at home, I got the following error in the freeradius log:

Code:

Found Auth-Type = EAP
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
++[eap] = invalid


I found that other people had experienced the same problem on ESP32, so I tried their fix: to set

Code:

default_eap_type = mschapv2

in the eap-section of my freeradius server, and it worked. I can successfully authenticate and log in to my WPA2 Enterprise network, and I get an IP address which I can ping from another host.

When I try the same thing at my work (an academic institution that uses the eduroam network), I cannot authenticate. I have no control over the radius server, nor can I see the logs, but it seems plausible to me that I am experiencing the same problem.

I am no expert in EAP, but it seems to me that the ESP firmware somehow does not make it clear to freeradius that it wants to authenticate using EAP-MSCHAPv2. I'm not sure at what point in the negotiation the EAP type is selected, but I see here that EAP-MSCHAPv2 is type 26, and from the freeradius log file, it seems that the ESP sends type 0.

Is that a bug, and if so, can that be fixed?
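
An added example, not part of the original post and not code from the ESP8266 SDK or FreeRADIUS: a parser for the EAP legacy Nak (RFC 3748, section 5.3.1), whose Type-Data lists the methods the peer would accept, with the value 0 meaning it has no viable alternative. It assumes the log line "NAK asked for bad type 0" reflects a desired-type byte of 0; the sample packets, the enabled-method list and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EAP_CODE_RESPONSE 2
#define EAP_TYPE_NAK      3    /* legacy Nak, RFC 3748 section 5.3.1 */
#define EAP_TYPE_MSCHAPV2 26   /* the type number quoted in the post */

enum nak_result { NAK_MALFORMED = -1, NAK_NO_ALTERNATIVE = 0, NAK_PROPOSES = 1 };
/* Decode an EAP Response/Nak; on NAK_PROPOSES, out[0..*n_out-1] holds the peer's proposals. */
enum nak_result parse_eap_nak(const uint8_t *pkt, size_t len,
                              uint8_t *out, size_t out_cap, size_t *n_out)
{
    *n_out = 0;
    if (len < 6) return NAK_MALFORMED;        /* 4-byte header + Type + 1 desired type */
    size_t eap_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (eap_len < 6 || eap_len > len) return NAK_MALFORMED;  /* do not trust the length field */
    if (pkt[0] != EAP_CODE_RESPONSE || pkt[4] != EAP_TYPE_NAK) return NAK_MALFORMED;
    for (size_t i = 5; i < eap_len; i++) {
        if (pkt[i] == 0) { *n_out = 0; return NAK_NO_ALTERNATIVE; }  /* 0 = no viable alternative */
        if (*n_out < out_cap) out[(*n_out)++] = pkt[i];
    }
    return NAK_PROPOSES;
}

/* Server side: first proposed type that is also enabled locally, else 0 (negotiation fails). */
uint8_t select_method(const uint8_t *proposed, size_t n,
                      const uint8_t *enabled, size_t m)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < m; j++)
            if (proposed[i] == enabled[j]) return proposed[i];
    return 0;
}

/* Constructed sample packets (not captured from a device): Code, Id, Length, Type, Type-Data. */
static const uint8_t NAK_TYPE0[]  = { 2, 0x01, 0x00, 0x06, 3, 0 };
static const uint8_t NAK_MSCHAP[] = { 2, 0x01, 0x00, 0x06, 3, 26 };

int main(void)
{
    const uint8_t enabled[] = { 13, 25, EAP_TYPE_MSCHAPV2 };  /* constructed: EAP-TLS, PEAP, MSCHAPv2 */
    uint8_t want[8]; size_t n;
    enum nak_result r = parse_eap_nak(NAK_TYPE0, sizeof NAK_TYPE0, want, 8, &n);
    printf("type-0 Nak: result=%d proposals=%d\n", (int)r, (int)n);
    r = parse_eap_nak(NAK_MSCHAP, sizeof NAK_MSCHAP, want, 8, &n);
    printf("type-26 Nak: result=%d selected=%d\n", (int)r, (int)select_method(want, n, enabled, 3));
    return 0;
}
```

With a Nak that carries 0, the server has nothing to switch to, so authentication only succeeds when the method the server offers first is already one the client speaks.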

Re: Bug in WPA2 EAP?

Posted: Thu Aug 31, 2017 2:55 pm
by ESP_Faye
Hi,

Sorry for the inconvenience. We have checked it.
The root cause is that some devices cannot recognize the auth mode automatically.
We will add an API to set auth mode in the future release.

Thanks for your interest in ESP8266!

Re: Bug in WPA2 EAP?

Posted: Thu Aug 31, 2017 5:43 pm
by victorclaessen
That is great. Would it be possible to post a link to the github commit here after that API has been added?

Re: Bug in WPA2 EAP?

Posted: Wed Sep 06, 2017 11:29 am
by ESP_Faye
Hi,

Yes. We will let you know when the work is done.

Thanks for your interest in ESP8266!

Re: Bug in WPA2 EAP?

Posted: Sat Oct 28, 2017 5:33 pm
by victorclaessen
Hi,

I forgot about this for a while, but just remembered, and am still interested in a fix. I am wondering if you are able to report any progress?

Best regards,

Victor

Re: Bug in WPA2 EAP?

Posted: Thu Dec 07, 2017 7:37 pm
by victorclaessen
Any reply at all?

Re: Bug in WPA2 EAP?

Posted: Thu Dec 07, 2017 9:53 pm
by onebytegone
+1 I have also been waiting on a fix for this issue. (The optimist in me has been hoping the "future release" is the one supposedly scheduled for December 2017)

Re: Bug in WPA2 EAP?

Posted: Fri Jan 26, 2018 1:36 pm
by burtms
I too am hoping to see a fix soon. I know the current SDK will only authenticate to what I have set as default_eap_type at my radius server, rather than negotiate to find a common type that is supported at both ends.

Re: Bug in WPA2 EAP?

Posted: Fri Jan 26, 2018 7:24 pm
by victorclaessen
Bug has been confirmed by yet another user.

https://github.com/esp8266/Arduino/issu ... -360691379

Re: Bug in WPA2 EAP

Posted: Thu Feb 22, 2018 5:11 am
by victorclaessen
Can anyone from Espressif please comment on the status of this bug and the plans to add an API to set auth mode?