ESP8266 WPA2 Enterprise connection issue and troubleshooting logs

avc

ESP8266 WPA2 Enterprise connection issue and troubleshooting logs

Postby avc » Thu May 10, 2018 4:49 am

I am using Arduino to get an ESP8266 to connect to a WPA2 Enterprise network. I am using a TP-Link EAP120 router to create a WPA2 Enterprise network with an external RADIUS server. I created a testUser on the RADIUS server and tried with my iPhone, making sure everything was working correctly.

Moving on to ESP,

Platform
Hardware: [ESP-12]
Core Version: [latest git/2.4.1]
Development Env: [Arduino IDE]
Operating System: [Windows]

Settings in IDE
Module: [Nodemcu 0.9]
Flash Mode: [qio]
Flash Size: [4MB/1MB]
lwip Variant: [v1.4|v2 Lower Memory]
Reset Method: [ck|nodemcu]
Flash Frequency: [40Mhz]
CPU Frequency: [160MHz]
Upload Using: [SERIAL]
Upload Speed: [921600]


Here is test code.


#include <ESP8266WiFi.h>

extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}

// SSID to connect to
char ssid[] = "UB_Secure";
// WPA2-Enterprise authenticates with EAP credentials rather than a pre-shared
// key, so the station_config password is left empty.
char wlpasswd[] = "";
// Inner (EAP) username and outer EAP identity; setup() hands both to the SDK.
char username[] = "testUser";
char identity[] = "testUser";
// NOTE(review): plaintext credential in source and in a public post; treat
// the test account as disposable.
char password[] = "1234abcd";
// Only referenced from a commented-out call in setup().
char new_password[] = "1234abcd";

const char* host = "ipinfo.io";        // not used anywhere in the visible sketch
const char* username1 = "testUser";    // duplicate of username; setup() also passes it as the identity

// PEM-encoded CA certificate intended for wifi_station_set_enterprise_ca_cert().
// The call that would install it is commented out in setup(), so the RADIUS
// server's certificate is NOT validated by this sketch. The notBefore/notAfter
// fields appear to decode to 2018-01-23 .. 2018-03-24 (UTC) — confirm with
// `openssl x509 -noout -dates` before re-enabling the call.
u8 ca_cert[] = "-----BEGIN CERTIFICATE-----\n"
               "MIIFETCCA/mgAwIBAgIJAO0ntD34r/+QMA0GCSqGSIb3DQEBCwUAMIGiMQswCQYD\n"
               "VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExDzANBgNVBAcMBkR1cmhh\n"
               "bTEeMBwGA1UECgwVTWl0Y2hlbGwvVHJhbXBlciBJbmMuMR8wHQYJKoZIhvcNAQkB\n"
               "FhBidXJ0bXNAZ21haWwuY29tMSgwJgYDVQQDDB9CdXJ0IFNlbGYgQ2VydGlmaWNh\n"
               "dGUgQXV0aG9yaXR5MB4XDTE4MDEyMzE1NTgxOFoXDTE4MDMyNDE1NTgxOFowgaIx\n"
               "CzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEPMA0GA1UEBwwG\n"
               "RHVyaGFtMR4wHAYDVQQKDBVNaXRjaGVsbC9UcmFtcGVyIEluYy4xHzAdBgkqhkiG\n"
               "9w0BCQEWEGJ1cnRtc0BnbWFpbC5jb20xKDAmBgNVBAMMH0J1cnQgU2VsZiBDZXJ0\n"
               "aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\n"
               "AQC2O2m4JCmqimeztaZ8JasIuZqksrxvCjyWpkykoGzoR6v1/kDSuLgdp7EmtLKN\n"
               "vOJPQ2ea0yVvkFf0dQYcgDhNdAsXcqskMOprS+jefzlLQUbU1jTk+AOSiOcmxWT1\n"
               "H8uYhSp/1TkkWDM8dVO9RRIQyigVinsJNhdPyUVsTaQh3s29AL8CboixUNZWngOo\n"
               "d1+66lwy4N+3hXACJWlurgvc0q7RfqSqfJY/+lugfID0ANpGQqqu1Dq2IXZbLyx9\n"
               "roOPpC+fqX2wn5g9+RuA18OY/GPtkHc6clAoiJDGXsTRpffgsI5spdJ26WknbhO/\n"
               "3Q2vQJ2Q5m/QvSp55qOM5nevAgMBAAGjggFGMIIBQjAdBgNVHQ4EFgQUT3hChU84\n"
               "EEXHesDdKOtPqfhrg68wgdcGA1UdIwSBzzCBzIAUT3hChU84EEXHesDdKOtPqfhr\n"
               "g6+hgaikgaUwgaIxCzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGlu\n"
               "YTEPMA0GA1UEBwwGRHVyaGFtMR4wHAYDVQQKDBVNaXRjaGVsbC9UcmFtcGVyIElu\n"
               "Yy4xHzAdBgkqhkiG9w0BCQEWEGJ1cnRtc0BnbWFpbC5jb20xKDAmBgNVBAMMH0J1\n"
               "cnQgU2VsZiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCCQDtJ7Q9+K//kDAPBgNVHRMB\n"
               "Af8EBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly93d3cuZXhhbXBsZS5v\n"
               "cmcvZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcNAQELBQADggEBADNmDxddEh1XSo8J\n"
               "fanCRuYqngpVFtKCzRNCtQ7aOAPrj6gRMtMAqQhlYmcbxjaVOCboAvJ8evY8x5We\n"
               "YU6eIAmg95PlDws8EvcVQhO2ZYcuOHTvdu5Q4Ior0oXaCfqdS35YcPW7pRGprY/x\n"
               "w7kbG84FFatpXPuDGQB65haqQ2KXPrILiE/jAKpTu9EBLEEN4uIAuxbB6unARovX\n"
               "YoXIQHFc32bZAjihquvs4J7FNkcSr3lJpuv03dryqMB+Qn3G8yM7PFLNL2QyS0Zu\n"
               "UbS5kDO7UqbTjtrUDolp5sUNvyrkX5ILYfZeEeaHqAlA20SFqNG7BcTY222NsCft\n"
               "yNXqX1c=\n"
               "-----END CERTIFICATE-----";
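void setup() {
  // Bring up the serial console first so every later diagnostic is visible.
  Serial.begin(115200);
  delay(1000);

  // Station-only mode (no SoftAP, no dual mode). STATION_MODE is the SDK's
  // name for the literal 0x01 used before; wifi_set_opmode() also persists
  // the mode to flash, which is unchanged here.
  wifi_set_opmode(STATION_MODE);

  // SSID and (empty) PSK. station_config has fixed-size buffers, so copy with
  // an explicit bound instead of strcpy(); the memset() guarantees NUL
  // termination for any value shorter than the buffer.
  struct station_config wifi_config;
  memset(&wifi_config, 0, sizeof(wifi_config));
  strncpy((char*)wifi_config.ssid, ssid, sizeof(wifi_config.ssid));
  strncpy((char*)wifi_config.password, wlpasswd, sizeof(wifi_config.password));

  // The original ignored this bool; a silent failure here makes the debug
  // log below very hard to interpret.
  if (!wifi_station_set_config(&wifi_config)) {
    Serial.println("wifi_station_set_config failed");
  }

  // Switch the supplicant to WPA2-Enterprise (EAP) authentication.
  wifi_station_set_wpa2_enterprise_auth(1);

  // Start from a clean supplicant state so nothing left over from a previous
  // sketch is combined with these credentials.
  wifi_station_clear_cert_key();
  wifi_station_clear_enterprise_ca_cert();
  wifi_station_clear_enterprise_identity();
  wifi_station_clear_enterprise_username();
  wifi_station_clear_enterprise_password();
  wifi_station_clear_enterprise_new_password();

  // Outer EAP identity, inner username and inner password. The original set
  // the identity twice (username1, then identity) with the same text;
  // presumably only the last call is kept by the SDK, so one call remains.
  wifi_station_set_enterprise_identity((uint8*)identity, strlen(identity));
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));
  //wifi_station_set_enterprise_new_password((uint8*)new_password, strlen(new_password));

  // NOTE(review): no CA certificate is installed, so the supplicant cannot
  // verify the RADIUS server's certificate. That is the "Trust this
  // certificate" step the phone performs; without it the ESP completes the
  // outer TLS handshake with whatever server sits behind an AP advertising
  // this SSID and offers its inner credentials to it. Re-enable once ca_cert
  // holds the current CA of the real server (the embedded one looks expired):
  //wifi_station_set_enterprise_ca_cert(ca_cert, sizeof(ca_cert));

  wifi_station_connect();

  // Block until associated and authenticated. Deliberately no timeout: this
  // is a bring-up sketch and the SDK debug output shows the state transitions
  // while we wait.
  while (WiFi.status() != WL_CONNECTED) {
    delay(1000);
    Serial.print(".");
  }

  Serial.println("WiFi connected");
  Serial.print("IP address: ");   // print, not println: keep label and address on one line
  Serial.println(WiFi.localIP());
}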

void loop() {
  // All work happens once in setup(); there is nothing to do per iteration.
}



Debug Output


SDK:2.2.1(cfd48f3)/Core:2.4.1/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1)
Connecting to UB_Secure
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone
Wifi station connect status:1
6
wifi evt: 8
wifi evt: 2
Not connected
6
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 0 (4)
reconnect
wifi evt: 1
STA disconnect: 4
Not connected
6
Not connected
6
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 4
cnt
Not connected
6
Not connected
6
Not connected
6
Not connected
6
pm open,type:2 0
Not connected
6
Not connected
6
Not connected
6
Not connected
6
Not connected
6
Not connected
6
Not connected
6
Not connected
6
Not connected
6
Not connected
6
state: 5 -> 0 (2)
rm 0
pm close 7
reconnect
wifi evt: 1
STA disconnect: 204
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 0 (4)
reconnect
wifi evt: 1
STA disconnect: 4
scandone
wifi evt: 1
STA disconnect: 201
Not connected
4
reconnect
Not connected
4
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 4
cnt


Observations:
When I connected my iPhone to this network, it connected, asked for my username and password, and successfully authenticated. It did ask about trusting a certificate, and I clicked 'Trust'. The connection succeeded; I could browse the internet with no issues. Then I tried with the ESP, with the above version as well as various minor code changes based on comments from git and SO users, and had no success. But the good thing is that now I can see what is happening on the RADIUS server. The ESP does connect to the AP, but it is the RADIUS auth that is failing. I believe this has to do with the way the ESP core is sending the info? I suspect that the 'Trust this certificate' step I saw on the iPhone might be what is somehow missing when the ESP attempts to connect?

Log from Radius Server when Iphone connects successfully.


Access Request:   Packet-Type = Access-Request
Packet-Src-IP-Address = 172.101.117.178
Packet-Dst-IP-Address = 10.142.0.4
Packet-Src-Port = 51481
Packet-Dst-Port = 8315
User-Name = "testUser"
NAS-IP-Address = 192.168.0.254
NAS-Port = 0
Called-Station-Id = "84-16-F9-88-81-62"
Calling-Station-Id = "24-F0-94-0A-86-91"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0200000e0161766172616368616e
Message-Authenticator = 0x38078a459ea243868a46981130743784
Event-Timestamp = "May  8 2018 18:00:50 UTC"
Tmp-Integer-3 = 8315
Tmp-String-1 = "local"
Called-Station-SSID = "UB_Secure"
Request-Session = "A8EtE6twSP"
Timestamp = 1525802450
Request Reply:   Packet-Type = Access-Accept
User-Name = "testUser"
MS-MPPE-Recv-Key = 0xd5cbe4473c46d30e890fe3c3924d523e6be032b3094bf14b60e05af5ba9b519e
MS-MPPE-Send-Key = 0xc73ef4774c2323653421aa7f4c84edd981bdbbd5112528c5d67f3ffff6176047
EAP-MSK = 0xd5cbe4473c46d30e890fe3c3924d523e6be032b3094bf14b60e05af5ba9b519ec73ef4774c2323653421aa7f4c84edd981bdbbd5112528c5d67f3ffff6176047
EAP-EMSK = 0xbcfd626b8b288217d499fcdfeab443e447c3b249f9f40534ce118b27195fcb726a5bfcb8d4daf828ac7fc5b197cae480f10d3269b95671ac1f2b55a4ec7afa25
EAP-Session-Id = 0x195af1e5d304697d2ba6c623125bbde0d6d1840641b961bab216fa17cb09a377c85af1e5d3a10361a0bfaa66c6476aa301b1e6ac09448148ccdf10a057fd9b8cab
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Timestamp = 1525802456
authdate:   2018-05-08 14:00:50
called_station_id:   84-16-F9-88-81-62
calling_station_id:   24-F0-94-0A-86-91
inner_username:   testUser
port:   8315
result:   Access-Accept
username:   testUser



Now, with the ESP connecting:


Access Request:   Packet-Type = Access-Request
Packet-Src-IP-Address = 172.101.117.178
Packet-Dst-IP-Address = 10.142.0.4
Packet-Src-Port = 51481
Packet-Dst-Port = 8315
User-Name = "testUser"
NAS-IP-Address = 192.168.0.254
NAS-Port = 0
Called-Station-Id = "84-16-F9-88-81-62"
Calling-Station-Id = "5C-CF-7F-19-D7-AE"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0200000e0161766172616368616e

Message-Authenticator = 0xb4e7aff218206bc6a65477bc7dd91c98
Event-Timestamp = "May  8 2018 19:15:04 UTC"
Tmp-Integer-3 = 8315
Tmp-String-1 = "local"
Called-Station-SSID = "UB_Secure"
Request-Session = "dx6I5LuWl0"
Timestamp = 1525806904
Request Reply:   Packet-Type = Access-Reject
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
Timestamp = 1525806905
authdate:   2018-05-08 15:15:04
called_station_id:   84-16-F9-88-81-62
calling_station_id:   5C-CF-7F-19-D7-AE
port:   8315
result:   Access-Reject
username:   testUser



#More updates

Playing around more with this, I tried the following: I connected my iPhone to the enterprise network with the correct username but the wrong password. This time there were two interesting findings.

The RADIUS server log for the iPhone matches, more or less, that of the ESP.
The RADIUS server log for the iPhone shows a line called 'inner_username' which is missing from the ESP's log.
Does this light any bulbs for anyone? :)

Radius log for iphone with correct username and wrong password


Access Request:   Packet-Type = Access-Request
Packet-Src-IP-Address = 172.101.117.178
Packet-Dst-IP-Address = 10.142.0.4
Packet-Src-Port = 51481
Packet-Dst-Port = 8315
User-Name = "testUser"
NAS-IP-Address = 192.168.0.254
NAS-Port = 0
Called-Station-Id = "84-16-F9-88-81-62"
Calling-Station-Id = "24-F0-94-0A-86-91"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0200000e0161766172616368616e

Message-Authenticator = 0x73ed9adc6cc07fc6452963f2a4a3bc3e
Event-Timestamp = "May  9 2018 18:57:46 UTC"
Tmp-Integer-3 = 8315
Tmp-String-1 = "local"
Called-Station-SSID = "UB_Secure"
Request-Session = "UOBQhUF1IQ"
Timestamp = 1525892266
Request Reply:   Packet-Type = Access-Reject
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Timestamp = 1525892268
authdate:   2018-05-09 14:57:46
called_station_id:   84-16-F9-88-81-62
calling_station_id:   24-F0-94-0A-86-91
inner_username:   testUser
port:   8315
result:   Access-Reject
username:   testUser


Radius log for ESP with correct username and password


Access Request:   Packet-Type = Access-Request
Packet-Src-IP-Address = 172.101.117.178
Packet-Dst-IP-Address = 10.142.0.4
Packet-Src-Port = 51481
Packet-Dst-Port = 8315
User-Name = "testUser"
NAS-IP-Address = 192.168.0.254
NAS-Port = 0
Called-Station-Id = "84-16-F9-88-81-62"
Calling-Station-Id = "5C-CF-7F-19-D7-AE"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"

EAP-Message = 0x0201000e0161766172616368616e
Message-Authenticator = 0x66ae3c9a3d6a4306437f42d954911411
Event-Timestamp = "May  9 2018 18:32:16 UTC"
Tmp-Integer-3 = 8315
Tmp-String-1 = "local"
Called-Station-SSID = "UB_Secure"
Request-Session = "4lutlg4WNe"
Timestamp = 1525890736
Request Reply:   Packet-Type = Access-Reject
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
Timestamp = 1525890736
authdate:   2018-05-09 14:32:16
called_station_id:   84-16-F9-88-81-62
calling_station_id:   5C-CF-7F-19-D7-AE

port:   8315
result:   Access-Reject
username:   testUser
