Bug in WPA2 EAP

victorclaessen
Posts: 12
Joined: Mon Aug 14, 2017 8:08 pm

Bug in WPA2 EAP

Postby victorclaessen » Mon Aug 14, 2017 8:34 pm

Hi,

I'm trying to connect to a wpa2 enterprise network with an esp8266. I think there may be a bug in the EAP code in the esp8266 firmware (and if so, then probably also in the same module in the esp32 firmware).

I set up a build environment (described here) that can compile the following code using the SDK_2.1.0 + the relevant files from this github commit

I can successfully compile the following code

Code:

#include <ESP8266WiFi.h>

extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}

// SSID to connect to
static const char* ssid = "eduroam";
// Username for authentication
static const char* username = "myusername@myinstitution";
// Password for authentication
static const char* password = "mypassword";

void setup() {
  // put your setup code here, to run once:
  Serial.begin(115200);
 
  // Setting ESP into STATION mode only (no AP mode or dual mode)
  wifi_set_opmode(STATION_MODE);
 
  struct station_config wifi_config;
 
  memset(&wifi_config, 0, sizeof(wifi_config));
  strcpy((char*)wifi_config.ssid, ssid);
 
  wifi_station_set_config(&wifi_config);
 
  wifi_station_clear_cert_key();
  wifi_station_clear_enterprise_ca_cert();
 
  wifi_station_set_wpa2_enterprise_auth(1);
  wifi_station_set_enterprise_identity((uint8*)username, strlen(username));
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));
  wifi_station_set_enterprise_new_password((uint8*)password, strlen(password));
 
  wifi_station_connect();
 
  // Wait for connection AND IP address from DHCP
  Serial.println();
  Serial.println("Waiting for connection and IP Address from DHCP");
  while (WiFi.status() != WL_CONNECTED) {
    delay(2000);
    Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
}

void loop() {
  // put your main code here, to run repeatedly:

}


When I tried to connect to my WPA2 Enterprise network at home, I got the following error in the freeradius log:

Code:

Found Auth-Type = EAP
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
++[eap] = invalid


I found that other people had experienced the same problem on ESP32, so I tried their fix: to set

Code:

default_eap_type = mschapv2

in the eap-section of my freeradius server, and it worked. I can successfully authenticate and log in to my WPA2 Enterprise network, and I get an IP address which I can ping from another host.

When I try the same thing at my work (an academic institution that uses the eduroam network), I cannot authenticate. I have no control over the radius server, nor can I see the logs, but it seems plausible to me that I am experiencing the same problem.

I am no expert in EAP, but it seems to me that the ESP firmware somehow does not make it clear to freeradius that it wants to authenticate using EAP-MSCHAPv2. I'm not sure at what point in the negotiation the EAP type is selected, but I see here that EAP-MSCHAPv2 is type 26, and from the freeradius log file, it seems that the ESP sends type 0.

Is that a bug, and if so, can that be fixed?
Last edited by victorclaessen on Fri Jan 26, 2018 7:24 pm, edited 1 time in total.
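
For reading the "EAP NAK" and "NAK asked for bad type 0" lines in the freeradius log above, here is an added example (not from the original post and not ESP SDK code) that decodes an EAP Response/Nak as laid out in RFC 3748, where a desired type of 0 means the peer has no alternative method to propose. The packets are constructed samples, and the function and result names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EAP code and method type numbers (RFC 3748 / IANA EAP registry). */
enum { EAP_RESPONSE = 2, EAP_TYPE_NAK = 3, EAP_TYPE_PEAP = 25, EAP_TYPE_MSCHAPV2 = 26 };
/* Hypothetical result codes for this example; not part of any SDK. */
enum nak_result { NAK_MALFORMED = -1, NAK_NOT_A_NAK, NAK_NO_ALTERNATIVE, NAK_HAS_PROPOSALS };

/* Constructed samples: Code, Identifier, Length (2 bytes, big-endian), Type, Type-Data. */
static const uint8_t NAK_ZERO[]  = {0x02, 0x05, 0x00, 0x06, 0x03, 0x00};       /* desired type 0 */
static const uint8_t NAK_PEAP[]  = {0x02, 0x05, 0x00, 0x07, 0x03, 0x19, 0x1a}; /* wants 25 or 26 */
static const uint8_t TRUNCATED[] = {0x02, 0x05, 0x00, 0x09, 0x03, 0x19};       /* Length > bytes present */

/* Decode a Legacy Nak. Non-zero desired types go to out[] (at most max); *n is the count stored. */
static enum nak_result eap_decode_nak(const uint8_t *pkt, size_t len,
                                      uint8_t *out, size_t max, size_t *n)
{
    size_t proposals = 0;
    *n = 0;
    if (len < 4) return NAK_MALFORMED;                 /* shorter than the EAP header */
    size_t eap_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (eap_len < 4 || eap_len > len) return NAK_MALFORMED;
    if (pkt[0] != EAP_RESPONSE || eap_len < 5 || pkt[4] != EAP_TYPE_NAK) return NAK_NOT_A_NAK;
    if (eap_len == 5) return NAK_MALFORMED;            /* a Nak carries at least one type octet */
    for (size_t i = 5; i < eap_len; i++) {
        if (pkt[i] == 0) continue;                     /* 0 is "no alternative", not a method */
        if (*n < max) out[(*n)++] = pkt[i];
        proposals++;
    }
    /* Only zero octets: the peer rejected the offered method and proposed nothing else. */
    return proposals ? NAK_HAS_PROPOSALS : NAK_NO_ALTERNATIVE;
}

int main(void)
{
    const struct { const char *name; const uint8_t *p; size_t len; } cases[] = {
        {"nak-zero", NAK_ZERO, sizeof NAK_ZERO}, {"nak-peap", NAK_PEAP, sizeof NAK_PEAP},
        {"truncated", TRUNCATED, sizeof TRUNCATED},
    };
    for (size_t c = 0; c < sizeof cases / sizeof cases[0]; c++) {
        uint8_t types[8];
        size_t n;
        int r = eap_decode_nak(cases[c].p, cases[c].len, types, sizeof types, &n);
        printf("%s: result=%d proposals:", cases[c].name, r);
        for (size_t i = 0; i < n; i++) printf(" %u", types[i]);
        printf("\n");
    }
    return 0;
}
```

Run against the EAP payload of a captured RADIUS Access-Request, this separates a peer that names a method it accepts from one that answers only with type 0.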

ESP_Faye
Posts: 1640
Joined: Mon Oct 27, 2014 11:08 am

Re: Bug in WPA2 EAP?

Postby ESP_Faye » Thu Aug 31, 2017 2:55 pm

Hi,

Sorry for the inconvenience. We have checked it.
The root cause is that some devices cannot recognize the auth mode automatically.
We will add an API to set auth mode in the future release.

Thanks for your interest in ESP8266!

victorclaessen
Posts: 12
Joined: Mon Aug 14, 2017 8:08 pm

Re: Bug in WPA2 EAP?

Postby victorclaessen » Thu Aug 31, 2017 5:43 pm

That is great. Would it be possible to post a link to the github commit here after that API has been added?

ESP_Faye
Posts: 1640
Joined: Mon Oct 27, 2014 11:08 am

Re: Bug in WPA2 EAP?

Postby ESP_Faye » Wed Sep 06, 2017 11:29 am

Hi,

Yes. We will let you know when the work is done.

Thanks for your interest in ESP8266!

victorclaessen
Posts: 12
Joined: Mon Aug 14, 2017 8:08 pm

Re: Bug in WPA2 EAP?

Postby victorclaessen » Sat Oct 28, 2017 5:33 pm

Hi,

I forgot about this for a while, but just remembered, and am still interested in a fix. I am wondering if you are able to report any progress?

Best regards,

Victor

victorclaessen
Posts: 12
Joined: Mon Aug 14, 2017 8:08 pm

Re: Bug in WPA2 EAP?

Postby victorclaessen » Thu Dec 07, 2017 7:37 pm

Any reply at all?

onebytegone
Posts: 1
Joined: Fri Dec 01, 2017 10:40 am

Re: Bug in WPA2 EAP?

Postby onebytegone » Thu Dec 07, 2017 9:53 pm

+1 I have also been waiting on a fix for this issue. (The optimist in me has been hoping the "future release" is the one supposedly scheduled for December 2017)

burtms
Posts: 1
Joined: Fri Jan 26, 2018 1:28 pm

Re: Bug in WPA2 EAP?

Postby burtms » Fri Jan 26, 2018 1:36 pm

I too am hoping to see a fix soon. I know the current SDK will only authenticate to what I have set as default_eap_type at my radius server, rather than negotiate to find a common type that is supported at both ends.

victorclaessen
Posts: 12
Joined: Mon Aug 14, 2017 8:08 pm

Re: Bug in WPA2 EAP?

Postby victorclaessen » Fri Jan 26, 2018 7:24 pm

Bug has been confirmed by yet another user.

https://github.com/esp8266/Arduino/issu ... -360691379

victorclaessen
Posts: 12
Joined: Mon Aug 14, 2017 8:08 pm

Re: Bug in WPA2 EAP

Postby victorclaessen » Thu Feb 22, 2018 5:11 am

Can anyone from Espressif please comment on the status of this bug and the plans to add an API to set auth mode?
