Bug in WPA2 EAP

ESP_Deng Xin
Posts: 2
Joined: Mon Jun 25, 2018 10:44 am

Re: Bug in WPA2 EAP

Postby ESP_Deng Xin » Mon Jun 25, 2018 12:01 pm

Hi all,
The RADIUS server's default EAP method is MD5. However, we only support PEAP/TTLS/TLS now. When the connection starts, the server will send the EAP method type to the client; if the client does not support it, it will send a NAK in response, and if we do not have any other method to use, we will set the type to zero.
However, there is another way to do this: include the EAP method we want in the type.
We will add it to the 8266 soon. Thank you for your continued attention.
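
The negotiation the post describes, played out as an added example (constructed for this page; it is not the ESP8266 SDK's supplicant code nor a RADIUS server's): a minimal EAP server offers its default type, and the supplicant either accepts it or answers with a Legacy Nak (Type 3, RFC 3748 section 5.3.1) whose Type-Data lists the types it wants, or a single 0 when it has nothing to offer. The method numbers (MD5 4, TLS 13, TTLS 21, PEAP 25, MSCHAPv2 26) are the IANA EAP type values; the `strict` flag and the transcript strings are assumptions of this example. With `strict=False` the supplicant dumps its whole list, including the type it just rejected, which is the behaviour a server logs as "NAK'd our request for X with a request for X".

```python
"""EAP method negotiation (RFC 3748) with the Nak path, end to end.

Constructed example for this thread, not code from the ESP8266 SDK or from
any RADIUS server.  Both sides exchange real EAP packets built by build_eap().
"""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_NAK = 3                      # RFC 3748 Type 3 = Legacy Nak
NAMES = {4: "MD5", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def build_eap(code, ident, eap_type=None, data=b""):
    """Encode Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode to (code, identifier, type_or_None, type_data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length field")
    if length == 4:               # Success/Failure carry no Type byte
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


def supplicant_reply(request, usable, advertised=None, strict=True):
    """Answer one EAP Request.

    usable     - types this client can actually run, in preference order
                 (TLS only belongs here if a client certificate is configured)
    advertised - what it names inside a Nak (defaults to `usable`)
    strict     - True: never Nak type X while asking for X, and only name
                 usable types.  False: send `advertised` verbatim (the
                 'broken supplicant' pattern).  Assumption of this example.
    """
    _, ident, offered, _ = parse_eap(request)
    if offered in usable:
        return build_eap(EAP_RESPONSE, ident, offered)   # method data omitted
    wanted = list(advertised if advertised is not None else usable)
    if strict:
        wanted = [m for m in wanted if m != offered and m in usable]
    nak_data = bytes(wanted) if wanted else b"\x00"      # 0 = nothing acceptable
    return build_eap(EAP_RESPONSE, ident, TYPE_NAK, nak_data)


def negotiate(server_methods, usable, advertised=None, strict=True, max_rounds=8):
    """Run the server side.  server_methods = enabled types in the server's
    preference order; its first entry is the default it offers first (MD5 on
    a stock RADIUS server).  Returns outcome, chosen method, warnings, log."""
    result = {"outcome": "failure", "method": None, "warnings": [], "log": []}
    tried, offered, ident = set(), server_methods[0], 1
    for _ in range(max_rounds):
        tried.add(offered)
        result["log"].append(f"Request id={ident} type={NAMES.get(offered, offered)}")
        req = build_eap(EAP_REQUEST, ident, offered)
        _, rid, rtype, rdata = parse_eap(supplicant_reply(req, usable, advertised, strict))
        if rid != ident or rtype is None:
            break                                   # malformed/unmatched reply
        if rtype != TYPE_NAK:
            result.update(outcome="selected", method=rtype)
            return result
        wanted = list(rdata)
        result["log"].append(f"Nak id={rid} wants={wanted}")
        if wanted == [0]:
            break                                   # peer not willing to continue
        choice = None
        for m in wanted:
            if m == offered:                        # 'I don't like X, use X instead'
                result["warnings"].append(
                    f"peer Nak'd {NAMES.get(m, m)} with a request for the same type; skipping")
                continue
            if m in server_methods and m not in tried:
                choice = m
                break
        if choice is None:
            break                                   # no mutually acceptable type
        offered, ident = choice, ident + 1
    result["log"].append("EAP Failure")
    return result


if __name__ == "__main__":
    # Server defaults to MD5; client can do PEAP or TTLS -> PEAP is negotiated.
    print(negotiate([4, 25, 21, 13, 26], [25, 21]))
    # Client with no usable method answers Nak with Type-Data 0 -> EAP Failure.
    print(negotiate([4, 13, 26], []))
    # Client that re-requests the rejected TLS: warning, then MSCHAPv2 chosen.
    print(negotiate([13, 26, 25], [26], advertised=[13, 26, 25], strict=False))
```

The three calls under `__main__` correspond to the three situations the thread discusses: a well-behaved Nak that steers the server to a supported method, the "set the type to zero" fallback that ends in EAP Failure, and a Nak that re-requests the type just offered.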

victorclaessen
Posts: 13
Joined: Mon Aug 14, 2017 8:08 pm

Re: Bug in WPA2 EAP

Postby victorclaessen » Mon Jun 25, 2018 4:17 pm

That is great news. As I'm sure you're aware (from all the posts on the various GitHub repos), there are a lot of people that are *very* interested in this! Could you give us any indication of how long it will take to implement? Forgive my bluntness, but I'd really be disappointed to wait another 10 months to hear something...

ESP_Deng Xin
Posts: 2
Joined: Mon Jun 25, 2018 10:44 am

Re: Bug in WPA2 EAP

Postby ESP_Deng Xin » Mon Jun 25, 2018 5:46 pm

The change has been submitted; it will take a few days to be merged.

victorclaessen
Posts: 13
Joined: Mon Aug 14, 2017 8:08 pm

Re: Bug in WPA2 EAP

Postby victorclaessen » Mon Jun 25, 2018 7:25 pm

Also, if I can help by testing something, please let me know!

avc
Posts: 8
Joined: Wed Sep 21, 2016 10:12 am

Re: Bug in WPA2 EAP

Postby avc » Mon Jun 25, 2018 11:12 pm

This is great! I hope this update won't take long. Looking forward to this.

alex323qp
Posts: 13
Joined: Sat Jul 15, 2017 8:59 am

Re: Bug in WPA2 EAP

Postby alex323qp » Tue Jun 26, 2018 1:03 pm

I'm also quite interested in this. The company I work for is about to launch a product to market and this is kind of a showstopper atm.

Please do keep us updated when the update is released.


A.

ESP_Faye
Posts: 1646
Joined: Mon Oct 27, 2014 11:08 am

Re: Bug in WPA2 EAP

Postby ESP_Faye » Tue Jun 26, 2018 8:57 pm

Hi,

Please have a try with the latest SDK https://github.com/espressif/ESP8266_NONOS_SDK; it should have been fixed.

If your problem is still unsolved, please feel free to let us know.

Thanks.

victorclaessen
Posts: 13
Joined: Mon Aug 14, 2017 8:08 pm

Re: Bug in WPA2 EAP

Postby victorclaessen » Tue Jun 26, 2018 9:09 pm

Great, I expect to be able to test it on Friday when I'm back at the office (i.e. in range of the eduroam network).

alex323qp
Posts: 13
Joined: Sat Jul 15, 2017 8:59 am

Re: Bug in WPA2 EAP

Postby alex323qp » Wed Jun 27, 2018 8:25 am

ESP_Faye wrote:
Hi,

Please have a try with the latest SDK https://github.com/espressif/ESP8266_NONOS_SDK; it should have been fixed.

If your problem is still unsolved, please feel free to let us know.

Thanks.


Thanks ESP_Faye, glad to see you guys working on this. Unfortunately, I just tested the updated repo but there are still issues.

While the old SDK generated the following output in the radius server:

(97) eap: Peer sent packet with method EAP NAK (3)
(97) eap: Peer NAK'd indicating it is not willing to continue
(97) eap: Sending EAP Failure (code 4) ID 1 length 4
(97) eap: Failed in EAP select
(97)     [eap] = invalid
(97)   } # authenticate = invalid
(97) Failed to authenticate the user
(97) Using Post-Auth-Type Reject


Which is pretty much what you mentioned in your comment:
... if the client does not support it, it will send a NAK in response...


The latest commits seem to force the device to try multiple auth modes automatically: first EAP-TLS (even if no certificates were defined by the developer, as is my case), thus making the authentication fail. Then, on a second try, the device seems to keep forcing the mode until the server just ignores it:

(2) eap: Peer sent packet with method EAP NAK (3)
(2) eap: Peer NAK'd our request for TLS (13) with a request for TLS (13), skipping...
(2) eap: WARNING: !!! We requested to use an EAP type as normal.
(2) eap: WARNING: !!! The supplicant rejected that, and requested to use the same EAP type.
(2) eap: WARNING: !!!     i.e. the supplicant said 'I don't like X, please use X instead.
(2) eap: WARNING: !!! The supplicant software is broken and does not work properly.
(2) eap: WARNING: !!! Please upgrade it to software that works.
(2) eap: Found mutually acceptable type MSCHAPv2 (26)
(2) eap: Calling submodule eap_mschapv2 to process data
(2) eap_mschapv2: Issuing Challenge
(2) eap: Sending EAP Request (code 1) ID 3 length 43
(2) eap: EAP session adding &reply:State = 0x51fe2fd453fd3545
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.


...the supplicant said 'I don't like X, please use X instead... The supplicant software is broken and does not work properly...


Not very encouraging.

In a final attempt, the device seems to suggest a different type, MS-CHAP, but this one is also failing; I'm not sure why yet. It could be our server configuration.

Interestingly enough, the device never suggests PEAP, or perhaps it never gets the chance to, since it seems to stay stuck in MSCHAPv2 mode and just keeps printing this every few seconds on the serial monitor:

EAP-MSCHAPV2: RX identifier 3 mschapv2_id 3
EAP-MSCHAPV2: Generate Challenge Response


Rather than allowing the device to try multiple auth methods, wouldn't it be easier for all of us if the SDK included methods that let developers select the correct auth method, rather than trying multiple ones and hoping one will work?

I will continue testing (I still haven't tested EAP-TLS with certificates) and keep you all updated.


Regards,

A.
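
A small triage helper for the two server excerpts quoted in the post above, added here as an example (it is not FreeRADIUS code and not something the poster ran). It groups RADIUS debug lines by the request number in parentheses and labels each request with what happened during EAP method selection: a Nak carrying type 0 ("not willing to continue"), a Nak that re-requests the type just offered, or a successful selection. The sample lines are copied from the excerpts above; the field names and the verdict wording are this example's own.

```python
"""Classify EAP method-negotiation outcomes in RADIUS debug output.

Constructed example for this thread (not FreeRADIUS code).  The message
patterns matched below are the ones visible in the quoted log excerpts.
"""
import re

LINE = re.compile(r"^\((\d+)\)\s+(?:eap(?:_\w+)?:\s+)?(.*)$")
NAK_RE = re.compile(r"NAK'd our request for (\w+) \((\d+)\) with a request for (\w+) \((\d+)\)")
FOUND_RE = re.compile(r"Found mutually acceptable type (\w+) \((\d+)\)")

# Sample input: the two excerpts quoted in the post above, constructed inline.
SAMPLE = """\
(97) eap: Peer sent packet with method EAP NAK (3)
(97) eap: Peer NAK'd indicating it is not willing to continue
(97) eap: Sending EAP Failure (code 4) ID 1 length 4
(97) eap: Failed in EAP select
(97) Failed to authenticate the user
(2) eap: Peer sent packet with method EAP NAK (3)
(2) eap: Peer NAK'd our request for TLS (13) with a request for TLS (13), skipping...
(2) eap: WARNING: !!! The supplicant software is broken and does not work properly.
(2) eap: Found mutually acceptable type MSCHAPv2 (26)
(2) eap: Sending EAP Request (code 1) ID 3 length 43
"""


def triage(text):
    """Return {request_id: summary} for every '(N) ...' line in `text`."""
    per_req = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        rid, msg = int(m.group(1)), m.group(2)
        r = per_req.setdefault(rid, {"nak": False, "no_method": False,
                                     "same_type_nak": None, "selected": None,
                                     "failed": False})
        if "Peer sent packet with method EAP NAK" in msg:
            r["nak"] = True
        if "not willing to continue" in msg:      # Nak with Type-Data 0
            r["no_method"] = True
        nak = NAK_RE.search(msg)
        if nak and nak.group(2) == nak.group(4):  # 'I don't like X, use X'
            r["same_type_nak"] = nak.group(1)
        found = FOUND_RE.search(msg)
        if found:
            r["selected"] = found.group(1)
        if "Sending EAP Failure" in msg:
            r["failed"] = True
    return per_req


def verdict(r):
    """One-line human explanation of a triage() summary."""
    if r["no_method"]:
        return "peer Nak'd with no alternative (Type-Data 0): no common EAP method"
    if r["selected"] and r["same_type_nak"]:
        return (f"broken supplicant: Nak'd {r['same_type_nak']} asking for the same "
                f"type; server skipped it and chose {r['selected']}")
    if r["selected"]:
        return f"negotiated {r['selected']}"
    if r["failed"]:
        return "EAP Failure without negotiation"
    return "incomplete"


if __name__ == "__main__":
    for rid, summary in sorted(triage(SAMPLE).items()):
        print(rid, verdict(summary))
```

Run against the excerpts, request 97 comes out as the old-SDK case (Nak with type 0, then EAP Failure) and request 2 as the new-SDK case (Nak re-requesting TLS, server skipping it and settling on MSCHAPv2), which is the distinction the post draws between the two runs.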

victorclaessen
Posts: 13
Joined: Mon Aug 14, 2017 8:08 pm

Re: Bug in WPA2 EAP

Postby victorclaessen » Thu Jun 28, 2018 7:19 pm

Pfff, it was so long ago I really had to read all my old posts to remind myself how to do this :-S

I made a new build environment:
* Arduino 1.8.5
* git version of ESP8266 core for Arduino
* updated libwpa2.a and wpa2_enterprise.h from the latest commit of ESP8266_NONOS_SDK.
* uploaded the same code as in the original post (but edited to use actual credentials of course).

No success. The ESP8266 keeps resetting itself. I enabled WiFi debug; serial output follows below.
It does look like it is attempting MSCHAPv2 authentication, which is what it should be doing in my case. I don't know what is causing the fatal exception.


 ets Jan  8 2013,rst cause:2, boot mode:(3,6)

load 0x4010f000, len 1384, room 16
tail 8
chksum 0x2d
csum 0x2d
v00000000
~ld

SDK:2.2.1(cfd48f3)/Core:win-2.5.0-dev/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1-13-g163bb82)/BearSSL:94e9704
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone

Waiting for connection and IP Address from DHCP
wifi evt: 8
wifi evt: 2
.scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 2
cnt
EAP-MSCHAPV2: RX identifier 3 mschapv2_id 3
EAP-MSCHAPV2: Generate Challenge Response
EAP-MSCHAPV2: RX identifier 4 mschapv2_id 3
Fatal exception 3(LoadStoreErrorCause):
epc1=0x40100326, epc2=0x00000000, epc3=0x00000000, excvaddr=0x40243f64, depc=0x00000000

Exception (3):
epc1=0x40100326 epc2=0x00000000 epc3=0x00000000 excvaddr=0x40243f64 depc=0x00000000

ctx: sys
sp: 3fffebf0 end: 3fffffb0 offset: 01a0

>>>stack>>>
