esp8266 / Arduino

ESP8266 core for Arduino
GNU Lesser General Public License v2.1

Core 2.5.0 WPA2-Enterprise user validation failure (Free Radius server) #5759

Closed FWdeveloper closed 5 years ago

FWdeveloper commented 5 years ago

Problem Description

I have an issue establishing a WPA-Enterprise connection using a Free Radius server. The server works properly with my Android phone.

If I use version Core 2.4.2 I have the following debug output:

SDK:2.2.1(cfd48f3)/Core:2.4.2/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1-13-g163bb82)/BearSSL:6d1cefc
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1
cnt

Method private structure allocated failure

Free Radius server output:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 91
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: NAK asked for bad type 0
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 91
modcall: leaving group authenticate (returns invalid) for request 91
auth: Failed to validate the user.

Core 2.5.0 fails as well, but gives me different server output:

SDK:3.0.0-dev(c0f7b44)/Core:2.5.0=20500000/lwIP:STABLE-2_1_2_RELEASE/glue:1.1/BearSSL:6778687
wifi evt: 2
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone
state: 0 -> 2 (b0)
wifi evt: 8
state: 2 -> 3 (0)

Wi-Fi connectingstate: 3 -> 5 (10)
add 0
aid 1
cnt
Method private structure allocated failure

Free Radius server output:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 63
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/tls
rlm_eap: ERROR! Our request for tls was NAK'd with a request for tls, what is the client thinking?
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 63
modcall: leaving group authenticate (returns invalid) for request 63
auth: Failed to validate the user.

MCVE Sketch


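#include <ESP8266WiFi.h>

extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}

typedef struct
{
  String ssid_;
  String username_;
  String password_;
} Settings;

// Credentials; filled in elsewhere (values are not shown in the report).
Settings settings_;

void setup()
{
  wifi_set_opmode(STATION_MODE);

  // Static addressing: stop the DHCP client before setting the IP info.
  wifi_station_dhcpc_stop();

  struct ip_info info;
  IP4_ADDR(&info.ip, 192, 168, 1, 3);
  IP4_ADDR(&info.gw, 192, 168, 1, 252);
  IP4_ADDR(&info.netmask, 255, 255, 255, 0);
  wifi_set_ip_info(STATION_IF, &info);

  // Only the SSID is set; the rest of the station config stays zeroed.
  station_config wifiConfig = {0};
  strncpy((char*)wifiConfig.ssid, settings_.ssid_.c_str(), sizeof(wifiConfig.ssid));
  wifi_station_set_config(&wifiConfig);

  // Clear any stored client certificate/key and CA certificate.
  wifi_station_clear_cert_key();
  wifi_station_clear_enterprise_ca_cert();

  // Enable WPA2-Enterprise authentication.
  wifi_station_set_wpa2_enterprise_auth(1);

  // The same value is used for the EAP identity and the username.
  wifi_station_set_enterprise_identity((uint8*)settings_.username_.c_str(), settings_.username_.length());
  wifi_station_set_enterprise_username((uint8*)settings_.username_.c_str(), settings_.username_.length());
  wifi_station_set_enterprise_password((uint8*)settings_.password_.c_str(), settings_.password_.length());

  wifi_station_connect();
}

void loop() {}

FWdeveloper commented 5 years ago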

Linked to #5784
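
As an aid to reading the two FreeRADIUS traces in the report above (an added example, not code from this thread, the ESP8266 core or FreeRADIUS): per RFC 3748 an EAP Response/Nak lists the methods the peer would accept, and type 0 means it has no alternative to offer. The packets below are constructed to match what the server logs describe; `build_nak`, `parse_nak` and `diagnose` are hypothetical names, and `diagnose` is a simplified model of the authenticator's choice.

```python
import struct

# EAP method numbers from the IANA EAP registry (RFC 3748 and later).
EAP_TYPES = {1: "identity", 3: "nak", 13: "tls", 21: "ttls", 25: "peap", 26: "mschapv2"}
CODE_RESPONSE = 2
TYPE_NAK = 3


def build_nak(identifier, wanted):
    """Build an EAP Response/Nak listing the methods the peer would accept."""
    body = bytes([TYPE_NAK]) + bytes(wanted)
    return struct.pack("!BBH", CODE_RESPONSE, identifier, 4 + len(body)) + body


def parse_nak(packet):
    """Return the method numbers carried in a Response/Nak, validating the header."""
    if len(packet) < 5:
        raise ValueError("truncated EAP packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 5 or length > len(packet):
        raise ValueError("bad EAP length field")
    if code != CODE_RESPONSE or packet[4] != TYPE_NAK:
        raise ValueError("not an EAP Response/Nak")
    return list(packet[5:length])


def diagnose(offered, packet, server_enabled):
    """Decide, as an authenticator must, whether a Nak allows a retry."""
    wanted = parse_nak(packet)
    if not wanted or wanted == [0]:
        return "reject: peer has no acceptable alternative (type 0)"
    if offered in wanted:
        return "reject: peer NAK'd %s but asked for it again" % EAP_TYPES.get(offered, offered)
    for method in wanted:
        if method in server_enabled:
            return "retry with %s" % EAP_TYPES.get(method, method)
    return "reject: no common method"


# Constructed packets (not captured traffic) mirroring the two server logs,
# plus a peer that answers a TLS offer by asking for EAP-TTLS.
NAK_TYPE0 = build_nak(7, [0])    # "NAK asked for bad type 0"
NAK_SAME = build_nak(8, [13])    # "request for tls was NAK'd with a request for tls"
NAK_TTLS = build_nak(9, [21])

if __name__ == "__main__":
    for pkt in (NAK_TYPE0, NAK_SAME, NAK_TTLS):
        print(pkt.hex(), "->", diagnose(13, pkt, {13, 21, 25}))
```

Both Naks reported in the logs leave the server nothing to retry with, which is why each trace ends in "Failed in EAP select".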

devyte commented 5 years ago

WPA2-E is not fully supported by the NONOS sdk. There are some limited use cases, but that's it. In addition, the NONOS sdk currently has low priority for code changes. Espressif is prioritizing the FreeRTOS sdk, so getting enhancements any time soon is unlikely. Even so, should it somehow happen that full support is in fact added to the sdk, it will be made available in v3.x, and we still need to figure out how to migrate to sdk3 (not straightforward), so even if support is added soon, it won't reach the core for a while yet. There is no full solution in sight, sorry. Closing for now.

d-a-v commented 5 years ago

If you are the freeradius server master then you can change its configuration to make it work with esp (I guess). Follow https://github.com/espressif/ESP8266_RTOS_SDK/issues/442#issuecomment-451918005 (this is on the rtos-sdk repository, but I believe they are referring to nonos-sdk too in this very case (EAP-TTLS-MSCHAPv2)).

FWdeveloper commented 5 years ago

@d-a-v I set up my freeradius server for EAP-TTLS-MSCHAPv2:

eap {
    ...
    default_eap_type = ttls
    ...
    ttls {
        ...
        default_eap_type = mschapv2
        ...
    }
}

but got an ESP8266 crash:

SDK:3.0.0-dev(c0f7b44)/Core:2.5.0=20500000/lwIP:STABLE-2_1_2_RELEASE/glue:1.1/BearSSL:6778687
...
WPA2 ENTERPRISE VERSION: [v2.0] enable
wifi evt: 8
scandone
..scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1
cnt 
EAP-TTLS: Start (server ver=0, own ver=0)
.Fatal exception 28(LoadProhibitedCause):

d-a-v commented 5 years ago

We can't be of any help. You can wait for RTOS-SDK WPA2 examples (they are at 3.1, they promised such an example for 3.2) or use the latest NONOS-SDK, which has this example. Their native environment is quite hard to use (at least to me); I have set up this environment to experiment with their native API, if it could help.

FWdeveloper commented 5 years ago

Moved to ESP32 finally. It seems WPA2-Enterprise works well there.