Open SaurabhCoolR opened 2 years ago
Here is the Radius Server Msg:
Authentication Details: Connection Request Policy Name: Secure Wireless Controllers Network Policy Name: Stores Secure Wireless Policy Authentication Provider: Windows Authentication Server:
From further Tests, we have found that with SDK v3.4:
--> Working with FreeRADIUS v3.0.20 and above with a basic setup running on Ubuntu.
--> Not working with Windows Server 2012 R2 NPS (RADIUS), with the following error:
Authentication Details: Connection Request Policy Name: Secure Wireless Controllers Network Policy Name: Stores Secure Wireless Policy Authentication Provider: Windows Authentication Type: PEAP EAP Type: - Account Session Identifier: 43434530393946454142464636423033 Logging Results: Accounting information was written to the local log file. Reason Code: 262 Reason: The supplied message is incomplete. The signature was not verified.
Note: We don't provide the domain name in the example ID configuration. We give the same value as the username because that's what was working with the earlier SDK. Will that cause an issue in the new SDK v3.4?
@SaurabhCoolR The reason code 262 on Windows Server could mean any of these:
1. Is the CA cert expired on the Windows server?
2. Is the Validate server option enabled on the client, i.e. is the CA flashed on the DUT? Can you also try without flashing?
3. Was any Windows update done recently?
4. Are other clients able to connect using the RADIUS server, or is it just this DUT having the issue?
Please refer to this link: https://community.spiceworks.com/topic/1342663-nps-server-certificate
Hi @nishanth-radja.
2. Is the Validate server option enabled on the client, i.e. is the CA flashed on the DUT? Can you also try without flashing?
Ans: We are not using it even though it is flashed. So flashing the CA on the DUT should be irrelevant if we have commented out its use in code, right?
3. Was any Windows update done recently?
Ans: Will confirm this.
4. Are other clients able to connect using the RADIUS server, or is it just this DUT having the issue?
Ans: Yes, the other devices are able to connect to it fine. Our PEAP device based on SDK commit 655f934 is able to connect with it fine. The problem is only with SDK v3.4.
@SaurabhCoolR Also, can you please provide the correct domain and username in the ID configuration, i.e. the ones entered in the Windows Active Directory? Otherwise Windows will reject the authentication.
Hi @nishanth-radja,
Please find the needed details:
winlog.event_data.SubjectDomainName --> DHC
winlog.event_data.SubjectUserName --> SVSHLFWIFI001A
In the SDK v3.4 WPA2 example code, we are giving the following config in menuconfig:
EXAMPLE_EAP_ID --> SVSHLFWIFI001A
EXAMPLE_EAP_USERNAME --> SVSHLFWIFI001A
Also, we have the following difference in the RADIUS server log between the working case with the earlier SDK and the non-working SDK v3.4 example:
Working case: winlog.event_data.EAPType --> Microsoft: Secured password (EAP-MSCHAP v2)
Non-working case: winlog.event_data.EAPType --> ""
Hi @nishanth-radja, could you please provide some help?
@SaurabhCoolR Looks like the EAP type is going out blank. Do you have sniffer captures for both the working and the non-working case? Do you have the full RADIUS logs of the working and non-working case? Can you please share them? Also try this EAP ID and username:
EXAMPLE_EAP_ID --> SVSHLFWIFI001A@DHC.com
EXAMPLE_EAP_USERNAME --> SVSHLFWIFI001A
EXAMPLE_EAP_PASSWORD --> "correct password"
Hi @nishanth-radja :
We are working on getting the full RADIUS logs.
We tried with the suggested EAP credentials, but it doesn't seem to work and gives the same auth-fail issue.
@SaurabhCoolR Sure. Please get the sniffer capture too, along with the RADIUS logs for the working and non-working case.
Hi @nishanth-radja :
We are working on the same.
Meanwhile, can you please confirm which specific packets you need? We are using Wireshark to capture the packets. This will help us capture only the needed packets and not dump unnecessary traffic here.
Hi @nishanth-radja :
Attaching here the K12 text files of the Wireshark sniffer capture of the RADIUS packets for both the success and failed cases. Please have a look.
Thanks.
old_sdk_success2.txt
old_sdk_success1.txt
new_sdk_failed2.txt
new_sdk_failed1.txt
Hi @SaurabhCoolR Can you please add this fix and retry? https://github.com/espressif/esp-idf/commit/6647f48dda571f3a7e2a7012fc0ba1eddfa51bf2
Hi,
Tried with the changes mentioned above, but the RADIUS connection still fails. Please find the attached reference files.
Hi,
Have tried the suggested solution, but the issue remains the same. Please check for an update on the underlying issue.
Thanks and regards,
@SaurabhCoolR The difference between the pass case and the fail case is the TLS version used. The pass case is using TLS 1.0 and the fail case is using TLS 1.2. As you have mentioned that the connection was successful with FreeRADIUS, was FreeRADIUS using TLS v1.0? Can you enable wpa_supplicant logs while connecting to the Windows server?
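The diagnosis above rests on reading the TLS version out of the captured EAP-PEAP packets. The following is an added example (not code from the issue or from the ESP8266 RTOS SDK) that parses the EAP header, the PEAP flags and the embedded TLS record to report both the record-layer version and the ClientHello version; the two packets it decodes are constructed here to mimic the passing (TLS 1.0) and failing (TLS 1.2) captures and are not the attached K12 files.

```python
import struct

EAP_TYPE_PEAP = 25
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def tls_versions_from_eap(eap: bytes) -> dict:
    """Return the TLS record version and (for a ClientHello) the handshake
    version carried in an EAP-Response/PEAP packet; raise on other layouts."""
    if len(eap) < 6:
        raise ValueError("EAP packet too short")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", eap[:6])
    if length != len(eap) or eap_type != EAP_TYPE_PEAP:
        raise ValueError("not a complete EAP-PEAP packet")
    if flags & 0x20:                 # S bit: PEAP start, carries no TLS data
        raise ValueError("PEAP start packet carries no TLS record")
    pos = 6
    if flags & 0x80:                 # L bit: 4-byte total TLS message length follows
        pos += 4
    rec_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", eap[pos:pos + 5])
    if rec_type != 22:
        raise ValueError("expected a TLS handshake record")
    body = eap[pos + 5:pos + 5 + rec_len]
    result = {"record": TLS_VERSIONS.get((rec_major, rec_minor), "unknown")}
    if body[0] == 1:                 # ClientHello: version follows the 3-byte handshake length
        result["client_hello"] = TLS_VERSIONS.get((body[4], body[5]), "unknown")
    return result


def build_eap_peap_client_hello(record_ver: tuple, hello_ver: tuple) -> bytes:
    """Constructed EAP-Response/PEAP packet wrapping a minimal ClientHello.
    The record layer and the hello may advertise different versions, as a
    real TLS 1.2 client usually sends a 3.1 record around a 3.3 ClientHello."""
    hello = (bytes(hello_ver) + bytes(32)          # client_version + random
             + b"\x00"                             # empty session id
             + b"\x00\x02\x00\x2f"                 # one cipher suite
             + b"\x01\x00")                        # null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    record = b"\x16" + bytes(record_ver) + len(handshake).to_bytes(2, "big") + handshake
    payload = b"\x80" + len(record).to_bytes(4, "big") + record   # L flag + TLS length
    return struct.pack("!BBHB", 2, 1, 5 + len(payload), EAP_TYPE_PEAP) + payload


# Constructed stand-ins for the old-SDK (pass) and new-SDK (fail) captures.
PASS_CAPTURE = build_eap_peap_client_hello((3, 1), (3, 1))
FAIL_CAPTURE = build_eap_peap_client_hello((3, 1), (3, 3))

if __name__ == "__main__":
    for name, pkt in (("pass", PASS_CAPTURE), ("fail", FAIL_CAPTURE)):
        print(name, tls_versions_from_eap(pkt))
```

Note that the record-layer version alone would show TLS 1.0 in both captures; the ClientHello version is the field to compare.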
Hi @nishanth-radja :
For FreeRADIUS v3.0.25 (successful with both SDKs):
Old SDK: TLS v1.0
New SDK: TLS v1.2
Will share the wpa_supplicant logs as well shortly.
Hi @SaurabhCoolR ,
Is it possible for you to share the sniffer capture and logs? Please enable the logs for both wpa_supplicant and mbedTLS, which will help to debug this faster.
Also, can you disable the WPA_MBEDTLS_CRYPTO option and retry? Is it able to connect in that case (as a separate exercise from the one above)?
Hi @kapilkedawat,
We have tried with both WPA_MBEDTLS_CRYPTO enabled and disabled, and in both cases the connection/auth failed. Please find the attached device logs and packet capture for both cases.
WPA_MBEDTLS_CRYPTO_disabled.txt
WPA_MBEDTLS_CRYPTO_enabled.txt
WPA_MBEDTLS_CRYPTO_enabled.log
WPA_MBEDTLS_CRYPTO_disabled.log
Hi @nishanth-radja @kapilkedawat Any update on this issue?
Hi @SaurabhCoolR are you using CMake or make? In case using make, please apply this patch https://github.com/espressif/esp-idf/pull/8044/commits/6acb4620b41edda01dea115b5ffcd06c3084851e and retry with mbedtls_crypto disabled.
Hi @kapilkedawat :
We are using make. We have checked with the above patch with crypto disabled, but it gives a compilation error on both the release/v3.4 branch and SDK v3.4.
Hi @SaurabhCoolR, you copied the line as it is, which is why the compilation issue is occurring. Only -DCONFIG_SHA256 needs to be added; please don't remove CONFIG_WPA3_SAE, which is what caused that compilation issue.
Hi @kapilkedawat :
The wpa2 example ran successfully with mbedTLS crypto disabled and the -DCONFIG_SHA256 flag. Attached are the logs for reference. So are we using TLSv1.0 now, and is that what helped with the connection? Also, is this the final setting to be used with SDK v3.4 for Windows NPS servers?
new_sdk_success2_tplink_archer_C6.log
new_sdk_success2_tplink_archer_C6.txt
Thanks @SaurabhCoolR,
Seems like the issue is in the mbedTLS client.
Can you please apply https://github.com/espressif/esp-idf/commit/6647f48dda571f3a7e2a7012fc0ba1eddfa51bf2 and https://github.com/espressif/esp-idf/commit/d3a42d787d3d9a0ab916855bb48b1cd530e47961 correctly? After that, enable WPA_MBEDTLS_CRYPTO, clean the build directory and build the app again to make sure the changes are included, and then retry.
In case you face trouble applying these patches, you can directly replace components/wpa_supplicant/src/crypto/tls_mbedtls.c with https://github.com/espressif/esp-idf/blob/master/components/wpa_supplicant/src/crypto/tls_mbedtls.c
Hi @kapilkedawat ,
Thanks for getting back. We applied the patch and then were able to connect with WPA_MBEDTLS_CRYPTO enabled. Attached are the logs for your reference.
Please let us know the next steps.
Thanks for update @SaurabhCoolR .
Please use the default WPA_MBEDTLS_CRYPTO enabled config which provides faster and better crypto. We will backport the fixes.
Thanks @kapilkedawat
Environment
Problem Description
The WPA2 Enterprise Example Doesn't Work with SDK v3.4.
Due to inconsistency in the PEAP connection, we wanted to move our firmware based on ESP8266 RTOS SDK commit ID 655f934 (near release/v3.1.2) to SDK v3.4. But we observe that with SDK v3.4 the PEAP connection becomes worse.
Expected Behavior
The PEAP Connection with SDK v3.4 is supposed to improve.
Actual Behavior
As we compared the PEAP connection by running the wpa2_enterprise example, it seems the PEAP connection is far worse with the latest release v3.4. It always gives disconnect reason 23, 802.1x Auth Failed. This was not the issue when we tried the same example with commit ID 655f934.
Steps to reproduce
Code to reproduce this issue
Just attaching the code for the initialise_wifi function, where I have commented out the lines that set the cert bytes. Following are the PEAP config details in the SDK config:
Debug Logs
Attached Items: