Closed Bradleyking4 closed 2 years ago
Hi @Bradleyking4, can you please help with supplicant logs in the 4.1.1 case? You need to compile with CONFIG_WPA_DEBUG_PRINT=y.
log-wpa4.1.1.log Here is the updated file, sorry about that.
Hi @Bradleyking4, can we have the radius server logs, so that we can try to reproduce the issue? Is the Radius server configured with PEAP-mschapv2?
Here you go, please let me know if you require anything else. With regards to PEAP-mschapv2, it looks like a yes.
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Hi @Bradleyking4 After going through the logs, we found that in the 4.1.1 case the inner identity is blank, which is not the case in 4.1.
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity -
[peap] Got inner identity ''
Can we please have the Radius Config which is being used, and which version of 4.1.1 is being used on the DUT (Commit ID)?
@Bradleyking4 Thanks for reporting, would you please help share if any updates for this issue? Thanks.
Hi @Alvin1Zhang AND @nishanth-radja. I've taken over @Bradleyking4's work and we are still having this issue with 4.3.1 as well. We note that you found that the inner identity was blank. Can you advise on how we might be able to resolve that?
@timmyhadwen
Then can you provide the Radius Config (which was asked by https://github.com/espressif/esp-idf/issues/6905#issuecomment-845639079)
@timmyhadwen Can you also provide the radius server logs, similar to https://github.com/espressif/esp-idf/issues/6905#issuecomment-841757744, to make sure that it is the same issue in 4.3.1 as well?
@AxelLin We are using the UniFi internal RADIUS server. Looks like it's based on freeradius. Attached config file.
We can confirm that it is also broken on 4.3 and also on other networks. Namely we have tried Eduroam with 4.1 (success), 4.1.1 (failure) and 4.3 (failure).
This is what I'm seeing from FreeRadius logs. I'm not sure why changing this changes the number of requests and the TLS tunnel status etc.
With MBED TLS Disabled
Tue Oct 5 18:29:09 2021 : Auth: Login incorrect: [tim/
With MBED TLS Enabled
Tue Oct 5 18:10:40 2021 : Auth: Login incorrect: [/
@timmyhadwen, I had gone through the radius.conf.txt file. The following lines that specify the location are missing in your file.
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
So can you attach the following files from the radius server, to find out from where the certs are getting picked up by the radius server.
@AxelLin @nishanth-radja Please find the files as requested and let me know of any further files you need. We are still having the problem on Eduroam networks as well, however we are unable to get the files from their config. Errors still persist on our test net.
@timmyhadwen Thanks for the conf files. Using the eap.conf, I am trying to repro the issue locally. Can you point me to the IDF commit you are using? I have tried on the latest 4.1.1 and 4.3 but did not see the issue. Can you please share your commit ID?
From the fail hostapd logs of 4.1.1 and sdkconfig, I see the following. The outer identity username which is supposed to be "example@espressif.com" is getting replaced by the inner identity username "fiffy" and the inner identity is left blank.
1. Are you using the example as such, or are you calling the APIs and having your own code?
   a. If you are using your own code, can you verify the assignment of outer identity and inner identity?
   b. If you are using the example, can you do an idf.py fullclean, remove the build and sdkconfig and then build fresh? Erase the chip using "idf.py erase_flash" and then flash again. This will erase any previous identity stored on the chip.
2. Can you please share the commit ID on 4.3 and 4.1.1 on which you are seeing the issue, so that we can check if there is any change in code?
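The check done by eye in this thread (a blank inner identity in the `[peap]` debug lines, a blank user name in the `Login incorrect` line) can be scripted over FreeRADIUS logs. This is an added example, not part of any comment above and not ESP-IDF or FreeRADIUS code; the function name, finding labels and sample log lines are constructed for illustration and only follow the line shapes quoted in the thread.

```python
import re

# Line shapes quoted in the thread: the eap-peap debug line and the
# radius.log reject line. Text after "[user/" is ignored by the parser.
INNER_RE = re.compile(r"\[peap\]\s+Got inner identity '(?P<ident>[^']*)'")
LOGIN_RE = re.compile(r"Auth: Login incorrect: \[(?P<user>[^/\]]*)/")

def audit_peap_log(lines, expected_inner=None):
    """Return (line_number, finding) tuples for identity problems.

    expected_inner is the phase-2 user name the supplicant was configured
    with; pass None to only look for blank identities.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = INNER_RE.search(line)
        if m:
            ident = m.group("ident")
            if ident == "":
                # Server decrypted the tunnel but got an empty EAP-Identity.
                findings.append((lineno, "blank-inner-identity"))
            elif expected_inner is not None and ident != expected_inner:
                # E.g. outer and inner identities swapped on the client.
                findings.append((lineno, "unexpected-inner-identity"))
            continue
        m = LOGIN_RE.search(line)
        if m and m.group("user") == "":
            findings.append((lineno, "blank-user-in-reject"))
    return findings

# Constructed sample input (not taken from the attached logs).
SAMPLE_LOG = """\
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity -
[peap] Got inner identity ''
Mon Jan 1 10:00:00 2024 : Auth: Login incorrect: [/<via Auth-Type = EAP>] (from client ap1 port 0)
[peap] Got inner identity 'alice'
Mon Jan 1 10:05:00 2024 : Auth: Login incorrect: [alice/<via Auth-Type = EAP>] (from client ap1 port 0)
""".splitlines()

if __name__ == "__main__":
    for lineno, finding in audit_peap_log(SAMPLE_LOG, expected_inner="alice"):
        print(f"line {lineno}: {finding}")
```

A blank inner identity points at the supplicant side (identity assignment or stale stored credentials), while a populated identity followed by a reject points at the credential check on the server.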
Hi all, this seems to be resolved on latest master.
Thanks for reporting, sorry for slow turnaround, the fix on master branch is available at https://github.com/espressif/esp-idf/commit/190b31bb1b9b1e6e21feb038797aed6e14cb765b, thanks.
Thanks for reporting, sorry for slow turnaround, the fix on master branch is available at 190b31b, thanks.
The above fix is only available on master. That fix was committed on Jan 12, which is several months ago; why do stable branches not have the fix?
Thanks @Alvin1Zhang
Thanks for reporting, sorry for slow turnaround, the fix on master branch is available at 190b31b, thanks.
@Alvin1Zhang This issue was reported on v4.1.1, so I suppose stable branches need a backport fix. Could you confirm if stable branches need this fix? (If yes, why does it take such a long time for the backport fix?)
Thanks for reporting, sorry for slow turnaround, fixes on release branches are
Feel free to reopen.
Environment
Problem Description
After updating to v4.1.1 from v4.1, WPA ENT PEAP no longer connects to the access point, using either the example program or ours.
Expected Behavior
Actual Behavior
Steps to reproduce
// If possible, attach a picture of your setup/wiring here. No wiring needed.
Code to reproduce this issue
WPA ENT example program
Debug Logs
I've attached logs of the default sdk config after changing the examples for PEAP, and one with verbose logging turned on.
Other items if possible
default-wpa4.1.1.log log-wpa4.1.1.log
default-wpa4.1.log log-wpa4.1.log
sdkconfig v4.1.1.txt sdkconfig v4.1.txt