espressif / esp-idf

Espressif IoT Development Framework. Official development framework for Espressif SoCs.
Apache License 2.0

WPA2 ENT EAP example not connecting to ubiquiti network. 4.1.1 (IDFGH-5123) #6905

Closed Bradleyking4 closed 2 years ago

Bradleyking4 commented 3 years ago

Environment

Problem Description

After updating to v4.1.1 from v4.1, WPA ENT PEAP no longer connects to the access point, using either the example program or ours.

Expected Behavior

I (2965) wpa: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
I (2975) wpa: >>>>>wpa2 FINISH

I (2995) wifi:connected with wpawep, aid = 2, channel 6, BW20, bssid = 3a:e8:29:5a:5a:e5
I (2995) wifi:security: WPA2-Ent, phy: bgn, rssi: -56
I (2995) wifi:pm start, type: 1

I (3045) wifi:AP's beacon interval = 102400 us, DTIM period = 1
I (4965) example: ~~~~~~~~~~~
I (4965) example: IP:0.0.0.0
I (4965) example: MASK:0.0.0.0
I (4965) example: GW:0.0.0.0
I (4965) example: ~~~~~~~~~~~
I (5125) esp_netif_handlers: sta ip: 192.168.1.32, mask: 255.255.255.0, gw: 192.168.1.1
I (6965) example: ~~~~~~~~~~~
I (6965) example: IP:192.168.1.32
I (6965) example: MASK:255.255.255.0
I (6965) example: GW:192.168.1.1
I (6965) example: ~~~~~~~~~~~
I (8965) example: ~~~~~~~~~~~
I (8965) example: IP:192.168.1.32
I (8965) example: MASK:255.255.255.0
I (8965) example: GW:192.168.1.1
I (8965) example: ~~~~~~~~~~~

Actual Behavior

I (15219) wifi:new:<6,0>, old:<6,0>, ap:<255,255>, sta:<6,0>, prof:1
I (15219) wifi:state: init -> auth (b0)
I (15239) wifi:state: auth -> assoc (0)
I (15249) wifi:state: assoc -> run (10)
I (16909) example: ~~~~~~~~~~~
I (16909) example: IP:0.0.0.0
I (16909) example: MASK:0.0.0.0
I (16909) example: GW:0.0.0.0
I (16909) example: ~~~~~~~~~~~
I (17319) wifi:state: run -> init (17c0)
I (17329) wifi:new:<6,0>, old:<6,0>, ap:<255,255>, sta:<6,0>, prof:1
I (17329) wifi:new:<6,0>, old:<6,0>, ap:<255,255>, sta:<6,0>, prof:1
I (18909) example: ~~~~~~~~~~~
I (18909) example: IP:0.0.0.0
I (18909) example: MASK:0.0.0.0
I (18909) example: GW:0.0.0.0
I (18909) example: ~~~~~~~~~~~

Steps to reproduce

  1. open wpa enterprise example
  2. change example configs,
    #
    # Example Configuration
    #
    CONFIG_EXAMPLE_WIFI_SSID="wpawep"
    # CONFIG_EXAMPLE_VALIDATE_SERVER_CERT is not set
    # CONFIG_EXAMPLE_EAP_METHOD_TLS is not set
    CONFIG_EXAMPLE_EAP_METHOD_PEAP=y
    # CONFIG_EXAMPLE_EAP_METHOD_TTLS is not set
    CONFIG_EXAMPLE_EAP_METHOD=1
    CONFIG_EXAMPLE_EAP_ID="example@espressif.com"
    CONFIG_EXAMPLE_EAP_USERNAME="userr"
    CONFIG_EXAMPLE_EAP_PASSWORD="userr123"
    # end of Example Configuration

// If possible, attach a picture of your setup/wiring here. No wiring needed.

Code to reproduce this issue

WPA ENT example program

Debug Logs

I've attached logs of the default sdk config after changing the examples for PEAP, and one with verbose logging turned on.

Other items if possible

default-wpa4.1.1.log log-wpa4.1.1.log

default-wpa4.1.log log-wpa4.1.log

sdkconfig v4.1.1.txt sdkconfig v4.1.txt

sagb2015 commented 3 years ago

Hi @Bradleyking4, can you please help with supplicant logs in the 4.1.1 case? Need to compile with CONFIG_WPA_DEBUG_PRINT=y.

Bradleyking4 commented 3 years ago

log-wpa4.1.1.log Here is the updated file, sorry about that.

nishanth-radja commented 3 years ago

Hi @Bradleyking4, can we have the RADIUS server logs, so that we can try to reproduce the issue? Is the RADIUS server configured with PEAP-MSCHAPv2?

Bradleyking4 commented 3 years ago

Here you go, please let me know if you require anything else. With regard to PEAP-MSCHAPv2, it looks like a yes.

 Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = no
        allow_retry = yes
  }

 Module: Instantiating eap-peap
   peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
        with_ntdomain_hack = no
        send_error = no
   }

4.1.1-fail.txt 4.1-success.txt

nishanth-radja commented 3 years ago

Hi @Bradleyking4 After going through the logs, we found that in the 4.1.1 case the inner identity is blank, which is not the case in 4.1:

[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity -
[peap] Got inner identity ''

Can we pls have the RADIUS config which is being used, and which version of 4.1.1 is being used on the DUT (commit ID)?

Alvin1Zhang commented 3 years ago

@Bradleyking4 Thanks for reporting, would you please help share if any updates for this issue? Thanks.

timmyhadwen commented 3 years ago

Hi @Alvin1Zhang and @nishanth-radja. I've taken over @Bradleyking4's work and we are still having this issue with 4.3.1 as well. We note that you found that the inner identity was blank. Can you advise on how we might be able to resolve that?

AxelLin commented 3 years ago

@timmyhadwen

Then can you provide the Radius Config (which was asked by https://github.com/espressif/esp-idf/issues/6905#issuecomment-845639079)

nishanth-radja commented 3 years ago

@timmyhadwen Also, can you provide the RADIUS server logs, similar to https://github.com/espressif/esp-idf/issues/6905#issuecomment-841757744, to make sure that it is the same issue in 4.3.1 as well.

timmyhadwen commented 3 years ago

@AxelLin We are using the UniFi internal RADIUS server. Looks like it's based on FreeRADIUS. Attached config file.

radiusd.conf.txt

We can confirm that it is also broken on 4.3 and also on other networks. Namely we have tried Eduroam with 4.1 (success), 4.1.1 (failure) and 4.3 (failure).

timmyhadwen commented 3 years ago

This is what I'm seeing from the FreeRADIUS logs. I'm not sure why changing this changes the number of requests and the TLS tunnel status etc.

With MBED TLS Disabled

Tue Oct 5 18:29:09 2021 : Auth: Login incorrect: [tim/] (from client client-5ef159a650b5653f9556baa0 port 0 cli 94-3C-C6-7D-34-E0)

With MBED TLS Enabled

Tue Oct 5 18:10:40 2021 : Auth: Login incorrect: [/] (from client client-5ef159a650b5653f9556baa0 port 0 via TLS tunnel)
Tue Oct 5 18:10:40 2021 : Auth: Login incorrect: [tim/] (from client client-5ef159a650b5653f9556baa0 port 0 cli 94-3C-C6-7D-34-E0)
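
The two FreeRADIUS excerpts above, and the blank inner identity nishanth-radja found earlier in the thread, are easier to spot mechanically than by eye. The following Python script is an added example, not code from the issue or from esp-idf: it parses `Auth:` lines of the form quoted above, separates the inner-tunnel request (`via TLS tunnel`, the phase-2 identity) from the outer request (`cli <MAC>`, the cleartext EAP-Identity), pairs them by client and timestamp, and flags the symptom in this issue (outer identity carrying the username, inner identity empty). The sample lines are constructed from the thread's excerpts; the `Login OK` pair with the `anonymous@example.org` outer identity is assumed, not from the page.

```python
"""Classify FreeRADIUS "Auth:" log lines from a PEAP exchange as outer or
inner-tunnel requests and flag a blank inner identity.

Added example for this issue thread; not code from esp-idf or from the
reporters. Assumed log format: FreeRADIUS radius.log "Auth:" lines as
quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the lines quoted in the thread. Lines 2-3
# are the "mbedTLS enabled" failure (inner identity blank, outer "tim"),
# line 4 is the "mbedTLS disabled" failure (no tunnel request at all). The
# last two lines are an assumed healthy exchange with an anonymous outer
# identity; they are not from the page.
SAMPLE_LOG = """\
Tue Oct  5 18:10:39 2021 : Info: rlm_sql (sql): Reserved connection (4)
Tue Oct  5 18:10:40 2021 : Auth: Login incorrect: [/] (from client client-5ef159a650b5653f9556baa0 port 0 via TLS tunnel)
Tue Oct  5 18:10:40 2021 : Auth: Login incorrect: [tim/] (from client client-5ef159a650b5653f9556baa0 port 0 cli 94-3C-C6-7D-34-E0)
Tue Oct  5 18:29:09 2021 : Auth: Login incorrect: [tim/] (from client client-5ef159a650b5653f9556baa0 port 0 cli 94-3C-C6-7D-34-E0)
Tue Oct  5 18:40:02 2021 : Auth: Login OK: [tim/<via Auth-Type = EAP>] (from client client-5ef159a650b5653f9556baa0 port 0 via TLS tunnel)
Tue Oct  5 18:40:02 2021 : Auth: Login OK: [anonymous@example.org/<via Auth-Type = EAP>] (from client client-5ef159a650b5653f9556baa0 port 0 cli 94-3C-C6-7D-34-E0)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<identity>[^/\]]*)/[^\]]*\] "   # [User-Name/<password placeholder>]
    r"\(from client (?P<client>\S+) port \d+ "
    r"(?:(?P<tunnel>via TLS tunnel)|cli (?P<mac>[0-9A-Fa-f:-]+))\)"
)


@dataclass
class AuthEntry:
    ts: str
    ok: bool
    identity: str        # User-Name as the server saw it ('' if blank)
    client: str
    inner: bool          # True: inner-tunnel (phase 2) request; False: outer request
    mac: Optional[str]   # Calling-Station-Id, only present on the outer request


def parse_auth_line(line: str) -> Optional[AuthEntry]:
    """Return an AuthEntry for an 'Auth:' line, or None for any other line."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    return AuthEntry(
        ts=m.group("ts"),
        ok=m.group("result") == "OK",
        identity=m.group("identity"),
        client=m.group("client"),
        inner=m.group("tunnel") is not None,
        mac=m.group("mac"),
    )


def parse_auth_log(text: str) -> List[AuthEntry]:
    return [e for e in (parse_auth_line(l) for l in text.splitlines()) if e]


def diagnose_peap(entries: List[AuthEntry]) -> List[Tuple[str, str, str]]:
    """Pair each outer request with the inner-tunnel request logged for the
    same client in the same second and classify the identity handling.

    Codes: NO_INNER (phase 2 never reached), BLANK_INNER (the symptom in this
    issue), SAME_IDENTITY (real username also sent in the clear), OK.
    """
    findings = []
    inner = [e for e in entries if e.inner]
    for o in (e for e in entries if not e.inner):
        paired = [i for i in inner if i.client == o.client and i.ts == o.ts]
        if not paired:
            findings.append((o.ts, "NO_INNER",
                             f"outer identity {o.identity!r} from {o.mac}: no inner-tunnel "
                             "request logged, the TLS phase did not complete"))
            continue
        i = paired[0]
        if i.identity == "":
            findings.append((o.ts, "BLANK_INNER",
                             f"outer identity {o.identity!r}, inner identity empty: the "
                             "supplicant sent its username as the outer identity and "
                             "nothing inside the tunnel"))
        elif o.identity == i.identity:
            findings.append((o.ts, "SAME_IDENTITY",
                             f"outer and inner identity are both {o.identity!r}: the real "
                             "username is visible in the cleartext EAP-Identity; use an "
                             "anonymous outer identity"))
        else:
            findings.append((o.ts, "OK",
                             f"outer {o.identity!r} / inner {i.identity!r}, result "
                             f"{'OK' if i.ok else 'incorrect'}"))
    return findings


if __name__ == "__main__":
    for ts, code, detail in diagnose_peap(parse_auth_log(SAMPLE_LOG)):
        print(f"{ts}  {code:13s} {detail}")
```

Run it against a real radius.log by replacing SAMPLE_LOG with the file contents. Pairing by whole-second timestamp is a heuristic: a busy server can log two clients' attempts in the same second, so the client name is included in the match; if that is still ambiguous, pair on the outer request's Calling-Station-Id from the detail log instead.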

nishanth-radja commented 3 years ago

@timmyhadwen, I had gone through the radius.conf.txt file. The following lines that specify the location are missing in your file.

Location of config and logfiles.

confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}

So can you attach the following files from the radius server, to find out from where the certs are getting picked up by the radius server.

  1. /raddb/mods-available/eap
  2. /raddb/mods-available/eap
  3. /raddb/clients.conf
  4. /raddb/users

timmyhadwen commented 2 years ago

@AxelLin @nishanth-radja Please find the files as requested and let me know of any further files you need. We are still having the problem on Eduroam networks as well, however we are unable to get the files from their config. Errors still persist on our test net.

clients.conf.txt eap.conf.txt users.txt

nishanth-radja commented 2 years ago

@timmyhadwen Thanks for the conf files. Using the eap.conf, I am trying to repro the issue locally. Can you point me to the IDF commit you are using? I have tried on the latest 4.1.1 and 4.3 but did not see the issue. Can you pls share your commit ID?

From the fail hostapd logs of 4.1.1 and sdkconfig, I see the following: the outer identity username, which is supposed to be "example@espressif.com", is getting replaced by the inner identity username "fiffy" and the inner identity is left blank.

  1. Are you using the example as such, or are you calling the APIs and having your own code?
    a. If you are using your own code, can you verify the assignment of outer identity and inner identity.
    b. If you are using the example, can you do an idf.py fullclean, remove the build and sdkconfig and then build fresh. Erase the chip using "idf.py erase_flash" and then flash again. This will erase any previous identity stored on the chip.
  2. Can you pls share the commit ID on 4.3 and 4.1.1 on which you are seeing the issue, so that we can check if there is any change in code.

timmyhadwen commented 2 years ago

Hi all, this seems to be resolved on latest master.

Alvin1Zhang commented 2 years ago

Thanks for reporting, sorry for slow turnaround, the fix on master branch is available at https://github.com/espressif/esp-idf/commit/190b31bb1b9b1e6e21feb038797aed6e14cb765b, thanks.

AxelLin commented 2 years ago

Thanks for reporting, sorry for slow turnaround, the fix on master branch is available at 190b31b, thanks.

Above fix is only available on master. That fix was committed on Jan 12, which is several months ago; why do stable branches not have the fix?

timmyhadwen commented 2 years ago

Thanks @Alvin1Zhang

AxelLin commented 2 years ago

Thanks for reporting, sorry for slow turnaround, the fix on master branch is available at 190b31b, thanks.

@Alvin1Zhang This issue was reported on v4.1.1, so I suppose stable branches need a backport fix. Could you confirm if stable branches need this fix? (If yes, why does it take such a long time for the backport fix?)

Alvin1Zhang commented 2 years ago

Thanks for reporting, sorry for slow turnaround, fixes on release branches are

Feel free to reopen.