Closed ish-org closed 1 year ago
Hi @ish-org, could you please be more specific? How did you try to configure WPA Enterprise and what did you get?
Thank you for reply.
My environment is shown below. This access point works with a Pixel 6a (Android 13) and PCs (Ubuntu 22.04 / Windows 11 Pro) using WPA2-Enterprise.
```
host:# cat /usr/local/etc/wifibox/wpa_supplicant/wpa_supplicant.conf
ap_scan=1
network={
    ssid="ishorg-XXXXXXXXX-a"
    scan_ssid=1
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="foo"
    ca_cert="/etc/wpa_supplicant/cacert.pem"
    client_cert="/etc/wpa_supplicant/newcert.pem"
    private_key="/etc/wpa_supplicant/newkey.pem"
    private_key_passwd="password"
}
```
```
wifibox:~# wpa_supplicant -Dnl80211 -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf
Successfully initialized wpa_supplicant
wlan0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=WORLD
wlan0: SME: Trying to authenticate with XX:XX:XX:XX:XX:XX (SSID='ishorg-XXXXXXXX-a' freq=5220 MHz)
wlan0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=COUNTRY alpha2=JP
wlan0: Trying to associate with XX:XX:XX:XX:XX:XX (SSID='ishorg-XXXXXXXX-a' freq=5220 MHz)
wlan0: Associated with XX:XX:XX:XX:XX:XX
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=JP/ST=Tokyo/O=ish/CN=cucumber.ish.org/emailAddress=ishizuka@ish.org' hash=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=JP/ST=Tokyo/L=Suginami/O=ish/CN=gw3.ish.org/emailAddress=ishizuka@ish.org' hash=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
OpenSSL: openssl_handshake - SSL_connect error:0A00014D:SSL routines::legacy sigalg disallowed or unsupported
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: Authentication with XX:XX:XX:XX:XX:XX timed out.
wlan0: CTRL-EVENT-DISCONNECTED bssid=XX:XX:XX:XX:XX:XX reason=3 locally_generated=1
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="ishorg-XXXXXXXXX-a" auth_failures=1 duration=10 reason=AUTH_FAILED
BSSID XX:XX:XX:XX:XX:XX ignore list count incremented to 2, ignoring for 10 seconds
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
```
```
host:# cat newcert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            XX:XX:XX:XX:XX:XX:XX:XX
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=ish, CN=cucumber.ish.org/emailAddress=ishizuka@ish.org
        Validity
            Not Before: Mar  7 08:38:47 2023 GMT
            Not After : Mar  4 08:38:47 2033 GMT
        Subject: C=JP, ST=Tokyo, L=Suginami, O=ish, CN=gw3.ish.org/emailAddress=ishizuka@ish.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    (snip)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                (snip)
            X509v3 Authority Key Identifier:
                keyid:(snip)
    Signature Algorithm: sha256WithRSAEncryption
         (snip)
-----BEGIN CERTIFICATE-----
(snip)
-----END CERTIFICATE-----
```
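A small triage helper for reading logs like the one above, added here as an example (it is not code from the thread or from the Wifibox project). It assumes the `CTRL-EVENT-*` line format that wpa_supplicant prints in the posts above, and the two sample logs are constructed from the thread's output with addresses and hashes masked. The point it makes explicit: in the first log the 802.11 association succeeds and both server certificates are received, so the RADIUS server is reachable and the failure is purely the OpenSSL handshake rejection (`0A00014D`, the TLS library refusing a legacy signature algorithm); in the second log, from the later Suite B attempt, EAP-TLS fails before any server certificate arrives and the AP deauthenticates with reason code 23 (802.1X authentication failed), which points at negotiation rather than certificate trust.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the first log in the thread (MACs and hashes masked).
LOG_LEGACY_SIGALG = """\
Successfully initialized wpa_supplicant
wlan0: SME: Trying to authenticate with XX:XX:XX:XX:XX:XX (SSID='ishorg-XXXXXXXX-a' freq=5220 MHz)
wlan0: Trying to associate with XX:XX:XX:XX:XX:XX (SSID='ishorg-XXXXXXXX-a' freq=5220 MHz)
wlan0: Associated with XX:XX:XX:XX:XX:XX
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=JP/ST=Tokyo/O=ish/CN=cucumber.ish.org' hash=XXXX
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=JP/ST=Tokyo/L=Suginami/O=ish/CN=gw3.ish.org' hash=XXXX
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
OpenSSL: openssl_handshake - SSL_connect error:0A00014D:SSL routines::legacy sigalg disallowed or unsupported
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: CTRL-EVENT-DISCONNECTED bssid=XX:XX:XX:XX:XX:XX reason=3 locally_generated=1
"""

# Constructed sample modelled on the Suite B 192 attempt later in the thread.
LOG_SUITEB = """\
wlan0: Associated with xx:xx:xx:xx:xx:xx
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: CTRL-EVENT-DISCONNECTED bssid=xx:xx:xx:xx:xx:xx reason=23
"""

# IEEE 802.11 reason codes that appear in the thread (wpa_supplicant's WLAN_REASON_* names).
REASON_CODES = {3: "DEAUTH_LEAVING", 23: "IEEE_802_1X_AUTH_FAILED"}

RE_ASSOC = re.compile(r"^\w+: Associated with ")
RE_METHOD = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor \d+ method \d+ \((\w+)\) selected")
RE_CERT = re.compile(r"CTRL-EVENT-EAP-PEER-CERT depth=(\d+) subject='([^']*)'")
RE_TLS_ERR = re.compile(r"^OpenSSL: .*?(error:[0-9A-Fa-f]+:.*)$")
RE_DISC = re.compile(r"CTRL-EVENT-DISCONNECTED .*\breason=(\d+)")


@dataclass
class Triage:
    associated: bool = False
    eap_method: Optional[str] = None
    peer_certs: List[Tuple[int, str]] = field(default_factory=list)  # (depth, subject)
    tls_error: Optional[str] = None
    eap_failed: bool = False
    disconnect_reason: Optional[int] = None

    def verdict(self) -> str:
        """Summarise which layer failed, so the fix is aimed at the right place."""
        if not self.associated:
            return "802.11 association never completed: problem is below EAP (SSID, band, driver)"
        if self.tls_error:
            return (f"EAP-{self.eap_method} TLS handshake failed after receiving "
                    f"{len(self.peer_certs)} server cert(s): {self.tls_error}")
        if self.eap_failed:
            reason = REASON_CODES.get(self.disconnect_reason, str(self.disconnect_reason))
            where = ("before any server certificate arrived" if not self.peer_certs
                     else "after the server chain was seen")
            return (f"EAP-{self.eap_method} rejected {where}, no local TLS error; "
                    f"disconnect reason {reason}")
        return "no EAP failure recorded"


def triage(log: str) -> Triage:
    """Walk the event lines in order and fill in the Triage record."""
    t = Triage()
    for line in log.splitlines():
        if RE_ASSOC.match(line):
            t.associated = True
        elif (m := RE_METHOD.search(line)):
            t.eap_method = m.group(1)
        elif (m := RE_CERT.search(line)):
            t.peer_certs.append((int(m.group(1)), m.group(2)))
        elif (m := RE_TLS_ERR.match(line)):
            t.tls_error = m.group(1)
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            t.eap_failed = True
        elif (m := RE_DISC.search(line)):
            t.disconnect_reason = int(m.group(1))
    return t


if __name__ == "__main__":
    for name, log in (("legacy sigalg", LOG_LEGACY_SIGALG), ("suite b", LOG_SUITEB)):
        print(f"{name}: {triage(log).verdict()}")
```

Feed it `wpa_supplicant -d` output from any interface; the verdict separates "the AP would not let us associate", "the RADIUS server answered but the TLS library refused the handshake" and "the server rejected us before sending its chain", which are three different fixes.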
Sorry, this is a bug of wpa_supplicant 2.10 for SSL3. My wifi router (Buffalo WAPM-APG600H) is too old; its internal RADIUS didn't support TLS 1.2 and uses SSL3. Although this bug was fixed in wap_supplicant 2.10.7, it seems that the latest wpa_supplicant for Alpine is wpa_supplicant-2.10-r4.apk. So I went back to wpa_supplicant-2.9-r17 (and libssl1.1-1.1.1t-r1 and libcrypto1.1-1.1.1t-r1), and it worked fine. Another solution is to use an external RADIUS server. I installed freeradius on a FreeBSD 13.1-R server and this works fine on wifibox-alpine-iwlwifi-20230213 (wpa_supplicant-2.10-r1.apk).
Thank you very much for tracking down this issue! Although Alpine Linux indeed includes only wpa_supplicant 2.10 (even on edge), Wifibox can independently update the package by providing its own and fix the bug. I could experiment with submitting an update to Alpine Linux (i.e. upstream) first and see how receptive they are. I would leave this ticket open until it is resolved to make other users aware of this discovery.
@ish-org I have checked the home page of WPA Supplicant and the latest release is 2.10. I could not find any further minor version, such as 2.10.7 as you suggested in your earlier comment. You actually wrote wap_supplicant but I guess you meant wpa_supplicant. Nevertheless I believe you that the fix for the named bug has been published, but I would like to ask for your help in extracting the related patch from the wpa_supplicant git repository to ship that with Wifibox.
@ish-org for your information, I have pushed an update to wifibox-alpine where the wpa_supplicant build configuration has been changed. I am not sure if this helps with your problem, but it may be worth a try.
@ish-org could you please answer?
Thank you, and sorry for the late reply. Unfortunately, this does not work for SSL3. To enable SSL3, wpa_supplicant must link libssl1.1 and libcrypto1.1. wpa_supplicant-2.10-r2.apk doesn't use them.
P.S. wpa_supplicant-2.10-r2 seems to handle WPA-EAP-SUITE-B and WPA-EAP-SUITE-B-192. This is necessary to use WPA3-Enterprise, but I cannot connect with WPA3-Enterprise. My settings may be wrong.
@ish-org could you please elaborate on your comment about the WPA Supplicant upstream fix for your problem? I would like to include this in the Wifibox Alpine image, but I do not know where to find it.
I'm not an expert either, but I think the following information will be helpful:
https://bbs.archlinux.org/viewtopic.php?id=281039
https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267
Many thanks for the hint, that is exactly what I needed! I created an updated version (r3) of the wpa_supplicant 2.10 package that you can try with the 20230326 version of wifibox-alpine.
Thank you very much. I'm very busy now, so I'll try it later.
Great! wifibox-alpine-20230326 works fine with SSL3.
P.S. It still can't connect with WPA3-Enterprise 192-bit security. The following is my wpa_supplicant.conf.

```
network={
    ssid="XXXXX"
    proto=RSN
    key_mgmt=WPA-EAP-SUITE-B-192
    pairwise=GCMP-256
    group_mgmt=BIP-GMAC-256
    pairwise=GCMP-256
    group=GCMP-256
    group_mgmt=BIP-GMAC-256
    eap=TLS
    identity="xxx"
    ca_cert="/etc/wpa_supplicant/cacert.pem"
    private_key="/etc/wpa_supplicant/bundle.p12"
    private_key_passwd="xxxxxxxxx"
    openssl_ciphers="SUITEB192"
    ieee80211w=2
}
```
```
wifibox:~# wpa_supplicant -Dnl80211 -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf
Successfully initialized wpa_supplicant
wlan0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=WORLD
wlan0: SME: Trying to authenticate with xx:xx:xx:xx:xx:xx (SSID='XXXXXXXXX' freq=5260 MHz)
wlan0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=COUNTRY alpha2=JP
wlan0: Trying to associate with xx:xx:xx:xx:xx:xx (SSID='XXXXXXXXX' freq=5260 MHz)
wlan0: Associated with xx:xx:xx:xx:xx:xx
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: CTRL-EVENT-DISCONNECTED bssid=xx:xx:xx:xx:xx:xx reason=23
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="XXXXXXXXX" auth_failures=1 duration=10 reason=AUTH_FAILED
BSSID xx:xx:xx:xx:xx:xx ignore list count incremented to 2, ignoring for 10 seconds
```
Perhaps I missed enabling the SUITEB192 cipher of OpenSSL, but I don't know the right way.
It seems that it can't connect via WPA3-Enterprise due to incorrect settings in wpa_supplicant.conf. On Ubuntu, although I can connect via WPA3-Enterprise with nmcli settings, after 'systemctl mask wpa_supplicant' and a reboot so that the nmcli settings are not used, I can't connect with this wpa_supplicant.conf; the same error occurred. Can somebody tell me the right settings in wpa_supplicant.conf?
Finally, I can connect via WPA3-Enterprise on wifibox-alpine-iwlwifi-20230326 by removing 'openssl_ciphers="SUITEB192"' from wpa_supplicant.conf. Sorry for worrying you.
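A consistency check for the Suite B 192 network block, added as an example (not code from the thread or from Wifibox). It parses a `network={...}` block into key/value lists, flags keys that appear twice (the posted block repeats `pairwise` and `group_mgmt`; the later value overrides the earlier one), checks that `key_mgmt=WPA-EAP-SUITE-B-192` is accompanied by the settings WPA3-Enterprise 192-bit mode requires (GCMP-256 pairwise and group ciphers, BIP-GMAC-256 group management, PMF required), and calls out `openssl_ciphers="SUITEB192"`. That OpenSSL setting restricts the TLS handshake to ECDHE-ECDSA with P-384 and AES-256-GCM/SHA-384, so it only works when both the client certificate and the RADIUS server certificate are P-384 ECDSA; that is the likely reason removing it made the connection succeed above. The sample configurations are constructed from the block posted in the thread, with placeholders kept as placeholders.

```python
import re
from typing import Dict, List

# Constructed from the Suite B 192 block posted in the thread (placeholders kept).
CONF_POSTED = """\
network={
    ssid="XXXXX"
    proto=RSN
    key_mgmt=WPA-EAP-SUITE-B-192
    pairwise=GCMP-256
    group_mgmt=BIP-GMAC-256
    pairwise=GCMP-256
    group=GCMP-256
    group_mgmt=BIP-GMAC-256
    eap=TLS
    identity="xxx"
    ca_cert="/etc/wpa_supplicant/cacert.pem"
    private_key="/etc/wpa_supplicant/bundle.p12"
    private_key_passwd="xxxxxxxxx"
    openssl_ciphers="SUITEB192"
    ieee80211w=2
}
"""

# The same block with the duplicates and the openssl_ciphers line removed (constructed).
CONF_FIXED = """\
network={
    ssid="XXXXX"
    proto=RSN
    key_mgmt=WPA-EAP-SUITE-B-192
    pairwise=GCMP-256
    group=GCMP-256
    group_mgmt=BIP-GMAC-256
    eap=TLS
    identity="xxx"
    ca_cert="/etc/wpa_supplicant/cacert.pem"
    private_key="/etc/wpa_supplicant/bundle.p12"
    private_key_passwd="xxxxxxxxx"
    ieee80211w=2
}
"""

# Companions that WPA3-Enterprise 192-bit mode requires alongside WPA-EAP-SUITE-B-192.
SUITEB192_REQUIRED = {
    "pairwise": "GCMP-256",
    "group": "GCMP-256",
    "group_mgmt": "BIP-GMAC-256",
    "ieee80211w": "2",  # PMF required
}


def parse_network_block(conf: str) -> Dict[str, List[str]]:
    """Return key -> list of values for the first network={...} block, keeping duplicates."""
    m = re.search(r"network=\{(.*?)\}", conf, re.S)
    if not m:
        raise ValueError("no network={...} block found")
    fields: Dict[str, List[str]] = {}
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return fields


def lint_suiteb192(conf: str) -> List[str]:
    """Return human-readable findings; an empty list means the block is consistent."""
    fields = parse_network_block(conf)
    findings: List[str] = []
    for key, values in fields.items():
        if len(values) > 1:
            findings.append(f"duplicate key {key}: {values} (the later value overrides)")
    if fields.get("key_mgmt", [""])[-1] != "WPA-EAP-SUITE-B-192":
        return findings  # not a Suite B 192 block; only the duplicate check applies
    for key, want in SUITEB192_REQUIRED.items():
        got = fields.get(key, [None])[-1]
        if got != want:
            findings.append(f"{key}={got!r}, Suite B 192 requires {key}={want}")
    if fields.get("eap", [None])[-1] != "TLS":
        findings.append("eap must be TLS for WPA3-Enterprise 192-bit")
    ciphers = fields.get("openssl_ciphers", [None])[-1]
    if ciphers and "SUITEB" in ciphers.upper():
        findings.append(f"openssl_ciphers={ciphers}: limits TLS to ECDHE-ECDSA P-384; "
                        "drop it unless both client and server certificates are P-384 ECDSA")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", CONF_POSTED), ("fixed", CONF_FIXED)):
        print(name, lint_suiteb192(conf) or "OK")
```

Run it against a copy of the block before restarting wpa_supplicant; the cipher-string finding is advisory, the missing-companion findings are hard errors for a 192-bit association.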
No problem. Thanks for the confirmation! That said, I am closing this ticket.
I tested wifibox on FreeBSD 14-CURRENT with an Intel AX210NGW wifi card. It works fine with WPA2-Personal, but it seems that WPA2-Enterprise is not working. Is there any way to use WPA2-Enterprise?