pgj / freebsd-wifibox

wifibox: Use Linux to drive your wireless card on FreeBSD
BSD 2-Clause "Simplified" License

wpa[23]-enterprise #46

Closed ish-org closed 1 year ago

ish-org commented 1 year ago

I tested wifibox on FreeBSD 14-CURRENT with an Intel AX210ngw Wi-Fi card. It works fine with WPA2-Personal, but WPA2-Enterprise does not seem to work. Is there any way to use WPA2-Enterprise?

pgj commented 1 year ago

Hi @ish-org, could you please be more specific? How did you try to configure WPA Enterprise and what did you get?

ish-org commented 1 year ago

Thank you for the reply.

My environment is shown below. This access point works with a Pixel 6a (Android 13) and PCs (Ubuntu 22.04 / Windows 11 Pro) using WPA2-Enterprise.

```
host:# cat /usr/local/etc/wifibox/wpa_supplicant/wpa_supplicant.conf
ap_scan=1

network={
    ssid="ishorg-XXXXXXXXX-a"
    scan_ssid=1
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="foo"
    ca_cert="/etc/wpa_supplicant/cacert.pem"
    client_cert="/etc/wpa_supplicant/newcert.pem"
    private_key="/etc/wpa_supplicant/newkey.pem"
    private_key_passwd="password"
}
```

```
wifibox:~# wpa_supplicant -Dnl80211 -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf
Successfully initialized wpa_supplicant
wlan0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=WORLD
wlan0: SME: Trying to authenticate with XX:XX:XX:XX:XX:XX (SSID='ishorg-XXXXXXXX-a' freq=5220 MHz)
wlan0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=COUNTRY alpha2=JP
wlan0: Trying to associate with XX:XX:XX:XX:XX:XX (SSID='ishorg-XXXXXXXX-a' freq=5220 MHz)
wlan0: Associated with XX:XX:XX:XX:XX:XX
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=JP/ST=Tokyo/O=ish/CN=cucumber.ish.org/emailAddress=ishizuka@ish.org' hash=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=JP/ST=Tokyo/L=Suginami/O=ish/CN=gw3.ish.org/emailAddress=ishizuka@ish.org' hash=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
OpenSSL: openssl_handshake - SSL_connect error:0A00014D:SSL routines::legacy sigalg disallowed or unsupported
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: Authentication with XX:XX:XX:XX:XX:XX timed out.
wlan0: CTRL-EVENT-DISCONNECTED bssid=XX:XX:XX:XX:XX:XX reason=3 locally_generated=1
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="ishorg-XXXXXXXXX-a" auth_failures=1 duration=10 reason=AUTH_FAILED
BSSID XX:XX:XX:XX:XX:XX ignore list count incremented to 2, ignoring for 10 seconds
wlan0: CTRL-EVENT-DSCP-POLICY clear_all
```

```
host:# cat newcert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            XX:XX:XX:XX:XX:XX:XX:XX
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=ish, CN=cucumber.ish.org/emailAddress=ishizuka@ish.org
        Validity
            Not Before: Mar  7 08:38:47 2023 GMT
            Not After : Mar  4 08:38:47 2033 GMT
        Subject: C=JP, ST=Tokyo, L=Suginami, O=ish, CN=gw3.ish.org/emailAddress=ishizuka@ish.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    (snip)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                (snip)
            X509v3 Authority Key Identifier:
                keyid: (snip)
    Signature Algorithm: sha256WithRSAEncryption
         (snip)
-----BEGIN CERTIFICATE-----
(snip)
-----END CERTIFICATE-----
```

ish-org commented 1 year ago

Sorry, this is a bug in wpa_supplicant 2.10 with SSL3. My Wi-Fi router (Buffalo WAPM-APG600H) is too old; its internal RADIUS doesn't support TLS 1.2 and uses SSL3. Although this bug was fixed in wap_supplicant 2.10.7, it seems that the latest wpa_supplicant for Alpine is wpa_supplicant-2.10-r4.apk. So I went back to wpa_supplicant-2.9-r17 (with libssl1.1-1.1.1t-r1 and libcrypto1.1-1.1.1t-r1), and it worked fine. Another solution is to use an external RADIUS server. I installed FreeRADIUS on a FreeBSD 13.1-R server, and this works fine on wifibox-alpine-iwlwifi-20230213 (wpa_supplicant-2.10-r1.apk).

pgj commented 1 year ago

Thank you very much for tracking down this issue! Although Alpine Linux indeed includes only wpa_supplicant 2.10 (even on edge), Wifibox can independently update the package by providing its own and fix the bug. I could experiment with submitting an update to Alpine Linux (i.e. upstream) first and see how receptive they are. I would leave this ticket open until it is resolved to make other users aware of this discovery.

pgj commented 1 year ago

@ish-org I have checked the home page of WPA Supplicant and the latest release is 2.10. I could not find any further minor version, such as 2.10.7 as you suggested in your earlier comment. You actually wrote wap_supplicant but I guess you meant wpa_supplicant. Nevertheless I believe you that the fix for the named bug has been published but I would like to ask for your help in extracting the related patch from the wpa_supplicant git repository to ship that with Wifibox.

pgj commented 1 year ago

@ish-org for your information, I have pushed an update to wifibox-alpine where the wpa_supplicant build configuration has been changed. I am not sure if this helps with your problem, but it may be worth a try.

pgj commented 1 year ago

@ish-org could you please answer?

ish-org commented 1 year ago

Thank you, and sorry for the late reply. Unfortunately, this does not work for SSL3. To enable SSL3, wpa_supplicant must link against libssl1.1 and libcrypto1.1. wpa_supplicant-2.10-r2.apk doesn't use them.

P.S. wpa_supplicant-2.10-r2 seems to handle WPA-EAP-SUITE-B and WPA-EAP-SUITE-B-192. This is necessary to use WPA3-Enterprise, but I cannot connect with WPA3-Enterprise. My settings may be wrong.

pgj commented 1 year ago

@ish-org could you please elaborate on your comment about the WPA Supplicant upstream fix for your problem? I would like to include this in the Wifibox Alpine image, but I do not know where to find it.

ish-org commented 1 year ago

I'm not an expert either, but I think the following information will be helpful.

https://bbs.archlinux.org/viewtopic.php?id=281039
https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267

pgj commented 1 year ago

Many thanks for the hint, that is exactly what I needed! I created an updated version (r3) of the wpa_supplicant 2.10 package that you can try with the 20230326 version of wifibox-alpine.

ish-org commented 1 year ago

Thank you very much. I'm very busy now, so I'll try it later.

ish-org commented 1 year ago

Great! wifibox-alpine-20230326 works fine with SSL3.

P.S. It still can't connect with WPA3-Enterprise 192-bit security. The following is my wpa_supplicant.conf.

```
network={
    ssid="XXXXX"
    proto=RSN
    key_mgmt=WPA-EAP-SUITE-B-192
    pairwise=GCMP-256
    group_mgmt=BIP-GMAC-256
    pairwise=GCMP-256
    group=GCMP-256
    group_mgmt=BIP-GMAC-256
    eap=TLS
    identity="xxx"
    ca_cert="/etc/wpa_supplicant/cacert.pem"
    private_key="/etc/wpa_supplicant/bundle.p12"
    private_key_passwd="xxxxxxxxx"
    openssl_ciphers="SUITEB192"
    ieee80211w=2
}
```

```
wifibox:~# wpa_supplicant -Dnl80211 -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf
Successfully initialized wpa_supplicant
wlan0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=WORLD
wlan0: SME: Trying to authenticate with xx:xx:xx:xx:xx:xx (SSID='XXXXXXXXX' freq=5260 MHz)
wlan0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=COUNTRY alpha2=JP
wlan0: Trying to associate with xx:xx:xx:xx:xx:xx (SSID='XXXXXXXXX' freq=5260 MHz)
wlan0: Associated with xx:xx:xx:xx:xx:xx
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: CTRL-EVENT-DISCONNECTED bssid=xx:xx:xx:xx:xx:xx reason=23
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="XXXXXXXXX" auth_failures=1 duration=10 reason=AUTH_FAILED
BSSID xx:xx:xx:xx:xx:xx ignore list count incremented to 2, ignoring for 10 seconds
```

Perhaps I missed enabling the SUITEB192 cipher in OpenSSL, but I don't know the right way.

ish-org commented 1 year ago

It seems that it can't connect via WPA3-Enterprise due to incorrect settings in wpa_supplicant.conf. On Ubuntu, although I can connect via WPA3-Enterprise with nmcli settings, after 'systemctl mask wpa_supplicant' and a reboot so that the nmcli settings are not used, I can't connect with this wpa_supplicant.conf; the same error occurred. Can somebody tell me the right settings for wpa_supplicant.conf?

ish-org commented 1 year ago

Finally, I can connect via WPA3-Enterprise on wifibox-alpine-iwlwifi-20230326 by removing 'openssl_ciphers="SUITEB192"' from wpa_supplicant.conf. Sorry for worrying you.
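As an added example (not code from the wifibox project or from anyone in this thread), a small Python linter for the network block posted earlier: it flags the repeated `pairwise`/`group_mgmt` lines, checks for the cipher settings that the working Suite B 192-bit config uses, and flags the `openssl_ciphers` line whose removal made the connection work. The sample block is constructed from the config in the thread, and the required-setting table is taken from that working config rather than from the wpa_supplicant documentation.

```python
import re

# Constructed sample (not copied verbatim from the page): the thread's WPA3-Enterprise
# 192-bit block, keeping its repeated keys and the openssl_ciphers line it had to drop.
SAMPLE_CONF = """
network={
    ssid="XXXXX"
    key_mgmt=WPA-EAP-SUITE-B-192
    pairwise=GCMP-256
    group_mgmt=BIP-GMAC-256
    pairwise=GCMP-256
    group=GCMP-256
    group_mgmt=BIP-GMAC-256
    eap=TLS
    openssl_ciphers="SUITEB192"
    ieee80211w=2
}
"""

# Cipher settings the thread's working config pairs with WPA-EAP-SUITE-B-192.
SUITE_B_192 = {"pairwise": "GCMP-256", "group": "GCMP-256",
               "group_mgmt": "BIP-GMAC-256", "ieee80211w": "2"}


def parse_networks(text):
    """Return one list of (key, value) pairs per network={...} block."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        pairs = []
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop trailing comments
            if "=" in line:
                key, val = line.split("=", 1)
                pairs.append((key.strip(), val.strip().strip('"')))
        blocks.append(pairs)
    return blocks


def lint_network(pairs):
    """Return findings for one network block, in the order they are found."""
    findings, conf = [], {}
    for key, val in pairs:
        if key in conf:
            findings.append(f"duplicate key {key}; keep a single line")
        conf[key] = val
    if conf.get("key_mgmt") == "WPA-EAP-SUITE-B-192":
        for key, want in SUITE_B_192.items():
            if conf.get(key) != want:
                findings.append(f"Suite B 192 needs {key}={want}")
        if "openssl_ciphers" in conf:
            findings.append("drop openssl_ciphers; removing it fixed the thread's WPA3 connection")
    return findings
```

Run it against the host-side copy of the config (the file under /usr/local/etc/wifibox/wpa_supplicant/ in this thread) before rebooting the guest, so a stray duplicate or cipher override is caught without another round of association failures.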

pgj commented 1 year ago

No problem. Thanks for the confirmation! That said, I am closing this ticket.