wpa2 enterprise not sending NAK at EAP request

[dumarjo]

Basic Infos

• [x ] This issue complies with the issue POLICY doc.
• [x ] I have read the documentation at readthedocs and the issue is not addressed there.
• [x ] I have tested that the issue is present in current master branch (aka latest git).
• [x ] I have searched the issue tracker for a similar issue.
• [x ] If there is a stack dump, I have decoded it.
• [x ] I have filled out all fields below.

Platform

• Hardware: [ESP-8266-wroom2d]
• Core Version: [SDK:3.0.0-dev(c0f7b44)/Core:2.5.2-108-ge77f96c3=20502108/lwIP:STABLE-2_1_2_RELEASE/glue:1.1-8-g2314329/BearSSL:89454af]
• Development Env: [Arduino IDE]
• Operating System: [Windows]

Settings in IDE

• Module: [OLIMEX-MOD-WIFI]
• lwip Variant: [v2 Lower Memory]
• Flash Frequency: [40Mhz]
• CPU Frequency: 80Mhz
• Upload Using: SERIAL
• Upload Speed: 115200

Problem Description

I cannot connect to a customer PEAP-mschapV2 WIFI setup. The setup is in a big school that use a microsoft redius server to do the authentification. I can connect with my pc without problem.

I did some packet sniffing to check the difference and it's look like the esp8266 don't refuse the eap authentification and respond to the server like it was on PEAP challenge.

here a screenshot of wireshark connection from the esp8266 and from my pc

MCVE Sketch

#include <ESP8266WiFi.h>

extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}

// SSID to connect to
static const char* ssid = "MySSID";
// Username for authentification
static const char* username = "myUserName";
// Password for authentication
static const char* password = "myPassword";

void setup() {
  // put your setup code here, to run once:
  Serial.begin(115200);
  
  // Setting ESP into STATION mode only (no AP mode or dual mode)
  wifi_set_opmode(STATION_MODE);
  
  struct station_config wifi_config;
  
  memset(&wifi_config, 0, sizeof(wifi_config));
  strcpy((char*)wifi_config.ssid, ssid);
  
  wifi_station_set_config(&wifi_config);
  
  wifi_station_clear_cert_key();
  wifi_station_clear_enterprise_ca_cert();
  wifi_station_clear_enterprise_identity();
  wifi_station_clear_enterprise_username();
  wifi_station_clear_enterprise_password();
  wifi_station_clear_enterprise_new_password();
  
  wifi_station_set_wpa2_enterprise_auth(1);
  wifi_station_set_enterprise_identity((uint8*)username, strlen(username));
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));

  
  wifi_station_connect();

  Serial.print("Status: ");
  Serial.println(wifi_station_get_connect_status());
  
  // Wait for connection AND IP address from DHCP
  Serial.println();
  Serial.println("Waiting for connection and IP Address from DHCP");
  while (WiFi.status() != WL_CONNECTED) {
  Serial.println(WiFi.status());
  delay(2000);
  Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
}

void loop() {
}

Debug Messages

SDK:3.0.0-dev(c0f7b44)/Core:2.5.2-108-ge77f96c3=20502108/lwIP:STABLE-2_1_2_RELEASE/glue:1.1-8-g2314329/BearSSL:89454af
WPA2 ENTERPRISE VERSION: [v2.0] enable
Status: 1

Waiting for connection and IP Address from DHCP
6
wifi evt: 8
wifi evt: 2
.6
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1
cnt 
EAP-MSCHAPV2: RX identifier 2 mschapv2_id 2
EAP-MSCHAPV2: Generate Challenge Response
.6
.6
.
pm open,type:2 0
.6

state: 5 -> 0 (2)
rm 0
pm close 7
reconnect
wifi evt: 1
STA disconnect: 204
.4
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1
cnt 
EAP-MSCHAPV2: RX identifier 2 mschapv2_id 2
EAP-MSCHAPV2: Generate Challenge Response
.4
.4

Is there any settings that i can change to force the PEAP mode instead of EAP ?

Regards

Jonathan

[d-a-v]

We don't know.
Ask on nonos-sdk repository.
Or better on rtos-sdk (esp32-s2 is out, so its WiFi must be certified, so their engineers can work on that :).

[devyte]

wpa2 enterprise isn't officially supported by our core. There are unofficial examples out there that sometimes work under specific cases. The underlying implementation is provided by the Espressif NONOS SDK, not by our core. Until we can get fully working wpa2 enterprise examples from Espressif, and actually characterize the conditions under which they work, we can't really offer support.
Closing.