WPA2 Enterprise PEAP outer identity wrong #5
Comments
The same problem as this, and unfortunately no eduroam network for me to test. |
Also, it seems that the authentication info is not persisted, leaving as the only option to have automatic logon to include the username and password in the code. Not good from a security point of view (I'm assuming espressif is using something stronger than ROT13 to store it in flash...) |
In my case the radius server (freeradius) is configured not to care what the anonymous identity is and tests fine with eapol_test using [email protected] via EAP-PEAP. Contents of test.conf:
Test session:
And here is the relevant section from the
When my device attempts to connect it seems to be telling the server it is providing a client certificate, which it is not, as I am using username/password authentication. If I generate a certificate and set it, I still get the same error on the radius server.
This occurs regardless of whether I provide a client certificate or not. The relevant difference here seems to be
Here is my code:
I have also confirmed that
|
Further investigation now shows that this is not a client certificate issue as I had initially thought: the error from freeradius is an error sent by the ESP8266, which is rejecting the server's certificate. Removing the call to |
Seems that the device doesn't support SHA512 certificates! After dropping back to SHA256 the device can now authenticate properly using EAP-PEAP with MSCHAPv2.
|
@gnif Hi, I have tried the SHA256 certificates, but the same issue again. Could you write a tutorial to show how you configure the freeradius not to care what the anonymous identity is and create the CA certificate? In addition, maybe we need to configure authentication with Active Directory to solve the problem of the anonymous identity. |
I am using Freeradius with a Samba AD server, but I believe this is not a requirement in making this work. The > SHA256 certificate issue does not resolve the outer/anonymous identity issue, it is just worth noting that the client will reject the auth on certs with > SHA256. I am not well versed enough on Radius to comment on exactly why my setup is working, but at a guess I would say it is due to the fact that the authentication occurs on the inner-tunnel not the outer/default. |
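The two comments above report that the ESP8266 EAP client accepts a RADIUS server certificate signed with SHA-256 but rejects one signed with anything above it, and that freeradius only logs an opaque error. The script below is an added example (not code from this thread or from Espressif) that reads the outer signatureAlgorithm of a DER or PEM certificate with no third-party library and reports the verdict before the device is ever pointed at the server. The OID table and the minimal DER walker are standard X.509/ASN.1; the sample certificate it builds for the offline demo is a constructed stub (placeholder tbsCertificate, dummy signature), not a real certificate, and the "weak" verdict for SHA-1 signatures is general practice rather than something the thread states.

```python
import base64

# Signature-algorithm OIDs (RFC 4055 / RFC 5758) mapped to (name, digest bits).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", 160),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", 256),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", 384),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", 512),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", 256),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", 384),
    "1.2.840.10045.4.3.4":   ("ecdsa-with-SHA512", 512),
}


def _read_tlv(buf, off):
    """Decode one DER tag-length-value at buf[off]; return (tag, value, next_offset)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                      # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    start = off + hdr
    return tag, buf[start:start + length], start + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def pem_to_der(text):
    """Strip the BEGIN/END armour from a PEM certificate and base64-decode the body."""
    lines = [l.strip() for l in text.splitlines()]
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    return base64.b64decode(body)


def signature_algorithm(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, off = _read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, off)      # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def check_cert(der):
    """Classify the certificate's signature digest for the ESP8266 EAP client."""
    oid = signature_algorithm(der)
    name, bits = SIG_ALG_OIDS.get(oid, (oid, None))
    if bits is None:
        verdict = "unknown"
    elif bits > 256:
        verdict = "reject"    # thread: the ESP8266 refuses server certs signed with > SHA-256
    elif bits == 256:
        verdict = "accept"
    else:
        verdict = "weak"      # SHA-1 signatures: reissue regardless of client support
    return name, verdict


# --- helpers that build a constructed stub certificate for the offline demo ---

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_cert_der(sig_oid):
    """Constructed stub: placeholder tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\xff" * 4)
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                          # real use: python check_cert.py server.pem
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        der = pem_to_der(data.decode()) if data.startswith(b"-----") else data
        print(check_cert(der))
    else:
        for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.13"):
            print(oid, check_cert(sample_cert_der(oid)))
```

Run it against the server certificate freeradius presents (the `certificate_file` in its EAP TLS configuration); a "reject" verdict means the failure will surface on the device, not in the server logs, exactly as the comments above describe.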
@Jostikas @Michel-XU |
@TimXia |
@Michel-XU Do not need to wait for the next version. We will add the API as soon as possible. |
Hi, we have updated the SDK about the WPA2 issue, please have a try with it. Thanks for your interest in ESP8266! |
@FayeY GREAT! Thanks. For SHA-512, simply a sensible error code would be enough to prevent a developer wasting a ton of time like I did trying to figure this one out. For the record the two new API functions added are:
|
@FayeY You are the only one I could find here who seems to be responding to WPA2-Enterprise related stuff. A bunch of us on the Arduino core side have been struggling to get ESP8266 to connect to enterprise networks. Could you please look into the various posts and info we have, so maybe you could guide us correctly? esp8266/Arduino#4698 As per @victorclaessen
Any help would be much appreciated |
Hello, I have the chance to have full access (with logs) to the infamous It does not work here and I think for a simple reason: the ESP is using the
FWIW,
Laconic logs of the radius server of my local network:
So my questions are:
Thanks for your support. Edit: relevant part of the source code (source)
Edit 2: I just realized this is a closed issue. I will create a new one with this same message if it is not reopened within a few days. |
@d-a-v Thanks for this comment. Really insightful. Great to have someone with log access to eduroam. I'm kind of confused now. In my institution, if I understand it correctly (from https://eva.eduroam.nl/help-en-support) we can use either TTLS/PAP or PEAP/MSCHAPv2. And my ESP8266 won't connect so I figure it must be trying another combination. When I set up my own radius server to emulate eduroam (in order to be able to see some logs), I seemed to have the problem that the ESP8266 did not select MSCHAPv2 (as described in my bug report on their bbs [see link above]), but your experience suggests otherwise. |
Maybe the ESP knows only TTLS/MSCHAPv2? Edit: |
Excellent question. Honestly, I am not sure. It was August last year. I'll have to think about how I did it in the first place and see if I can replicate it. |
@d-a-v Thanks for responding. I have access to an eduroam network but not to its logs. Hence I got my own enterprise router TPLINK EAP120. I used an external radius server, and was able to see the logs. Hope you saw my posts, and findings that I posted on esp8266/Arduino#4698. You said
As far as the test codes I tried, I do not see an option to set any of this. Do you mean to set this in the code? or is this something to be set on the router or radius side? I can do more tests if you can provide some info as to where to make those above changes you suggested. I still have all the stuff with me. |
@kapyaar I mean in the code. There seems to be currently no option in the API to select phase1 or phase2 methods. I don't know if they can be automatically selected by protocol, and if so, if the esp does this. I think a new issue should be opened with only the minimum relevant details about all this. |
@d-a-v OK, I see. Yeah, I could not find any reference to setting/selecting methods on the ESP side. Further, I am not well versed in the core terminology of WPA2-Enterprise; I am just playing around on the top layer (user level). It looks like this issue was raised on ESP forums before, as @victorclaessen pointed out. Though an Espressif member responded promising a fix in an upcoming update, that date has passed, an update was released, but there are yet no signs of it addressing this. So my questions are:
Do you know if there is anything newer that I am not aware of that addresses this?
|
@d-a-v Would you be able to open a new issue with just the relevant issues only on this matter as you had suggested? |
As discussed in http://bbs.espressif.com/viewtopic.php?t=2904#p10855 and http://bbs.espressif.com/viewtopic.php?t=2904#p11053,
The current implementation of WPA2-PEAP is incomplete: there is a hardcoded identity ([email protected]) in libwpa2.a that is not replaced with the actual user identity.
For now there's a workaround by editing the libwpa2.a file directly, if the identity is shorter than the default one.
[email protected]
should be replaced with the correct identity, zero-padding the end to 23 bytes.
Also, what do the functions wifi_station_set_enterprise_new_password and wifi_station_clear_enterprise_new_password do? At least for me, once I edited the libwpa2.a file, connecting worked with the functions without _new_, and the network uses MSCHAPv2.
Log from before editing libwpa2.a:
repeat ad infinitum with error code 203
Log after editing libwpa2.a:
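The workaround in the issue text (overwrite the hardcoded identity inside libwpa2.a and zero-pad to the original field length) is easy to get wrong in a hex editor: an identity one byte too long, or a second copy of the string elsewhere in the archive, silently corrupts the library. The script below is an added example, not code from the issue or from Espressif, that performs the edit on a copy of the file with those checks in place. It assumes the default identity is stored as a NUL-terminated C string in a fixed field (the issue gives that field as 23 bytes; the script measures the field from the file instead of hardcoding it). The default identity is redacted on this page, so DEFAULT_IDENTITY below is a placeholder that must be replaced with the string actually present in your libwpa2.a; the demo blob is constructed.

```python
import hashlib
import sys

# Placeholder: the real default identity is redacted on the issue page. Use the
# exact string found in your copy of libwpa2.a (e.g. with `strings libwpa2.a`).
DEFAULT_IDENTITY = b"anonymous@example.invalid"


def read_c_string(blob, off):
    """Return the bytes of the NUL-terminated string starting at blob[off]."""
    end = blob.index(b"\x00", off)
    return blob[off:end]


def patch_identity(blob, default, new):
    """Overwrite the single occurrence of default+NUL with new, zero-padded to the same field length."""
    if not new or b"\x00" in new:
        raise ValueError("identity must be a non-empty string without NUL bytes")
    needle = default + b"\x00"
    count = blob.count(needle)
    if count != 1:                           # refuse to guess which copy is the live one
        raise ValueError(f"expected exactly one occurrence of the default identity, found {count}")
    field_len = len(needle)                  # string plus its terminator
    if len(new) + 1 > field_len:             # the new string and its NUL must fit the old field
        raise ValueError(f"new identity ({len(new)} bytes) does not fit the {field_len - 1}-byte field")
    off = blob.index(needle)
    field = new.ljust(field_len, b"\x00")    # zero-pad so file size and every offset stay unchanged
    patched = blob[:off] + field + blob[off + field_len:]
    assert len(patched) == len(blob) and read_c_string(patched, off) == new
    return patched


def patch_file(src, dst, new_identity, default=DEFAULT_IDENTITY):
    """Patch src into dst (never in place) and return the SHA-256 of both for your build notes."""
    with open(src, "rb") as f:
        blob = f.read()
    patched = patch_identity(blob, default, new_identity)
    with open(dst, "wb") as f:
        f.write(patched)
    return hashlib.sha256(blob).hexdigest(), hashlib.sha256(patched).hexdigest()


def demo_blob():
    """Constructed stand-in for libwpa2.a: ar magic, filler, the identity field, more filler."""
    return b"!<arch>\n" + b"\x00" * 8 + DEFAULT_IDENTITY + b"\x00" + b"\x90" * 16


if __name__ == "__main__":
    if len(sys.argv) == 4:   # python patch_identity.py libwpa2.a libwpa2.patched.a user@realm.invalid
        print(patch_file(sys.argv[1], sys.argv[2], sys.argv[3].encode()))
    else:
        blob = demo_blob()
        out = patch_identity(blob, DEFAULT_IDENTITY, b"user@realm.invalid")
        off = blob.index(DEFAULT_IDENTITY)
        print(out[off:off + len(DEFAULT_IDENTITY) + 1])
```

Keep the original archive and the two hashes the script returns; if a later SDK release replaces libwpa2.a (as the Espressif reply in this thread says it did), the hash comparison tells you immediately whether your patched copy was overwritten.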