-
1. Re: console: join_ent test peap failure
I got confused while reading the code:
Looking at the implementation:
join_ent()
....
besl_supplicant_start() success then...
wifi_join()
wiced_network_up()
wiced_join_ap()
wiced_join_ap_specific()
The part reading ap->security_key_length, ap->security_key from DCT (in wiced_join_ap()) is very strange for
enterprise security because there is no valid security_key_length/security_key setting in DCT at all.
-
2. Re: console: join_ent test peap failure
GauravS_31
Sep 1, 2017 5:51 AM
CYW4343W and CYW43438 support enterprise security. Please post the scan results containing LAB-ENT-TEST.
-
3. Re: console: join_ent test peap failure
grsr wrote:
CYW4343W and CYW43438 support enterprise security. Please post the scan results containing LAB-ENT-TEST.
Good to know that. I will post scan result after I back to office.
Can you explain the question I mentioned in this thread about the join_ent() process?
It looks does not make sense to me that it calls wiced_join_ap() which read security_key/key_length from DCT and pass it to wiced_join_ap_specific(). comments?
-
4. Re: console: join_ent test peap failure
GauravS_31
Sep 1, 2017 7:14 AM
1 of 1 people found this helpfulThe function wifi_join() is common to both commands "join" and "join_ent". In case of "join_ent", the function is called as wifi_join( ssid, strlen(ssid), auth_type, NULL, 0, NULL, NULL, NULL ) which means that key points to NULL and key_length=0. Within wifi_join(), the DCT is modified as per the information specified in the parameters of function wifi_join() before calling wiced_network_up(). Which means that security_key=NULL and key_length=0 should be read from DCT during wiced_join_ap() if I interpreted correctly. Now coming to your question, I believe wifi_join() (and consequently the code section in wiced_join_ap()) has been used in "join" and "join_ent" to re-use the code to connect to the AP. For enterprise security, NULL and 0 will be used for those parameters. For non-enterprise security, the appropriate parameters in "join" command will be used.
-
5. Re: console: join_ent test peap failure
grsr wrote:
The function wifi_join() is common to both commands "join" and "join_ent". In case of "join_ent", the function is called as wifi_join( ssid, strlen(ssid), auth_type, NULL, 0, NULL, NULL, NULL ) which means that key points to NULL and key_length=0. Within wifi_join(), the DCT is modified as per the information specified in the parameters of function wifi_join() before calling wiced_network_up(). Which means that security_key=NULL and key_length=0 should be read from DCT during wiced_join_ap() if I interpreted correctly. Now coming to your question, I believe wifi_join() (and consequently the code section in wiced_join_ap()) has been used in "join" and "join_ent" to re-use the code to connect to the AP. For enterprise security, NULL and 0 will be used for those parameters. For non-enterprise security, the appropriate parameters in "join" command will be used.
Your reading seems wrong.
join_ent()
wifi_join( ssid, strlen(ssid), auth_type, NULL, 0, NULL, NULL, NULL )
for enterprise AP, wifi_join does not save credentials. it only saves SSID.
The key and key_length parameters are not used at all in wifi_join() for enterprise AP case.
Then wiced_network_up() -> wiced_join_ap() calls
result = wiced_join_ap_specific( &ap->details, ap->security_key_length, ap->security_key );
the ap->security_key_length is not 0 and ap->security_key is never null because it's address of an array.
I know it because I print it while testing, it shows the default CLIENT_AP_PASSPHRASE.
You can add below in the begin of wiced_join_ap_specific() to verify:
WPRINT_WICED_INFO(("Key %u: %s\n", (unsigned) security_key_length, security_key));
-
6. Re: console: join_ent test peap failure
GauravS_31
Sep 8, 2017 4:58 AM
1 of 1 people found this helpfulSo the security key and key length are getting saved in DCT only for non-enterprise AP which is why the default values were read from DCT.
if ( ( auth_type & ENTERPRISE_ENABLED ) == 0 )
{
/* Save credentials for non-enterprise AP */
memcpy((char*)dct_wifi_config->stored_ap_list[0].security_key, (char*)key, MAX_PASSPHRASE_LEN);
dct_wifi_config->stored_ap_list[0].security_key_length = key_length;
}
This means that in enterprise security, wiced_join_ap() calls wiced_join_ap_specific( &ap->details, ap->security_key_length, ap->security_key ) But if you keep going further into wwd_wifi_prepare_join(), security_key and security_key_length are not used for enterprise security if you check case WICED_SECURITY_WPA_AES_ENT, only a break statement is written.
-
7. Re: console: join_ent test peap failure
Below is my testing AP info:
Cell 12 - Address: BA:55:10:CF:AA:D0
Channel:8
Frequency:2.447 GHz (Channel 8)
Quality=70/70 Signal level=-23 dBm
Encryption key:on
ESSID:"LAB-ENT-TEST"
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
24 Mb/s; 36 Mb/s; 54 Mb/s
Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s
Mode:Master
Extra:tsf=00000000bddd945a
Extra: Last beacon: 3548ms ago
IE: Unknown: 000C4C41422D575053322D454E54
IE: Unknown: 010882840B162430486C
IE: Unknown: 030108
IE: Unknown: 2A0100
IE: Unknown: 2F0100
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : CCMP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : 802.1x
IE: Unknown: 32040C121860
IE: Unknown: 2D1AFC191BFFFF000000000000000000000000000000000000000000
IE: Unknown: 3D1608080000000000000000000000000000000000000000
IE: Unknown: 4A0E14000A002C01C800140005001900
IE: Unknown: 7F0101
IE: Unknown: DD090010180200F02C0000
IE: Unknown: DD180050F2020101000003A4000027A4000042435E0062322F00
In wiced_join_events_handler, I got below events:
WLC_E_AUTH (3)
WLC_E_LINK (16)
WLC_E_SET_SSID (0)
In wwd_wifi_check_join_status(), my code run into below case:
case JOIN_AUTHENTICATED | JOIN_LINK_READY | JOIN_SSID_SET :
return WWD_NOT_KEYED;
That is the reason it fails with 1007 (WWD_NOT_KEYED).
So wwd_wifi_is_ready_to_transceive( (wwd_interface_t) event_header->interface ) fails.
Compare WWD_NOT_KEYED and WWD_SUCCESS, it looks like JOIN_SECURITY_COMPLETE is missed.
Any idea?
-
8. Re: console: join_ent test peap failure
GauravS_31
Sep 24, 2017 10:35 PM
Please share Wireshark logs for analysis.
-
9. Re: console: join_ent test peap failure
I have problem to capture the wireshark log to debug this, it seems does not
capture all packets.
But I use radsniff to get the debug log on freeRADIUS server.
Attached 2 log files:
log-wiced-err is the log using wiced device to join the AP.
log-iphone-ok is the log using iphone to join the AP.
From log-wiced-err, it never reach Access-Accept state and the join_ent returns 1007 error.
From log-iphone-ok, the end of log shows Access-Accept and the join success.
-
10. Re: console: join_ent test peap failure
Here is FreeRADIO debug log:
Connect using wiced device: (join AP failure)
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 154
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< Unknown TLS version [length 0005]
[peap] <<< Unknown TLS version [length 0095]
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> Unknown TLS version [length 0031]
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> Unknown TLS version [length 02c0]
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> Unknown TLS version [length 020f]
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> Unknown TLS version [length 0004]
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] TLS_accept: Need to read more data: unknown state
[peap] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
connect using iphone: (join AP ok)
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< Unknown TLS version [length 0005]
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] <<< Unknown TLS version [length 0005]
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< Unknown TLS version [length 0005]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
-
11. Re: console: join_ent test peap failure
GauravS_31
Oct 8, 2017 11:09 PM
When join_ent was tested with IAS radius server using PEAP and EAP-TLS, there was an association failure. A ticket had been raised on this issue and it is still being worked on. Basically this issue is seen because of mismatch in TLS versions of client and server. You need to check if this mismatch is seen in your test also. I can see >>> Unknown TLS version in the logs.
-
12. Re: console: join_ent test peap failure
I still hit Join result 1007 while testing peap with join_ent on SDK-6.0.0.
The same error was also reported by particle community: (see the latest post)
https://community.particle.io/t/setting-up-photon-p1-on-wpa-enterprise-0-7-0/34167/25
-
13. Re: console: join_ent test peap failure
Test again on sdk-6.0.0 and found some difference with ThreadX v.s. FreeRTOS.
Both test fails, but fails at different place:
With ThreadX build:
> join_ent LAB-WPA2-ENT peap bob hello wpa2␍␊
Joining : LAB-WPA2-ENT␍␊
Failed to join : LAB-WPA2-ENT␍␊
Joining : LAB-WPA2-ENT␍␊
Failed to join : LAB-WPA2-ENT␍␊
Joining : LAB-WPA2-ENT␍␊
Failed to join : LAB-WPA2-ENT␍␊
Join result 1007: ␍␊
Error setting supplicant event handler 2␍␊
De-init supplicant␍␊
After join_ent
Attached log shows Access-Accept at the end of the log.
With FreeRTOS build:
> join_ent LAB-WPA2-ENT peap bob hello wpa2␍␊
Joining : LAB-WPA2-ENT␍␊
Failed to join : LAB-WPA2-ENT␍␊
Joining : LAB-WPA2-ENT
(Sometime stuck here, sometimes got Join result 1007)
Attached log shows Access-Challenge at the end of the log.
-
14. Re: console: join_ent test peap failure
GauravS_31
Oct 31, 2017 2:11 AM
It appears that the TLS version used by your server is v1.0. SDK 6.0 has included compatibility for TLSv1.0 and TLSv1.1. Go to include/wiced_defaults.h and adjust the value of both WICED_TLS_MINOR_VERSION_MIN and WICED_TLS_MINOR_VERSION_MAX as per the appropriate TLS version. The TLS version is set in \mbedtls_open\include\mbedtls\config.h as shown below:
#if (WICED_TLS_MINOR_VERSION_MIN == 0)
#define MBEDTLS_SSL_PROTO_TLS1 /* TLSv1_0 */
#endif
#if ( ((WICED_TLS_MINOR_VERSION_MIN <= 1) && (WICED_TLS_MINOR_VERSION_MAX >= 1)) )
#define MBEDTLS_SSL_PROTO_TLS1_1 /* TLSv1_1 */
#endif
#if ( ((WICED_TLS_MINOR_VERSION_MIN <= 2) && (WICED_TLS_MINOR_VERSION_MAX >= 2)) )
#define MBEDTLS_SSL_PROTO_TLS1_2 /* TLSv1_2 */
#endif