Using join_ent test application on the 43362 platform:
Platform DPM3_ISM43362_M3G_L44 initialised
Initialising NetX_Duo v5.7_sp2
Creating Packet pools
WLAN MAC Address : C4:7F:51:01:6A:E9
WLAN Firmware : wl0: Oct 23 2017 09:31:05 version 5.90.230.22 FWID 01-303030
Console app
> join_ent it-test eap_tls wpa2
trying to connect using Enterprise EAP-TLS. Works for TLSv1.0 and TLSv1.1. TLSv1.2 appears to complete the handshake, then receives the following event WLC_E_DEAUTH_IND and starts the connection again:
wiced_join_events_handler: event_type=0x2e status=0x105 reason=0x20e wiced_join_status=0x16
wiced_join_events_handler: Waiting Key Exchange
wwd_wifi_check_join_status: wiced_join_status=0x16
wiced_join_events_handler: event_type=0x6 status=0x0 reason=0xf wiced_join_status=0x16
wwd_wifi_check_join_status: wiced_join_status=0x14
wiced_join_events_handler: event_type=0x3 status=0x0 reason=0x0 wiced_join_status=0x14
wwd_wifi_check_join_status: wiced_join_status=0x16
wiced_join_events_handler: event_type=0x10 status=0x0 reason=0x0 wiced_join_status=0x16
Any reason why it is receiving error event after completing the handshake?
I have included logs for both TLSv1.1 and TLSv1.2
Regards,
Leif
Looking at the logs of EAP_TLSv1.2, it appears that the TLS handshake is failing. I could see ! mbedtls_ssl_handshake returned -0x138b in the logs but at another place, I saw error code -0xffffbcf0. The wiced_join_status=0x16 in TLSv1.2 logs indicates that JOIN_SECURITY_COMPLETE flag is 0. Please check with wireshark if the handshake is completing and if there are any problems with EAP handshake and attach the wireshark logs if there are any. Let us know the RADIUS server for reference. Is this issue replicated with another Wi-Fi chip?
Yes, in that log the TLS handshake fails but that is after the 1st attempt appears to complete ok (line 61)
Then line 63 shows the error:
wiced_join_events_handler: event_type=0x2e status=0x105 reason=0x20e wiced_join_status=0x16
event = WLC_E_PSK_SUP status = WLC_SUP_KEYXCHANGE reason = WLC_E_SUP_DEAUTH
Appears an error with receiving the PMK?
whereas the TLS1.1 returns:
wiced_join_events_handler: event_type=0x2e status=0x106 reason=0x200 wiced_join_status=0x16
event = WLC_E_PSK_SUP status = WLC_SUP_KEYED reason = WLC_E_SUP_OTHER
which completes and acquires an IP address.
I included 2 new captures without the retries after the failure.
Running a Windows Network Policy Server.
I still have to figure out how to capture the EAP handshake on a Windows machine.
Do you run the wireshark capture on the server?
I did connect with a Wi-Fi Nano USB adapter on my desktop but not sure what level of TLS it connected with.
I will force the server to TLS1.2 only and check again.
I verified that the EDiMax WiFi Nano does connect to the Network Policy Server with TLS 1.2 (both eap-tls and eap-peap); I included the Wireshark captures taken with AirPcap.
Included the debug .txt and Wireshark captures of the failing WICED ISM43362 device for both EAP-PEAP and EAP-TLS (TLSv1.2).
EAP-PEAP fails with all levels of TLSv1.0, TLSv1.1, and TLSv1.2
Not sure but only issue I see is after TLS completes Server sends App Data ID=7 then App Data ID=8 without a response to App Data ID=7?
EAP-TLS only fails with TLSv1.2, WICED device does not respond to the Key message?
I am using the same set of certificates\username\password for the WICED device and the EDiMax.
The Wireshark capture file name contains the MAC address of the Wi-Fi device to filter with.
Resolved the problem we are having with the BESL supplicant export of the MSK. Could not connect with security WPA2, enterprise mode, methods EAP-TLS and EAP-PEAP with TLSv1.2 to a 2018 Network Policy Server. Fixed the issue by replacing the security key returned by the BESL supplicant with the MSK key we calculate in mbedtls_ssl_derive_keys(). Included the two modified files besl_host.c and ssl_tls.c; search for #ifdef FIX_PMK_TLS to find the changes.
Can you look into the calculation of the key returned to the host by the besl supplicant?
Calculated the MSK key according to EAP TLS RFC5216
EAP-TLS derives exported keying material and parameters as follows:
Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
client.random || server.random)
MSK = Key_Material(0,63)
EMSK = Key_Material(64,127)
IV = TLS-PRF-64("", "client EAP encryption",
client.random || server.random)
Running WICED SDK6.2.1:
Starting WICED vWiced_006.002.001.0002
[wiced_platform_init]Platform DPM3_ISM43362_M3G_L44 initialised
[wiced_rtos_init]Started ThreadX v5.8
[wiced_network_init]Initialising NetX_Duo v5.10_sp3
[wiced_network_init]Creating Packet pools
[wiced_wlan_connectivity_init]WLAN MAC Address : C4:7F:51:02:E2:B3
[wiced_wlan_connectivity_init]WLAN Firmware : wl0: May 16 2018 00:27:03 version 5.90.230.31 FWID 01-5849
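The RFC 5216 derivation quoted above, carried out in code. This is an added example and not the poster's patch, nor code from WICED, BESL or mbed TLS; it implements the TLS 1.2 PRF (P_SHA256, RFC 5246) and, for comparison, the TLS 1.0/1.1 PRF (P_MD5 XOR P_SHA1, RFC 2246), then exports MSK, EMSK and IV and takes the PMK as the first 32 bytes of the MSK as 802.11 does. The master_secret and randoms are constructed sample values, not secrets from any real handshake, and the function and constant names are this example's own.

```python
import hmac

# Label fixed by RFC 5216 section 2.3 for EAP-TLS key export.
EAP_TLS_LABEL = b"client EAP encryption"


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_<hash> data expansion from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls_prf(secret: bytes, label: bytes, seed: bytes, length: int,
            tls_version: tuple = (3, 3)) -> bytes:
    """TLS PRF for the negotiated protocol version.

    TLS 1.2 (3,3): P_SHA256(secret, label || seed)                  (RFC 5246 section 5)
    TLS 1.0/1.1:   P_MD5(S1, label || seed) XOR P_SHA1(S2, label || seed), where S1 and
                   S2 are the first and last ceil(len/2) bytes of secret (RFC 2246 section 5)
    """
    if tls_version >= (3, 3):
        return p_hash("sha256", secret, label + seed, length)
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def eap_tls_keying_material(master_secret: bytes, client_random: bytes,
                            server_random: bytes, tls_version: tuple = (3, 3)) -> dict:
    """RFC 5216 section 2.3 export: MSK, EMSK and IV, plus the PMK handed to 802.11."""
    seed = client_random + server_random
    key_material = tls_prf(master_secret, EAP_TLS_LABEL, seed, 128, tls_version)
    msk = key_material[:64]       # Key_Material(0,63)
    emsk = key_material[64:128]   # Key_Material(64,127)
    iv = tls_prf(b"", EAP_TLS_LABEL, seed, 64, tls_version)  # TLS-PRF-64 with empty secret
    pmk = msk[:32]                # IEEE 802.11: PMK is the first 256 bits of the MSK
    return {"msk": msk, "emsk": emsk, "iv": iv, "pmk": pmk}


def supplicant_key_matches(candidate: bytes, expected: bytes) -> bool:
    """Constant-time comparison of a key reported by a supplicant against the RFC value."""
    return len(candidate) == len(expected) and hmac.compare_digest(candidate, expected)


# Constructed sample inputs (not real handshake secrets): a TLS master_secret is
# 48 bytes, client and server randoms are 32 bytes each.
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_CLIENT_RANDOM = bytes([0x11] * 32)
SAMPLE_SERVER_RANDOM = bytes([0x22] * 32)

if __name__ == "__main__":
    keys = eap_tls_keying_material(SAMPLE_MASTER_SECRET, SAMPLE_CLIENT_RANDOM,
                                   SAMPLE_SERVER_RANDOM)
    for name, value in keys.items():
        print(f"{name.upper():4} ({len(value):3} bytes): {value.hex()}")
    # A supplicant that hands the host only a 32-byte PMK will not match the 64-byte MSK.
    print("pmk == msk ?", supplicant_key_matches(keys["pmk"], keys["msk"]))
```

To check a supplicant's export against this reference, log the master_secret and both randoms from the TLS layer at the point where the keys are derived, run them through eap_tls_keying_material with the negotiated version, and compare the supplicant's returned key with supplicant_key_matches; a mismatch in length alone (32 bytes of PMK versus 64 bytes of MSK) already tells you which value the host was given.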
Is this still an issue on 6.2.1? I am trying to connect to an eap-tls v1.2 SSID. Did they change the output of join_ent? How do you get the more detailed debugging info?
Yes. The issue persists in WICED 6.2.1 but there is a patch available for the same here https://community.cypress.com/thread/35745. To get supplicant debug info, you can uncomment the following macros from wiced_defaults.h:
//#define WPRINT_ENABLE_SECURITY_INFO /* Security stack prints */
//#define WPRINT_ENABLE_SECURITY_DEBUG
//#define WPRINT_ENABLE_SECURITY_ERROR
grsr
Where do I apply the patch? I'm using the 43907. I have tried root, "wiced" security and the subfolders, and the patch can't match the files.