Failing EAP-TLSv1.2 on WICED 6.0 after Handshake completes


LeWi_2227251
Level 3

Using join_ent test application on the 43362 platform:

Platform DPM3_ISM43362_M3G_L44 initialised

Initialising NetX_Duo v5.7_sp2

Creating Packet pools

WLAN MAC Address : C4:7F:51:01:6A:E9

WLAN Firmware    : wl0: Oct 23 2017 09:31:05 version 5.90.230.22 FWID 01-303030

Console app

> join_ent it-test eap_tls wpa2

Trying to connect using Enterprise EAP-TLS. It works for TLSv1.0 and TLSv1.1. TLSv1.2 appears to complete the handshake, then receives the following event, WLC_E_DEAUTH_IND, and starts the connection again:

wiced_join_events_handler: event_type=0x2e status=0x105 reason=0x20e wiced_join_status=0x16

wiced_join_events_handler: Waiting Key Exchange

wwd_wifi_check_join_status: wiced_join_status=0x16

wiced_join_events_handler: event_type=0x6 status=0x0 reason=0xf wiced_join_status=0x16

wwd_wifi_check_join_status: wiced_join_status=0x14

wiced_join_events_handler: event_type=0x3 status=0x0 reason=0x0 wiced_join_status=0x14

wwd_wifi_check_join_status: wiced_join_status=0x16

wiced_join_events_handler: event_type=0x10 status=0x0 reason=0x0 wiced_join_status=0x16

Any reason why it is receiving an error event after completing the handshake?

I have included logs for both TLSv1.1 and TLSv1.2.

Regards,

Leif

0 Likes

8 Replies
AxLi_1746341
Level 7

Add grsr

The result is similar to my PEAP test with ThreadX, TLS1.0/1.1 works but TLS1.2 fails.

0 Likes
GauravS_31
Moderator

Looking at the logs of EAP_TLSv1.2, it appears that the TLS handshake is failing. I could see "! mbedtls_ssl_handshake returned -0x138b" in the logs, but at another place I saw error code -0xffffbcf0. The wiced_join_status=0x16 in the TLSv1.2 logs indicates that the JOIN_SECURITY_COMPLETE flag is 0. Please check with Wireshark if the handshake is completing and if there are any problems with the EAP handshake, and attach the Wireshark logs if there are any. Let us know the RADIUS server for reference. Is this issue replicated with another Wi-Fi chip?

0 Likes

Yes, in that log the TLS handshake fails, but that is after the 1st attempt appears to complete OK (line 61).

Then line 63 shows the error:

wiced_join_events_handler: event_type=0x2e status=0x105 reason=0x20e wiced_join_status=0x16

event = WLC_E_PSK_SUP  status = WLC_SUP_KEYXCHANGE  reason = WLC_E_SUP_DEAUTH

Appears to be an error with receiving the PMK?

whereas the TLS1.1 returns:

wiced_join_events_handler: event_type=0x2e status=0x106 reason=0x200 wiced_join_status=0x16

event = WLC_E_PSK_SUP  status = WLC_SUP_KEYED  reason = WLC_E_SUP_OTHER

which completes and acquires an IP address.

I included 2 new captures without the retries after the failure.

Running a Windows Network Policy Server.

I still have to figure out how to capture the EAP handshake on a Windows machine.

Do you run the wireshark capture on the server?

I did connect with a Wi-Fi Nano USB adapter on my desktop but not sure what level of TLS it connected with.

I will force the server to TLS1.2 only and check again.


I verified that the EDiMax WiFi Nano does connect to the Network Policy Server with TLS 1.2 (both EAP-TLS and EAP-PEAP) and included the Wireshark captures made using AirPcap.

Included the debug .txt and Wireshark captures of the failing WICED ISM43362 device for both EAP-PEAP and EAP-TLS (TLSv1.2).

EAP-PEAP fails with all levels of TLS: TLSv1.0, TLSv1.1, and TLSv1.2.

Not sure, but the only issue I see is that after TLS completes the server sends App Data ID=7 and then App Data ID=8 without a response to App Data ID=7?

EAP-TLS only fails with TLSv1.2; the WICED device does not respond to the Key message?

I am using the same set of certificates\username\password for the WICED device and the EDiMax.

The Wireshark capture file name has the MAC address of the Wi-Fi device to filter with.


Resolved the problem we are having with the BESL supplicant export of the MSK. Could not connect with security WPA2, enterprise mode, methods EAP-TLS and EAP-PEAP with TLSv1.2 to a 2018 Network Policy Server. Fixed the issue by replacing the security key returned by the BESL supplicant with the MSK key we calculate in mbedtls_ssl_derive_keys(). Included the two modified files besl_host.c and ssl_tls.c; search for #ifdef FIX_PMK_TLS to find the changes.

Can you look into the calculation of the key returned to the host by the besl supplicant?

Calculated the MSK key according to EAP-TLS RFC 5216.

EAP-TLS derives exported keying material and parameters as follows:

Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
                           client.random || server.random)
MSK          = Key_Material(0,63)
EMSK         = Key_Material(64,127)
IV           = TLS-PRF-64("", "client EAP encryption",
                          client.random || server.random)

Running WICED SDK6.2.1:

Starting WICED vWiced_006.002.001.0002

  [wiced_platform_init]Platform DPM3_ISM43362_M3G_L44 initialised

  [wiced_rtos_init]Started ThreadX v5.8

  [wiced_network_init]Initialising NetX_Duo v5.10_sp3

  [wiced_network_init]Creating Packet pools

  [wiced_wlan_connectivity_init]WLAN MAC Address : C4:7F:51:02:E2:B3

  [wiced_wlan_connectivity_init]WLAN Firmware    : wl0: May 16 2018 00:27:03 version 5.90.230.31 FWID 01-5849

0 Likes
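As an added example (not code from this thread, nor from WICED, BESL or mbed TLS), here is the RFC 5216 derivation quoted in the post above written out in Python with the TLS 1.2 PRF from RFC 5246, run on constructed inputs. It also includes the TLS 1.0/1.1 PRF to show that the same master_secret and randoms give different Key_Material under the two PRFs (P_SHA256 in TLS 1.2 versus the MD5/SHA-1 construction of earlier versions), so the exported MSK, and the PMK taken from its first 32 bytes, must be derived with the PRF of the TLS version actually negotiated.

```python
import hmac

def p_hash(hash_name, secret, seed, length):
    """P_<hash>(secret, seed) from RFC 5246 section 5, expanded to `length` bytes."""
    out, a = b"", seed                                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()         # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def tls12_prf(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed).
    A cipher suite may mandate a stronger hash; SHA-256 is the default."""
    return p_hash(hash_name, secret, label + seed, length)

def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 2246 / RFC 4346): P_MD5 over the first half of the
    secret XORed with P_SHA1 over the second half (halves overlap if odd length)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5 = p_hash("md5", s1, label + seed, length)
    sha1 = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))

EAP_TLS_LABEL = b"client EAP encryption"

def eap_tls_keys(master_secret, client_random, server_random, tls_version=(3, 3)):
    """RFC 5216 section 2.3 key derivation. Returns (MSK, EMSK, IV).
    tls_version is the (major, minor) protocol version: (3, 3) is TLS 1.2."""
    seed = client_random + server_random                    # client.random || server.random
    prf = tls12_prf if tls_version >= (3, 3) else tls10_prf
    key_material = prf(master_secret, EAP_TLS_LABEL, seed, 128)  # TLS-PRF-128(...)
    msk = key_material[0:64]                                # Key_Material(0,63)
    emsk = key_material[64:128]                             # Key_Material(64,127)
    iv = prf(b"", EAP_TLS_LABEL, seed, 64)                  # TLS-PRF-64("", ...)
    return msk, emsk, iv

# Constructed sample inputs (not from any real session): a 48-byte master secret
# and the two 32-byte handshake randoms, the sizes a TLS handshake produces.
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_CLIENT_RANDOM = bytes([0x11] * 32)
SAMPLE_SERVER_RANDOM = bytes([0x22] * 32)

if __name__ == "__main__":
    args = (SAMPLE_MASTER_SECRET, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    msk12 = eap_tls_keys(*args, tls_version=(3, 3))[0]
    msk11 = eap_tls_keys(*args, tls_version=(3, 2))[0]
    print("TLS 1.2 MSK:", msk12.hex())
    print("TLS 1.1 MSK:", msk11.hex())
    # 802.11i takes the PMK from the first 256 bits of the MSK, so a wrong PRF
    # gives a PMK the AP will not accept and the 4-way handshake fails.
    print("PMK (MSK[0:32]) differs between versions:", msk12[:32] != msk11[:32])
```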
JoSt_3481606
Level 4

Is this still an issue on 6.2.1? I am trying to connect to an EAP-TLS v1.2 SSID. Did they change the output of join_ent? How do you get the more detailed debugging info?

0 Likes

Yes. The issue persists in WICED 6.2.1 but there is a patch available for the same here https://community.cypress.com/thread/35745. To get supplicant debug info, you can uncomment the following macros from wiced_defaults.h:

//#define WPRINT_ENABLE_SECURITY_INFO    /* Security stack prints */
//#define WPRINT_ENABLE_SECURITY_DEBUG
//#define WPRINT_ENABLE_SECURITY_ERROR

grsr

Where do I apply the patch? I'm using the 43907. I have tried root, "wiced", security and the subfolders, and the patch can't match the files.

0 Likes