Looking at the logs of EAP_TLSv1.2, it appears that the TLS handshake is failing. I could see "! mbedtls_ssl_handshake returned -0x138b" in the logs, but at another place I saw error code -0xffffbcf0. The wiced_join_status=0x16 in the TLSv1.2 logs indicates that the JOIN_SECURITY_COMPLETE flag is 0. Please check with Wireshark whether the handshake is completing and whether there are any problems with the EAP handshake, and attach the Wireshark logs if there are any. Let us know the RADIUS server for reference. Is this issue replicated with another Wi-Fi chip?
Yes, in that log the TLS handshake fails but that is after the 1st attempt appears to complete ok (line 61)
Then line 63 shows the error:
wiced_join_events_handler: event_type=0x2e status=0x105 reason=0x20e wiced_join_status=0x16
event = WLC_E_PSK_SUP status = WLC_SUP_KEYXCHANGE reason = WLC_E_SUP_DEAUTH
Appears to be an error with receiving the PMK?
whereas the TLS1.1 returns:
wiced_join_events_handler: event_type=0x2e status=0x106 reason=0x200 wiced_join_status=0x16
event = WLC_E_PSK_SUP status = WLC_SUP_KEYED reason = WLC_E_SUP_OTHER
which completes and acquires an IP address.
I included 2 new captures without the retries after the failure.
Running a Windows Network Policy Server.
I still have to figure out how to capture the EAP handshake on a Windows machine.
Do you run the wireshark capture on the server?
I did connect with a Wi-Fi Nano USB adapter on my desktop but not sure what level of TLS it connected with.
I will force the server to TLS1.2 only and check again.
I verified that the EDiMax WiFi Nano does connect to the Network Policy Server with TLS 1.2 (both EAP-TLS and EAP-PEAP). Included the Wireshark captures taken using AirPcap.
Included the debug .txt and Wireshark captures of the failing WICED ISM43362 device for both EAP-PEAP and EAP-TLS (TLSv1.2).
EAP-PEAP fails with all levels of TLSv1.0, TLSv1.1, and TLSv1.2
Not sure but only issue I see is after TLS completes Server sends App Data ID=7 then App Data ID=8 without a response to App Data ID=7?
EAP-TLS only fails with TLSv1.2, WICED device does not respond to the Key message?
I am using the same set of certificates\username\password for the WICED device and the EDiMax.
The wireshark capture file name has the mac address of the wifi device to filter with.
Resolved the problem we are having with the BESL supplicant export of the MSK. Could not connect with security WPA2, enterprise mode, methods EAP-TLS and EAP-PEAP with TLSv1.2 to a 2018 Network Policy Server. Fixed the issue by replacing the security key returned by the BESL supplicant with the MSK key we calculate in mbedtls_ssl_derive_keys(). Included the two modified files besl_host.c and ssl_tls.c; search for #ifdef FIX_PMK_TLS to find the changes.
Can you look into the calculation of the key returned to the host by the besl supplicant?
Calculated the MSK key according to EAP-TLS RFC 5216 (section 2.3):
EAP-TLS derives exported keying material and parameters as follows:

    Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
                               client.random || server.random)
    MSK          = Key_Material(0,63)
    EMSK         = Key_Material(64,127)
    IV           = TLS-PRF-64("", "client EAP encryption",
                              client.random || server.random)
Running WICED SDK6.2.1:
Starting WICED vWiced_006.002.001.0002
[wiced_platform_init]Platform DPM3_ISM43362_M3G_L44 initialised
[wiced_rtos_init]Started ThreadX v5.8
[wiced_network_init]Initialising NetX_Duo v5.10_sp3
[wiced_network_init]Creating Packet pools
[wiced_wlan_connectivity_init]WLAN MAC Address : C4:7F:51:02:E2:B3
[wiced_wlan_connectivity_init]WLAN Firmware : wl0: May 16 2018 00:27:03 version 22.214.171.124 FWID 01-5849
EAP_MSK_Fix.zip 54.8 K
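The RFC 5216 export quoted in the post above, as an added example that is not part of the original posts and not the WICED/BESL or mbedTLS code: a Python implementation of the EAP-TLS key export with both the TLS 1.2 PRF (a single P_SHA256, RFC 5246 section 5) and the TLS 1.0/1.1 PRF (P_MD5 XOR P_SHA1 over the two halves of the secret, RFC 2246/4346 section 5). "TLS-PRF-128" and "TLS-PRF-64" in the RFC mean 128 and 64 bytes of output. The master secret and the client/server randoms are constructed sample values; the function and constant names are my own. The RADIUS server derives the same MSK from the same master secret and randoms, and WPA2-Enterprise hands the first 32 bytes of the MSK to the 4-way handshake as the PMK, so a supplicant that exports the MSK with a PRF other than the one for the negotiated TLS version produces a PMK the authenticator cannot match; running both PRFs on the same inputs shows that they do not agree.

```python
import hmac

# Label fixed by RFC 5216 section 2.3 for EAP-TLS key export.
EAP_TLS_LABEL = b"client EAP encryption"

# Constructed sample inputs (not taken from any real session or capture).
SAMPLE_MASTER_SECRET = bytes(range(48))      # TLS master_secret is 48 bytes
SAMPLE_CLIENT_RANDOM = bytes([0x11] * 32)    # ClientHello.random
SAMPLE_SERVER_RANDOM = bytes([0x22] * 32)    # ServerHello.random


def p_hash(hash_name, secret, seed, length):
    """P_<hash> data expansion (RFC 5246 section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
    truncated to `length` bytes."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls12(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246): one P_<hash> over label || seed.
    SHA-256 for all suites defined in RFC 5246; suites whose name ends in
    _SHA384 (e.g. AES-256-GCM suites from RFC 5289) use SHA-384 instead."""
    return p_hash(hash_name, secret, label + seed, length)


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 2246 / RFC 4346): P_MD5(S1) XOR P_SHA1(S2),
    where S1 is the first half of the secret and S2 the last half; the
    halves share one byte when the secret length is odd."""
    half = (len(secret) + 1) // 2
    s1 = secret[:half]
    s2 = secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def eap_tls_export(master_secret, client_random, server_random, tls_version=(3, 3)):
    """RFC 5216 section 2.3 key export. tls_version is the negotiated
    (major, minor): (3,1) = TLS 1.0, (3,2) = TLS 1.1, (3,3) = TLS 1.2.
    The PRF must be the one belonging to the negotiated version, because
    the EAP server derives the MSK independently from the same inputs."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("client.random and server.random are 32 bytes each")
    prf = prf_tls12 if tls_version >= (3, 3) else prf_tls10
    seed = client_random + server_random
    key_material = prf(master_secret, EAP_TLS_LABEL, seed, 128)
    iv = prf(b"", EAP_TLS_LABEL, seed, 64)  # empty secret, as in the RFC
    return {
        "MSK": key_material[:64],    # Key_Material(0,63): sent to the authenticator
        "EMSK": key_material[64:],   # Key_Material(64,127): stays on peer and server
        "IV": iv,
    }


def wpa2_pmk_from_msk(msk):
    """WPA2-Enterprise takes the first 256 bits of the MSK as the PMK that
    feeds the 4-way handshake (IEEE 802.11 pairwise key hierarchy)."""
    return msk[:32]


def sample_keys(tls_version):
    """Run the export on the constructed sample inputs for one TLS version."""
    return eap_tls_export(SAMPLE_MASTER_SECRET, SAMPLE_CLIENT_RANDOM,
                          SAMPLE_SERVER_RANDOM, tls_version)


if __name__ == "__main__":
    for version, name in (((3, 2), "TLS 1.1"), ((3, 3), "TLS 1.2")):
        keys = sample_keys(version)
        print(name, "MSK:", keys["MSK"].hex())
        print(name, "PMK:", wpa2_pmk_from_msk(keys["MSK"]).hex())
```

Comparing the two printed MSKs for the same inputs shows that the TLS 1.1 and TLS 1.2 PRFs give unrelated values, so when checking a supplicant's MSK export against the server (or against the value mbedTLS derives) the negotiated version's PRF is the first thing to confirm.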
Is this still an issue on 6.2.1? I am trying to connect to an EAP-TLS v1.2 SSID. Did they change the output of join_ent? How do you get the more detailed debugging info?
Yes. The issue persists in WICED 6.2.1, but there is a patch available for it here: https://community.cypress.com/thread/35745. To get supplicant debug info, you can uncomment the following macro in wiced_defaults.h:
//#define WPRINT_ENABLE_SECURITY_INFO /* Security stack prints */