Please add PAP for authentication phase 2 (along with MSCHAPV2) · Issue #133 · espressif/ESP8266_NONOS_SDK
Hello,
I have the chance to have full access (with logs) to a local server of the widely used (and now reaching Asia) 'EDUcation ROAMing' eduroam network, to which a bunch of esp8266 users would like to connect. It's generally a wpa2-enterprise network.
It does not work here, and I think for a simple reason: the ESP is using MSCHAPV2, but this network can require the PAP phase 2 authentication method.
That explains why some users can connect to that network and others cannot.
The required EAP method is TTLS, which the ESP honours according to the user application and the esp-nonos-sdk logs below:
11:41:45.038 -> SDK:2.2.1(cfd48f3)
edit: same result with current git version of the firmware SDK:3.0.0-dev(097de86)
[...]
11:42:13.606 -> reconnect
11:42:13.606 -> state: 2 -> 0 (0)
11:42:13.706 -> scandone
11:42:13.706 -> state: 0 -> 2 (b0)
11:42:13.706 -> state: 2 -> 3 (0)
11:42:13.706 -> state: 3 -> 5 (10)
11:42:13.706 -> add 0
11:42:13.706 -> aid 5
11:42:13.739 -> cnt
11:42:13.739 -> EAP-TTLS: Start (server ver=0, own ver=0)
11:42:17.482 -> (user log:) Status: 1 - Arduino status: 6 - Local IP:0.0.0.0
11:42:17.515 -> EAP-TTLS: TLS done, proceed to Phase 2
11:42:17.548 -> EAP-TTLS: received 0 bytes encrypted data for Phase 2
11:42:17.548 -> EAP-TTLS: empty data in beginning of Phase 2 - use fake EAP-Request Identity
11:42:17.548 -> EAP-TTLS: Phase 2 MSCHAPV2 Request
11:42:17.548 -> (user log:) Status: 1 - Arduino status: 6 - Local IP:0.0.0.0
11:42:18.608 -> state: 5 -> 2 (2a0)
11:42:18.608 -> rm 0
11:42:18.608 -> wifi evt: 1
11:42:18.608 -> STA disconnect: 2
11:42:19.342 -> state: 2 -> 3 (0)
11:42:19.541 -> (user log:) Status: 1 - Arduino status: 6 - Local IP:0.0.0.0
11:42:20.369 -> state: 3 -> 0 (4)
11:42:20.370 -> reconnect
FWIW,
- Here are the Phase 2 authentication methods proposed by my android phone: None, PAP, MSCHAP, MSCHAPV2, GTC. The ESP uses MSCHAPV2 and, to my knowledge, the nonos-sdk API does not offer a way to select anything here.
- After forgetting the network and setting it up again, my android phone does not automatically propose the right Phase 2 authentication method; it must be configured by the user. I don't know if it can be deduced from the initial handshake. This eduroam wifi network was historically not supported by some android phones at the beginning, especially because of the unavailable PAP phase 2 method.
Here are the laconic logs of the RADIUS server of my local network. Note that my user name is correctly transmitted from the ESP, but not the password. The MAC address shown is the ESP's:
Jun 11 11:42:17 servername radiusd[6804]: [ldap] Attribute "User-Password" is required for authentication.
Jun 11 11:42:17 servername radiusd[6804]: Login incorrect: [my-working-login] (from client some-client port 0 via TLS tunnel)
Jun 11 11:42:17 servername radiusd[6804]: Login incorrect: [my-working-login] (from client some-client port 12293 cli 5C-CF-7F-C3-AD-51)
Relevant part of the source code:
[...]
// Headers this excerpt relies on (added here; the original post elides them with [...])
#include <ESP8266WiFi.h>
extern "C" {
#include "osapi.h"            // os_memset / os_memcpy / os_strlen
#include "user_interface.h"   // wifi_station_* and struct station_config
#include "wpa2_enterprise.h"  // wifi_station_set_wpa2_enterprise_auth() and friends
}

#define SSID "eduroam"
#define PASSWORD ""                      // PSK is not used for WPA2-Enterprise
#define WPA2_USERNAME "my-working-login"
#define WPA2_IDENTITY WPA2_USERNAME      // outer identity; same as the inner username here
#define WPA2_PASSWORD "my-working-password"
[...]
// the following is a slightly modified copy-paste of the wpa2-enterprise nonos-sdk's example
void setup() {
  wifi_station_disconnect();
  Serial.begin(115200);
  Serial.setDebugOutput(true);          // enables the "EAP-TTLS: ..." SDK debug lines shown above
  Serial.print("Trying to connect to ");
  Serial.println(SSID);
  {
    // Plain station config: SSID only, empty PSK
    char ssid[32] = SSID;
    char password[64] = PASSWORD;
    struct station_config sta_conf;     // = { 0 };
    os_memset(&sta_conf, 0, sizeof(sta_conf));
    os_memcpy(sta_conf.ssid, ssid, 32);
    os_memcpy(sta_conf.password, password, 64);
    wifi_station_set_config(&sta_conf);
  }
  {
    // WPA2-Enterprise config: the SDK picks the outer EAP method from what is set here;
    // the Phase 2 (inner) method is not selectable and ends up as MSCHAPV2
    typedef enum {
      EAP_TLS,
      EAP_PEAP,
      EAP_TTLS,
    } eap_method_t;
    eap_method_t method = EAP_TTLS;
    const char *identity = WPA2_IDENTITY;
    const char *username = WPA2_USERNAME;
    const char *password = WPA2_PASSWORD;
    wifi_station_set_wpa2_enterprise_auth(1);
    wifi_station_set_enterprise_identity((u8*)(void*)identity, os_strlen(identity));
    if (method == EAP_TLS) {
      Serial.println("error");
      //wifi_station_set_enterprise_cert_key(client_cert, os_strlen(client_cert) + 1, client_key, os_strlen(client_key) + 1, NULL, 1);
      //wifi_station_set_enterprise_username(username, os_strlen(username));//This is an option for EAP_PEAP and EAP_TLS.
    }
    else if (method == EAP_PEAP || method == EAP_TTLS) {
      wifi_station_set_enterprise_username((u8*)(void*)username, os_strlen(username));
      wifi_station_set_enterprise_password((u8*)(void*)password, os_strlen(password));
      //wifi_station_set_enterprise_ca_cert(ca, os_strlen(ca)+1);//This is an option for EAP_PEAP and EAP_TTLS.
    }
  }
  wifi_station_connect();
  // Wait for connection AND IP address from DHCP
  // (debug loop: never returns, just reports status every 2 s)
  while (true)
  {
    Serial.print("Status: ");
    Serial.print(wifi_station_get_connect_status());
    Serial.print(" - Arduino status: ");
    Serial.print(WiFi.status());
    Serial.print(" - Local IP:");
    Serial.println(WiFi.localIP());
    delay(2000);
  }
} // setup
Thus, the question is:
Would you be able to propose an API to select at least the Phase 2 authentication method?
Thanks for your support.
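To make the difference between the two inner methods concrete, here is an added Python example (mine, not code from the issue author or from the ESP8266 NONOS SDK) that encodes and decodes the Diameter-style AVPs EAP-TTLS carries inside the TLS tunnel during Phase 2. PAP hands the TTLS server a User-Name and a cleartext User-Password AVP, which is what a backend that authenticates by LDAP bind can use; MSCHAPv2 delivers only a challenge/response pair in Microsoft vendor AVPs and no password at all, which is one reading of why the server above logs that "User-Password" is required while the username arrives intact. The attribute numbers come from RFC 2865 and RFC 2548 and the AVP layout from RFC 5281; the username, password, challenge and response bytes are constructed placeholders, and the MSCHAPv2 proof itself is not computed.

```python
"""
Encode and decode the AVPs that EAP-TTLS carries inside the TLS tunnel during
Phase 2 (RFC 5281: section 10 for the AVP format, section 11 for the tunneled
methods), for the two inner methods the issue contrasts: PAP and MSCHAPv2.
Added illustration, not code from the ESP8266 NONOS SDK or the issue; every
credential, challenge and response byte below is constructed.
"""
import struct
from typing import List, Optional

# RADIUS attribute numbers reused as TTLS AVP codes (RFC 2865, RFC 2548)
USER_NAME = 1
USER_PASSWORD = 2
VENDOR_MICROSOFT = 311
MS_CHAP_CHALLENGE = 11
MS_CHAP2_RESPONSE = 25

AVP_FLAG_VENDOR = 0x80     # V bit: a 4-octet Vendor-Id follows the length
AVP_FLAG_MANDATORY = 0x40  # M bit: receiver must understand this AVP

ATTRIBUTE_NAMES = {
    (None, USER_NAME): "User-Name",
    (None, USER_PASSWORD): "User-Password",
    (VENDOR_MICROSOFT, MS_CHAP_CHALLENGE): "MS-CHAP-Challenge",
    (VENDOR_MICROSOFT, MS_CHAP2_RESPONSE): "MS-CHAP2-Response",
}


def encode_avp(code: int, data: bytes, vendor_id: Optional[int] = None) -> bytes:
    """One AVP: 4-octet code, 1-octet flags, 3-octet length (header + data, padding
    excluded), optional Vendor-Id, data, then zero padding to a 4-octet boundary."""
    flags = AVP_FLAG_MANDATORY
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)
    avp = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big") + vendor + data
    return avp + b"\x00" * (-len(avp) % 4)


def decode_avps(payload: bytes):
    """Yield (vendor_id, code, data) for each AVP in a Phase 2 payload, skipping padding."""
    offset = 0
    while offset + 8 <= len(payload):
        code = struct.unpack_from("!I", payload, offset)[0]
        flags = payload[offset + 4]
        length = int.from_bytes(payload[offset + 5:offset + 8], "big")
        if length < 8 or offset + length > len(payload):
            raise ValueError(f"malformed AVP length {length} at offset {offset}")
        data_start = offset + 8
        vendor_id = None
        if flags & AVP_FLAG_VENDOR:
            vendor_id = struct.unpack_from("!I", payload, data_start)[0]
            data_start += 4
        yield vendor_id, code, payload[data_start:offset + length]
        offset += length + (-length % 4)   # next AVP starts on a 4-octet boundary


def build_pap_phase2(username: bytes, password: bytes) -> bytes:
    """PAP inner method: User-Name plus the cleartext password. The password is
    null-padded to a multiple of 16 octets, the convention wpa_supplicant follows."""
    padded = password + b"\x00" * (-len(password) % 16)
    return encode_avp(USER_NAME, username) + encode_avp(USER_PASSWORD, padded)


def build_mschapv2_phase2(username: bytes, challenge: bytes, response: bytes) -> bytes:
    """MSCHAPv2 inner method: User-Name plus two Microsoft vendor AVPs. No password
    travels in the tunnel; the server only receives a challenge/response proof.
    `challenge` and `response` are placeholder bytes here, not real MSCHAPv2 values."""
    return (encode_avp(USER_NAME, username)
            + encode_avp(MS_CHAP_CHALLENGE, challenge, VENDOR_MICROSOFT)
            + encode_avp(MS_CHAP2_RESPONSE, response, VENDOR_MICROSOFT))


def attributes_seen_by_server(payload: bytes) -> List[str]:
    """Names of the RADIUS attributes the TTLS server would hand to its backend."""
    return [ATTRIBUTE_NAMES.get((vendor, code), f"Unknown({vendor},{code})")
            for vendor, code, _ in decode_avps(payload)]


if __name__ == "__main__":
    user = b"my-working-login"      # constructed; mirrors the placeholder used in the issue
    pap = build_pap_phase2(user, b"correct horse")
    ms = build_mschapv2_phase2(user, b"\x11" * 16, b"\x22" * 50)
    print("PAP      ->", attributes_seen_by_server(pap))
    print("MSCHAPv2 ->", attributes_seen_by_server(ms))
```

Because PAP puts the password into the tunnel in the clear, its safety rests entirely on the outer TLS handshake: the `wifi_station_set_enterprise_ca_cert()` call that is commented out in the sketch above is what makes the client verify it is talking to the legitimate RADIUS server and not to any access point that happens to announce the same SSID, so a PAP option in the SDK would be worth pairing with that CA check.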