Description
Basic Infos
- This issue complies with the issue POLICY doc.
- I have read the documentation at readthedocs and the issue is not addressed there.
- I have tested that the issue is present in current master branch (aka latest git).
- I have searched the issue tracker for a similar issue.
- If there is a stack dump, I have decoded it.
- I have filled out all fields below.
Platform
- Hardware: [ESP-12E / NodeMCU v3]
- Core Version: [2.6.1] (esp8266 by ESP8266 Community)
- Development Env: [Arduino IDE 1.8.10]
- Operating System: [Windows 10 x64]
Settings in IDE
- Module: [NodeMCU 1.0 (ESP-12E Module)]
- Flash Mode: [???]
- Flash Size: [4MB]
- lwip Variant: [v2 Lower Memory]
- Reset Method: [??? (probably NodeMCU)]
- Flash Frequency: [???]
- CPU Frequency: [80Mhz]
- Upload Using: [USB/SERIAL]
- Upload Speed: [115200 and/or 256000] (serial upload only)
Problem Description
Wifi router is a Synology RT1900ac with WPA2 Enterprise authentication enabled.
RADIUS server is a NPS running on Windows Server 2019.
Policies are configured with :
- Conditions > NAS Port Type > Wireless - Other OR Wireless - IEEE 802.11
- Conditions > NAS Identifier >
- Conditions > Calling Station ID > <MAC ADDRESS FROM NodeMCU/ESP8266>
- Conditions > Windows Groups >
- Constraints > Authentication Methods > Microsoft Secure Password (EAP-MSCHAP v2)
Behavior of code (chronologically) :
- [ESP8266] boots up then tries to associate/authenticate
- [RADIUS/NPS] receives AUTH and grants access
- [ESP8266] During the first 30 seconds, "wifi_station_get_connect_status" returns 1 (STATION_CONNECTING)
- [ESP8266] Then, after the 2nd AUTH which takes place 30 s after the 1st one, "wifi_station_get_connect_status" switches to 2 (STATION_WRONG_PASSWORD)
- [RADIUS/NPS] Every time the ESP8266 tries to AUTH it gets access granted anyway
- [ESP8266] Never gets a DHCP lease / IP address (even when assigning one manually; the code is available in the given example)
It seems a lot of people have problems trying to use WPA2 Enterprise with credentials.
NB: I did not try to use certificates at all, as I do not want to.
Thanks in advance; ideas, suggestions or anything of value will be greatly appreciated.
Sample message from NPS server on Windows Server 2019 (acting as RADIUS server here)
Network Policy Server granted access to a user.
User:
Security ID: <DOMAIN\username>
Account Name: <username>
Account Domain: <DOMAIN>
Fully Qualified Account Name: <DOMAIN\username>
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: <MAC ADDRESS FROM ROUTER WIFI INTERFACE>
Calling Station Identifier: <MAC ADDRESS FROM NodeMCU/ESP8266>
NAS:
NAS IPv4 Address: <IP ADDRESS FROM AP WIFI INTERFACE>
NAS IPv6 Address: -
NAS Identifier: <MAC ADDRESS FROM WIFI AP INTERFACE>
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 4
RADIUS Client:
Client Friendly Name: <FQDN FROM AP WIFI INTERFACE>
Client IP Address: <IP ADDRESS FROM AP WIFI INTERFACE>
Authentication Details:
Connection Request Policy Name: Connexions sans fil sécurisées (SimKard)
Network Policy Name: <NETWORK POLICY NAMED AS DEFINED IN NPS/RADIUS SERVER>
Authentication Provider: Windows
Authentication Server: <ACTIVE DIRECTORY DOMAIN CONTROLLER FQDN>
Authentication Type: EAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
MCVE Sketch
#include <cstring>

#include <ESP8266WiFi.h>
extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}
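// WPA2 Enterprise information
//
// Security Mode : WPA2-Enterprise / PEAP (Protected Extensible Authentication Protocol)
// Tunnel authentication type : MS CHAP v2 (Challenge Handshake Authentication Protocol)
// Encryption type : AES

// SSID information + credentials (username/password for WPA2-Enterprise).
// These literals are compiled into the firmware image in clear text, so
// anyone able to read the flash can recover them.
static const char* ssid = "<AP SSID GOES THERE>";
// Pre-Shared Key for authentication (if not using WPA2 EAP-MSCHAP-v2)
//static const char* PreSharedKey = "<WEP/WPA/WPA2 PRESHARED KEY IF USED>";
// Username for authentication
static const char* username = "<USERNAME>";
// Password for authentication
static const char* password = "<PASSWORD>";

// Device hostname and static IP address configuration
const char* deviceName = "<HOSTNAME GOES THERE>";
//IPAddress staticIP(192, 168, 0, 123); // IP address
//IPAddress subnet(255, 255, 255, 0); // Subnet mask
//IPAddress gateway(192, 168, 0, 254); // Gateway
//IPAddress dns(192, 168, 0, 254); // DNS

// WiFi variables
int WiFi_status; // Last value returned by wifi_station_get_connect_status()
unsigned long millis_WiFi_association_start; // millis() reading taken when the association attempt began
// Association timeout in milliseconds. Declared unsigned long so that it
// compares with millis() arithmetic without a signed/unsigned conversion.
unsigned long millis_WiFi_association_reset = 35000;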
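/// Arduino entry point. Brings the station up on a WPA2-Enterprise network
/// (PEAP with EAP-MSCHAPv2, username/password only), then blocks until the
/// core reports WL_CONNECTED, printing the raw SDK connect status while it
/// waits. If no connection is obtained within millis_WiFi_association_reset
/// milliseconds the module is restarted.
void setup() {
    // INIT Serial communication
    Serial.begin(115200);
    delay(500); // Waits for systems to become ready
    WiFi.disconnect(); // Disconnect WiFi to flush out configuration
    WiFi.hostname(deviceName); // Set hostname
    //WiFi.config(staticIP, subnet, gateway, dns); // Set manual IP address configuration (If disabled, DHCP will be enforced)

    // =============================================================================================
    // ===== Variables configuration for WPA2 EAP-MSCHAP-v2 with username/password credentials =====
    // =============================================================================================
    // Setting ESP into STATION mode only (no AP mode or dual mode)
    wifi_set_opmode(STATION_MODE); // 0x01 = Station mode ; 0x02 = SoftAP mode ; 0x03 = Station + SoftAP

    // SDK station configuration. The ssid member is a fixed-size array, so the
    // copy is bounded by its size: an over-long SSID is truncated instead of
    // overrunning the fields that follow it (the unbounded strcpy this replaces
    // would have). The memset guarantees that any unused tail stays zero.
    struct station_config wifi_config;
    memset(&wifi_config, 0, sizeof(wifi_config));
    strncpy((char*)wifi_config.ssid, ssid, sizeof(wifi_config.ssid));
    wifi_station_set_config(&wifi_config);

    // Flushing stored configuration from FLASH
    wifi_station_clear_cert_key();
    wifi_station_clear_enterprise_ca_cert();
    wifi_station_clear_enterprise_identity();
    wifi_station_clear_enterprise_username();
    wifi_station_clear_enterprise_password();
    wifi_station_clear_enterprise_new_password();

    // Configuring authentication with AP
    wifi_station_set_wpa2_enterprise_auth(1);
    wifi_station_set_enterprise_identity((uint8*)username, strlen(username));
    // NOTE(review): no CA certificate is installed, so the PEAP server
    // certificate is presumably not validated and the inner MSCHAPv2 exchange
    // runs against whichever AP answers for this SSID — confirm against the
    // SDK documentation before relying on this outside a lab.
    //wifi_station_set_enterprise_ca_cert(ca_cert, sizeof(ca_cert));
    wifi_station_set_enterprise_username((uint8*)username, strlen(username));
    wifi_station_set_enterprise_password((uint8*)password, strlen(password));

    // Starting association with AP
    wifi_station_connect();
    // =============================================================================================
    /*
    // =============================================================================================
    // ===== Variables configuration for standard Pre-Shared Key configuration =====
    // =============================================================================================
    WiFi.mode(WIFI_STA);
    WiFi.begin(ssid, PreSharedKey);
    // Normal Connection ends here
    // =============================================================================================
    */

    Serial.println();
    Serial.print("Connecting to SSID [");
    Serial.print(ssid);
    Serial.print("] : ");

    // Wait for WiFi connection to be authenticated and IP address obtained from DHCP (if not disabled)
    // At that stage, values in parenthesis can be : 0 = STATION_IDLE ; 1 = STATION_CONNECTING ; 2 = STATION_WRONG_PASSWORD ; 3 = STATION_NO_AP_FOUND ; 4 = STATION_CONNECT_FAIL
    millis_WiFi_association_start = millis();
    while (WiFi.status() != WL_CONNECTED) {
        WiFi_status = wifi_station_get_connect_status();
        if (WiFi_status != 1) { // anything other than STATION_CONNECTING is printed as its numeric code
            Serial.print(WiFi_status, DEC);
        } else {
            Serial.print(".");
        }
        // Restart ESP8266 if no WiFi association has been successful.
        // Unsigned subtraction keeps the elapsed time correct across a millis() wrap.
        if (millis() - millis_WiFi_association_start >= static_cast<unsigned long>(millis_WiFi_association_reset)) {
            ESP.restart();
        }
        delay(500);
    }

    Serial.println("");
    Serial.println("WiFi connected");
    Serial.println("IP address: ");
    Serial.println(WiFi.localIP());
}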
/// Arduino main loop. Intentionally empty: this sketch only exercises the
/// association sequence performed in setup().
void loop() {
    // Nothing to do once setup() has connected.
}