Unable to use wpa2_enterprise example on ESP32 (IDFGH-119) #1297
Comments
@XinDeng11 Can you please help?
@mduanaa Hi, the issue may be caused by a certificate mismatch. In the main folder of the example you can find some certificates; you need to copy the certificates relating to the server to the RADIUS server and rename them server.crt, server.key and server.pem. After this the issue will be solved. What's more, there is a simple way to verify whether it is due to the certificates: just comment out the certificate check functions in the example, esp_wifi_sta_wpa2_ent_set_ca_cert() and esp_wifi_sta_wpa2_ent_set_cert_key(); if it works, that should be the reason.
@XinDeng11 Thanks for your suggestions. However, I have no access to the RADIUS server and I don't think the manager of the RADIUS server of our university would let me do that. The debug info shown in my first trial (failed to parse the certificate) indicates that even the certificate in the example folder is not recognized by your example code. I don't know how many people have tried this example and how many successful cases there are?
Faced lots and lots of problems with this example too.
@mduanaa @yoshi Dearing, the wpa2_enterprise example and its certificates are surely 100% OK. Many newcomers failed because they didn't have matched certificates between client and server; certificate verification is based on the RSA algorithm, which needs a matched public key and private key. That's why we added both the server's and the client's certificates in the main folder, but you need to build a server on Linux first. Then put ca.pem, server.pem, server.crt and server.pem on the server. @mduanaa, what's more, if you try with your school's server, you need to use the client certificates offered by the school server. Also make sure the EAP method is PEAP or TLS, because we only support those two methods in the example now.
@XinDeng11 I think you need more example certificates with different key lengths and better error messages to figure out what the problem is when it doesn't work.
@negativekelvin We have tried with 1024-bit, 2048-bit and 4096-bit keys; all of them work. What you mentioned, adding more error logs and a log switch, is what we plan to do in the next version. After it is finished, I will let you know. Thanks.
@XinDeng11 I have exactly the same problems that @mduanaa mentioned with 4096-bit certificates. Backtrace:
0x4013cd85:0x3ffdd740 0x4013dae9:0x3ffdd760 0x401398ca:0x3ffdd780 0x400eab05:0x3ffdd7b0 0x400eaceb:0x3ffdd860 0x400e7a7e:0x3ffdd930 0x400e7e6d:0x3ffdd970 0x400e70e9:0x3ffdd9f0 0x400e6b56:0x3ffdda40 0x400e6bb9:0x3ffdda80 0x400e5274:0x3ffddaa0 0x400e5865:0x3ffddae0 0x400e3029:0x3ffddb30 0x400e3389:0x3ffddb70
0x4013cd85: mp_read_unsigned_bin at /Users/ficeto/Desktop/ESP32/ESP32/esp-idf-public/components/wpa_supplicant/src/crypto/libtommath.h line 990
Tested with all available examples. Only worked until August; since then only Guru Meditation Error: Core 0 panic'ed (LoadProhibited).
@XinDeng11 Hi, we are running into the same Guru Meditation error with a properly configured PKI since the end of August. Before that, the same binary and certificates were running without any issues. The difference to the certificates provided by the example seems to be the size of the CA certificate and the signing algorithm used. The example is using a 1024-bit CA certificate and SHA-1 to sign the client/server certificates. Both lead to smaller signatures, which seems to be the cause of why all other configurations fail. A test implementation with a fresh CA and the same certificate parameters works perfectly. If we then change the size of the CA certificate to 2048 bits and use a state-of-the-art SHA-256 signing algorithm, we again run into the same Guru Meditation error. In both cases we exchange ca.pem, client.crt and client.key on the client side and ca.pem, server.crt and server.key on the RADIUS server side. I've attached the certificates for both cases. It would be a big help if you could test both configurations and analyse why 2048-bit certificates (CA and client/server) in combination with SHA-256 are causing this issue. From my point of view, this configuration is pretty standard in enterprise environments and should be supported by the esp-idf. Thanks in advance.
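An added example, not from the thread or from ESP-IDF, that builds a throwaway test PKI in the file layout the two replies above describe (ca.pem, server.crt/server.key for the RADIUS side, client.crt/client.key for the ESP32 side), with the RSA key size and signing digest as parameters so the 1024-bit/SHA-1 and 2048-bit/SHA-256 cases can be produced and checked the same way. It assumes the openssl command-line tool is installed; the subject names are constructed.

```shell
#!/bin/sh
# Constructed test PKI laid out as the thread describes: ca.pem plus
# server.crt/server.key for the RADIUS side and client.crt/client.key
# for the ESP32 side. Requires the openssl CLI; subject names are made up.
make_test_pki() {
    dir="$1"; bits="$2"; digest="$3"      # e.g. 2048 sha256, or 1024 sha1
    mkdir -p "$dir" || return 1
    # Self-signed CA with the requested key size and signing digest
    openssl req -x509 -newkey "rsa:$bits" -nodes "-$digest" -days 365 \
        -subj "/CN=Test WPA2-Enterprise CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    # Server and client end-entity certificates signed by that CA
    for role in server client; do
        openssl req -new -newkey "rsa:$bits" -nodes "-$digest" \
            -subj "/CN=test-$role" \
            -keyout "$dir/$role.key" -out "$dir/$role.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req "-$digest" -days 365 -in "$dir/$role.csr" \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$role.crt" >/dev/null 2>&1 || return 1
    done
}

# The "matched certificates" check: each end-entity cert must chain to
# ca.pem, and each cert's public modulus must equal its private key's.
check_pki() {
    dir="$1"
    for role in server client; do
        openssl verify -CAfile "$dir/ca.pem" "$dir/$role.crt" >/dev/null 2>&1 || return 1
        cert_mod=$(openssl x509 -noout -modulus -in "$dir/$role.crt") || return 1
        key_mod=$(openssl rsa -noout -modulus -in "$dir/$role.key" 2>/dev/null) || return 1
        [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] || return 1
    done
}

# Signature algorithm and RSA key size a certificate actually carries, so a
# CA's parameters can be compared with what the supplicant build handles.
cert_summary() {
    openssl x509 -noout -text -in "$1" | grep -E 'Signature Algorithm|Public-Key' | head -n 2
}
```

Run make_test_pki with 1024 sha1 and again with 2048 sha256 into two directories; check_pki passes for both, so a failure on the device with only the second set points at the supplicant's handling of the larger signatures rather than at the certificates.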
@igrr Do you have an idea what line is causing this / how to use a workaround? Currently the WPA2 support only works with a 1024-bit CA. However, eduroam is using 4096-bit and SHA256 certificates. The WPA2 example currently only works with commits prior to May - August.
@XinDeng11: Are there any updates on this issue? Could you find the root cause? Many thanks
@nubiator123 @mduanaa @ToBeSmavoo Hi guys, we have reproduced the phenomenon and found the root cause. The issue has been fixed already; you can check the commit bc97b0f for details. Thanks.
@XinDeng11 does it also fix this TLS alert issue #248 (comment)?
@XinDeng11 there doesn't seem to be a commit bc97b0f in the repo, can you please link to it?
@mtowara Apologies, the fix (along with a few other changes) did not make it to GitHub yet. It may take an hour or two for the integration tests to complete, then the change will be deployed to GitHub.
The order of wpa2_crypto_funcs_t structure mismatch between IDF and wifi library, close github issue #1297
With the new commits I see connection attempts in my eduroam logs, which is an improvement.
Guru Meditation Error: Core 1 panic'ed (LoadProhibited)
Backtrace: 0x4000c2e0:0x3ffca040 0x40104e09:0x3ffca050 0x40107296:0x3ffca070
I'm running the wpa2_enterprise example adapted for username / password instead of certificates.
I have never had success connecting the ESP32 to a WPA2 Enterprise network. This is very frustrating.
Hi, can someone please help me with the following error:
E (3905) wpa: Method private structure allocated failure
E (33913) wpa: Method private structure allocated failure
[D][WiFiGeneric.cpp:304] _eventCallback(): Event: 5 - STA_DISCONNECTED
I am trying to connect my ESP32 to a WPA2-Enterprise network.
Hi @igrr, sorry, I've posted this in arduino-esp32 first but supposedly it's related here more. The wpa2_enterprise example is struggling to connect to a WS2008 / Cisco-based corporate PEAP-MSCHAPv2 network. I'm in no way a WPA2 expert, but it seems that it depends on the certificate configuration (or maybe the negotiation scenario) on the network, and the wpa2 supplicant code somehow did not ignore optional certificate checking results, so it's either failing on checking the server's self-signed certificate when a CA cert is supplied, like this:
wpa: X509: Did not find any of the issuers from the list of trusted certificates
or failing to provide a proper certificate to the server when it was not set up (by commenting out these lines):
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_ca_cert(ca_pem_start, ca_pem_bytes) );
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_cert_key(client_crt_start, client_crt_bytes, client_key_start, client_key_bytes, NULL, 0) );
It fails this time on the server side after this diagnostic appears locally:
wpa: TLSv1: Full client certificate chain not configured - validation may fail
What is still not quite clear to me is why the local decision to test the remote server certificate's validity is based on whether a local one is supplied or not. Android phones are connecting to the network just fine without any certificates being installed. All I know about the network configuration so far is that it was set up years ago (and is still working just fine) by the admin with this Cisco how-to (so this setup is expected to be very common as well):
There is a discussion here as well, and there is at least one guy with exactly the same problem. https://www.esp32.com/viewtopic.php?f=2&t=3108&p=29227#p29227
Something is still wrong with PEAP/MSCHAPv2 in esp32 and this is gating us from finally going to production. Help please, thanks!
We now have an mbedtls port for the supplicant TLS connection as well as an option to enable/disable server certificate validation. Please help check with the latest build. If the problem is no longer seen, we will close this issue.
Please tell us how to test; even with a master pull and phase 2 set to MSCHAPV2 it doesn't work! Do we have to change something in menuconfig? I also saw that LwIP can do MSCHAP???? I tried to enable it, no success either.
I'm trying to connect to our WPA2 enterprise network, but with no success.
Hi @WilliamAtek, is it possible to provide the whole server logs? Please also provide the following along with that:
In case you have recently pulled the IDF, please make sure you have updated the submodules.
For everyone having the same problem: the problem comes from mbedTLS, which doesn't support PEAPv0. To fix it, go to menuconfig > components config > Wpa supplicant > uncheck "Use mbedTLS crypto API". Then it will work with Windows, Linux and everything else like it should. Please note that this problem seems purely related to mbedTLS, as I had the same problem on OpenWrt and when I switched to OpenSSL the problem disappeared. Espressif should use OpenSSL calls for PEAP MSCHAPv2 instead of mbedTLS automatically, or else I don't know what the difference is, but you can easily reproduce the problem so it should be easy to fix.
@WilliamAtek: Thank you so much! That really did the trick!
I tried to flash the wpa2_enterprise example to my ESP32 board but am facing endless failure. The debug info is as follows.
//debug info. begins
I (246) phy: phy_version: 366.0, ba9923d, Oct 31 2017, 18:06:17, 0, 0
I (246) wifi: mode : sta (24:0a:c4:0e:56:74)
I (376) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (1346) wifi: state: init -> auth (b0)
I (1356) wifi: state: auth -> assoc (0)
I (1366) wifi: state: assoc -> run (10)
I (1366) wpa: wpa2_task prio:2, stack:6656
I (1376) wpa: TLSv1: tlsv1_add_cert_der - failed to parse certificate
I (1376) wpa: TLS: Failed to configure trusted CA certificates
I (1376) wpa: TLS: Failed to set TLS connection parameters
I (1386) wpa: EAP-PEAP: Failed to initialize SSL.
E (1386) wpa: Method private structure allocated failure
I (2396) wpa: >>>>>wpa2 FIALED
I (2406) wpa: wpa2 task delete
I (4246) example: ~~~~~~~~~~~
I (4246) example: IP:0.0.0.0
I (4246) example: MASK:0.0.0.0
I (4246) example: GW:0.0.0.0
I (4246) example: ~~~~~~~~~~~
I (4366) wifi: pm start, type:0
//debug info. ends
There is no logging info in the RADIUS server, which means this program fails at the self-configuration stage. The issue seems to be the certificate verification.
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
I tried to comment out the certificate commands in wpa2_enterprise_main.c, as someone says the certificate is optional for EAP+PEAP. However, the connection is still unsuccessful.
The corresponding error info is: Guru Meditation Error: Core 1 panic'ed (LoadProhibited). Exception was unhandled.
//debug info. begins
Guru Meditation Error: Core 1 panic'ed (LoadProhibited). Exception was unhandled.
Register dump:
PC : 0x40129a71 PS : 0x00060330 A0 : 0x8012af39 A1 : 0x3ffc83f0
0x40129a71: bignum_set_unsigned_bin at ??:?
A2 : 0x3ffba464 A3 : 0x00000001 A4 : 0x3ffca378 A5 : 0x3ffca379
A6 : 0x3ffc84c4 A7 : 0x00000001 A8 : 0x80129a6c A9 : 0x3ffc83d0
A10 : 0x3ffba478 A11 : 0x000000ff A12 : 0x3ffba464 A13 : 0x92492493
A14 : 0x00000014 A15 : 0x00000000 SAR : 0x00000018 EXCCAUSE: 0x0000001c
EXCVADDR: 0x00000001 LBEG : 0x40129a59 LEND : 0x40129a5d LCOUNT : 0x00000000
0x40129a59: bignum_set_unsigned_bin at ??:?
0x40129a5d: bignum_set_unsigned_bin at ??:?
Backtrace: 0x40129a71:0x3ffc83f0 0x4012af36:0x3ffc8410 0x400fd81d:0x3ffc8440 0x400fda17:0x3ffc84f0 0x400fa742:0x3ffc85c0 0x400fab31:0x3ffc8600 0x400f9dc1:0x3ffc8680 0x400f9844:0x3ffc86d0 0x400f989d:0x3ffc8710 0x400f7ea8:0x3ffc8730 0x400f75fe:0x3ffc8770 0x400f5c1d:0x3ffc87d0 0x400f5f75:0x3ffc8810
//debug info ends
///////////////////////////////////////////////////////////////////////////////////////////////
Supplementary information: 1) latest esp-idf version; 2) the Wi-Fi network to be reached is eduroam; 3) development environment / tools: Windows 7 64-bit, msys32 / mingw32
Can anyone give a hint? Thanks a lot.