[Regression][WPA2 Enterprise] WPA2 Enterprise connection fail (IDFGH-5866) #7565
Comments
Have you tried the latest release/v4.3 branch instead of the tag? |
I have by now tried: I will test release/v4.3 as soon as possible |
Hi @PaulFreund, can you please try on the latest master once? Which patch from #7384 have you tried, since there are multiple discussions in that? Also please provide the following:
|
Can you bisect to find bad commit? (This is probably the fastest way to find the problem) GOPTIONS\pfrost (1): Hrudaynath Dhabe (2): Jiang Jiang Jian (2): Nachiket Kukade (5): kapil.gupta (6): ronghulin (1): |
I already tried the latest master yesterday evening (CEST) which did not work.
|
Hi @PaulFreund, just to reconfirm, both e8360fe and #7384 (comment) were present in master when you tested this? Also, is it possible to share a sniffer capture and logs of the issue? Please note, in case mbedTLS is enabled, please enable logs for both mbedTLS and wpa_supplicant. |
I think it's not related unless v4.1 includes the fix of #7384 (comment) |
@kapilkedawat I was definitely on master which included your commit and I think I also tested with the fix enabled but not 100% sure. Unfortunately I don't have physical access to the devices and can't read serial output. I'm getting all log output by intercepting vsprintf and sending it to an InfluxDB. I'm fine-tuning the log output to not overwhelm the network (some devices are also connected via Ethernet) and it looks like the error is an assoc expire. I'll try to get more relevant output. |
@PaulFreund If you are sure about the issue after disabling mbedTLS in tags/v4.1.1, can you please try the following:
and see if that helps? Also, are you aware of the TLS version the Cisco infra is using? Again, does the remote setup have any system which can help you to capture the packets over the air? |
I just tested with: I also tried before with tags/v4.3 and mbedTLS disabled but I will retest with that version. We should be able to extract information like the TLS version from the posts I linked above, the infrastructure has not changed since then, I assume TLSv1 (there should even be some captures IIRC). Small update: 0c13662 is my last tested working commit so far, I'm trying to do a binary search |
Both didn't work (MbedTLS was disabled in supplicant config)?
Even if you have older captures please share in case nothing has changed on the server side.
Thanks, we will take a look internally as well. |
The allocation failure only happens if CONFIG_WPA_MBEDTLS_CRYPTO is unset. If MBEDTLS in supplicant is enabled it also does NOT work but the allocation failure does not happen. Just to clarify, in 77eb201 WPA2 Enterprise works both with MBEDTLS enabled and disabled |
@PaulFreund Can you please share partition.csv file? We are trying to check this with the exact config on windows and linux radius servers. |
Sure :) Thank you for working on it, this is the content |
@PaulFreund Unfortunately this is working for us with hostapd/freeradius. A fresh capture/serial logs will help to determine the issue faster. Is there any chance we can get them? |
ESPIDFv4.3_mbedTLS_Enabled.csv here is a first (anonymised) log of v4.3 with mbedTLS enabled and debug output of wpa and wifi |
@PaulFreund I took a look at the logs. Can you please retry with the latest master? Please make sure d3a42d7 and the patch mentioned in #7384 (comment) are both present. Please capture the logs again. |
I will do as soon as possible. Meanwhile, here is the log with mbedTLS disabled in wpa supplicant |
Here is the log of the current master with d3a42d7 included and the fix from the comment. Mbedtls is enabled in supplicant settings |
Hi @PaulFreund, do you use make instead of cmake by any chance? |
Hi, yes I still have to use make because of some legacy components |
Can you please try this change when mbedTLS disabled? (CONFIG_SHA256 flag is missing in cflags) diff --git a/components/wpa_supplicant/component.mk b/components/wpa_supplicant/component.mk -CFLAGS += -DCONFIG_DPP -DCONFIG_IEEE80211W -DESP_SUPPLICANT -DIEEE8021X_EAPOL -DEAP_PEER_METHOD -DEAP_TLS -DEAP_TTLS -DEAP_PEAP -DEAP_MSCHAPv2 -DUSE_WPA2_TASK -DCONFIG_WPS2 -DCONFIG_WPS_PIN -DUSE_WPS_TASK -DESPRESSIF_USE -DESP32_WORKAROUND -DCONFIG_ECC -DCONFIG_WNM -D__ets__ -Wno-strict-aliasing ifdef CONFIG_ESP32_WIFI_ENABLE_WPA3_SAE |
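Review bot: the `CFLAGS +=` line in components/wpa_supplicant/component.mk is a single hand-maintained list of defines, and the hunk as shown here carries only the removed line, so the added `-DCONFIG_SHA256` that the comment describes has to be inferred rather than read from the patch. Please post the hunk with its `+` line intact so the exact flag list can be checked. Since the question about make versus cmake in this thread suggests the define was missing only from the make build, it would also be worth comparing this list against the defines used by the CMake build of wpa_supplicant and noting in component.mk that the two must be kept in sync, so that a missing crypto define does not silently break WPA2 Enterprise on one build system again.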
Yes that works with current master! |
I just tried to compile with mbedtls in current master but I get linking errors
|
I don't see any linking issue here, maybe retry after cleaning older project files? That may happen when os_xtensa.o is generated from the old config. |
Okay here is a small summary WITH the patch you posted here #7565 (comment), WITHOUT the patch from this comment #7384 (comment) and built with make:
|
I always deleted my ./espressif and build directory before starting a new test to not get any old state. But maybe in that test the sdkconfig was slightly different. Anyway, I think I can work with v4.3 + mbedtls disabled + your patch for now. Would be interesting why mbedtls does not work though |
@kapilkedawat Thank you so much! You saved my weekend :) 👍 |
Because the application is quite universal I have to do a lot of testing before doing a release. Is it possible to backport this fix to release/v4.3? |
Hi @PaulFreund, for the mbedTLS part, is it possible for you to share this packet? wpa: SSL: 146 bytes left to be sent out (of total 146 bytes) Excel line: 516, seems like this is causing the AP to send a fail message. Also, if the server is reporting some error, please let me know. Yes, we will backport this till v4.0 and all versions will have this fix. |
I will put it on my todo list, is it enough to enable verbose for wpa to get the data? |
Yes, Please set both supplicant and MbedTLS to verbose level. |
Thanks for reporting, fix on master branch is available at 71a5003. |
@PaulFreund |
Since it was working in 77eb201, this looks like a regression. |
@PaulFreund Thanks for reporting, would you please share any further updates? Thanks. |
Thanks for reporting, will close due to lack of feedback, feel free to reopen with more updates. |
Hello,
our application has been working fine for over a year now. We used ESP IDF tags/v4.1 and now wanted to upgrade to tags/v4.3 (stable). The lowest tested version was tags/v4.1.2 which also was not able to connect to a WPA2 Enterprise network that works with the previous version of ESP IDF. I will try to provide more additional information but only have limited time available. Is this a known regression?
I already tried the patch from this issue: #7384 and also disabling mbedTLS in WPA supplicant options.