LAUNCHXL-CC3235SF: EAP - PEAP0_MSCHAPv2

Part Number: LAUNCHXL-CC3235SF
Other Parts Discussed in Thread: CC3200

Hello,

Are there any special configuration rules for enterprise networks? I'm trying to implement an enterprise connection on my board, starting with type SL_WLAN_ENT_EAP_METHOD_PEAP0_MSCHAPv2.

I have configured the SlWlanSecParamsExt_t struct as it should be, but using the user name and password I'm not able to connect. The RADIUS server rejects the request with these logs:

eap_peap: (TLS) EAP Peer says that the final record size will be 56 bytes
eap_peap: (TLS) EAP Got all data (56 bytes)
eap_peap: (TLS) Handshake state - before SSL initialization
eap_peap: (TLS) Handshake state - Server before SSL initialization
eap_peap: (TLS) Handshake state - Server before SSL initialization
eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
eap_peap: (TLS) send TLS 1.0 Alert, fatal protocol_version
eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
eap_peap: ERROR: (TLS) Server : Error in error
eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
eap_peap: ERROR: (TLS) System call (I/O) error (-1)
eap_peap: ERROR: (TLS) EAP Receive handshake failed during operation
eap_peap: ERROR: [eaptls process] = fail
ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed

I captured the packets using Wireshark, and it shows that the Texas board is sending the access request using TLS version 1.0.

RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x58 (88)
    Length: 287
    Authenticator: 3b33b53afd9977fdcbafa4cf502fc546
    [The response to this request is in frame 904449]
    Attribute Value Pairs
        AVP: t=User-Name(1) l=6 val=test
        AVP: t=Called-Station-Id(30) l=37 val=5C-5B-35-02-50-21:EnterpriseNetwork
        AVP: t=NAS-Port-Type(61) l=6 val=Wireless-802.11(19)
        AVP: t=Service-Type(6) l=6 val=Framed(2)
        AVP: t=Calling-Station-Id(31) l=19 val=90-E2-02-28-9E-CF
        AVP: t=Connect-Info(77) l=23 val=CONNECT 0Mbps 802.11b
        AVP: t=Acct-Session-Id(44) l=18 val=8236B990FA6647AB
        AVP: t=Acct-Multi-Session-Id(50) l=18 val=2C58022D67F83127
        AVP: t=Unknown-Attribute(186) l=6 val=000fac04
        AVP: t=Unknown-Attribute(187) l=6 val=000fac04
        AVP: t=Unknown-Attribute(188) l=6 val=000fac01
        AVP: t=Framed-MTU(12) l=6 val=1200
        AVP: t=EAP-Message(79) l=68 Last Segment[1]
            Type: 79
            Length: 68
            EAP fragment: 02b4004219800000003816030100330100002f0301000000…
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 180
                Length: 66
                Type: Protected EAP (EAP-PEAP) (25)
                EAP-TLS Flags: 0x80
                    1... .... = Length Included: True
                    .0.. .... = More Fragments: False
                    ..0. .... = Start: False
                    .... .000 = Version: 0
                EAP-TLS Length: 56
                Transport Layer Security
                    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
                        Content Type: Handshake (22)
                        Version: TLS 1.0 (0x0301)
                        Length: 51
                        Handshake Protocol: Encrypted Handshake Message
        AVP: t=State(24) l=18 val=8f3337ed8f872ede372d3b59b7c455b7
        AVP: t=NAS-IP-Address(4) l=6 val=192.168.1.152
        AVP: t=Message-Authenticator(80) l=18 val=d7f8a4d95037396dc4e4e5da75c55866

Has anybody configured enterprise on the CC323x and knows how to configure the board to use a higher version of TLS?

Best,

Artur

  • Hi Artur,

    From the log provided above it is obvious that you have configured a TLS EAP method (e.g. PEAP0_TLS), not PEAP0_MSCHAPv2.

    The CC3200, CC3220 and CC3235 devices support only TLS 1.0 for EAP. At the moment there is no way to use a higher TLS version for EAP on the current generation of CC32xx devices.

    Jan

  • Hi Jan,

    Thank you for your response. It is sufficient for me. It was necessary to reconfigure the RADIUS server and use the following settings:

            #  In order to enable TLS 1.0 and TLS 1.1, you may
            #  also need to update cipher_list below to:
            #
            #   * OpenSSL >= 3.x
            #
            #   cipher_list = "DEFAULT@SECLEVEL=0"
            #
            #   * OpenSSL < 3.x
            #
            cipher_list = "DEFAULT@SECLEVEL=1"

            tls_min_version = "1.0"
            tls_max_version = "1.2"

    Best,

    Artur
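
The EAP fragment in the capture above can be decoded by hand to see which TLS version the board offers and why a server minimum above it rejects the handshake. This is an added example, not code from the thread or from TI; the function names are hypothetical, and only the bytes visible before the "…" in the capture are used.

```python
import struct

# Visible prefix of the "EAP fragment" shown in the capture on this page.
# The page truncates the rest with an ellipsis; nothing beyond it is assumed.
EAP_PREFIX = bytes.fromhex("02b4004219800000003816030100330100002f0301000000")

TLS_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
             0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
EAP_TYPE_PEAP = 25           # "Protected EAP (EAP-PEAP) (25)" in the dissection
FLAG_LENGTH_INCLUDED = 0x80  # L bit: a 4-byte TLS message length follows


def parse_peap_client_hello(buf: bytes) -> dict:
    """Decode the EAP header, PEAP flags, TLS record header and ClientHello version."""
    if len(buf) < 6:
        raise ValueError("truncated EAP header")
    code, ident, eap_len, eap_type, flags = struct.unpack_from("!BBHBB", buf, 0)
    if eap_type != EAP_TYPE_PEAP:
        raise ValueError(f"not EAP-PEAP (type {eap_type})")
    off, tls_total = 6, None
    if flags & FLAG_LENGTH_INCLUDED:
        if len(buf) < off + 4:
            raise ValueError("truncated TLS message length")
        (tls_total,) = struct.unpack_from("!I", buf, off)
        off += 4
    # 5-byte record header + 4-byte handshake header + 2-byte client_version
    if len(buf) < off + 11:
        raise ValueError("not enough bytes to reach client_version")
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", buf, off)
    hs_type = buf[off + 5]
    hs_len = int.from_bytes(buf[off + 6:off + 9], "big")
    (hello_ver,) = struct.unpack_from("!H", buf, off + 9)
    if ctype != 22 or hs_type != 1:
        raise ValueError("first TLS record is not a ClientHello")
    return {
        "eap_code": code, "eap_id": ident, "eap_length": eap_len,
        "peap_version": flags & 0x07, "tls_message_length": tls_total,
        "record_version": TLS_NAMES.get(rec_ver, hex(rec_ver)),
        "record_length": rec_len, "handshake_length": hs_len,
        "client_hello_raw": hello_ver,
        "client_hello_version": TLS_NAMES.get(hello_ver, hex(hello_ver)),
    }


def below_server_minimum(info: dict, tls_min_version: str) -> bool:
    """Compare the offered version with a tls_min_version-style string such as "1.2"."""
    minimum = {"1.0": 0x0301, "1.1": 0x0302, "1.2": 0x0303}[tls_min_version]
    return info["client_hello_raw"] < minimum
```

The decoded fields match the Wireshark dissection (Id 180, Length 66, EAP-TLS Length 56), and the ClientHello's own version field reads TLS 1.0, which is why the server only accepts it once `tls_min_version` is lowered to "1.0".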