CC3235SF: Wifi cannot connect to AP using PEAP method

Part Number: CC3235SF
Other Parts Discussed in Thread: UNIFLASH

Using the PEAP function of the CC3235, the router and RADIUS server have been configured, and a mobile phone can connect to the router + RADIUS using the EAP method. But when the same parameters as the phone's Wi-Fi are sent in the AT instruction AT+WlanConnect=" TP-link_6034 ", WPA_ENT,test, LKZ, LKZ,PEAP0_MSCHAPv2, it does not connect and prompts "missing certificate". Must Wi-Fi using the PEAP function use a certificate?

  • Hi,

    Even for PEAP0 with MSCHAP, the device should verify the server with the server certificate. 

    Please see section 4.6.2 (server authentication) of the Network Processor Programmer's Guide for details on how to remove this requirement if desired.

    Best Regards,

    Ben M

  • Hi Benjamin,

    I have read the document. Before sending AT Connect, I sent AT WlanSet to configure that the server does not need to be authenticated, but the return status is still "lack of certificate", so I am very confused.

  • Hi,

    Thanks for confirming. To make sure I understand, you are seeing the prompt in the logs from the Wi-Fi device right? Not from the logs of the Radius server?

    Can you share a screenshot or printout of what you are seeing?

    Thanks,
    Ben M

  • Later, I used the network terminal example of simplelink_cc32xx_sdk_4_10_00_07. I placed all the certificates in the correct path on the Linux RADIUS server, added and burned the certificate using UniFlash, and then sent the wlanconnect command in the terminal. The connection failed. What is the reason? (Note: if I configure no certificate authentication, I can connect successfully.)

    The RADIUS log when the connection failed is as follows:

    Received Access-Request Id 47 from 192.168.1.1:1063 to 192.168.1.102:1812 length 150
    (4)   User-Name = "lkz"
    (4)   NAS-IP-Address = 192.168.1.1
    (4)   NAS-Port = 0
    (4)   Called-Station-Id = "C0-61-18-3F-60-34:TP-LINK_6034"
    (4)   Calling-Station-Id = "34-03-DE-11-35-9D"
    (4)   Framed-MTU = 1400
    (4)   NAS-Port-Type = Wireless-802.11
    (4)   Connect-Info = "CONNECT 0Mbps 802.11"
    (4)   EAP-Message = 0x02000008016c6b7a
    (4)   Message-Authenticator = 0xcd92696392c1edd266039a1cb2e2d374
    (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (4)   authorize {
    (4)     policy filter_username {
    (4)       if (&User-Name) {
    (4)       if (&User-Name)  -> TRUE
    (4)       if (&User-Name)  {
    (4)         if (&User-Name =~ / /) {
    (4)         if (&User-Name =~ / /)  -> FALSE
    (4)         if (&User-Name =~ /@[^@]*@/ ) {
    (4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (4)         if (&User-Name =~ /\.\./ ) {
    (4)         if (&User-Name =~ /\.\./ )  -> FALSE
    (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (4)         if (&User-Name =~ /\.$/)  {
    (4)         if (&User-Name =~ /\.$/)   -> FALSE
    (4)         if (&User-Name =~ /@\./)  {
    (4)         if (&User-Name =~ /@\./)   -> FALSE
    (4)       } # if (&User-Name)  = notfound
    (4)     } # policy filter_username = notfound
    (4)     [preprocess] = ok
    (4)     [chap] = noop
    (4)     [mschap] = noop
    (4)     [digest] = noop
    (4) suffix: Checking for suffix after "@"
    (4) suffix: No '@' in User-Name = "lkz", looking up realm NULL
    (4) suffix: No such realm "NULL"
    (4)     [suffix] = noop
    (4) eap: Peer sent EAP Response (code 2) ID 0 length 8
    (4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
    (4)     [eap] = ok
    (4)   } # authorize = ok
    (4) Found Auth-Type = eap
    (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (4)   authenticate {
    (4) eap: Peer sent packet with method EAP Identity (1)
    (4) eap: Calling submodule eap_peap to process data
    (4) eap_peap: Initiating new EAP-TLS session
    (4) eap_peap: Setting verify mode to require certificate from client
    (4) eap_peap: [eaptls start] = request
    (4) eap: Sending EAP Request (code 1) ID 1 length 6
    (4) eap: EAP session adding &reply:State = 0xc67f216dc67e3830
    (4)     [eap] = handled
    (4)   } # authenticate = handled
    (4) Using Post-Auth-Type Challenge
    (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (4)   Challenge { ... } # empty sub-section is ignored
    (4) Sent Access-Challenge Id 47 from 192.168.1.102:1812 to 192.168.1.1:1063 length 0
    (4)   EAP-Message = 0x010100061920
    (4)   Message-Authenticator = 0x00000000000000000000000000000000
    (4)   State = 0xc67f216dc67e383004e4540aab8efed2
    (4) Finished request
    Waking up in 4.9 seconds.
    (5) Received Access-Request Id 48 from 192.168.1.1:1063 to 192.168.1.102:1812 length 226
    (5)   User-Name = "lkz"
    (5)   NAS-IP-Address = 192.168.1.1
    (5)   NAS-Port = 0
    (5)   Called-Station-Id = "C0-61-18-3F-60-34:TP-LINK_6034"
    (5)   Calling-Station-Id = "34-03-DE-11-35-9D"
    (5)   Framed-MTU = 1400
    (5)   NAS-Port-Type = Wireless-802.11
    (5)   Connect-Info = "CONNECT 0Mbps 802.11"
    (5)   EAP-Message = 0x0201004219800000003816030100330100002f030100000054360e181d02865fee23e3c677a340375ade2cdd90fcb4ce7fd6001ddd000008002f000a000500040100
    (5)   State = 0xc67f216dc67e383004e4540aab8efed2
    (5)   Message-Authenticator = 0x6efca2413ae8ca6aefd7b74c13106917
    (5) session-state: No cached attributes
    (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (5)   authorize {
    (5)     policy filter_username {
    (5)       if (&User-Name) {
    (5)       if (&User-Name)  -> TRUE
    (5)       if (&User-Name)  {
    (5)         if (&User-Name =~ / /) {
    (5)         if (&User-Name =~ / /)  -> FALSE
    (5)         if (&User-Name =~ /@[^@]*@/ ) {
    (5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (5)         if (&User-Name =~ /\.\./ ) {
    (5)         if (&User-Name =~ /\.\./ )  -> FALSE
    (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (5)         if (&User-Name =~ /\.$/)  {
    (5)         if (&User-Name =~ /\.$/)   -> FALSE
    (5)         if (&User-Name =~ /@\./)  {
    (5)         if (&User-Name =~ /@\./)   -> FALSE
    (5)       } # if (&User-Name)  = notfound
    (5)     } # policy filter_username = notfound
    (5)     [preprocess] = ok
    (5)     [chap] = noop
    (5)     [mschap] = noop
    (5)     [digest] = noop
    (5) suffix: Checking for suffix after "@"
    (5) suffix: No '@' in User-Name = "lkz", looking up realm NULL
    (5) suffix: No such realm "NULL"
    (5)     [suffix] = noop
    (5) eap: Peer sent EAP Response (code 2) ID 1 length 66
    (5) eap: Continuing tunnel setup
    (5)     [eap] = ok
    (5)   } # authorize = ok
    (5) Found Auth-Type = eap
    (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (5)   authenticate {
    (5) eap: Expiring EAP session with state 0xc67f216dc67e3830
    (5) eap: Finished EAP session with state 0xc67f216dc67e3830
    (5) eap: Previous EAP request found for state 0xc67f216dc67e3830, released from the list
    (5) eap: Peer sent packet with method EAP PEAP (25)
    (5) eap: Calling submodule eap_peap to process data
    (5) eap_peap: Continuing EAP-TLS
    (5) eap_peap: Peer indicated complete TLS record size will be 56 bytes
    (5) eap_peap: Got complete TLS record (56 bytes)
    (5) eap_peap: [eaptls verify] = length included
    (5) eap_peap: (other): before SSL initialization
    (5) eap_peap: TLS_accept: before SSL initialization
    (5) eap_peap: TLS_accept: before SSL initialization
    (5) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0033]
    (5) eap_peap: TLS_accept: SSLv3/TLS read client hello
    (5) eap_peap: >>> send TLS 1.0 Handshake [length 002a], ServerHello
    (5) eap_peap: TLS_accept: SSLv3/TLS write server hello
    (5) eap_peap: >>> send TLS 1.0 Handshake [length 03e9], Certificate
    (5) eap_peap: TLS_accept: SSLv3/TLS write certificate
    (5) eap_peap: >>> send TLS 1.0 Handshake [length 0089], CertificateRequest
    (5) eap_peap: TLS_accept: SSLv3/TLS write certificate request
    (5) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
    (5) eap_peap: TLS_accept: SSLv3/TLS write server done
    (5) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
    (5) eap_peap: In SSL Handshake Phase
    (5) eap_peap: In SSL Accept mode
    (5) eap_peap: [eaptls process] = handled
    (5) eap: Sending EAP Request (code 1) ID 2 length 1004
    (5) eap: EAP session adding &reply:State = 0xc67f216dc77d3830
    (5)     [eap] = handled
    (5)   } # authenticate = handled
    (5) Using Post-Auth-Type Challenge
    (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (5)   Challenge { ... } # empty sub-section is ignored
    (5) Sent Access-Challenge Id 48 from 192.168.1.102:1812 to 192.168.1.1:1063 length 0
    (5)   EAP-Message = 0x010203ec19c0000004b4160301002a02000026030111fb81f86473b91c014e03743216919b109a93d9d3684929444f574e4752440000002f0016030103e90b0003e50003e20003df308203db308202c3a003020102020103300d06092a864886f70d01010b0500308193310b3009060355040613024652
    (5)   Message-Authenticator = 0x00000000000000000000000000000000
    (5)   State = 0xc67f216dc77d383004e4540aab8efed2
    (5) Finished request
    Waking up in 4.9 seconds.
    (6) Received Access-Request Id 49 from 192.168.1.1:1063 to 192.168.1.102:1812 length 166
    (6)   User-Name = "lkz"
    (6)   NAS-IP-Address = 192.168.1.1
    (6)   NAS-Port = 0
    (6)   Called-Station-Id = "C0-61-18-3F-60-34:TP-LINK_6034"
    (6)   Calling-Station-Id = "34-03-DE-11-35-9D"
    (6)   Framed-MTU = 1400
    (6)   NAS-Port-Type = Wireless-802.11
    (6)   Connect-Info = "CONNECT 0Mbps 802.11"
    (6)   EAP-Message = 0x020200061900
    (6)   State = 0xc67f216dc77d383004e4540aab8efed2
    (6)   Message-Authenticator = 0x4976d7686b5cc6da0f2d1bb9b218d09d
    (6) session-state: No cached attributes
    (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (6)   authorize {
    (6)     policy filter_username {
    (6)       if (&User-Name) {
    (6)       if (&User-Name)  -> TRUE
    (6)       if (&User-Name)  {
    (6)         if (&User-Name =~ / /) {
    (6)         if (&User-Name =~ / /)  -> FALSE
    (6)         if (&User-Name =~ /@[^@]*@/ ) {
    (6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (6)         if (&User-Name =~ /\.\./ ) {
    (6)         if (&User-Name =~ /\.\./ )  -> FALSE
    (6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (6)         if (&User-Name =~ /\.$/)  {
    (6)         if (&User-Name =~ /\.$/)   -> FALSE
    (6)         if (&User-Name =~ /@\./)  {
    (6)         if (&User-Name =~ /@\./)   -> FALSE
    (6)       } # if (&User-Name)  = notfound
    (6)     } # policy filter_username = notfound
    (6)     [preprocess] = ok
    (6)     [chap] = noop
    (6)     [mschap] = noop
    (6)     [digest] = noop
    (6) suffix: Checking for suffix after "@"
    (6) suffix: No '@' in User-Name = "lkz", looking up realm NULL
    (6) suffix: No such realm "NULL"
    (6)     [suffix] = noop
    (6) eap: Peer sent EAP Response (code 2) ID 2 length 6
    (6) eap: Continuing tunnel setup
    (6)     [eap] = ok
    (6)   } # authorize = ok
    (6) Found Auth-Type = eap
    (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (6)   authenticate {
    (6) eap: Expiring EAP session with state 0xc67f216dc77d3830
    (6) eap: Finished EAP session with state 0xc67f216dc77d3830
    (6) eap: Previous EAP request found for state 0xc67f216dc77d3830, released from the list
    (6) eap: Peer sent packet with method EAP PEAP (25)
    (6) eap: Calling submodule eap_peap to process data
    (6) eap_peap: Continuing EAP-TLS
    (6) eap_peap: Peer ACKed our handshake fragment
    (6) eap_peap: [eaptls verify] = request
    (6) eap_peap: [eaptls process] = handled
    (6) eap: Sending EAP Request (code 1) ID 3 length 216
    (6) eap: EAP session adding &reply:State = 0xc67f216dc47c3830
    (6)     [eap] = handled
    (6)   } # authenticate = handled
    (6) Using Post-Auth-Type Challenge
    (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (6)   Challenge { ... } # empty sub-section is ignored
    (6) Sent Access-Challenge Id 49 from 192.168.1.102:1812 to 192.168.1.1:1063 length 0
    (6)   EAP-Message = 0x010300d81900b7c7df66394f4a38cf71aa8af0658adc81a0ad9add8d46cc82813cee3c65f849e1e4a9e539e50c337d8a5981b63e8c8acb497aea015fbde2184a0516030100890d00008503010240007f007d307b310b300906035504061302434e310c300a06035504080c034c6b7a310c300a06035504
    (6)   Message-Authenticator = 0x00000000000000000000000000000000
    (6)   State = 0xc67f216dc47c383004e4540aab8efed2
    (6) Finished request
    Waking up in 4.9 seconds.
    (7) Received Access-Request Id 50 from 192.168.1.1:1063 to 192.168.1.102:1812 length 510
    (7)   User-Name = "lkz"
    (7)   NAS-IP-Address = 192.168.1.1
    (7)   NAS-Port = 0
    (7)   Called-Station-Id = "C0-61-18-3F-60-34:TP-LINK_6034"
    (7)   Calling-Station-Id = "34-03-DE-11-35-9D"
    (7)   Framed-MTU = 1400
    (7)   NAS-Port-Type = Wireless-802.11
    (7)   Connect-Info = "CONNECT 0Mbps 802.11"
    (7)   EAP-Message = 0x0203015c19800000015216030100070b00000300000016030101061000010201003ee9763648588657a2b5fadd19d87ddf4c2e0ecc9401e828f72b3f4847bae305043a38374c81a8a016df0bb0915ea5275ea15eb6a8de30936fdde3b201626e1883f0c5944e36dfcbf9a6ae96d5dce72ca81d87b6632f
    (7)   State = 0xc67f216dc47c383004e4540aab8efed2
    (7)   Message-Authenticator = 0xe9edd01fcb5ea072ad05a033f6ba2fb1
    (7) session-state: No cached attributes
    (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
    (7)   authorize {
    (7)     policy filter_username {
    (7)       if (&User-Name) {
    (7)       if (&User-Name)  -> TRUE
    (7)       if (&User-Name)  {
    (7)         if (&User-Name =~ / /) {
    (7)         if (&User-Name =~ / /)  -> FALSE
    (7)         if (&User-Name =~ /@[^@]*@/ ) {
    (7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (7)         if (&User-Name =~ /\.\./ ) {
    (7)         if (&User-Name =~ /\.\./ )  -> FALSE
    (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
    (7)         if (&User-Name =~ /\.$/)  {
    (7)         if (&User-Name =~ /\.$/)   -> FALSE
    (7)         if (&User-Name =~ /@\./)  {
    (7)         if (&User-Name =~ /@\./)   -> FALSE
    (7)       } # if (&User-Name)  = notfound
    (7)     } # policy filter_username = notfound
    (7)     [preprocess] = ok
    (7)     [chap] = noop
    (7)     [mschap] = noop
    (7)     [digest] = noop
    (7) suffix: Checking for suffix after "@"
    (7) suffix: No '@' in User-Name = "lkz", looking up realm NULL
    (7) suffix: No such realm "NULL"
    (7)     [suffix] = noop
    (7) eap: Peer sent EAP Response (code 2) ID 3 length 348
    (7) eap: Continuing tunnel setup
    (7)     [eap] = ok
    (7)   } # authorize = ok
    (7) Found Auth-Type = eap
    (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (7)   authenticate {
    (7) eap: Expiring EAP session with state 0xc67f216dc47c3830
    (7) eap: Finished EAP session with state 0xc67f216dc47c3830
    (7) eap: Previous EAP request found for state 0xc67f216dc47c3830, released from the list
    (7) eap: Peer sent packet with method EAP PEAP (25)
    (7) eap: Calling submodule eap_peap to process data
    (7) eap_peap: Continuing EAP-TLS
    (7) eap_peap: Peer indicated complete TLS record size will be 338 bytes
    (7) eap_peap: Got complete TLS record (338 bytes)
    (7) eap_peap: [eaptls verify] = length included
    (7) eap_peap: TLS_accept: SSLv3/TLS write server done
    (7) eap_peap: <<< recv TLS 1.0 Handshake [length 0007], Certificate
    (7) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
    (7) eap_peap: ERROR: TLS Alert write:fatal:handshake failure tls: TLS_accept: Error in error
    (7) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
    (7) eap_peap: ERROR: System call (I/O) error (-1)
    (7) eap_peap: ERROR: TLS receive handshake failed during operation
    (7) eap_peap: ERROR: [eaptls process] = fail
    (7) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
    (7) eap: Sending EAP Failure (code 4) ID 3 length 4
    (7) eap: Failed in EAP select
    (7)     [eap] = invalid
    (7)   } # authenticate = invalid
    (7) Failed to authenticate the user
    (7) Using Post-Auth-Type Reject
    (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (7)   Post-Auth-Type REJECT {
    (7) sql: EXPAND .query
    (7) sql:    --> .query
    (7) sql: Using query template 'query'
    rlm_sql (sql): Reserved connection (5)
    (7) sql: EXPAND %{User-Name}
    (7) sql:    --> lkz
    (7) sql: SQL-User-Name set to 'lkz'
    (7) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
    (7) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'lkz', '', 'Access-Reject', '2020-06-29 08:37:08')
    (7) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'lkz', '', 'Access-Reject', '2020-06-29 08:37:08')
    (7) sql: SQL query returned: success
    (7) sql: 1 record(s) updated
    rlm_sql (sql): Released connection (5)
    Need 1 more connections to reach min connections (3)
    rlm_sql (sql): Opening additional connection (7), 1 of 30 pending slots used
    (7)     [sql] = ok
    (7) attr_filter.access_reject: EXPAND %{User-Name}
    (7) attr_filter.access_reject:    --> lkz
    (7) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (7)     [attr_filter.access_reject] = updated
    (7)     [eap] = noop
    (7)     policy remove_reply_message_if_eap {
    (7)       if (&reply:EAP-Message && &reply:Reply-Message) {
    (7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
    (7)       else {
    (7)         [noop] = noop
    (7)       } # else = noop
    (7)     } # policy remove_reply_message_if_eap = noop
    (7)   } # Post-Auth-Type REJECT = updated
    (7) Login incorrect (eap_peap: TLS Alert write:fatal:handshake failure): [lkz] (from client lkz port 0 cli 34-03-DE-11-35-9D)
    (7) Delaying response for 5.000000 seconds
    Waking up in 0.3 seconds.
    Waking up in 4.4 seconds.
    (7) (7) Discarding duplicate request from client lkz port 1063 - ID: 50 due to delayed response
    Waking up in 1.8 seconds.
    (4) Cleaning up request packet ID 47 with timestamp +101
    (5) Cleaning up request packet ID 48 with timestamp +101
    (6) Cleaning up request packet ID 49 with timestamp +101
    (7) Sending delayed response
    (7) Sent Access-Reject Id 50 from 192.168.1.102:1812 to 192.168.1.1:1063 length 44
    (7)   EAP-Message = 0x04030004
    (7)   Message-Authenticator = 0x00000000000000000000000000000000
    (7) Cleaning up request packet ID 50 with timestamp +101
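
As an added example (not code from the thread, from TI, or from FreeRADIUS), the Python script below triages a FreeRADIUS 3.x debug log of the kind pasted above: it groups lines by request number, collapses them into one session per User-Name/Calling-Station-Id, and flags the pattern visible in this log, where eap_peap prints "Setting verify mode to require certificate from client", sends a CertificateRequest, receives a 7-byte (empty) client Certificate message, and then fails with "peer did not return a certificate". SAMPLE_LOG is a constructed, abridged excerpt of the quoted log; the parser also runs unchanged on the full pasted output.

```python
"""Per-session triage of a FreeRADIUS 3.x debug log (radiusd -X output).

Added example for this thread, not TI or FreeRADIUS code. SAMPLE_LOG is a
constructed, abridged excerpt modelled on the log quoted in the post.
"""
import re
from collections import OrderedDict

# Constructed excerpt: same request numbers, verify-mode line, handshake
# lines and error line as the quoted log, with the policy chatter dropped.
SAMPLE_LOG = """\
(4) Received Access-Request Id 47 from 192.168.1.1:1063 to 192.168.1.102:1812 length 150
(4)   User-Name = "lkz"
(4)   Calling-Station-Id = "34-03-DE-11-35-9D"
(4) eap: Peer sent packet with method EAP Identity (1)
(4) eap_peap: Setting verify mode to require certificate from client
(4) Sent Access-Challenge Id 47 from 192.168.1.102:1812 to 192.168.1.1:1063 length 0
(5) Received Access-Request Id 48 from 192.168.1.1:1063 to 192.168.1.102:1812 length 226
(5)   User-Name = "lkz"
(5)   Calling-Station-Id = "34-03-DE-11-35-9D"
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap_peap: >>> send TLS 1.0 Handshake [length 0089], CertificateRequest
(5) Sent Access-Challenge Id 48 from 192.168.1.102:1812 to 192.168.1.1:1063 length 0
(7) Received Access-Request Id 50 from 192.168.1.1:1063 to 192.168.1.102:1812 length 510
(7)   User-Name = "lkz"
(7)   Calling-Station-Id = "34-03-DE-11-35-9D"
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap_peap: <<< recv TLS 1.0 Handshake [length 0007], Certificate
(7) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
(7) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
(7) Sent Access-Reject Id 50 from 192.168.1.102:1812 to 192.168.1.1:1063 length 44
"""

RE_LINE = re.compile(r"^\((\d+)\)\s*(.*)$")
RE_ATTR = re.compile(r'^(User-Name|Calling-Station-Id) = "([^"]*)"$')
RE_METHOD = re.compile(r"eap: Peer sent packet with method (.+ \(\d+\))$")
RE_SENT = re.compile(r"Sent (Access-(?:Accept|Reject|Challenge)) Id \d+")
RE_CERT_REQ = re.compile(r">>> send TLS \S+ Handshake \[length [0-9a-f]+\], CertificateRequest$")
RE_CERT_RECV = re.compile(r"<<< recv TLS \S+ Handshake \[length ([0-9a-f]+)\], Certificate$")
REQUIRE_CLIENT_CERT = "Setting verify mode to require certificate from client"
NO_CLIENT_CERT = "peer did not return a certificate"
# A TLS Certificate handshake message carrying an empty certificate_list is
# exactly 7 bytes: 4-byte handshake header + 3-byte zero list length.
EMPTY_CERT_MSG_LEN = 7


def parse_requests(log_text):
    """Group numbered log lines by FreeRADIUS request number and extract triage fields."""
    reqs = OrderedDict()
    for raw in log_text.splitlines():
        m = RE_LINE.match(raw.strip())
        if not m:
            continue  # "Waking up", rlm_sql pool lines and other unnumbered output
        num, body = int(m.group(1)), m.group(2).strip()
        r = reqs.setdefault(num, {"user": None, "station": None, "methods": [],
                                  "flags": set(), "result": None})
        a = RE_ATTR.match(body)
        if a:
            r["user" if a.group(1) == "User-Name" else "station"] = a.group(2)
            continue
        mm = RE_METHOD.search(body)
        if mm and mm.group(1) not in r["methods"]:
            r["methods"].append(mm.group(1))
        if REQUIRE_CLIENT_CERT in body:
            r["flags"].add("server_requires_client_cert")
        if RE_CERT_REQ.search(body):
            r["flags"].add("certificate_request_sent")
        c = RE_CERT_RECV.search(body)
        if c and int(c.group(1), 16) == EMPTY_CERT_MSG_LEN:
            r["flags"].add("empty_client_certificate")
        if NO_CLIENT_CERT in body:
            r["flags"].add("no_client_cert_error")
        s = RE_SENT.search(body)
        if s:
            r["result"] = s.group(1)
    return reqs


def classify(session):
    """Turn the flags collected for one supplicant session into a finding string."""
    f = session["flags"]
    if "no_client_cert_error" in f or (
            "certificate_request_sent" in f and "empty_client_certificate" in f):
        why = ("server requires a client certificate" if "server_requires_client_cert" in f
               else "server asked for a client certificate")
        return ("client-cert-mismatch: %s but the supplicant sent an empty Certificate "
                "message; provision a client certificate on the supplicant or stop "
                "requiring one for PEAP on the server" % why)
    if session["result"] == "Access-Accept":
        return "ok"
    if session["result"] == "Access-Reject":
        return "rejected: inner authentication or other error, inspect ERROR lines"
    return "incomplete: no final Access-Accept/Reject seen"


def triage(log_text):
    """Collapse requests into one session per (User-Name, Calling-Station-Id) and classify each."""
    sessions = OrderedDict()
    for num, r in parse_requests(log_text).items():
        key = (r["user"], r["station"])
        s = sessions.setdefault(key, {"user": r["user"], "station": r["station"],
                                      "requests": [], "methods": [], "flags": set(),
                                      "result": None})
        s["requests"].append(num)
        for mth in r["methods"]:
            if mth not in s["methods"]:
                s["methods"].append(mth)
        s["flags"] |= r["flags"]
        if r["result"]:
            s["result"] = r["result"]  # the last packet sent decides the outcome
    for s in sessions.values():
        s["finding"] = classify(s)
    return list(sessions.values())


if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(s["user"], s["station"], s["requests"], s["result"], "->", s["finding"])
```

A client-cert-mismatch finding points at the RADIUS side requiring a client certificate inside the PEAP TLS tunnel (in FreeRADIUS this is the require_client_cert option in the peap section of the eap module), which is a separate setting from the supplicant verifying the server certificate; PEAP normally authenticates the client with the inner MSCHAPv2 exchange rather than with a client certificate, so this is the server-side setting to review when the supplicant has no client certificate provisioned.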

  • Ok, so you're saying you are able to pass the connection when you use the Network Terminal application and disable server authentication on the CC3235 side, correct?

    The issue only occurs when you are not disabling server authentication and you have flashed the certificate for verifying the server?

    Can you share the server certificate and a screenshot of how you have flashed them to the device?

    Best,

    Ben M

  • Yes, you are right!

    I can share the server certificate and a screenshot.

    screenshot:

    three certificates:

    certificates.zip

  • The location in the file system appears to be correct. And you can verify that the server appears to be doing the client authentication correctly based on the client cert/private key when server authentication is skipped?

    Can you collect and provide NWP logs of your test according to Chapter 20 of this guide:

    http://www.ti.com/lit/swru455

    Thanks,

    Ben M