WPA2-Enterprise using EAP-TLS? (no password.)

[tpbedford]

Have opened a ticket https://github.com/espressif/esp-idf/issues/13429 but thought the community might have some ideas. I'm trying to connect to an enterprise wifi (WPA2 Enterprise using EAP-TLS) but the enterprise AP reports that the ESP is requesting PEAP. But, I'm not specifying a username/password so the ESP shouldn't be trying PEAP.

Any tricks to work with WPA2-Enterprise EAP-TLS? It's not even reaching TLS negotiation because it's failing in negotiating the auth type (The AP supports only EAP-TLS, so it rejects PEAP)

Code: Select all

    // this is from example/wifi-enterprise when configured for EAP-TLS (as opposed to TTLS or PEAP, which use username/password)
    ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA) );
    ESP_ERROR_CHECK(esp_wifi_set_config(WIFI_IF_STA, &wifi_config) );
    ESP_ERROR_CHECK(esp_eap_client_set_identity((uint8_t *)EXAMPLE_EAP_ID, strlen(EXAMPLE_EAP_ID)) );
    ESP_ERROR_CHECK(esp_eap_client_set_ca_cert(ca_pem_start, ca_pem_bytes) );
    ESP_ERROR_CHECK(esp_eap_client_set_certificate_and_key(client_crt_start, client_crt_bytes,
                                      client_key_start, client_key_bytes, NULL, 0) );
    ESP_ERROR_CHECK(esp_wifi_sta_enterprise_enable());
    ESP_ERROR_CHECK(esp_wifi_start());

I'm not setting up the credentials, yet the Cisco AP event logs show:

Event: 5400 Authentication failed
Failure Reason: 12851 Received unexpected EAP NAK message. Client rejected the conversation
Resolution: Verify that the client's supplicant does not have any known compatibility issues and that it is properly configured.
Root cause: ISE expects for regular conversation continuation but client sent outer EAP method NAK message. It means that client rejected conversation for some reason that is unknown to ISE. Known issue: CSSC 5.1.1.10 sends outer EAP method NAK during EAP-FAST/EAP-GTC conversation to reject the conversation according to user's input.
Username: <my ESP32's identity here>

and the Cisco logs show the ESP is requesting PEAP (line 12301):

[1:49 pm] Joseph
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Wired Dot1x
15048 Queried PIP - Radius.User-Name
15048 Queried PIP - Normalised Radius.RadiusFlowType
15048 Queried PIP - Cisco.cisco-av-pair
15048 Queried PIP - Radius.Called-Station-ID
15048 Queried PIP - DEVICE.Location
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12851 Received unexpected EAP NAK message. Client rejected the conversation
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
[1:50 pm] Joseph
I can see your device is proposing PEAP on line12301
[1:50 pm] Joseph
That means it is doing username and password

[tpbedford]

For anyone finding this refer the ticket but:
a) certs were using an encryption that was unsupported by mbedtls
b) the "len" arg given to esp_eap_client_set_certificate_and_key() unintuitively needs to be strlen(cert)+1
c) the esp_eap_client_set_certificate_and_key() doesn't parse the cert, so always returns ESP_OK even if the cert can't be parsed - the actual parsing is done in the background by the wifi task and this isn't communicated to the user unless additional WPA Supplicant debug log output is enabled in sdkconfig.