Hi,
I have an issue where we are trying to connect a Raspberry Pi CM4 based product to a customer network from a Yocto Linux OS.
I have an OpenWRT based PEAP-MSCHAPv2 network with the RADIUS server running on the OpenWRT router to test with. It's a BPI R3, so the hardware seems to be well supported and capable.
Here is the output from "iw dev wlan0 scan" for the network in question:
freq: 5660
beacon interval: 100 TUs
capability: ESS Privacy SpectrumMgmt RadioMeasure (0x1111)
signal: -75.00 dBm
last seen: 0 ms ago
SSID: testnetwork
Supported rates: 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0
TIM: DTIM Count 0 DTIM Period 1 Bitmap Control 0x0 Bitmap[0] 0x0
Country: US Environment: bogus
Channels [36 - 36] @ 24 dBm
Channels [40 - 40] @ 24 dBm
Channels [44 - 44] @ 24 dBm
Channels [48 - 48] @ 24 dBm
Channels [52 - 52] @ 24 dBm
Channels [56 - 56] @ 24 dBm
Channels [60 - 60] @ 24 dBm
Channels [64 - 64] @ 24 dBm
Channels [100 - 100] @ 24 dBm
Channels [104 - 104] @ 24 dBm
Channels [108 - 108] @ 24 dBm
Channels [112 - 112] @ 24 dBm
Channels [116 - 116] @ 24 dBm
Channels [120 - 120] @ 24 dBm
Channels [124 - 124] @ 24 dBm
Channels [128 - 128] @ 24 dBm
Channels [132 - 132] @ 24 dBm
Channels [136 - 136] @ 24 dBm
Channels [140 - 140] @ 24 dBm
Channels [144 - 144] @ 24 dBm
Channels [149 - 149] @ 30 dBm
Channels [153 - 153] @ 30 dBm
Channels [157 - 157] @ 30 dBm
Channels [161 - 161] @ 30 dBm
Channels [165 - 165] @ 30 dBm
Power constraint: 0 dB
RSN: * Version: 1
* Group cipher: CCMP
* Pairwise ciphers: CCMP
* Authentication suites: IEEE 802.1X IEEE 802.1X/SHA-256
* Capabilities: 4-PTKSA-RC 4-GTKSA-RC (0x0028)
BSS Load:
* station count: 0
* channel utilisation: 2/255
* available admission capacity: 23437 [*32us]
RM enabled capabilities:
Capabilities: 0x33 0x00 0x00 0x00 0x00
Link Measurement
Neighbor Report
Beacon Passive Measurement
Beacon Active Measurement
Nonoperating Channel Max Measurement Duration: 0
Measurement Pilot Capability: 0
HT capabilities:
Capabilities: 0x9ef
RX LDPC
HT20/HT40
SM Power Save disabled
RX HT20 SGI
RX HT40 SGI
TX STBC
RX STBC 1-stream
Max AMSDU length: 7935 bytes
No DSSS/CCK HT40
Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
Minimum RX AMPDU time spacing: 4 usec (0x05)
HT RX MCS rate indexes supported: 0-31
HT TX MCS rate indexes are undefined
HT operation:
* primary channel: 132
* secondary channel offset: above
* STA channel width: any
* RIFS: 0
* HT protection: no
* non-GF present: 0
* OBSS non-GF present: 0
* dual beacon: 0
* dual CTS protection: 0
* STBC beacon: 0
* L-SIG TXOP Prot: 0
* PCO active: 0
* PCO phase: 0
Extended capabilities:
* Extended Channel Switching
* BSS Transition
* DMS
* Operating Mode Notification
* Max Number Of MSDUs In A-MSDU is unlimited
VHT capabilities:
VHT Capabilities (0x0f8b69b1):
Max MPDU length: 7991
Supported Channel Width: neither 160 nor 80+80
RX LDPC
short GI (80 MHz)
TX STBC
SU Beamformer
MU Beamformer
VHT RX MCS set:
1 streams: MCS 0-9
2 streams: MCS 0-9
3 streams: MCS 0-9
4 streams: MCS 0-9
5 streams: not supported
6 streams: not supported
7 streams: not supported
8 streams: not supported
VHT RX highest supported: 0 Mbps
VHT TX MCS set:
1 streams: MCS 0-9
2 streams: MCS 0-9
3 streams: MCS 0-9
4 streams: MCS 0-9
5 streams: not supported
6 streams: not supported
7 streams: not supported
8 streams: not supported
VHT TX highest supported: 0 Mbps
VHT extended NSS: supported
VHT operation:
* channel width: 0 (20 or 40 MHz)
* center freq segment 1: 134
* center freq segment 2: 0
* VHT basic MCS set: 0xfffc
Transmit Power Envelope:
* Local Maximum Transmit Power For 20 MHz: 17 dBm
* Local Maximum Transmit Power For 40 MHz: 17 dBm
HE capabilities:
HE MAC Capabilities (0x000112081000):
+HTC HE Supported
BSR
OM Control
Maximum A-MPDU Length Exponent: 2
OM Control UL MU Data Disable RX
HE PHY Capabilities: (0x442002c00f438518000c00):
HE40/HE80/5GHz
242 tone RUs/5GHz
LDPC Coding in Payload
NDP with 4x HE-LTF and 3.2us GI
Rx HE MU PPDU from Non-AP STA
SU Beamformer
SU Beamformee
MU Beamformer
Beamformee STS <= 80Mhz: 3
Sounding Dimensions <= 80Mhz: 3
Ng = 16 SU Feedback
Codebook Size SU Feedback
Triggered SU Beamforming Feedback
PPE Threshold Present
Max NC: 3
TX 1024-QAM
RX 1024-QAM
HE RX MCS and NSS set <= 80 MHz
1 streams: MCS 0-11
2 streams: MCS 0-11
3 streams: MCS 0-11
4 streams: MCS 0-11
5 streams: not supported
6 streams: not supported
7 streams: not supported
8 streams: not supported
HE TX MCS and NSS set <= 80 MHz
1 streams: MCS 0-11
2 streams: MCS 0-11
3 streams: MCS 0-11
4 streams: MCS 0-11
5 streams: not supported
6 streams: not supported
7 streams: not supported
8 streams: not supported
PPE Threshold 0x3b 0x1c 0xc7 0x71 0x1c 0xc7 0x71 0x1c 0xc7 0x71
WMM: * Parameter version 1
* u-APSD
* BE: CW 15-1023, AIFSN 3
* BK: CW 15-1023, AIFSN 7
* VI: CW 7-15, AIFSN 2, TXOP 3008 usec
* VO: acm CW 3-7, AIFSN 2, TXOP 1504 usec
I have gotten a wpa_supplicant.conf file put together that successfully connects to several test PEAP-MSCHAPv2 secured networks.
The problem is that, for whatever reason, on the network it needs to work on it doesn't, and thus far the only thing we have gotten from their IT is that a "MIC validation error" is occurring and the Cisco system seems to think that means incorrect credentials.
The thing is, the packet capture shows that it is connecting successfully: the handshake works perfectly, ending with a success message. Then, 6 seconds later, the Cisco network prompts our device to reidentify/authenticate, and this goes on in a loop forever.
Here is our WPA supplicant file:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface=DIR=/var/run/wpa_supplicant
ctrl_interface_group=0
p2p_disabled=1
update_config=1
network={
    ssid="exampleNetwork"
    priority=1
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    identity="exampleUsername"
    password="examplePassword"
    phase2="auth=MSCHAPV2"
}
Any idea on what kind of settings I might need to replicate this on the OpenWRT router? I realize this could be all on their authentication server, the Cisco 9800, but I am hoping it's something I can replicate with the OpenWRT router.
Right now this is what my /etc/config/wireless file is looking like; it's a work in progress.
config wifi-device 'radio1'
    option type 'mac80211'
    option band '5g'
    #option hwmode '11g' # 2.4GHz band compatible with older g and b networks
    option path 'platform/soc/18000000.wifi+1'
    option country 'US'
    option channel '6' # Set to a preferred channel in the 2.4GHz range
    #option channel '36'
    option htmode 'HE80'
    option cell_density '0'
    option txpower '20'

config wifi-iface 'wifinet0'
    option device 'radio1'
    option network 'lan'
    option mode 'ap'
    option ssid 'testNetwork5g'
    option encryption 'wpa2+aes'
    #option ieee80211w '1' # Management Frame Protection (MFP)
    option auth_server '192.168.1.1'
    option auth_port '1812'
    option auth_secret 'testing123'
    option acct_server '192.168.1.1'
    option acct_port '1813'
    option acct_secret 'testing123'
    option wpa_disable_eapol_key_retries '1'
    option auth_suites 'IEEE8021X IEEE8021X/SHA-256'
    #option ieee80211k '1' # Enable 802.11k
    #option ieee80211v '1' # Enable 802.11v
    #option ieee80211r '1' # Enable 802.11r (Fast Transition)
    #option mobility_domain '1234' # Mobility domain identifier (4 hex digits)
    #option ft_psk_generate_local '1'
    #option reassociation_deadline '10000'
    #option pmk_r1_push '1'
    #option nasid 'my-nasid' # NAS Identifier
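
An added example, not part of the original post: a small Python check that compares the AKM suites the AP advertises in the scan's RSN block with the key_mgmt list in the supplicant's network block, and flags an EAP profile with no ca_cert or ca_path, in which case wpa_supplicant does not verify the RADIUS server's certificate. The function names are illustrative and the AKM table covers only a subset of suites (the two IEEE 802.1X names are as shown in the scan; the PSK names are assumed to match iw's output).

```python
import re

# iw "Authentication suites" name -> wpa_supplicant key_mgmt token (subset).
AKM = {"IEEE 802.1X/SHA-256": "WPA-EAP-SHA256", "IEEE 802.1X": "WPA-EAP",
       "PSK/SHA-256": "WPA-PSK-SHA256", "PSK": "WPA-PSK"}

# RSN lines and network block copied from the post above.
SCAN_RSN = ("* Pairwise ciphers: CCMP\n"
            "* Authentication suites: IEEE 802.1X IEEE 802.1X/SHA-256\n")
CONF = """network={
ssid="exampleNetwork"
priority=1
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
eap=PEAP
identity="exampleUsername"
password="examplePassword"
phase2="auth=MSCHAPV2"
}"""

def advertised_akms(scan_text):
    """key_mgmt tokens for the AKM suites listed in an iw scan RSN block."""
    m = re.search(r"Authentication suites:\s*(.+)", scan_text)
    rest, found = (m.group(1) if m else ""), set()
    for name in sorted(AKM, key=len, reverse=True):  # longest name first
        if name in rest:
            found.add(AKM[name])
            rest = rest.replace(name, " ")  # avoid re-matching a shorter name
    return found

def network_fields(conf_text):
    """key -> value for the first network={...} block, quotes stripped."""
    block = re.search(r"network=\{(.*?)\n\s*\}", conf_text, re.S).group(1)
    pairs = (l.strip().split("=", 1) for l in block.splitlines() if "=" in l)
    return {k: v.strip('"') for k, v in pairs if not k.startswith("#")}

def review(scan_text, conf_text):
    """List differences between the AP's RSN block and the network block."""
    f, ap = network_fields(conf_text), advertised_akms(scan_text)
    sta = set(f.get("key_mgmt", "WPA-PSK WPA-EAP").split())  # documented default
    out = [f"AP advertises {a}; key_mgmt does not list it" for a in sorted(ap - sta)]
    if not ap & sta:
        out.append("no AKM suite in common with the AP")
    if "eap" in f and not {"ca_cert", "ca_path"} & f.keys():
        out.append("ca_cert unset: RADIUS server certificate is not verified")
    return out

if __name__ == "__main__":
    print("\n".join(review(SCAN_RSN, CONF)))
```

The findings are a comparison aid only; a listed difference is not by itself the cause of an authentication failure.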