Help replicating a network on OpenWRT

Hi,

I have an issue where we are trying to connect a Raspberry Pi CM4 based product to a customer network from a Yocto Linux OS.

I have an OpenWRT based PEAP-MSCHAPv2 network with the RADIUS server running on the OpenWRT router to test with. It's a BPI R3, so the hardware seems to be well supported and capable.

Here is the output from "iw dev wlan0 scan" for the network in question:

        freq: 5660
        beacon interval: 100 TUs
        capability: ESS Privacy SpectrumMgmt RadioMeasure (0x1111)
        signal: -75.00 dBm
        last seen: 0 ms ago
        SSID: testnetwork
        Supported rates: 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0
        TIM: DTIM Count 0 DTIM Period 1 Bitmap Control 0x0 Bitmap[0] 0x0
        Country: US     Environment: bogus
                Channels [36 - 36] @ 24 dBm
                Channels [40 - 40] @ 24 dBm
                Channels [44 - 44] @ 24 dBm
                Channels [48 - 48] @ 24 dBm
                Channels [52 - 52] @ 24 dBm
                Channels [56 - 56] @ 24 dBm
                Channels [60 - 60] @ 24 dBm
                Channels [64 - 64] @ 24 dBm
                Channels [100 - 100] @ 24 dBm
                Channels [104 - 104] @ 24 dBm
                Channels [108 - 108] @ 24 dBm
                Channels [112 - 112] @ 24 dBm
                Channels [116 - 116] @ 24 dBm
                Channels [120 - 120] @ 24 dBm
                Channels [124 - 124] @ 24 dBm
                Channels [128 - 128] @ 24 dBm
                Channels [132 - 132] @ 24 dBm
                Channels [136 - 136] @ 24 dBm
                Channels [140 - 140] @ 24 dBm
                Channels [144 - 144] @ 24 dBm
                Channels [149 - 149] @ 30 dBm
                Channels [153 - 153] @ 30 dBm
                Channels [157 - 157] @ 30 dBm
                Channels [161 - 161] @ 30 dBm
                Channels [165 - 165] @ 30 dBm
        Power constraint: 0 dB
        RSN:     * Version: 1
                 * Group cipher: CCMP
                 * Pairwise ciphers: CCMP
                 * Authentication suites: IEEE 802.1X IEEE 802.1X/SHA-256
                 * Capabilities: 4-PTKSA-RC 4-GTKSA-RC (0x0028)
        BSS Load:
                 * station count: 0
                 * channel utilisation: 2/255
                 * available admission capacity: 23437 [*32us]
        RM enabled capabilities:
                Capabilities: 0x33 0x00 0x00 0x00 0x00
                        Link Measurement
                        Neighbor Report
                        Beacon Passive Measurement
                        Beacon Active Measurement
                Nonoperating Channel Max Measurement Duration: 0
                Measurement Pilot Capability: 0
        HT capabilities:
                Capabilities: 0x9ef
                        RX LDPC
                        HT20/HT40
                        SM Power Save disabled
                        RX HT20 SGI
                        RX HT40 SGI
                        TX STBC
                        RX STBC 1-stream
                        Max AMSDU length: 7935 bytes
                        No DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: 4 usec (0x05)
                HT RX MCS rate indexes supported: 0-31
                HT TX MCS rate indexes are undefined
        HT operation:
                 * primary channel: 132
                 * secondary channel offset: above
                 * STA channel width: any
                 * RIFS: 0
                 * HT protection: no
                 * non-GF present: 0
                 * OBSS non-GF present: 0
                 * dual beacon: 0
                 * dual CTS protection: 0
                 * STBC beacon: 0
                 * L-SIG TXOP Prot: 0
                 * PCO active: 0
                 * PCO phase: 0
        Extended capabilities:
                 * Extended Channel Switching
                 * BSS Transition
                 * DMS
                 * Operating Mode Notification
                 * Max Number Of MSDUs In A-MSDU is unlimited
        VHT capabilities:
                VHT Capabilities (0x0f8b69b1):
                        Max MPDU length: 7991
                        Supported Channel Width: neither 160 nor 80+80
                        RX LDPC
                        short GI (80 MHz)
                        TX STBC
                        SU Beamformer
                        MU Beamformer
                VHT RX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: MCS 0-9
                        4 streams: MCS 0-9
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT RX highest supported: 0 Mbps
                VHT TX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: MCS 0-9
                        4 streams: MCS 0-9
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT TX highest supported: 0 Mbps
                VHT extended NSS: supported
        VHT operation:
                 * channel width: 0 (20 or 40 MHz)
                 * center freq segment 1: 134
                 * center freq segment 2: 0
                 * VHT basic MCS set: 0xfffc
        Transmit Power Envelope:
                 * Local Maximum Transmit Power For 20 MHz: 17 dBm
                 * Local Maximum Transmit Power For 40 MHz: 17 dBm
        HE capabilities:
                HE MAC Capabilities (0x000112081000):
                        +HTC HE Supported
                        BSR
                        OM Control
                        Maximum A-MPDU Length Exponent: 2
                        OM Control UL MU Data Disable RX
                HE PHY Capabilities: (0x442002c00f438518000c00):
                        HE40/HE80/5GHz
                        242 tone RUs/5GHz
                        LDPC Coding in Payload
                        NDP with 4x HE-LTF and 3.2us GI
                        Rx HE MU PPDU from Non-AP STA
                        SU Beamformer
                        SU Beamformee
                        MU Beamformer
                        Beamformee STS <= 80Mhz: 3
                        Sounding Dimensions <= 80Mhz: 3
                        Ng = 16 SU Feedback
                        Codebook Size SU Feedback
                        Triggered SU Beamforming Feedback
                        PPE Threshold Present
                        Max NC: 3
                        TX 1024-QAM
                        RX 1024-QAM
                HE RX MCS and NSS set <= 80 MHz
                        1 streams: MCS 0-11
                        2 streams: MCS 0-11
                        3 streams: MCS 0-11
                        4 streams: MCS 0-11
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                HE TX MCS and NSS set <= 80 MHz
                        1 streams: MCS 0-11
                        2 streams: MCS 0-11
                        3 streams: MCS 0-11
                        4 streams: MCS 0-11
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                PPE Threshold 0x3b 0x1c 0xc7 0x71 0x1c 0xc7 0x71 0x1c 0xc7 0x71
        WMM:     * Parameter version 1
                 * u-APSD
                 * BE: CW 15-1023, AIFSN 3
                 * BK: CW 15-1023, AIFSN 7
                 * VI: CW 7-15, AIFSN 2, TXOP 3008 usec
                 * VO: acm CW 3-7, AIFSN 2, TXOP 1504 usec

I have gotten a wpa_supplicant.conf file put together that successfully connects to several test PEAP-MSCHAPv2 secured networks.

The problem is that, for whatever reason, on the network it needs to work on it doesn't, and thus far the only thing we have gotten from their IT is that a "MIC validation error" is occurring and the Cisco system seems to think that means incorrect credentials.

The thing is, the packet capture shows that it is connecting successfully: the handshake works perfectly, ending with a success message. Then 6 seconds later the Cisco network prompts our device to re-identify/authenticate, and this goes on in a loop forever.

Here is our WPA supplicant file:

# wpa_supplicant.conf used on the CM4: control socket settings, then the PEAP network block
ctrl_interface=DIR=/var/run/wpa_supplicant
ctrl_interface_group=0
p2p_disabled=1
update_config=1

network={
	ssid="exampleNetwork"
	priority=1
	proto=RSN                  # WPA2 (RSN IE) only
	key_mgmt=WPA-EAP           # 802.1X AKM; the SHA-256 variant offered by the AP would be WPA-EAP-SHA256
	pairwise=CCMP
	eap=PEAP                   # outer TLS tunnel
	identity="exampleUsername"
	password="examplePassword"
	phase2="auth=MSCHAPV2"     # inner method
	# no ca_cert= is set, so the RADIUS server certificate is not verified by the client
}

Any idea on what kind of settings I might need to replicate this on the OpenWRT router? I realize this could all be on their authentication server, the Cisco 9800, but I am hoping it's something I can replicate with the OpenWRT router.

Right now this is what my /etc/config/wireless file looks like; it's a work in progress.

config wifi-device 'radio1'
	option type 'mac80211'
	option band '5g'
	#option hwmode '11g'           # 2.4 GHz legacy mode, compatible with older b/g networks; not applicable to a 5g radio
	option path 'platform/soc/18000000.wifi+1'
	option country 'US'
	option channel '36'            # must be a 5 GHz channel for band '5g'; the scanned network sits on channel 132 (5660 MHz) at 40 MHz width
	option htmode 'HE80'
	option cell_density '0'
	option txpower '20'

config wifi-iface 'wifinet0'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'testNetwork5g'
	option encryption 'wpa2+aes'
	#option ieee80211w '1'         # Management Frame Protection (MFP)
	option auth_server '192.168.1.1'
	option auth_port '1812'
	option auth_secret 'testing123'
	option acct_server '192.168.1.1'
	option acct_port '1813'
	option acct_secret 'testing123'
	option wpa_disable_eapol_key_retries '1'
	option auth_suites 'IEEE8021X IEEE8021X/SHA-256'
	#option ieee80211k '1'         # Enable 802.11k (radio measurement)
	#option ieee80211v '1'         # Enable 802.11v (BSS transition)
	#option ieee80211r '1'         # Enable 802.11r (Fast Transition)
	#option mobility_domain '1234' # Mobility domain identifier (4 hex digits)
	#option ft_psk_generate_local '1'
	#option reassociation_deadline '10000'
	#option pmk_r1_push '1'
	#option nasid 'my-nasid'       # NAS Identifier

I'm not sure exactly what you are trying to do but it sounds like you want to configure a wifi-capable OpenWrt device to be a client of a Cisco network using EAP authentication.

The OpenWrt equivalent to the wpa_supplicant configuration that you posted would be:

config wifi-iface 'example'
   option device 'radio0'
   option mode 'sta'
   option network 'wwan'
   option ssid 'exampleNetwork'
   option encryption 'wpa2'
   option eap_type 'peap'
   option auth 'MSCHAPV2'
   option identity 'exampleUsername'
   option password 'examplePassword'

You'll also need to create a network named wwan of proto dhcp (and add it to a firewall zone in order to pass any useful traffic).

This requires the full wpad package; remove the wpad-basic that is present by default, install wpad-mbedtls and reboot. There used to be a bug (maybe still is) in libopenssl that had problems connecting to Cisco systems. I used mbedtls instead.

Thanks for the reply.

So what I am trying to do is get a Raspberry Pi CM4 based device using Yocto Linux / wpa_supplicant nl80211 driver to connect to a Cisco PEAP-MSCHAPv2 secured network.

During development, in order to debug this, I set up an OpenWRT router as a test network. It broadcasts two test networks, "testNetwork2g" and "testNetwork5g". On the OpenWRT router itself I have set up FreeRADIUS to handle authentication and have a couple of sets of credentials.

This works perfectly and our device can connect.

I posted the "iw dev wlan0 scan" information for the network we are currently trying, unsuccessfully, to connect to from the Raspberry Pi CM4.

So what I want to do is set up my OpenWRT router to mimic the network shown in the "iw dev wlan0 scan" data above as closely as possible.

Here is my current WORKING /etc/config/wireless configuration from my OpenWRT router.

  • What do I need to modify in this configuration to match the network shown in the "iw dev wlan0 scan" information in my original post?

  • I am fixated on IEEE8021X/SHA-256 as being one major thing I noticed to be different and that I need to replicate.

The goal is to set up an OpenWRT router to mimic the customer network and hopefully recreate this connection issue so I can figure out how to fix it.

If OpenWRT is configured right, then "iw dev wlan0 scan" of the network should look almost identical to the output in my original post.

Laptops/phones can successfully connect to this customer network, just not our device.

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'
	option txpower '20'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'
	option txpower '20'

config wifi-iface 'wifinet0'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'testNetwork5g'
	option encryption 'wpa2'
	option auth_server '127.0.0.1'
	option auth_secret 'testing123'
	option acct_server '127.0.0.1'
	option acct_secret 'testing123'
	option auth_suites 'IEEE8021X'

config wifi-iface 'wifinet1'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'testNetwork2g'
	option encryption 'wpa2'
	option auth_server '127.0.0.1'
	option auth_secret 'testing123'
	option acct_server '127.0.0.1'
	option acct_secret 'testing123'
	option auth_suites 'IEEE8021X'
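To check how closely a test AP matches the customer one, here is an added parser for the "iw dev wlan0 scan" format quoted in this thread (example code, not the poster's or OpenWrt's): it pulls out the frequency, capability flags, RSN AKM suites and the RSN Capabilities word, decodes that word into its bit fields (the customer AP's 0x0028 advertises the 802.1X/SHA-256 AKM while leaving the MFP-capable bit clear), and diffs two scans. The sample scans are constructed; the test-AP sample is hypothetical.

```python
import re
# Constructed sample (not from the thread): the customer scan lines above that
# matter for matching, and what an OpenWrt test AP might show instead.
CUSTOMER = """\
        freq: 5660
        capability: ESS Privacy SpectrumMgmt RadioMeasure (0x1111)
                 * Authentication suites: IEEE 802.1X IEEE 802.1X/SHA-256
                 * Capabilities: 4-PTKSA-RC 4-GTKSA-RC (0x0028)
                 * primary channel: 132
"""
TEST_AP = """\
        freq: 5180
        capability: ESS Privacy (0x0011)
                 * Authentication suites: IEEE 802.1X
                 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC MFP-capable (0x0080)
                 * primary channel: 36
"""
AKM_RE = re.compile(r"IEEE 802\.1X/SHA-256|IEEE 802\.1X|PSK/SHA-256|PSK|SAE|OWE|FT/\S+")
RSN_CAPA_RE = r"\*\s*Capabilities:[^\n]*\((0x[0-9a-fA-F]+)\)"  # only the RSN line ends in (0x..)

def parse_scan(text):
    """Pull the association-relevant fields out of `iw dev <ifname> scan` output."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text, re.MULTILINE)
        return conv(m.group(1).strip()) if m else None
    return {
        "freq": grab(r"^\s*freq:\s*(\d+)", int),
        "capability": grab(r"^\s*capability:\s*(.*?)\s*\(0x", lambda s: tuple(s.split())),
        "akm": grab(r"Authentication suites:\s*(\S.*)$", lambda s: tuple(AKM_RE.findall(s))),
        "rsn_capa": grab(RSN_CAPA_RE, lambda s: int(s, 16)),
        "primary_channel": grab(r"primary channel:\s*(\d+)", int),
    }

def decode_rsn_capabilities(value):
    """Split the RSN Capabilities field (IEEE 802.11-2020, 9.4.2.24.4) into its subfields."""
    counters = (1, 2, 4, 16)  # encoding of the two replay-counter subfields
    return {
        "preauth": bool(value & 0x0001),
        "no_pairwise": bool(value & 0x0002),
        "ptksa_replay_counters": counters[(value >> 2) & 0x3],
        "gtksa_replay_counters": counters[(value >> 4) & 0x3],
        "mfp_required": bool(value & 0x0040),
        "mfp_capable": bool(value & 0x0080),
    }

def diff_scans(reference, candidate):
    """Return {field: (reference, candidate)} for every field where the two APs differ."""
    a, b = parse_scan(reference), parse_scan(candidate)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
```

Feed it the full scan dump from the original post and a scan of the OpenWrt AP; every key that diff_scans reports is a setting still to reconcile.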

So you're asking how to make openwrt respond to your device the same way the Cisco device does?

That's not going to be possible. Cisco is proprietary to the nth degree, with all kinds of additions to the usual standards; you have to work with their implementations, not try to duplicate them on another system.


Yes, the only way to be certain you can connect to a Cisco AP and network is to test in place with an actual Cisco AP.

The WiFi chip and driver in the Pi 4 is very limited in what it can do as (a) it's an old chip intended for low-end smartphones and (b) Broadcom has no open-source support. At some point your customer's network will be upgraded to require WPA3, and the Pi definitely cannot do that. Your project will then stop working.

I know it wouldn't be exactly the same but I was hoping I could approximate it enough to cause the same connect/disconnect behavior on our device.

The cost to set up our own Cisco network to test with was very prohibitive, even with used equipment, not to mention the learning curve to do so.

Really, the only thing I am currently focused on is the IEEE8021X/SHA-256. That seems promising, maybe? I don't know; I'm trying to set that up on OpenWRT.

Otherwise you're right, it's some issue between our device and the proprietary Cisco hardware/software. I was hoping it was more generalized, like some network configuration I could replicate with OpenWRT.

Next week we will finally learn exactly why the MIC validation error is happening on the Cisco side of things. I'm hoping that gives us our answer; we'll see.

Your wifi signal is wildly out of spec for the US.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall