Wi-Fi enterprise: Radius server connection issue with specific router brands

No_Name

Hi,

I'm trying to make a Wi-Fi enterprise connection with a TP-LINK router using a RADIUS server, but while connecting I'm getting the error MBEDTLS_SSL_ALERT_MSG_BAD_CERT at the time of parsing the server certificate.

I tested the same scenario with a Cisco router and there is no error. I am able to connect successfully.

FYI: Using the CYW43455 chip as the Wi-Fi module

TP-link model no: Archer MR200

Cisco Model no: Linksys E900

Thanks

Phanindra_I
Moderator

Hello,

Please provide info for my questions below.

1. Which SDK are you using (WICED or MTB, with version)?

2. What is the host MCU?

3. Are you using FreeRADIUS? If so, what is the version?

Thanks

No_Name

Hi,

SDK: WICED-Studio-6.6

Host MCU: i.MX RT1051

Yes, I'm using FreeRadius.

Version: 3.0

Thanks

Phanindra_I
Moderator

Hi,

Are you using WICED only, or MCUXpresso with the WICED stack ported to it? I'm asking because i.MX doesn't have support in WICED by default. The host is interfaced with WLAN through SDIO only, right?

Thanks

No_Name

"Host is interfaced with WLAN through SDIO only, right?" Yes, correct.

Not using the MCUXpresso IDE. Using the Eclipse IDE as per project requirement; the code is there.

But there is no change to the WICED stack.

Thanks

 

No_Name

Hi,

Any update?

Thanks

Phanindra_I
Moderator

Hi,

The error message points to the server certificate not being proper, so please make sure you've configured the server certificate correctly on the FreeRADIUS side. Apart from this, you can provide the terminal logs after uncommenting "supplicant stack prints" in the "wiced_defaults.h" file.

Also, please provide the Wireshark logs containing the TLS exchanges between your device and the AP.

Thanks

No_Name

Hi,

I know the error message is regarding the certificate. But when I'm using the same certificate with the Cisco router, it's working fine.

Regarding the Wireshark logs, I'll send them to you as soon as possible.

Thanks

No_Name

Hi,

Sorry for the late reply.

Please check the Wireshark logs & RADIUS server logs.

Thanks

No_Name

Hi,

Any update on the Wi-Fi enterprise issue?

Thanks

Phanindra_I
Moderator

Hi,

The Wireshark logs you've attached don't have TLS interactions between the 43455 & AP. I believe you've captured the logs on a Windows machine using Wireshark. I would want to see the certificate in the Wireshark logs for both cases (success and failure).

Thanks

Hi,

Can you please try using the radius filter in Wireshark?

I think the network logs are mixed.

No_Name_0-1684504205412.png

 

Thanks

Phanindra_I
Moderator

Hi,

I can see RADIUS packets in the logs, but they are not helpful for understanding the failure. As I've mentioned before, the TLS packets will have the server certificate and will give some clue on whether the server certificate is correctly sent to the 43455 from the AP.

Thanks

TorshaDas

Hi, 

Could you please tell us how to get those TLS packets so that we can provide you with the information you are looking for?

 

Thanks

Phanindra_I
Moderator

Hello,

There are two modes of sniffing: native and monitor. In monitor mode, you can capture packets from all devices on any network. In native mode, you can only capture packets between your PC and router. Linux and Mac PCs usually support monitor mode, so you can run Wireshark on them and capture logs. You can do it on your Windows machine if your Wi-Fi card supports monitor mode, to capture TLS packets between the 43455 & AP.

Thanks 

0 Likes
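
The thread asks for the TLS frames that carry the server certificate in both the working and the failing case. As an added example (not part of any post in this thread and not vendor code), the Python below reassembles the server's EAP fragments from 802.1X frames taken from a monitor-mode capture and returns the certificates the AP actually relayed, so the two captures can be compared. It assumes TLS 1.2 or earlier, frames supplied as raw bytes starting at the EAPOL header, and hypothetical function names; the sample capture is constructed.

```python
import struct

def eap_tls_fragment(eapol):
    """TLS bytes carried by one EAPOL frame if it is a TLS-based EAP-Request, else None."""
    if len(eapol) < 10 or eapol[1] != 0:              # EAPOL packet type 0 = EAP-Packet
        return None
    code, _id, length, eap_type, flags = struct.unpack("!BBHBB", eapol[4:10])
    if code != 1 or eap_type not in (13, 21, 25):     # Request; EAP-TLS, EAP-TTLS, PEAP
        return None
    data = eapol[10:4 + length]
    return data[4:] if flags & 0x80 else data         # L flag: 4-byte total length first

def server_certificates(frames):
    """Reassemble the server's TLS flight; return the entries of its Certificate message."""
    stream = b"".join(d for d in map(eap_tls_fragment, frames) if d)
    handshake, pos = b"", 0
    while pos + 5 <= len(stream) and stream[pos] == 22:    # 22 = handshake record
        rec_len = int.from_bytes(stream[pos + 3:pos + 5], "big")
        handshake += stream[pos + 5:pos + 5 + rec_len]
        pos += 5 + rec_len
    pos = 0
    while pos + 4 <= len(handshake):
        msg_type, msg_len = handshake[pos], int.from_bytes(handshake[pos + 1:pos + 4], "big")
        body = handshake[pos + 4:pos + 4 + msg_len]
        if msg_type == 11:                                 # 11 = Certificate
            if len(body) < msg_len:
                raise ValueError("Certificate message incomplete: fragments missing from capture")
            certs, i = [], 3                               # skip the 3-byte list length
            while i + 3 <= len(body):
                n = int.from_bytes(body[i:i + 3], "big")
                certs.append(body[i + 3:i + 3 + n])
                i += 3 + n
            return certs
        pos += 4 + msg_len
    return []

def build_sample(fragment_size=40):   # constructed capture; placeholder bytes, not real DER
    certs = [b"LEAF" * 20, b"ROOT" * 15]
    clist = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    msgs = [(2, b"\x03\x03" + bytes(36)), (11, len(clist).to_bytes(3, "big") + clist), (14, b"")]
    hs = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in msgs)
    record = b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs
    frames = []
    for off in range(0, len(record), fragment_size):
        chunk = record[off:off + fragment_size]
        more = 0x40 if off + fragment_size < len(record) else 0   # M flag: more fragments
        eap = struct.pack("!BBHBB", 1, off & 0xFF, 6 + len(chunk), 25, more) + chunk
        frames.append(struct.pack("!BBH", 2, 0, len(eap)) + eap)
    return frames, certs
```

With a real capture, each returned entry is one DER certificate that can be written to a file and inspected. A `ValueError` means the capture lost fragments and should be repeated before drawing conclusions about the certificate.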