Handshake error connecting particle to eduroam

Dear particle team and community,

Thank you for a fantastic product and all the support available on this forum. We’ve been using particle photons for a long time on our university wireless but have recently started migration to the eduroam network that is more widely available at universities in the US and abroad, following the instructions available here https://docs.particle.io/support/particle-devices-faq/wpa2-enterprise/ and in various threads on this forum. Working closely with our IT team and the radius server admins, we solved initial authentication issues and the particle photons now successfully authenticate with the radius server; however, they never request an IP address from the DHCP server and instead report error 1064, which means “Unknown failure occurred during the EAPOL key handshake” according to the error constants listed here. Even our radius admins are puzzled by this error and not sure what could be wrong either in the server configuration or with the way the particles interpret the successful authentication response. Any help or suggestions very much appreciated.

The system firmware version is 1.0.1 and I’m using @rickkas7’s wonderful photon-clouddebug program with a few extra info messages added in to see what is happening on the photon side. I’m including an excerpt from the serial log of this program as well as the logs from the radius server below (id and other sensitive information replaced by *******).

Photon serial log:

----- turning on WiFi module -----
0000005545 [hal.wlan] INFO: Using internal antenna
----- setting to use dynamic IP -----
MAC address: **************
----- configured credentials -----
ssid=eduroam, security=wpa2 e, cipher=1, channel = 0
----- available access points -----
**************
----- connecting to WiFi... -----
0000006888 [hal.wlan] TRACE: Free RAM before suppl: 51992
0000006888 [hal.wlan] TRACE: Starting supplicant
0000006913 [hal.wlan] TRACE: Supplicant started 0
0000006913 [hal.wlan] TRACE: Free RAM after suppl: 38552
0000006913 [hal.wlan] INFO: Joining eduroam
0000006914 [hal.wlan] TRACE: Free RAM connect: 38552
0000010938 [hal.wlan] ERROR: wiced_join_ap_specific(), result: 1064
0000010938 [hal.wlan] TRACE: Stopping supplicant
0000010939 [hal.wlan] TRACE: Supplicant stopped
0000010939 [hal.wlan] TRACE: Free RAM after suppl stop: 51992

RADIUS log (access-request followed by access-accept):

Thu May 23 14:27:25 2019: DEBUG: Handling with EAP: code 2, 12, 75, 25
Thu May 23 14:27:25 2019: DEBUG: Response type 25
Code: Access-Request
Identifier: 146
Authentic: <31><203>5~=W<151><142>8<219>_S<245><29>Z<128>
Attributes:
User-Name = "**************"
Chargeable-User-Identity = ""
Location-Capable = CIVIC_LOCATION
Calling-Station-Id = "e0-4f-43-7b-d2-33"
Called-Station-Id = "00-17-0f-21-dd-00:eduroam"
NAS-Port = 13
cisco-avpair = "audit-session-id=0ac7c844014682055ce700aa"
Acct-Session-Id = "5ce700aa/e0:4f:43:7b:d2:33/21204207"
NAS-IP-Address = 10.199.200.68
NAS-Identifier = "neo-wism2-2-rgnt"
Airespace-WLAN-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 882
EAP-Message = <2><12><0>K<25><0><23><3><3><0>@<180><0>z5<158>E<193><225>L<154>Tg<220>#U<13>P<205><147><232><252><5><129><150>[<194>Z<246><131><138><21><217><15>t?<16><234>9M,<176><176><14><29><1>"G<193><191>[rw<173>'<172><<219><20><159><10><178><31><208><187>
Message-Authenticator = v)W<176>d<183>+[<254><144><252>J<6><154><181><182>
 
Thu May 23 14:27:25 2019: DEBUG: Handling request with Handler 'Client-Identifier=DOT1X, Realm=******', Identifier ''
Thu May 23 14:27:25 2019: DEBUG: Deleting session for **************, 10.199.200.68, 13
Thu May 23 14:27:25 2019: DEBUG: Handling with Radius::AuthFILE:
Thu May 23 14:27:25 2019: DEBUG: Handling with EAP: code 2, 12, 75, 25
Thu May 23 14:27:25 2019: DEBUG: Response type 25
Thu May 23 14:27:25 2019: DEBUG: EAP Success, elapsed time 0.271921
Thu May 23 14:27:25 2019: DEBUG: EAP result: 0,
Thu May 23 14:27:25 2019: DEBUG: AuthBy FILE result: ACCEPT,
Thu May 23 14:27:25 2019: DEBUG: Access accepted for **************
Thu May 23 14:27:25 2019: DEBUG: Packet dump:
*** Sending to 10.199.200.68 port 32772 ....
Code: Access-Accept
Identifier: 146
Authentic: <175><20>/<248><204>`C<177>9]<175><246><184><139>PH
Attributes:
EAP-Message = <3><12><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
MS-MPPE-Send-Key = <166><237><181>(H<244>K$<26><204><162>x<29>L<251><217><238><22>po<245>=<250><163><187><201><15><183><23><199>A0
MS-MPPE-Recv-Key = <181><241>}<153><240><245><229><210><196>p<197><227><183><190><145>C'<6><220>23><195><211>1g<143><141><1><220>G<172>
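
Added example (not part of the original post, and not Particle or RADIUS server code): a Python decoder for the two `EAP-Message` values in the RADIUS dump above, assuming the log's notation is `<N>` for one decimal byte and literal ASCII otherwise; the function names are hypothetical. It shows that the last request is a complete 75-byte PEAP response wrapping a TLS 1.2 application-data record and that the Access-Accept carries a bare EAP-Success, so the EAP exchange itself finished before the 1064 key-handshake error.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert",
               22: "handshake", 23: "application_data"}
EAP_TYPE_PEAP = 25

# EAP-Message values copied from the RADIUS log above.
REQUEST_EAP = r"""<2><12><0>K<25><0><23><3><3><0>@<180><0>z5<158>E<193><225>L<154>Tg<220>#U<13>P<205><147><232><252><5><129><150>[<194>Z<246><131><138><21><217><15>t?<16><234>9M,<176><176><14><29><1>"G<193><191>[rw<173>'<172><<219><20><159><10><178><31><208><187>"""
ACCEPT_EAP = "<3><12><0><4>"


def unescape(dump: str) -> bytes:
    """Assumed log notation: <N> is one decimal byte, anything else literal ASCII."""
    return bytes(int(m.group(1)) if m.group(1) else ord(m.group(2))
                 for m in re.finditer(r"<(\d{1,3})>|(.)", dump, re.S))


def parse_eap(raw: bytes) -> dict:
    """Decode the EAP header and, for PEAP, the first tunnelled TLS record header."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident,
            "length": length, "complete": length == len(raw)}
    if code not in (1, 2) or length < 5:
        return info  # Success/Failure packets carry no type or data
    info["type"] = raw[4]
    if raw[4] == EAP_TYPE_PEAP and len(raw) > 5:
        flags = raw[5]
        info["peap_flags"] = flags
        # L bit (0x80) set: a 4-byte TLS message length precedes the record
        off = 6 + (4 if flags & 0x80 else 0)
        if len(raw) >= off + 5:
            ctype, major, minor, rlen = struct.unpack("!BBBH", raw[off:off + 5])
            info["tls"] = {"content": TLS_CONTENT.get(ctype, ctype),
                           "version": (major, minor), "length": rlen,
                           "complete": off + 5 + rlen == len(raw)}
    return info


if __name__ == "__main__":
    for name, dump in (("Access-Request", REQUEST_EAP),
                       ("Access-Accept", ACCEPT_EAP)):
        print(name, parse_eap(unescape(dump)))
```

The decoded header fields match the server's own line `Handling with EAP: code 2, 12, 75, 25`.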
 

Welcome to the community.

I have been trying to get photons to access the Particle cloud using WPA Enterprise and eduroam for a while now.

I have tried on 2 different University sites to connect a Photon to eduroam - both failed. @nrobinson2000 has succeeded at his University with a simple username and password on PEAP-MSCHAPv2. I am not sure he has access to the logs on the freeRadius server - apparently it just worked!

I have a test setup which is meant to mimic the Particle developer’s test environment (Ubiquiti WAP and freeRadius running on a RPi) but this is not working either. I am getting the same result on the Photon (1.1.0) as you are - 1064 and I am seeing the same success in authentication but then the photon is dropping the authentication session from the freeRadius server.

The challenge is that there is very little resource in Particle to investigate such WiFi issues and what there is, is working on Mesh or Cellular as a priority over WiFi. :frowning:

One thing I need to try is the same test but with device OS 0.7.0 which was the first to have WPA2 Enterprise support. If you look in the release notes there have been a few cryptos added and some removed and re-instated (MD5). Not sure if this has any bearing on the issues we are both seeing.
