Forums - WPA2-Enterprise disconnect precisely 30 minutes after initial authentication, loading CA certificate prevents authentication

3 posts / 0 new
Last post
WPA2-Enterprise disconnect precisely 30 minutes after initial authentication, loading CA certificate prevents authentication
rsent
Join Date: 19 Aug 22
Posts: 2
Posted: Fri, 2022-08-19 11:55

Hi all,

I am connecting to a WPA2 Enterprise network with a QCA4020 using PEAP MSCHAPV2 and am able to successfully authenticate. However, after connecting, the device will disconnect after precisely 30 minutes.

I observed the same issue on an Apple iPad, also on the same network. The solution that worked there was installing a root CA cert provided to me by the network administrator.

I attempted to implement a similar fix using the SDK (v3.4) by setting the __QAPI_WLAN_PARAM_GROUP_SECURITY_8021X_CA_CER parameter using the below snippet of code. I wrote the certificate to the flash filesystem at /spinor/cacert successfully before calling this function. I did not change the authentication method, leaving it as QAPI_WLAN_8021X_METHOD_EAP_PEAP_MSCHAPV2_E.

  #define CERT_PATH "/spinor/cacert"
  /* Snip */
  const char * const certificate = CERT_PATH;
  status = qapi_WLAN_Set_Param(0,
                               __QAPI_WLAN_PARAM_GROUP_WIRELESS_SECURITY,
                               __QAPI_WLAN_PARAM_GROUP_SECURITY_8021X_CA_CER,
                               certificate, strlen(certificate) + 1, FALSE);

Once I do the above, however, the QCA4020 now fails to authenticate. It does begin the authentication process, but fails to authenticate with the RADIUS server and obviously fails to connect to the network.

Am I misunderstanding how to configure the CA certificate? Is there another solution available? I read through the QCLI_Demo code (specifically wifi_cmd_handler.c:4037) and I see that the CA cert is only configured when using EAP TLS. However, this requires another client side certificate, which is not available for the network.

Thanks for the help.

  • Up0
  • Down0
c_rpedad
Profile picture
Join Date: 18 Jun 18
Location: San Jose
Posts: 317
Posted: Fri, 2022-08-19 12:58

Can you try with QCLI_Demo to verify the same behaviour ?

Step 1: Modify Build.bat to enable 802.1X
SET CFG_FEATURE_WLAN_8021X=true

Step 2:
wlan SetWpaCertParameters PEAP-MSCHAPV2 ioetest ioetest 12345678 0 0 0 0 0 1 QAPI_NET_SSL_NO_SERVER_AUTH

Or

net cert get clientCAlist.crt 192.168.20.130 -s clientCAlist -t pem_ca_list
WLAN SetWpaParameters WPA2CERT CCMP CCMP
WLAN SetWpaCertParameters TLS 4020_ap 4020test 12345678 0 clientCAlist client 0 0 0x1006b



 

  • Up0
  • Down0
rsent
Join Date: 19 Aug 22
Posts: 2
Posted: Wed, 2022-08-24 14:06

Hi Raja,

I ran a test using QCLI_demo and observed the same behavior. Using PEAP-MSCHAPV2, the device is able to initially connect before losing connection at the 30 minute mark. It does automatically reconnect afterwards, printing DHCPv4c information. However, the connection is still lost for a brief period of time.

I was not able to test the behavior when using TLS since the network is not configured for that authentication method. No client certificates are available.

Thanks for the help!

  • Up0
  • Down0
or Register

Opinions expressed in the content posted here are the personal opinions of the original authors, and do not necessarily reflect those of Qualcomm Incorporated or its subsidiaries (“Qualcomm”). The content is provided for informational purposes only and is not meant to be an endorsement or representation by Qualcomm or any other party. This site may also provide links or references to non-Qualcomm sites and resources. Qualcomm makes no representations, warranties, or other commitments whatsoever about any non-Qualcomm sites or third-party resources that may be referenced, accessible from, or linked to this site.