Connect Baby to WPA2-EAP

[inkasso]

Hi folks!

I recently updated my network and would like to switch completely to WPA2-EAP authentication. The setup works already with other WiFi devices but I'm struggeling to get my Squeezebox connected.

Player-Modell: Squeezebox Radio
Gerätetyp: baby
Firmware: 8.0.1-r16855

LMS and device were recently updated to 8.0.1 and I already found a howto at blog.raptor2101.de/2011/12/27/squeezebox-und-radius/ for setting up WPA supllicant to connect to my new WiFi, but it doesn't work as expected. I get a connection to the WiFi but the RADIUS authentication failes. I tweaked the parameters int the wpa_supplicant.conf file, but this just lead to various other errors (on the Squeezebox on the RADIUS).

What got my attention from the start: I wanted to connect without certificates - just username and password over TLS. While other clients connection attemps show up in the RADIUS log with a hint to a TLS tunnel (regardless if successfull or not), I do not find anything about TLS when the Squeezebox tries to authenticate.

I thought, I may have to use certificates, so I changed the configuration and created a client certificate and converted it according to the howto. I changed the RADIUS server configuration accordingly and tried to connect again. Now the error message even more points me to TLS:

2021-07-14T11:57:30 Auth: (28) Login incorrect (eap_tls: (TLS) Alert write:fatalrotocol version): [username/<via Auth-Type = eap>] (from client hotspot port 0 cli 00-04-??-??-??-??)

So my questions are:
Which TLS is inclueded in the 8.0.1 firmware or how can I find out? The usual commands I know don't work
And: is there any hope to get this to work without using workarounds like connecting the ethernet port to another device that does the connection instead?

[ralphy]

The radio 8.0.1 community firmware wpa_supplicant does not support TLS/SSL at this time.

[inkasso]

Thank you for your answer.

Which methods are supported then?
Maybe I'm willing to allow them on the RADIUS side...

[mrw]

Thank you for your answer.

Despite @ralphy's post, wpa_supplicant has been built (I think) with an "internal" TLS library, which apparently supports TLS v1. That may be why the author of "Raptors blog" claimed to be able to get somewhere back in 2011. Does your RADIUS server support TLS v1 ? It is, I believe, somewhat deprecated.

Squeezeplay does not attempt to support anything other than WPA-PSK, WPA2-PSK, WEP, etc, so what you're attempting is outside a supported use case. I've never used RADIUS, and I have no experience of what you're trying to achieve. I haven't (knowingly) exercised the built-in TLS v1.

You could try a custom build of the firmware, if that approach is open to you. The wpa_supplicant configuration file that @ralphy used is here:
https://github.com/ralph-irving/sque...iles/defconfig

I think the same configuration was used for the 'stock' firmware build.

[ralphy]

As @mrw suggested, TLS is actually listed as available for eap on the radio.

Code:

# wpa_cli
wpa_cli v2.9
Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> and contributors

This software may be distributed under the terms of the BSD license.
See README for more details.


Selected interface 'eth1'

Interactive mode

> get_capability eap
TLS WSC

[mrw]

wpa_supplicant has been built (I think) with an "internal" TLS library, which apparently supports TLS v1.

I shall add that the "internal" TLS library now appears to support TLS v1.1 and v1.2, but would require additional build options, these I think:

Code:

CONFIG_TLSV11=y
CONFIG_TLSV12=y

Refer changelog:
wpa_supplicant v1.0 https://w1.fi/cgit/hostap/tree/wpa_s...hangeLog#n1143
wpa_supplicant v2.0 https://w1.fi/cgit/hostap/tree/wpa_s...ChangeLog#n792

But I have no idea how any of this stuff works.

[inkasso]

Oh great! The topic is advancing... Thank you all for the input.

I have to take a look if the RADIUS supports TLS 1.0, but I'd rather not use that deprecated protocol as it is deemed unsafe, so it wouldn't help anyway.

The reason, why I would use this: You can dynamically assign VLAN Tags depending on the RADIUS account used to authenticate.
Advantage: You do not have to create a multi SSID environment where each SSID has a different VLAN assigned. So especially in dense WLAN environments, you can use only one SSID, but still separate your devices into groups with different access rights.

I'm currently not thinking about building my own firmware. I have alredy compiled software for my Debian box, but what I read here about making firmware for a Squeezebox makes me feel underqualified to even try this without risking to brick the device. So my deepest respect for everyone that does it.

When I read about "it has only to be compiled with other build options", I cannot discern if this is just a minor change, that I would like to see included in the next update or if this might raise some major issues, that would incur weeks of debugging... So I hope, ralphy will tell me about it

[mrw]

I have to take a look if the RADIUS supports TLS 1.0, but I'd rather not use that deprecated protocol as it is deemed unsafe, so it wouldn't help anyway.

But it would help to prove that it *can* work, as it apparently did in 2011. Given that it does work, it might then be worth building wpa_supplicant with the added TLS options, and seeing if you get it working with TLS 1.1/1.2.

[inkasso]

But it would help to prove that it *can* work, as it apparently did in 2011. Given that it does work, it might then be worth building wpa_supplicant with the added TLS options, and seeing if you get it working with TLS 1.1/1.2.

I wanted to do a quick try and looked, how to enable TLS 1.0 support on the freeRADIUS plugin of my firewall. Found out, that it is enabled per default to support older devices. After that, I found a bugReport that seems to be associated to my problem. I cannot validate this, as I don't know how it was before the recent firewall update. My tests to connect the Squeezebox started after that update.

My idea was to try to verify the problem on another machine that is capable of TLS 1.0 and 1.2, but so far, I have not found out, how I could do the actual test. radclient and radtest have no switches for TLS version and my experience with RADIUS is very basic.

[ralphy]

I've rebuilt the wpa binaries for the radio with TLSV11 and TLSV12 enabled in the config for you to try.

This is the contents of the .config file in the wpa v2.9 sources on my build system used to build the above.

Code:

CONFIG_DRIVER_WEXT=y
CONFIG_WIRELESS_EXTENSION=y
CONFIG_IEEE8021X_EAPOL=y
CONFIG_EAP=y
CONFIG_TLS=internal
CONFIG_EAP_TLS=internal
CONFIG_TLSV11=y
CONFIG_TLSV12=y
CONFIG_INTERNAL_LIBTOMMATH=y
CONFIG_CTRL_IFACE=y
CONFIG_WPS=y

The wpa_supplicant binary is only 536 bytes bigger than the original, which makes me question if the config changes made a difference.

Hopefully, you can try TLS v1.2 with your radius server to see if it works.