Home of the Squeezebox™ & Transporter® network music players.

  1. #1
    Junior Member
    Join Date
    Jul 2021
    Posts
    7

    Connect Baby to WPA2-EAP

    Hi folks!

    I recently updated my network and would like to switch completely to WPA2-EAP authentication. The setup already works with other WiFi devices, but I'm struggling to get my Squeezebox connected.

    Player model: Squeezebox Radio
    Device type: baby
    Firmware: 8.0.1-r16855

    LMS and device were recently updated to 8.0.1 and I already found a howto at blog.raptor2101.de/2011/12/27/squeezebox-und-radius/ for setting up wpa_supplicant to connect to my new WiFi, but it doesn't work as expected. I get a connection to the WiFi but the RADIUS authentication fails. I tweaked the parameters in the wpa_supplicant.conf file, but this just led to various other errors (on the Squeezebox or on the RADIUS).

    What got my attention from the start: I wanted to connect without certificates, just username and password over TLS. While other clients' connection attempts show up in the RADIUS log with a hint to a TLS tunnel (regardless of whether successful or not), I do not find anything about TLS when the Squeezebox tries to authenticate.

    I thought I might have to use certificates, so I changed the configuration and created a client certificate and converted it according to the howto. I changed the RADIUS server configuration accordingly and tried to connect again. Now the error message points me even more to TLS:

    2021-07-14T11:57:30 Auth: (28) Login incorrect (eap_tls: (TLS) Alert write:fatal:protocol version): [username/<via Auth-Type = eap>] (from client hotspot port 0 cli 00-04-??-??-??-??)

    So my questions are:
    Which TLS is included in the 8.0.1 firmware, or how can I find out? The usual commands I know don't work.
    And: is there any hope of getting this to work without using workarounds like connecting the ethernet port to another device that does the connection instead?

  2. #2
    Senior Member ralphy's Avatar
    Join Date
    Jan 2006
    Location
    Canada
    Posts
    2,935
    The radio 8.0.1 community firmware wpa_supplicant does not support TLS/SSL at this time.
    Ralphy

    1-Touch, 5-Classics, 3-Booms, 2-UE Radio
    Squeezebox client builds donations always appreciated.

  3. #3
    Junior Member
    Join Date
    Jul 2021
    Posts
    7
    Thank you for your answer.

    Which methods are supported then?
    Maybe I'm willing to allow them on the RADIUS side...

  4. #4
    Senior Member
    Join Date
    May 2010
    Location
    London, UK
    Posts
    923
    Quote Originally Posted by inkasso View Post
    Thank you for your answer.
    Despite @ralphy's post, wpa_supplicant has been built (I think) with an "internal" TLS library, which apparently supports TLS v1. That may be why the author of "Raptor's blog" claimed to be able to get somewhere back in 2011. Does your RADIUS server support TLS v1? It is, I believe, somewhat deprecated.

    Squeezeplay does not attempt to support anything other than WPA-PSK, WPA2-PSK, WEP, etc, so what you're attempting is outside a supported use case. I've never used RADIUS, and I have no experience of what you're trying to achieve. I haven't (knowingly) exercised the built-in TLS v1.

    You could try a custom build of the firmware, if that approach is open to you. The wpa_supplicant configuration file that @ralphy used is here:
    https://github.com/ralph-irving/sque...iles/defconfig

    I think the same configuration was used for the 'stock' firmware build.

  5. #5
    Senior Member ralphy's Avatar
    Join Date
    Jan 2006
    Location
    Canada
    Posts
    2,935
    As @mrw suggested, TLS is actually listed as available for eap on the radio.

    Code:
    # wpa_cli
    wpa_cli v2.9
    Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> and contributors
    
    This software may be distributed under the terms of the BSD license.
    See README for more details.
    
    
    Selected interface 'eth1'
    
    Interactive mode
    
    > get_capability eap
    TLS WSC
    Ralphy

    1-Touch, 5-Classics, 3-Booms, 2-UE Radio
    Squeezebox client builds donations always appreciated.

  6. #6
    Senior Member
    Join Date
    May 2010
    Location
    London, UK
    Posts
    923
    Quote Originally Posted by mrw View Post
    wpa_supplicant has been built (I think) with an "internal" TLS library, which apparently supports TLS v1.
    I shall add that the "internal" TLS library now appears to support TLS v1.1 and v1.2, but would require additional build options, these I think:
    Code:
    CONFIG_TLSV11=y
    CONFIG_TLSV12=y
    Refer changelog:
    wpa_supplicant v1.0 https://w1.fi/cgit/hostap/tree/wpa_s...hangeLog#n1143
    wpa_supplicant v2.0 https://w1.fi/cgit/hostap/tree/wpa_s...ChangeLog#n792

    But I have no idea how any of this stuff works.

  7. #7
    Junior Member
    Join Date
    Jul 2021
    Posts
    7
    Oh great! The topic is advancing... Thank you all for the input.

    I have to take a look at whether the RADIUS supports TLS 1.0, but I'd rather not use that deprecated protocol as it is deemed unsafe, so it wouldn't help anyway.

    The reason, why I would use this: You can dynamically assign VLAN Tags depending on the RADIUS account used to authenticate.
    Advantage: You do not have to create a multi SSID environment where each SSID has a different VLAN assigned. So especially in dense WLAN environments, you can use only one SSID, but still separate your devices into groups with different access rights.

    I'm currently not thinking about building my own firmware. I have already compiled software for my Debian box, but what I read here about making firmware for a Squeezebox makes me feel underqualified to even try this without risking bricking the device. So my deepest respect for everyone that does it.

    When I read about "it only has to be compiled with other build options", I cannot discern if this is just a minor change that I would like to see included in the next update, or if this might raise some major issues that would incur weeks of debugging... So I hope ralphy will tell me about it.
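    The VLAN assignment described above is carried in the RADIUS Access-Accept as the RFC 2868 tunnel attributes Tunnel-Type (64, value VLAN = 13), Tunnel-Medium-Type (65, value IEEE-802 = 6) and Tunnel-Private-Group-ID (81, the VLAN id as a string); the AP moves the station onto that VLAN once 802.1X succeeds. The following is an added example, not code from this thread, from the RADIUS server or from the squeezeos project: it builds such an Access-Accept with a correct RFC 2865 Response Authenticator, and on the other side verifies the authenticator before trusting the VLAN id, which is the step an AP must not skip. The shared secret, packet identifier, Request Authenticator and VLAN number are constructed values.

```python
"""Build and verify a RADIUS Access-Accept that assigns a VLAN (RFC 2865 / RFC 2868).

Added example; the attribute numbers and authenticator formula are from the RFCs,
all concrete values (secret, identifier, VLAN id) are constructed for illustration.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def tlv(attr_type, value):
    """One RADIUS attribute: Type (1) | Length (1, includes header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id, tag=1):
    """Tunnel attributes that tell the AP to put this session on vlan_id.

    Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag plus a 3-byte integer;
    Tunnel-Private-Group-ID carries the tag plus the VLAN id as a decimal string.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    t = bytes([tag])
    return (tlv(ATTR_TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(ATTR_TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tlv(ATTR_TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def parse_attributes(data):
    """Walk the attribute list; reject truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def accept_is_authentic(packet, request_authenticator, secret):
    """True only if the Response Authenticator matches for this request and secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def vlan_from_access_accept(packet, request_authenticator, secret):
    """Verify the packet, then return the assigned VLAN id, or None if no VLAN is assigned."""
    if not accept_is_authentic(packet, request_authenticator, secret):
        raise ValueError("bad Response Authenticator: reply not from the expected RADIUS server")
    per_tag = {}
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type not in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID):
            continue
        if not value:
            raise ValueError("empty tunnel attribute")
        # RFC 2868: a leading byte above 0x1F in the string attribute is data, not a tag.
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
            tag, body = 0, value
        else:
            tag, body = value[0], value[1:]
        entry = per_tag.setdefault(tag, {})
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            entry["group"] = body.decode("ascii")
        else:
            entry[attr_type] = int.from_bytes(body, "big")
    for entry in per_tag.values():
        if (entry.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and "group" in entry):
            vlan = int(entry["group"])
            if 1 <= vlan <= 4094:
                return vlan
    return None


if __name__ == "__main__":
    # Constructed values: in practice the NAS generates the Request Authenticator.
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))
    pkt = build_access_accept(7, req_auth, secret, vlan_attributes(30))
    print("assigned VLAN:", vlan_from_access_accept(pkt, req_auth, secret))
```

    The authenticator check is what prevents a spoofed Access-Accept from moving a client onto a privileged VLAN; a tampered packet (or one built with a different shared secret) is rejected before its attributes are read.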

  8. #8
    Senior Member
    Join Date
    May 2010
    Location
    London, UK
    Posts
    923
    Quote Originally Posted by mrw View Post
    Despite @ralphy's post, wpa_supplicant has been built (I think) with an "internal" TLS library, which apparently supports TLS v1. That may be why the author of "Raptors blog" claimed to be able to get somewhere back in 2011.
    Well, I tried this out on an RPi based access point running hostapd, which I set up to use its internal, (minimal ?), radius server.
    At first it wouldn't work, but that's because the RPi system defaulted to minimum TLS v1.2. When hostapd was persuaded to use TLS v1.0 (tls_flags=[ENABLE-TLSv1.0]) then, well, it worked.

    Code:
    > wpa_cli status
    <snip>
    pairwise_cipher=CCMP
    group_cipher=CCMP
    key_mgmt=WPA2/IEEE 802.1X/EAP
    <snip>
    EAP state=SUCCESS
    selectedMethod=13 (EAP-TLS)
    eap_tls_version=TLSv1
    EAP TLS cipher=DHE-RSA-AES-256-SHA
    tls_session_reused=0
    <snip>
    I then tried it using @ralphy's modified wpa_supplicant build, configured for TLS 1.1 & 1.2. That, too, worked:
    Code:
    > wpa_cli status
    <snip>
    pairwise_cipher=CCMP
    group_cipher=CCMP
    key_mgmt=WPA2/IEEE 802.1X/EAP
    <snip>
    EAP state=SUCCESS
    selectedMethod=13 (EAP-TLS)
    eap_tls_version=TLSv1.2
    EAP TLS cipher=DHE-RSA-AES-256-SHA256
    tls_session_reused=0
    <snip>
    I had a number of false starts with this, with things behaving in a somewhat peculiar manner. At one point I was finding myself seemingly needing to put phase1="tls_disable_tlsv1_0=1" into wpa_supplicant.conf's network configuration before it would work. But then, mysteriously, I didn't. So that's probably a red herring, and I remain a bit puzzled. But that's common with the Radio's wireless.

    This change to hostapd/wpa_supplicant may be relevant:
    https://w1.fi/cgit/hostap/commit/src...6729476556853e

    My wireless configuration:
    Code:
    network={
    	ssid="MY SSID"
    	scan_ssid=1
    	# WPA-EAP selects 802.1X key management (shown as WPA2/IEEE 802.1X/EAP in wpa_cli status)
    	key_mgmt=WPA-EAP
    	pairwise=CCMP
    	group=CCMP
    	# EAP-TLS: the only EAP method listed by 'get_capability eap' on the Radio
    	eap=TLS
    	identity="Anything"
    	ca_cert="/root/ca.pem"
    	client_cert="/root/clientcert.der"
    	private_key="/root/clientkey.der"
    }
    The identity setting is necessary, even though the actual identity seems to be irrelevant. The private key is not encrypted, so no password needed.

    So, in principle it seems to work, but I will say that, on restart, the Radio does not always seem to get any DHCP configuration, even though it does connect to the AP. Sometimes it does, sometimes it doesn't. That may be a difficulty with my test AP arrangements. But it all seems a bit delicate. I don't think I'll be pursuing it further.
    Last edited by mrw; 2021-07-27 at 12:54.
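    The two `wpa_cli status` captures above are the evidence that matters: the stock build negotiates TLSv1 with a SHA-1 CBC cipher, the rebuilt supplicant negotiates TLSv1.2. The script below is an added example (not code from this thread, from wpa_supplicant or from the squeezeos project) that parses that `key=value` output and checks it against a minimum policy, so a rebuilt firmware can be verified on the host with `wpa_cli status > status.txt` copied off the Radio rather than by eyeballing. The two embedded samples are constructed from the fields quoted in the post; the policy thresholds (TLS 1.2 or newer, DHE/ECDHE key exchange, no SHA-1 or legacy ciphers) are the example's own choice.

```python
"""Check a wpa_supplicant EAP-TLS association against a minimum TLS policy.

Added example. Input is the 'key=value' text that `wpa_cli status` prints;
the two samples below are constructed from the fields quoted in the thread.
"""
import re
import sys

# Constructed sample 1: stock 8.0.1 build (internal TLS, TLS 1.0 only).
STATUS_STOCK = """\
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
<snip>
EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1
EAP TLS cipher=DHE-RSA-AES-256-SHA
tls_session_reused=0
"""

# Constructed sample 2: rebuilt with CONFIG_TLSV11=y / CONFIG_TLSV12=y.
STATUS_REBUILT = """\
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
<snip>
EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1.2
EAP TLS cipher=DHE-RSA-AES-256-SHA256
tls_session_reused=0
"""

TLS_VERSIONS = {"TLSv1": (1, 0), "TLSv1.1": (1, 1), "TLSv1.2": (1, 2), "TLSv1.3": (1, 3)}
LEGACY_CIPHER_MARKERS = ("RC4", "3DES", "DES-", "-MD5", "NULL", "EXP")


def parse_status(text):
    """Turn wpa_cli 'key=value' lines into a dict. Keys may contain spaces
    ('EAP state', 'EAP TLS cipher'); '<snip>' and blank lines are ignored."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_policy(fields, min_version=(1, 2)):
    """Return (ok, findings). findings is a list of human-readable policy violations."""
    findings = []
    if fields.get("key_mgmt") != "WPA2/IEEE 802.1X/EAP":
        findings.append(f"key_mgmt is {fields.get('key_mgmt')!r}, not WPA2/802.1X (EAP)")
    if fields.get("EAP state") != "SUCCESS":
        findings.append(f"EAP state is {fields.get('EAP state')!r}, not SUCCESS")
    version = fields.get("eap_tls_version")
    parsed = TLS_VERSIONS.get(version)
    if parsed is None:
        findings.append(f"unrecognised eap_tls_version {version!r}")
    elif parsed < min_version:
        findings.append(f"{version} negotiated; minimum is TLSv{min_version[0]}.{min_version[1]}")
    cipher = fields.get("EAP TLS cipher", "")
    if not cipher.startswith(("ECDHE-", "DHE-")):
        findings.append(f"cipher {cipher!r} has no forward secrecy")
    # OpenSSL-style names ending in '-SHA' are SHA-1 HMAC CBC suites.
    if re.search(r"-SHA$", cipher) or any(m in cipher for m in LEGACY_CIPHER_MARKERS):
        findings.append(f"cipher {cipher!r} uses a legacy algorithm")
    return (not findings, findings)


if __name__ == "__main__":
    # Usage: wpa_cli status > status.txt (on the Radio), then: python3 check.py < status.txt
    ok, findings = check_policy(parse_status(sys.stdin.read()))
    print("OK" if ok else "FAIL")
    for f in findings:
        print(" -", f)
    sys.exit(0 if ok else 1)
```

    Against the two captures the stock build fails on both the protocol version and the SHA-1 cipher, and the rebuilt supplicant passes; the same check is what the RADIUS server's "protocol version" alert in the first post was enforcing from the other side.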

  9. #9
    Junior Member
    Join Date
    Jul 2021
    Posts
    7
    Sorry, I still didn't find the time for another test. So much is happening at the moment here...

    Just a quick question to mrw: Does your SSID really contain a space in its name, or did you just put it in to make it easier to read?

    I do have an SSID with space and guessed that my problems were coming exactly from there. My next test would have been to change the SSID to one without a space. The problems you describe seem common to me. It does associate with the AP but does not obtain an IP via DHCP. Would not be such a big issue for me, as I'd also be willing to assign one manually.

    And before everyone starts to give me the hint that I should enclose my SSID in double quotes in the wpa_supplicant.conf and the interfaces file as well... I did, and sadly it did not work :-/

  10. #10
    Senior Member
    Join Date
    May 2010
    Location
    London, UK
    Posts
    923
    Quote Originally Posted by mrw View Post
    So, in principal it seems to work, but I will say that, on restart, the Radio does not always seem to get any DHCP configuration, even though it does connect to the AP. Sometimes it does, sometimes it doesn't. That may be a difficulty with my test AP arrangements. But it all seems a bit delicate. I don't think I'll be pursuing it further.
    Problem located, an issue with "new" behaviours in wpa_supplicant v2.9.

    I've opened a PR: https://github.com/ralph-irving/squeezeos/pull/10
