Home of the Squeezebox™ & Transporter® network music players.
  1. #11
    Junior Member
    Join Date
    Jul 2021
    Posts
    5
    Thank you for all your help ralphy!
    I really appreciate that you are doing this just because of my request.

    My test results:

    I have downloaded and scp'd the files to my Squeezebox after connecting it via LAN.
    Afterwards I stopped the WiFi service, made a backup of the original files and replaced them with the ones from the download.
    Then I started the WiFi service again, which worked without any error.
    I disconnected LAN and tried to connect to my old WiFi which is WPA2-PSK, which worked without any problems.

    Until this point I can say: At least, it hasn't become worse

    Now I reconnected LAN, transferred again all files and the configuration for my WPA2-EAP connection and tried to do the WPA2-EAP connection.
    It didn't work, but the error message gave clues now, why.

    After various different configurations of wpa_supplicant I finally found a config that successfully authenticated against my RADIUS server.

    I replaced /etc/wpa_supplicant.conf with my successful test config and replaced /etc/network/interfaces as described in the tutorial. After rebooting, the device did not connect automatically to WiFi and did not find any WiFis to connect to. Even LAN connections did not work any more and I had to factory reset. I guess there was a problem with my /etc/network/interfaces file, but I do not have the time to debug this now.

    I'll give it another try later, so stay tuned. After everything works, I'll provide a little howTo for other interested people here.

  2. #12
    Senior Member
    Join Date
    May 2010
    Location
    London, UK
    Posts
    821
    Quote: Originally posted by mrw
    Despite @ralphy's post, wpa_supplicant has been built (I think) with an "internal" TLS library, which apparently supports TLS v1. That may be why the author of "Raptors blog" claimed to be able to get somewhere back in 2011.
    Well, I tried this out on an RPi based access point running hostapd, which I set up to use its internal, (minimal ?), radius server.
    At first it wouldn't work, but that's because the RPi system defaulted to minimum TLS v1.2. When hostapd was persuaded to use TLS v1.0 (tls_flags=[ENABLE-TLSv1.0]) then, well, it worked.

    Code:
    > wpa_cli status
    <snip>
    pairwise_cipher=CCMP
    group_cipher=CCMP
    key_mgmt=WPA2/IEEE 802.1X/EAP
    <snip>
    EAP state=SUCCESS
    selectedMethod=13 (EAP-TLS)
    eap_tls_version=TLSv1
    EAP TLS cipher=DHE-RSA-AES-256-SHA
    tls_session_reused=0
    <snip>
    I then tried it using @ralphy's modified wpa_supplicant build, configured for TLS 1.1 & 1.2. That, too, worked:
    Code:
    > wpa_cli status
    <snip>
    pairwise_cipher=CCMP
    group_cipher=CCMP
    key_mgmt=WPA2/IEEE 802.1X/EAP
    <snip>
    EAP state=SUCCESS
    selectedMethod=13 (EAP-TLS)
    eap_tls_version=TLSv1.2
    EAP TLS cipher=DHE-RSA-AES-256-SHA256
    tls_session_reused=0
    <snip>
    I had a number of false starts with this, with things behaving in a somewhat peculiar manner. At one point I was finding myself seemingly needing to put phase1="tls_disable_tlsv1_0=1" into wpa_supplicant.conf's network configuration before it would work. But then, mysteriously, I didn't. So that's probably a red herring, and I remain a bit puzzled. But that's common with the Radio's wireless.

    This change to hostapd/wpa_supplicant may be relevant:
    https://w1.fi/cgit/hostap/commit/src...6729476556853e

    My wireless configuration:
    Code:
    network={
    	ssid="MY SSID"
    	scan_ssid=1
    	key_mgmt=WPA-EAP
    	pairwise=CCMP
    	group=CCMP
    	eap=TLS
    	identity="Anything"
    	ca_cert="/root/ca.pem"
    	client_cert="/root/clientcert.der"
    	private_key="/root/clientkey.der"
    }
    The identity setting is necessary, even though the actual identity seems to be irrelevant. The private key is not encrypted, so no password needed.

    So, in principle it seems to work, but I will say that, on restart, the Radio does not always seem to get any DHCP configuration, even though it does connect to the AP. Sometimes it does, sometimes it doesn't. That may be a difficulty with my test AP arrangements. But it all seems a bit delicate. I don't think I'll be pursuing it further.
    Last edited by mrw; 2021-07-27 at 12:54.
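
The two `wpa_cli status` outputs in the post above differ only in the negotiated TLS version and cipher, so a small check can confirm that a client really authenticated with EAP-TLS at TLS 1.2 and did not fall back to TLS 1.0. This is an added example, not code from the thread or from the wpa_supplicant project; the function names are hypothetical and the sample text is constructed from the quoted outputs.

```shell
# Added example: audit the EAP-TLS result reported by `wpa_cli status`.
# Print the value of key $1 from status text on stdin. Keys can contain
# spaces ("EAP state"), so match the whole "key=" prefix of each line.
status_field() {
    while read -r line; do
        case "$line" in
            "$1="*) val=${line#"$1="}; printf '%s\n' "$val"; return 0 ;;
        esac
    done
    return 0
}

# Map an eap_tls_version string to a comparable number (unknown ranks lowest).
tls_rank() {
    case "$1" in
        TLSv1|TLSv1.0) echo 10 ;; TLSv1.1) echo 11 ;;
        TLSv1.2) echo 12 ;; TLSv1.3) echo 13 ;; *) echo 0 ;;
    esac
}

# audit_eap_tls STATUS_TEXT [MIN_VERSION]: returns 0 if EAP-TLS succeeded at
# MIN_VERSION or newer, 1 if EAP-TLS did not succeed, 2 if the version is older.
audit_eap_tls() {
    status=$1; min=${2:-TLSv1.2}
    state=$(printf '%s\n' "$status" | status_field "EAP state")
    method=$(printf '%s\n' "$status" | status_field "selectedMethod")
    version=$(printf '%s\n' "$status" | status_field "eap_tls_version")
    cipher=$(printf '%s\n' "$status" | status_field "EAP TLS cipher")
    case "$state:$method" in
        SUCCESS:*EAP-TLS*) ;;
        *) echo "FAIL: state=${state:-missing} method=${method:-missing}"; return 1 ;;
    esac
    if [ "$(tls_rank "$version")" -lt "$(tls_rank "$min")" ]; then
        echo "WEAK: $version with $cipher is below $min"; return 2
    fi
    echo "OK: $version with $cipher"
}

# Constructed samples, trimmed from the two status outputs quoted above.
SAMPLE_TLS10='EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1
EAP TLS cipher=DHE-RSA-AES-256-SHA'
SAMPLE_TLS12='EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1.2
EAP TLS cipher=DHE-RSA-AES-256-SHA256'
audit_eap_tls "$SAMPLE_TLS10" || true   # internal-TLS build: reported as WEAK
audit_eap_tls "$SAMPLE_TLS12"           # modified build: reported as OK
```

On a device, pass the live output instead of a sample: `audit_eap_tls "$(wpa_cli status)"`.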
