Hi,

I am having a lot of trouble connecting our product to a customers WiFi network. Their network is entirely Cisco hardware with Cisco ISE I think its called. The network uses PEAP-MSCHAPv2 and the authentication device is a Cisco 9800 WLC.

Our product uses a Raspberry Pi CM4 running our own Yocto Linux build. The OS has standard networking and wpa_supplicant installed along with utilities for doing DHCP. We currently only want to connect with a static IP.

I have the WiFi working perfectly on every network I tested it on except for the customers network. I don't understand why its not working. I build a PEAP-MSCHAPv2 network at home to validate this and tested it on our in office network using the same with both static and DHCP IP's.

The packet capture from our device shows that we successfully complete the PEAP handshake and the Cisco network sends a final "success" message. That matches the packet captures I took on the other networks exactly.

The problem is that exactly 6 seconds later the Cisco network sends a message to our device asking it to reidentifying/reauthenticate which leads to it going through the PEAP handshake again and once again receiving a "success" message. This goes on in a loop forever.

On our device the WiFi connection indicator turns on, then off, then on forever.

A laptop or a phone can connect to the network using the same credentials/settings.

I have spent over a month on this and its driving me nuts.

The customer created a TAC case and the Cisco tech said nothing looked to be wrong. I was able to get in touch with some of the customers IT personal and so far a "radio active" capture revealed that the Cisco network is in fact deleting our device as a client and causing this to happen. It is a MIC validation error see below for full error text.

Hopefully next week I will have a more in depth error message since I believe there is a more detailed error message on the Cisco ISE portal/site something like that but the person who can access that is out of the office.

The only thing I noticed that was really different about the network was that with an "iw dev wlan0 scan" command I found that the two PEAP-MSCHAPV2 networks that worked had

authentication suite = IEEE8021X

Whereas the Cisco network shows up as:

authentication suite = IEEE8021X IEEE8021X/SHA-256

Here is an example wpa_supplicant.conf file that we have been using:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface=DIR=/var/run/wpa_supplicant
ctrl_interface_group=0
p2p_disabled=1
update_config=1

network={
ssid="exampleNetwork"
priority=1
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
eap=PEAP
identity="exampleUsername"
password="examplePassword"
phase2="auth=MSCHAPV2"
}

The specific error is a MIC validation error. The credentials are correct though so what is happening here???

L2 Authentication Key Exchange Start. Resolved VLAN: 2709, Audit Session id: 1234567890
Keymgmt: Failed to validate eapol mic. MIC mismatch.
Keymgmt: Failed to validate eapol key m2. MIC validation failed
Keymgmt: Failed to validate eapol mic. MIC mismatch.
Keymgmt: Failed to validate eapol key m2. MIC validation failed
Keymgmt: Failed to validate eapol mic. MIC mismatch.
Keymgmt: Failed to validate eapol key m2. MIC validation failed
Keymgmt: Failed to eapol key m1 retransmit failure. Max retries for M1 over
Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_KEY_MGMT_MIC_VALIDATION, details: , fsm-state