]> git.ipfire.org Git - thirdparty/openwrt.git/commitdiff
wifi-scripts: ucode: fix EAP phase2 authentication method
authorHauke Mehrtens <hauke@hauke-m.de>
Sun, 5 Jul 2026 17:27:35 +0000 (19:27 +0200)
committerHauke Mehrtens <hauke@hauke-m.de>
Mon, 6 Jul 2026 23:50:56 +0000 (01:50 +0200)
The supplicant config generator emitted the phase2 directive as
phase2="auth=${auth}" for every PEAP/TTLS/FAST configuration. That is
wrong whenever the configured inner method is an EAP method: for
auth='EAP-MSCHAPV2' it produced phase2="auth=EAP-MSCHAPV2", which
wpa_supplicant rejects with:

  TLS: Unsupported Phase2 EAP method 'EAP-MSCHAPV2'

breaking WPA-Enterprise clients that use an EAP inner method.

Mirror the shell config generator (hostapd.sh): strip the "EAP-" prefix
and pick the phase2 prefix from the method type, i.e. "autheap=" for a
tunneled EAP method with TTLS and "auth=" for a non-EAP method or a
full "auth=..." spec provided by the user.

Fixes: https://github.com/openwrt/openwrt/issues/24086
Fixes: c92ded2f6e7a ("wifi-scripts: fix EAP STA support in supplicant config generation")
Assisted-by: Claude:claude-opus-4-8
Link: https://github.com/openwrt/openwrt/pull/24088
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc

index 7f0effadd8c9c5e8e9d6a70aa582da6465aea97c..e99df269aec3b1aa6640f5361389c8781e07c57f 100644 (file)
@@ -164,7 +164,20 @@ function setup_sta(data, config) {
                case 'peap':
                case 'ttls':
                        set_default(config, 'auth', 'MSCHAPV2');
-                       config.phase2 = `"auth=${config.auth}"`;
+
+                       let auth = config.auth;
+                       let phase2proto = 'auth=';
+                       if (index(auth, 'auth') == 0) {
+                               /* user already provided a full "auth=..." spec */
+                               phase2proto = '';
+                       } else if (index(auth, 'EAP-') == 0) {
+                               /* inner EAP method, e.g. EAP-MSCHAPV2 -> MSCHAPV2 */
+                               auth = substr(auth, 4);
+                               if (config.eap_type == 'ttls')
+                                       phase2proto = 'autheap=';
+                       }
+                       config.phase2 = `"${phase2proto}${auth}"`;
+
                        if (config.auth == 'EAP-TLS') {
                                if (config.ca_cert2_usesystem && fs.stat('/etc/ssl/certs/ca-certificates.crt'))
                                        config.ca_cert2 = '/etc/ssl/certs/ca-certificates.crt';