Posts for January 2023 🌐:aligrant.com

Kindle Paperwhite not connecting with WPA2-Enterprise

Alastair Grant | Sunday 8 January 2023

The Kindle Paperwhite (e-ink devices) supports WiFi for downloading new books etc., so you don't tend to notice when it's not working until you need to download a new book. I'm using WPA2-Enterprise to secure my home WiFi, which allows for more granular authentication (e.g. per-user or per-device credentials) and support for VLANs etc. WPA2-Enterprise is not common in domestic environments, but it is fairly standard in an office or education environment. A long time ago I occasionally saw issues with Samsung mobile phones, but these days support seems fairly robust, and the Kindle (2018/10th generation) worked for a long time before it refused to connect to the WiFi.

Unfortunately, pinning down exactly what the problem was proved a little tricky, as I've made a lot of updates and changes to my network over the last few months. But the basic process is:

  1. Device connects to a WiFi access point
  2. Access point talks to RADIUS server to authenticate
  3. Device requests DHCP address
  4. Access point forwards DHCP requests to server
  5. DHCP server grants address

If any of these things fail, then you won't get a WiFi connection established. So I started at the beginning and checked my UniFi console, where I could see a few sessions of 0 length listed against the Kindle, which suggested to me it could talk to the Access Point, but something else was afoot. I took the additional Access Points that I had added out of the loop and went back to a device I knew it had worked against before, but still no joy.

Next was to check FreeRADIUS, my RADIUS daemon.  Looking at my logs, there was this suspicious entry rocking up every time the Kindle tried to connect:

eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
eap_peap: ERROR: (TLS) Server : Error in error

TL;DR

Not super helpful, but it gives an idea: a problem with TLS related to a protocol, which made me immediately think of TLS protocol versions. A bit of a dive through the documentation and config files highlighted the 'tls_min_version' setting in the /etc/raddb/mods-available/eap file. This was set to 1.2, which is best practice for security, but it seems that the Kindle doesn't support this, so we have to drop this back to version 1.0, which poses a bit of a security concern.

Breaking from the voyeuristic norms of the Internet, any comments can be made in private by contacting me.

Diagnosing Windows Update 0x8024401C error

Alastair Grant | Thursday 5 January 2023

Everybody, quite rightly, hates Windows Update. Especially the confusing error codes that are given to diagnose problems. You could search for those codes, but that will get you a million articles telling you to either run "sfc /scannow" or download some dodgy-looking app that will magically fix your system, and that never go into much useful detail.

Well let me start you off on your journey, by pointing you at the list of error codes directly from Microsoft:

This at the very least gives you a constant name that makes more sense than a hexadecimal code.  Hopefully too, a bit of a hint where you need to start looking.

The problem I'm covering today is 0x8024401C, or WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT. Instantly the latter gives me a really good place to start looking at the problem: I know it's not some issue with figuring something out locally, it's a problem with connectivity to somewhere.

The obvious thing to check is: do you have Internet access? Just check by pinging a popular search engine in a command line/PowerShell. If you can resolve and get a response for this, your basic Internet connectivity check is OK.

What I did next was jump straight into trying to see a bit more about what's going on: I dug out my trusty Wireshark and started sniffing data while trying to run an update. Instantly, my particular problem became apparent: 407 Proxy Authentication Required. This happens when using an authenticated HTTP proxy for connecting to the Internet. This is strange, as I have Internet access.

Well, it turns out this is a quirk of my setup, where I'm running a lab with a proxy server (Squid) in it. But I had this machine configured so that its DNS search suffixes include the domain that the proxy WPAD file is on. So when Windows does a search for a WPAD configuration host, it adds on the DNS suffixes it has configured and pulls down the configuration from that server.
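The DNS-based WPAD lookup described above can be checked directly. The Python below is an added example, not code from the original post: it lists the `wpad.<suffix>` names derived from a DNS search suffix list, reports which of them resolve, and statically extracts the proxies named in each host's `wpad.dat`. The `.example` hostnames, the address and the PAC text in the demo are constructed, and the function names are illustrative.

```python
import http.client
import re
import socket
import urllib.request

# Matches proxy directives inside PAC return strings, e.g. "PROXY squid.lab.example:3128".
PAC_PROXY = re.compile(r"\b(?:PROXY|HTTPS|SOCKS[45]?)\s+([\w.-]+:\d+)", re.IGNORECASE)

def wpad_candidates(search_suffixes):
    """Names tried for DNS-based WPAD: 'wpad' qualified with each search suffix, in order."""
    names = []
    for suffix in search_suffixes:
        suffix = suffix.strip().strip(".").lower()
        if suffix and f"wpad.{suffix}" not in names:
            names.append(f"wpad.{suffix}")
    return names

def resolve(name):
    """Addresses for name from the system resolver, or [] if it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, 80)})
    except socket.gaierror:
        return []

def fetch_pac(host):
    """Fetch http://<host>/wpad.dat directly, ignoring any configured proxy."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(f"http://{host}/wpad.dat", timeout=5) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, http.client.HTTPException):
        return None

def audit_wpad(search_suffixes, resolve=resolve, fetch_pac=fetch_pac):
    """Report every WPAD host that resolves and the proxies its PAC file hands out."""
    findings = []
    for host in wpad_candidates(search_suffixes):
        addresses = resolve(host)
        if addresses:
            pac = fetch_pac(host) or ""  # the PAC script is only scanned, never executed
            findings.append({"host": host, "addresses": addresses,
                             "proxies": sorted(set(PAC_PROXY.findall(pac)))})
    return findings

if __name__ == "__main__":
    fake_dns = {"wpad.lab.example": ["192.0.2.10"]}  # constructed sample data
    fake_pac = 'function FindProxyForURL(url, host) { return "PROXY squid.lab.example:3128; DIRECT"; }'
    print(audit_wpad(["corp.example", "lab.example"],
                     lambda n: fake_dns.get(n, []), lambda h: fake_pac))
```

On a real machine, pass the suffix list shown by `ipconfig /all` and omit the two stub arguments so the system resolver and a direct HTTP fetch are used; any non-empty result is a WPAD host the machine can pick up through its search suffixes.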

How you work around this depends on your particular setup.  The easiest way is to remove the DNS suffixes, but this is likely to cause longer term problems if you have this setup in the first place.  Another option would be to intercept/override the WPAD request to a config that points the system directly to the Internet.
