Kindle Paperwhite not connecting with WPA2-Enterprise

Alastair Grant | Sun 8 Jan 2023

The Kindle Paperwhite (e-ink devices) supports WiFi for downloading new books etc., so you don't tend to notice when it's not working until you need to download a new book.  I'm using WPA2-Enterprise to secure my home WiFi, which allows for more granular authentication (e.g. per-user or per-device credentials) and support for VLANs etc.  WPA2-Enterprise is not common in domestic environments, but it is fairly standard in an office or education environment.  A long time ago I occasionally saw issues with Samsung mobile phones, but these days support seems fairly robust.  The Kindle (2018/10th generation) worked for a long time before it refused to connect to the WiFi.

Unfortunately, pinning down exactly what the problem was proved a little tricky, as I've made a lot of updates and changes to my network over the last few months.  But the basic process is:

  1. Device connects to a WiFi access point
  2. Access point talks to RADIUS server to authenticate
  3. Device requests DHCP address
  4. Access point forwards DHCP requests to server
  5. DHCP server grants address

If any of these steps fails, then you won't get a WiFi connection established.  So I started at the beginning and checked my UniFi console, where I could see a few sessions of 0 length listed against the Kindle, which suggested to me it could talk to the Access Point, but something else was afoot.  I took the additional Access Points that I had added out of the loop and went back to a device I know it had worked against before, but still no joy.

Next was to check FreeRADIUS, my RADIUS daemon.  Looking at my logs, there was this suspicious entry rocking up every time the Kindle tried to connect:

eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
eap_peap: ERROR: (TLS) Server : Error in error

TL;DR

Not super helpful, but it gave me an idea: a problem with TLS related to a protocol, which made me immediately think of TLS protocol versions.  A bit of a dive through the documentation and config files highlighted the 'tls_min_version' setting in the /etc/raddb/mods-available/eap file.  This was set to 1.2, which is best practice for security, but it seems that the Kindle doesn't support this, so we have to drop this back to version 1.0, which poses a bit of a security concern.
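The following is an added example, not code from the original post or from FreeRADIUS: a small Python check that reads the TLS floor from an eap config and relates it to the protocol-version alert quoted above. The sample config and log are constructed, the key name `tls_min_version` is the spelling used in the FreeRADIUS 3.0.x eap module, and the function names and the 1.2 policy floor are assumptions.

```python
import re

# Constructed samples, not the author's files. Key names as in FreeRADIUS 3.0.x
# mods-available/eap; the log lines are the two quoted in the post.
STRICT_EAP = '''
eap {
    tls-config tls-common {
        tls_min_version = "1.2"
        tls_max_version = "1.2"
    }
}
'''
RELAXED_EAP = STRICT_EAP.replace('tls_min_version = "1.2"',
                                 '#  tls_min_version = "1.2"\n        tls_min_version = "1.0"')
SAMPLE_LOG = '''\
eap_peap: ERROR: (TLS) Alert write:fatal:protocol version
eap_peap: ERROR: (TLS) Server : Error in error
'''

SETTING = re.compile(r'^\s*tls_min_version\s*=\s*"?(\d)\.(\d)"?\s*(?:#.*)?$')
ALERT = "(TLS) Alert write:fatal:protocol version"

def tls_floor(config_text):
    """Return the last uncommented tls_min_version as (major, minor), or None."""
    floor = None
    for line in config_text.splitlines():
        m = SETTING.match(line)
        if m:
            floor = (int(m.group(1)), int(m.group(2)))
    return floor

def version_alerts(log_text):
    """Count handshakes the server refused with a protocol-version alert."""
    return sum(1 for line in log_text.splitlines() if ALERT in line)

def assess(config_text, log_text, policy=(1, 2)):
    """Relate the configured TLS floor to protocol-version alerts in the log."""
    floor, alerts = tls_floor(config_text), version_alerts(log_text)
    findings = []
    if floor is None:
        findings.append("tls_min_version is not set explicitly")
    elif floor < policy:
        findings.append("floor %d.%d is below policy %d.%d" % (floor + policy))
    if alerts and floor is not None:
        findings.append("%d handshake(s) refused: no common version at or above TLS %d.%d"
                        % ((alerts,) + floor))
    return findings

if __name__ == "__main__":
    for cfg in (STRICT_EAP, RELAXED_EAP):
        print(tls_floor(cfg), assess(cfg, SAMPLE_LOG))
```

Run against the real eap file and radius log, the first finding shows when the floor has been lowered for a legacy client, and the second shows how often a client is being turned away at the current floor.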
