Kindle Oasis does not connect to home WPA2-Enterprise Network

My Kindle Oasis (3rd generation) decided to stop connecting to my home WiFi network today. It displayed a cryptic message about not being able to connect so I investigated. Logging in to my Ubiquiti console I did not notice any attempted logins. Checking pfSense / FreeRADIUS also turned up zero log events. The Kindle itself did not provide any log messages...

The best I had to go on was a hunch: A few months back I had issues with my Android devices after a security patch blocked connections to WPA2 Enterprise networks without specifying a CA Certificate. Could that be the problem here?

Update (2023-04-08): After configuring the CA Certificate the Kindle connected, self-updated then failed to connect again. Additional detail added below


Part 1: CA Certificates

In a word: Yes! I had to install and specify a valid CA certificate that pertains to my WPA2 enterprise network in order to get the Kindle to connect.

Here's a breakdown of what steps had to be performed to get this to work:

  1. Plug in the kindle to your computer
  2. Open up the 'root' level of your device
  3. Create a folder titled certificates
  4. Copy the CA Certificate which issues the certificate used by your WPA2-Enterprise network to the certificates folder on the kindle
    1. Ensure that the certificate is in PEM format
    2. Ensure that the certificate extension is .crt
  5. When configuring the WiFi network on the Kindle:
    1. Go to Advanced
    2. Ensure that both WPA2 and Enterprise are selected
    3. Based on your network, choose either MSCHAPv2 (most common!) or PEAP (more rare)
    4. In the CA Certificate field type the file name for your certificate
      1. For example, if you copied a file named mywifiCA.crt to the certificates folder on your Kindle... You would enter mywifiCA.crt in the field!
  6. At this point you can enter your username and password and then connect

If all goes well you should be connected! (If not - see below for additional troubleshooting)

Here's a pic of the wifi configuration noting where to configure the CA Certificate:

Part 2: Pull System Logs From Kindle and Adjust WiFi Access Point (AP) Configuration

If your Kindle device successfully connects to the wireless network after following the steps above you might find that it stops working once it self-updates. After my Kindle Oasis (10th Generation) self-updated, it failed to re-connect to my wireless network.

How to pull logs from Kindle Oasis / Paperwhite / non-fire devices:

  1. Go to the device Home screen where you are given the option to Search Kindle
  2. Type ;dm in the search box and press Enter
  3. Kindle will generate the system logs and place them in the Documents folder on your device. They can be retrieved by connecting your device to your computer via USB cable. The file names will be similar to these:
    • all_netlog_logs_as_of_Sat_Apr_8_11.53.33_GMT-7.21100_2023.txt
    • all_system_logs_as_of_Sat_Apr_8_11.53.33_GMT-7.21100_2023.txt
    • all_wpa_supplicant_logs_as_of_Sat_Apr_8_11.53.33_GMT-7.21100_2023.txt
    • wininfo_logs_as_of_Sat_Apr_8_11.53.33_GMT-7.21100_2023.txt
    • Here's what you'll see in the Kindle UI :

Analyzing my Kindle's Logs

At this point you can open the log files in your editor of choice for debugging. When I examined the logs I found a few interesting messages in the all_wpa_supplicant_logs_as_of... file:

# Interesting, perhaps not directly 'relevant'
230405:001712 wpa_supplicant[6019]: nl80211: Added 802.11b mode based on 802.11g information
230405:001712 wpa_supplicant[6019]: RSN: expired PMKSA cache entry for 22:xx:xx:xx:5d:5d
230405:001712 wpa_supplicant[6019]: nl80211: Delete PMKID for 22:xx:xx:xx:5d:5d
230405:001712 wpa_supplicant[6019]: wlan0: RSN: PMKSA cache entry free_cb: 22:xx:xx:xx:5d:5d reason=2
230405:001712 wpa_supplicant[6019]: wlan0: RSN: deauthenticating due to expired PMK
230405:001712 wpa_supplicant[6019]: wlan0: Request to deauthenticate - bssid=00:xx:xx:xx:00:00 pending_bssid=00:xx:xx:xx:00:00 reason=1 state=DISCONNECTED
230405:001712 wpa_supplicant[6019]: wlan0: State: DISCONNECTED -> DISCONNECTED

# It looks like the device decided to disconnect
230408:115222 wpa_supplicant[14088]: TX EAPOL: dst=8a:xx:xx:xx:90:9d
230408:115222 wpa_supplicant[14088]: EAPOL: SUPP_BE entering state RECEIVE
230408:115228 wpa_supplicant[14088]: wlan0: Control interface command 'SET_NETWORK [REMOVED]'
230408:115228 wpa_supplicant[14088]: CTRL_IFACE: SET_NETWORK id=2 name='priority'
230408:115234 wpa_supplicant[14088]: wlan0: Control interface command 'REMOVE_NETWORK 2'
230408:115234 wpa_supplicant[14088]: CTRL_IFACE: REMOVE_NETWORK id=2
230408:115234 wpa_supplicant[14088]: wlan0: Request to deauthenticate - bssid=8a:xx:xx:xx:90:9d pending_bssid=00:xx:xx:xx:00:00 reason=3 state=ASSOCIATED
230408:115234 wpa_supplicant[14088]: wpa_driver_nl80211_disconnect(reason_code=3)
230408:115234 wpa_supplicant[14088]: wlan0: Event DEAUTH (12) received
230408:115234 wpa_supplicant[14088]: wlan0: Deauthentication notification
230408:115234 wpa_supplicant[14088]: wlan0:  * reason 3 (locally generated)
230408:115234 wpa_supplicant[14088]: Deauthentication frame IE(s) - hexdump(len=0): [NULL]
230408:115234 wpa_supplicant[14088]: CTRL_IFACE monitor sent successfully to 
230408:115234 wpa_supplicant[14088]: wlan0: CTRL-EVENT-DISCONNECTED bssid=8a:xx:xx:xx:90:9d reason=3 locally_generated=1

From the above it appears that my device disconnected itself (Re: wlan0 : * reason 3 (locally generated) ). This caused me to cast about further for a solution.

Settings Changes That Worked (Ubiquiti Wifi)

To get my kindle to connect reliably at this point I had to make 2 changes:

  1. Enable 'Optional' PMF functionality in the Wireless Network Configuration. PMF == Protected Management Frames:
  2. Disable Minimum data rate control

Saving and reprovisioning the wireless network at this point allowed me to connect the Kindle successfully.

At this point you can retry the Wireless connection and it should connect.