Skip to content

WPA2-enterprise + PEAP #1032

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
kadu opened this issue Nov 17, 2015 · 142 comments
Closed

WPA2-enterprise + PEAP #1032

kadu opened this issue Nov 17, 2015 · 142 comments
Labels
component: libraries type: enhancement
Milestone
2.1.0

Comments

@kadu
Copy link

kadu commented Nov 17, 2015

Can ESP connect to WPA2-enterprise + PEAP networks ? If yes, how to do that ?
@bakercp
Copy link

bakercp commented Nov 18, 2015

There is a longer discussion of this topic on the esp8266 forum http://www.esp8266.com/viewtopic.php?f=6&t=1243&start=15.

@igrr
Copy link
Member

igrr commented Nov 30, 2015

WPA2-enterprise is supported in SDK 1.5, so linking this to #1102.

@igrr igrr added this to the 2.1.0 milestone Nov 30, 2015
@joostd
Copy link

joostd commented Dec 12, 2015

I suspect only eap-tls is supported.

See http://bbs.espressif.com/download/file.php?id=988. The only reference to wpa2-enterprise is in
wifi_station_set_cert_key

Also:

$ ar -t esp_iot_sdk_v1/esp_iot_sdk_v1.5.0/lib/libwpa2.a
/
//
asn1.o/
base64.o/
bignum.o/
eap_common.o/
eap.o/
/0
eap_tls.o/
ext_password.o/
pkcs1.o/
pkcs5.o/
pkcs8.o/
rsa.o/
tls_internal.o/
tlsv1_client.o/
/18
/39
tlsv1_common.o/
tlsv1_cred.o/
tlsv1_record.o/
tlsv1_server.o/
/61
/82
x509v3.o/

@JeroenBeemster
Copy link

HI guys. Finally WPA2 Enterprise is supported. But I cannot find any example. Actually I saw that only 1 person got it working.
My question is: I need to fill in a username (identity) and a password for the WPA2 and no private key or something like that. Where to fill in the "username" ? Or is this not supported yet. I know this is not an arduino question. But anyway here are the specialists :)

@igrr
Copy link
Member

igrr commented Dec 18, 2015

I have not yet added -lwpa2 to linker flag because I wasn't able to get WPA2-Enterprise to work.
If anyone wants to try, feel free to add this flag here

@pauldekkers
Copy link

@igrr shouldn't that be line 33? Either way that doesn't work for me, I included

#include <user_interface.h>
...
wifi_station_clear_cert_key();

... in my code to see if that would build, but it doesn't:

sketch_dec20a.ino:5: undefined reference to `wifi_station_clear_cert_key()'
collect2: error: ld returned 1 exit status

But I'm not sure this is the right way to call those functions.

@igrr
Copy link
Member

igrr commented Dec 21, 2015

You need to wrap that include with extern "C":

extern "C" {
#include "user_interface.h"
}

Regarding line number: after I wrote that comment a few lines got added, so now compiler.c.elf.libs is on line 33.

@pauldekkers
Copy link

@igrr extern "C" does get me further, except for this:

/Applications/Arduino.app/Contents/Java/hardware/esp8266com/esp8266/tools/sdk/lib/libcrypto.a(aes-internal-dec.o):(.irom0.text+0x4): undefined reference to Td0'
/Applications/Arduino.app/Contents/Java/hardware/esp8266com/esp8266/tools/sdk/lib/libcrypto.a(aes-internal-dec.o): In function aes_decrypt_init': (.irom0.text+0x134): undefined reference to Td4s'
collect2: error: ld returned 1 exit status`

I hope you know what's missing :-)

@JeroenBeemster
Copy link

I also added the -lwpa2 parameter.
I have exact the same error as Paul.
Same result when I tried this new function: wifi_station_clear_cert_key();

@igrr
Copy link
Member

igrr commented Dec 22, 2015

Should be fixed by 70cf3c3

@JeroenBeemster
Copy link

Yes, now it compiles. Thanks Igrr, Back to my first question. Where to put the username (Identity)?
How does it work? I am missing one part of the puzzle. And I do not know which

@pauldekkers
Copy link

@igrr Great, that compiles and I've actually got it to authenticate. But: with the wrong User-Name, that seems to be set to "tianhao" and not taken from the certificate CN. Maybe it uses the Microsoft UPN attribute or a subjectAltName; I'll try to experiment with that, but suggestions are welcome.

@DavidXanatos
Copy link

I also need to connect to a WPA2 Enterprise secured network, it requirers user authentication that is Username + Password, no certificate.
The server certificate is a self signed one.

Did anyone got this to work? And if so is there a guide + example

@pauldekkers
Copy link

So far only EAP-TLS is supported; so client-certificate based and not username/password. This works fine for me, but if you have no client-certificate and no control over the RADIUS server, I don't think you can do a lot (but wait for a series of other EAP-mechanisms to be supported).

@DavidXanatos
Copy link

I have full control over the RADIUS server just never configured anything else than user name based.
If I have to add certificate based (if that can coexist) than its doable.
Still how do I do that on the arduino side?

@joostd
Copy link

joostd commented Feb 15, 2016

You can use something like https://github.com/joostd/esp8266-eduroam/blob/master/Arduino/eduroam/eduroam.ino. At the moment, it needs a patched esp8266 Arduino core (#1633)

@igrr igrr closed this as completed Feb 27, 2016
@someburner
Copy link

FYI Espressif just released 1.5.3 which adds username/password support.

@joostd
Copy link

joostd commented Apr 19, 2016

Alas, all that 1.5.3 adds are the missing prototypes in include/user_interface.h (wifi_station_set_username and wifi_station_clear_username). These are not used for username/password authentication, but for setting/clearing the username used in EAP. As such, EAP-TLS (i.e. using client certificates) is still the only supported EAP method.
(In fact lib/libwpa2.a has not changed since version 1.5.2).

It does mean that PR #1633 is no longer necessary once the SDK is upgraded to 1.5.3.

@someburner
Copy link

@joostd Yeah I didn't notice that at first.. got a bit excited. I haven't been able to get PEAP going at my workplace.

@Potato-Matic
Copy link

Potato-Matic commented Aug 13, 2016
edited
Loading

I'm very interested. Can someone give a quick run down of the step by step for what almost "works" as of right now so I could give it a try? I take it it's only certificate based and not identity/password based that works (would be nice, but ok).

Edit: Are we waiting on Espressif for the identity/password bit?

@bloons3
Copy link

bloons3 commented Aug 22, 2016

I'm interested in seeing the arduino implementation for username/password on 801.2x

@Potato-Matic
Copy link

What's the current status of this?

@joostd
Copy link

joostd commented Oct 28, 2016

With the switch to V2.0 of the espressif sdk, EAP-TTLS and PEAP should now work as well.

@bospre
Copy link

bospre commented Oct 29, 2016

Hi @ all,
but where is an example on how to use it?
I could not find one.
Does anybody has an example for WPA2 with PEAP?

@svatos-jirka
Copy link

I tried 2.4.0-rc but It looks, that WPA2 enterprise doesnt work. Did I mistake?

@exquisitetelescope
Copy link

@svatos-jirka WPA2 enterprise doesn't work is a very broad statement. Which authentication method are you trying to use (PEAP, TLS, etc.)? What code are you using and types of errors are you getting? Also, do note the previous comment by @victorclaessen where we were talking about a bug in the firmware with WPA2 auth selection which I hope they fix soon.

@mru4913
Copy link

mru4913 commented Nov 15, 2017
edited
Loading

@ninjabe86 and @victorclaessen As the code you mentioned, you directly upload programs to ESP8266 and treat it like Arduino. Is there a way to talk to ESP8266 via Arduino? (Arduino controls ESP8266 to connect to eduroam?)

@svatos-jirka
Copy link

svatos-jirka commented Nov 26, 2017 via email

@xsrf
Copy link
Contributor

xsrf commented Dec 21, 2017

Hey, I'm watching this topic for a long time now... I also want to use WPA2 Enterprise, but in my case, I want to use EAP-PWD. Problem with MSCHAPv2 is, that it is actually very unsecure if not used right. And as far as I can tell from the conversations above, noone is using it correctly.
If you don't actually check that the radius servers certificate is issued by a trusted CA and also check that the certificate is issued for the radius server you want to connect to, you will actually leak your credentials to any fake access point that pretends to be one of your organisation... This is a huge problem with eduroam because most mainstream clients allow unsecure configurations, too.
However, I haven't found any hints for EAP-PWD implementation or good secure MSCHAPv2/TTLS examples. Is this still a topic for espressif, or might this never be usable?

@devyte
Copy link
Collaborator

devyte commented Dec 21, 2017

@xsrf that is a question best asked directectly to Espressif.

@victorclaessen
Copy link

victorclaessen commented Dec 21, 2017 via email

@victorclaessen victorclaessen mentioned this issue Dec 25, 2017
Open
@Burt-Silverman
Copy link

To reiterate what others have stated, the ESP8266 has an authentication type selection bug. In my case, using a freeradius server, the mode set as default_eap_type is the only type that ESP8266 will try to communicate with. I was able to authenticate with default_eap_type set to ttls, peap, or tls, and not able to authenticate with the nominal default_eap_type of md5. Totally different from the eapol_test program that exists in the Linux wpa_supplicant source package. Although tls worked well enough to authenticate, I found that my ESP8266 software crashed always about one minute after authentication succeeded. ttls and peap had no problems.

@chunkysteveo chunkysteveo mentioned this issue Feb 8, 2018
Closed
@fti7
Copy link

fti7 commented Feb 28, 2018

Is there a github issue which tracks this Bug? This Issue here is closed. I dont think they will respond here

@victorclaessen
Copy link

I don't think so. Might be worth a shot. Feel free to link to this post on their own message board:
http://bbs.espressif.com/viewtopic.php?p=18595&sid=e8e14cd6f97ee908d96ca75d0d47edd8#p15165

@xsrf
Copy link
Contributor

xsrf commented Feb 28, 2018

@fti7 no, since it's an issue with the underlying sdk of espressif, not with ESP8266 core for Arduino. There's also a post on espressifs forum for EAP+PWD: https://bbs.espressif.com/viewtopic.php?f=7&t=8802

@victorclaessen
Copy link

victorclaessen commented Mar 1, 2018
edited
Loading

@xsrf. That is, of course, very true and a really good point. But at this stage, what other options do we have to get this issue some more attention?

@xsrf
Copy link
Contributor

xsrf commented Mar 2, 2018

I don't know :( But I lost all hope espressif will ever address this issue. Maybe someone is actually implementing WPA2-Enterprise without the help of the SDK... I don't see other options.

@charliesz charliesz mentioned this issue Mar 8, 2018
Closed
@martinius96
Copy link

Hello there, some working sketch for WPA2 EAP OR PEAP?

@lzydavid
Copy link

Hi there, is there any working sketch for Arduino for WPA2 EAP for the current version : SDK:2.2.1(cfd48f3)/Core:2.4.1/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1)
I have been trying to connect my huzzah esp8266 to my school network for my project but still not succesful.

@ttimpe
Copy link

ttimpe commented Dec 10, 2018

It seems some people were able to make it work, does anyone have a working sketch yet? I'm trying to connect my NodeMCU to a WPA2-Enterprise hotspot and it doesn't work using wifi_station_set_config etc.

@d-a-v
Copy link
Collaborator

d-a-v commented Dec 10, 2018

It seems to depend on authentication protocol. It may work when using MSCHAPv2 but not PAP.
You should try first espressif's native SDK with their example.
I've made a repo to ease trying https://github.com/d-a-v/esp8266-nonos-easy-sdk
I still have no time to pursue, but I will at some point.
Best would be to setup a local (linux+hostapd) access point with WPA2+TTLS+MSCHAPv2 and test with SDKv3. Next step would be to setup a WPA2+TTLS+PAP and try it out too. With this feedback, open a new detailed issue with all the details on nonos-sdk repo.
There is already there an opened issue which is quite polluted. A nice and concise new issue with SDKv3 example and possibly hostapd conf files would be necessary. Without any mention to arduino in it, of course.

@Burt-Silverman
Copy link

Do not forget my January result above with the free radius server; unfortunately the default eap type was the only one the ESP8266 would authenticate with. So it helps to be able to change that setting in your server when you are testing things out.

@bospre
Copy link

bospre commented Dec 17, 2018

Hello together,
good news.
I found a working sketch for wpa2 enterprise with username and password (PAP)
Look here:
https://github.com/jtuttas/ESP8266-WPA2-Enterprise/blob/master/ino/webserver/webserver.ino
I think the difference is resetting (or initialise) the certificate.
2 years of waiting are now ending....

@ttimpe
Copy link

ttimpe commented Dec 17, 2018 via email

@martinius96
Copy link

almost nobody is using PAP...
Most users are looking for sketch for network similar to Eduroam with PEAP method

@bospre
Copy link

bospre commented Dec 17, 2018

I think i had a typo and the authentication PEAP.
At least i can now login with username and password.
@ ttimpe
Do you use the latest Arduino sdk?
I use 2.5.0-beta2
Maybe that makes a difference?

@xsrf
Copy link
Contributor

xsrf commented Dec 17, 2018

Most eduroam / enterprise networks also support EAP-PWD which should be easier to implement than EAP-PEAP-MSCHAPV2 or EAP-TTLS-MSCHAPV2. EAP-TTLS-PAP shouldn't be used anyways because it leaks your password quite easily if not configured 100% right.

@bospre
Copy link

bospre commented Dec 17, 2018

Okay it was a typo (PAP =>PEAP)
That is the log of the radiusserver:
Mon Dec 17 21:38:47 2018 : Auth: Login OK: [userESP8266/] (from client WLANxxxxx port 1 cli 5C-CF-7F-C8-80-01)

@bospre
Copy link

bospre commented Dec 17, 2018

Huh, the server hides some part of the line.
Mon Dec 17 21:37:21 2018 : Auth: Login OK: [ESP8266/] (from client WLANxxx port 1 cli 5C-CF-7F-C8-80-01)

@bospre
Copy link

bospre commented Dec 17, 2018

Still missing the part: via Auth-Type = EAP

@komw komw mentioned this issue Feb 2, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component: libraries type: enhancement
Projects
None yet
Milestone
2.1.0
Development

No branches or pull requests