WPA2 Enterprise connection

[RavenHawk]

Oh, I might know why some got it to work. Those that have it working, could you please confirm that instead of Arduino IDE https://github.com/espressif/arduino-esp32, you use the official ESP-IDF https://github.com/espressif/esp-idf?

[averri]

I have the same issue to connect the ESP32 to the WiFi using WPA2 Enterprise (PEAP). This connection does not use certificates, it just need the identity and password. The code I'm using is the one bellow:

Code: Select all

/* 
 *  This example shows how to use WPA2 enterprise 
 *  Written by: Jeroen Beemster
 *  12 July 2017
 *  Version 1.00
 */
#include "esp_wpa2.h"
#include <WiFi.h>

const char *ssid = "MySSID"; // The SSID
#define EAP_ID "MyID"  // This is the identity, the email address in my network.
#define EAP_USERNAME "myUsername" // Tried with or without it, without success.
#define EAP_PASSWORD "MyPassword"

void setup()
{
    Serial.begin(9600);
    delay(10);

    Serial.println();
    Serial.print("Connecting to ");
    Serial.println(ssid);

    // WPA2 enterprise magic starts here
    WiFi.disconnect(true);
    esp_wifi_sta_wpa2_ent_set_identity((uint8_t *)EAP_ID, strlen(EAP_ID));
    esp_wifi_sta_wpa2_ent_set_username((uint8_t *)EAP_USERNAME, strlen(EAP_USERNAME));
    esp_wifi_sta_wpa2_ent_set_password((uint8_t *)EAP_PASSWORD, strlen(EAP_PASSWORD));
    esp_wpa2_config_t config = WPA2_CONFIG_INIT_DEFAULT(); 
    esp_wifi_sta_wpa2_ent_enable(&config);
    // WPA2 enterprise magic ends here
    
    delay(100);

    WiFi.begin(ssid);

    while (WiFi.status() != WL_CONNECTED)
    {
        delay(1000);
        Serial.print(".");        
    }

    Serial.println("");
    Serial.println("WiFi connected");
    Serial.println("IP address: ");
    Serial.println(WiFi.localIP());
}

int value = 0;
const char *host = "lora.beemster.biz";

void loop()
{
    delay(5000);
    ++value;

    Serial.print("connecting to ");
    Serial.println(host);

    WiFiClient client;
    if (!client.connect(host, 80))
    {
        Serial.println("connection failed");
        return;
    }

    // We now create a URI for the request
    String url = "/wpa2successmesage.php";

    Serial.print("Requesting URL: ");
    Serial.println(url);

    // This will send the request to the server
    client.print(String("GET ") + url + " HTTP/1.1\r\n" +
                 "Host: " + host + "\r\n" +
                 "Connection: close\r\n\r\n");
    unsigned long timeout = millis();
    while (client.available() == 0)
    {
        if (millis() - timeout > 5000)
        {
            Serial.println(">>> Client Timeout !");
            client.stop();
            return;
        }
    }

    // Read all the lines of the reply from server and print them to Serial
    while (client.available())
    {
        String line = client.readStringUntil('\r');
        Serial.print(line);
    }

    Serial.println();
    Serial.println("closing connection");
}

The ESP32 gives the following error:

Code: Select all

(1155) wpa: Method private structure allocated failure

[PaulFreund]

Unfortunately I am facing the same problem. I want my devices to connect to our corporate Wi-Fi that I don't have control over. I can connect with my Android phone with only Identity and Password (although I don't really know what android _really_ sends.

Unfortunately I lack the neccessary knowledge about WPA2 Enterprise to tell where the problem could be and what meaning those certificates and keys really have. I have tried without certificates and with the ones in the WPA2 example in case they are meant only as client side identification.

With the certificates I get:

Code: Select all

I (268) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable

I (378) phy: phy_version: 3910, c0c45a3, May 21 2018, 18:07:06, 0, 0
I (378) wifi: mode : sta (xx:xx:xx:xx:xx:xx)
I (498) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (1478) wifi: state: init -> auth (b0)
I (1488) wifi: state: auth -> assoc (0)
I (1518) wifi: state: assoc -> run (10)
I (1518) wpa: wpa2_task prio:2, stack:6656

I (1668) wpa: SSL: Need 2347 bytes more input data
I (1758) wpa: SSL: Need 1057 bytes more input data
I (2048) wpa: >>>>>wpa2 FIALED

I (2058) wpa: wpa2 task delete

Without them with only username, identity or both I get:

Code: Select all

I (266) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable

I (376) phy: phy_version: 3910, c0c45a3, May 21 2018, 18:07:06, 0, 0
I (376) wifi: mode : sta (xx:xx:xx:xx:xx:xx)
I (506) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (1476) wifi: state: init -> auth (b0)
I (1486) wifi: state: auth -> assoc (0)
I (1516) wifi: state: assoc -> run (10)
I (1516) wpa: wpa2_task prio:2, stack:6656

I (1596) wpa: EAP-TLS: Private key not configured
E (1596) wpa: Method private structure allocated failure

I (1636) wpa: >>>>>wpa2 FIALED

I (1646) wpa: wpa2 task delete

The MAC address in both cases is censored. Interstingly sometimes in the second case I don't get the "Private key not configure" but a loop with:

Code: Select all

I (232) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable

I (352) phy: phy_version: 3910, c0c45a3, May 21 2018, 18:07:06, 0, 0
I (352) wifi: mode : sta (xx:xx:xx:xx:xx:xx)
I (472) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (1452) wifi: state: init -> auth (b0)
I (1452) wifi: state: auth -> assoc (0)
I (2462) wifi: state: assoc -> init (4)
I (2462) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (2582) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (2582) wifi: state: init -> auth (b0)
I (2582) wifi: state: auth -> assoc (0)
I (3582) wifi: state: assoc -> init (4)
I (3592) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (3712) wifi: n:1 0, o:1 0, ap:255 255, sta:1 0, prof:1
I (3712) wifi: state: init -> auth (b0)
I (3732) wifi: state: auth -> assoc (0)
...

I also looked around if somebody else found a solution and have a little link collection:

1. https://github.com/espressif/esp-idf/issues/1297
2. https://github.com/espressif/esp-idf/issues/1054
3. https://github.com/espressif/esp-idf/issues/248

Most interesting for me was the quote from #248:

[...]I couldnt make it work without calling esp_wifi_sta_wpa2_ent_set_ca_cert (ie, once I added in esp_wifi_sta_wpa2_ent_set_ca_cert with the CA used in my authentication server's TLS Server Hello, it worked and wouldnt work without it). This might just be an older IDF thing as the IDF I am using is from a while ago, but still, it seems like its very easy to get the process to fail without a CA certificate. Reason seems to be that the client (ESP32) will send a TLS Alert telling the server that the server certificate was bad even if you call esp_wifi_sta_wpa2_ent_clear_ca_cert[...]

Optimal for me would be to connect without any certificate but if there is a way to extract this without access to the infrastructure (promiscious mode wifi?) it would also solve the problem. We will have >100 devices with ESP and would like to refrain from creating an additional wifi network.

Best regards,

Paul

Update:

I re-ran the example every log set to Verbose and with the WPA2 enterprise example there is the following error:

Code: Select all

D (3002) wpa: X509: Did not find any of the issuers from the list of trusted certificates
D (3012) wpa: TLSv1: Server certificate chain validation failed (reason=6)
D (3022) wpa: TLSv1: Send Alert(2:48)
D (3022) wpa: SSL: 7 bytes left to be sent out (of total 7 bytes)
I (3102) wpa: >>>>>wpa2 FIALED

After that I removed the esp_wifi_sta_wpa2_ent_set_ca_cert because this can not match and get to the point:

Code: Select all

D (74001) wpa: X509: Did not find any of the issuers from the list of trusted certificates
D (74001) wpa: X509: Certificate chain validation disabled - ignore unknown CA issue
D (74011) wpa: X509: Certificate chain valid
D (74021) wpa: TLSv1: Received CertificateRequest
D (74021) wpa: TLSv1: Received ServerHelloDone
D (74031) wpa: TLSv1: Send Certificate
D (74031) wpa: TLSv1: Full client certificate chain not configured - validation may fail
D (74041) wpa: TLSv1: Send ClientKeyExchange
D (74211) wpa: TLSv1: Send CertificateVerify
D (76101) wpa: TLSv1: Send ChangeCipherSpec
D (76101) wpa: TLSv1: Record Layer - New write cipher suite 0x0035
D (76101) wpa: TLSv1: Send Finished
D (76101) wpa: SSL: 1458 bytes left to be sent out (of total 1458 bytes)
D (76111) wpa: SSL: sending 1400 bytes, more fragments will follow
D (76211) wpa: SSL: Received packet(len=6) - Flags 0x00
D (76211) wpa: SSL: 58 bytes left to be sent out (of total 1458 bytes)
D (76281) wpa: SSL: Received packet(len=17) - Flags 0x80
D (76281) wpa: SSL: TLS Message Length: 7
D (76281) wpa: TLSv1: Received content type 21 version 3.1 length 2
D (76281) wpa: TLSv1: Received alert 2:49
D (76291) wpa: SSL: No data to be sent out
D (76291) wpa: SSL: Building ACK (type=13 id=8 ver=0)

I (76371) wpa: >>>>>wpa2 FIALED

D (76371) wpa: TLSv1: Selected cipher suite: 0x0000
D (76371) wpa: TLSv1: Record Layer - New write cipher suite 0x0000
D (76371) wpa: TLSv1: Record Layer - New read cipher suite 0x0000

I (76391) wpa: wpa2 task delete

I assume that "D (76281) wpa: TLSv1: Received alert 2:49" corresponds to https://tools.ietf.org/html/rfc5246#section-7.2: fatal - access_denied and that might be because "D (74031) wpa: TLSv1: Full client certificate chain not configured - validation may fail".

access_denied has the description:

A valid certificate was received, but when access control was
applied, the sender decided not to proceed with negotiation. This
message is always fatal.

Update 2:

I also tried to generate my own certificate with 2048 bit just in case. Could it be that the client certificate has to be referenced to the server CA?

[fabio.rocha]

Hello,

In my case my university uses "eduroam" WPA2 Enterprise, TTLS, no certificate, MSCHAPv2(no EAP)
and I was able to connect using the code below. I had to insert the WiFi.mode(WIFI_STA); otherwise my ESP32 would reset with Guru meditation..

// eduroam WPA2 Enterprise, TTLS, no certificate, MSCHAPv2(no EAP)
#include "esp_wpa2.h"
#include <WiFi.h>
#define EAP_IDENTITY "jonny" // ID eg: "jonny" not jonny@univ.xx
#define EAP_PASSWORD "passwd"
#define MENOPC "ESP32 Board"

String line;
const char* ssid = "eduroam";
WiFiClient client;

void setup() {
Serial.begin(115200);
delay(10);
Serial.println();
Serial.println(ssid);
WiFi.disconnect(true);
WiFi.mode(WIFI_STA);
esp_wifi_sta_wpa2_ent_set_identity((uint8_t *)EAP_IDENTITY, strlen(EAP_IDENTITY));
esp_wifi_sta_wpa2_ent_set_username((uint8_t *)EAP_IDENTITY, strlen(EAP_IDENTITY));
esp_wifi_sta_wpa2_ent_set_password((uint8_t *)EAP_PASSWORD, strlen(EAP_PASSWORD));
esp_wpa2_config_t config = WPA2_CONFIG_INIT_DEFAULT();
esp_wifi_sta_wpa2_ent_enable(&config);

Serial.println("MAC address: ");
Serial.println(WiFi.macAddress());
WiFi.begin(ssid);
while (WiFi.status() != WL_CONNECTED) {
delay(500);
Serial.print(".");
}
Serial.println("");
Serial.println("IP address: ");
Serial.println(WiFi.localIP());

}

void loop() {
while (client.available()) {
char c = client.read();
Serial.write(c);
}

if (!client.connected()) {
if (client.connect("my-site", 3000)) {
client.println("GET /sensores?temperatura=123&id=ESP32 HTTP/1.1");
client.println("Connection: close");
client.println();
delay(2000);
}
}
}

[ybuyankin]

PaulFreund, I am having exactly the same issue you've faced. Unfortunately, I don't have a lot of experience with enterprise WPA2 as well. Have you found any solution so far? Network I'm trying to connect to has been set up (not by me) with the following how-to:

https://www.cisco.com/c/en/us/support/d ... g-000.html

I was trying to find out a way to control certificate request/checking on the server side (that's probably what's causing the problem) but haven't succeeded so far.

[PaulFreund]

Hello,
In my case my university uses "eduroam" WPA2 Enterprise, TTLS, no certificate, MSCHAPv2(no EAP)
and I was able to connect using the code below. I had to insert the WiFi.mode(WIFI_STA); otherwise my ESP32 would reset with Guru meditation..

Hello Fabio,

unfortunately this does not work for me with the latest ESP-IDF (I replicated the Wifi.mode function from the arduino sdk). Can you set all logs to maximum and provide them? This would mean that you successfully connected to a Wifi without a certificate. This was one of my main question because I can connect to our WPA2 Enterprise network with my Android phone but not the ESP and I thought it might be that the Android creates a self signed certificate or something. With your example I get:

Code: Select all

I (1671) wpa: EAP-TLS: Private key not configured
E (1671) wpa: Method private structure allocated failure

I (1901) wpa: >>>>>wpa2 FAILED

Could that mean that the Wifi driver from Espressif could be fixed to properly work without certificate? If yes I would really appreciate some feedback because I will need to enroll up to 500 devices soon.

EDIT: At least the following two issues seem to be related too:
https://github.com/espressif/esp-idf/issues/2152
https://github.com/espressif/esp-idf/issues/1297

[RavenHawk]

One idea for troubleshooting is to use something like Kali Linux to monitor the conversation between the Radius and ESP32 to gain a better understanding of the problem. I would imagine there's a way to filter the wireless interactions and narrow them down to just the conversation involving the ESP32. Let me know if I'm wrong, -- I'll try to learn Kali Linux for this sole purpose.

[PaulFreund]

Hi RavenHawk, this is what I am planning too, what you will need is a wifi interface that supports monitor mode and then use Wireshark for capturing. Kali Linux is a good point to start.

Edit: I've ordereed a Alfa Network AWUS036NHA because of it's monitor mode and injection capabilities

[PaulFreund]

This pull request solves my issue and I can connect to my WPA2 Enterprise network now https://github.com/espressif/esp-idf/pull/2354

[RavenHawk]

Oh, so this pull uses the ESP-IDF libraries ( https://github.com/espressif/esp-idf/pull/2354 ). I am using the Arduino IDE with the latest Arduino-ESP32 libraries: https://github.com/espressif/arduino-esp32

Is there a way to make this work whilst using the Arduino-ESP32 1.0.0 Libraries? If not, does that mean I have to completely switch and learn to use ESP-IDF or is it possible to just #include a few files and be able to use them alongside the native <WiFi.h> library like I did below?

Code: Select all

#include <WiFi.h>
#include "esp_wpa2.h"

const char* ssid = "SSID";
#define EAP_ID "ID"
#define EAP_USERNAME "USERNAME"
#define EAP_PASSWORD "PASSWORD"


void setup() {
    Serial.begin(115200);
    delay(10);

    Serial.println();
    Serial.print("Connecting to ");
    Serial.println(ssid);
    
    // WPA2 enterprise magic starts here
    WiFi.disconnect(true);  
    //wifi_auth_mode_t(WIFI_AUTH_WPA2_ENTERPRISE);
    esp_wpa2_config_t config = WPA2_CONFIG_INIT_DEFAULT();
    esp_wifi_sta_wpa2_ent_set_identity((uint8_t *)EAP_ID, strlen(EAP_ID));
    esp_wifi_sta_wpa2_ent_set_username((uint8_t *)EAP_USERNAME, strlen(EAP_USERNAME));
    esp_wifi_sta_wpa2_ent_set_password((uint8_t *)EAP_PASSWORD, strlen(EAP_PASSWORD));
    esp_wifi_sta_wpa2_ent_enable(&config);
    // WPA2 enterprise magic ends here


    WiFi.begin(ssid);

    while (WiFi.status() != WL_CONNECTED) {
        delay(500);
        Serial.print(".");
    }

    Serial.println("");
    Serial.println("WiFi connected");
    Serial.println("IP address: ");
    Serial.println(WiFi.localIP());

}


void loop ()
{
  
}

If there is no way to make the above code work, is there a way to make the wpa2_enterprise_main.c example work in Arduino IDE? (Shown below):

Code: Select all

/* WiFi Connection Example using WPA2 Enterprise
 *
 * Original Copyright (C) 2006-2016, ARM Limited, All Rights Reserved, Apache 2.0 License.
 * Additions Copyright (C) Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD, Apache 2.0 License.
 *
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#include <string.h>
#include <stdlib.h>
#include "freertos/FreeRTOS.h"
#include "freertos/task.h"
#include "freertos/event_groups.h"
#include "esp_wifi.h"
#include "esp_wpa2.h"
#include "esp_event_loop.h"
#include "esp_log.h"
#include "esp_system.h"
#include "nvs_flash.h"
#include "tcpip_adapter.h"

/* The examples use simple WiFi configuration that you can set via
   'make menuconfig'.

   If you'd rather not, just change the below entries to strings with
   the config you want - ie #define EXAMPLE_WIFI_SSID "mywifissid"

   You can choose EAP method via 'make menuconfig' according to the
   configuration of AP.
*/
#define EXAMPLE_WIFI_SSID "SSID"
#define EXAMPLE_EAP_METHOD 1

#define EXAMPLE_EAP_ID "ID"
#define EXAMPLE_EAP_USERNAME "USERNAME"
#define EXAMPLE_EAP_PASSWORD "PASSWORD"

/* FreeRTOS event group to signal when we are connected & ready to make a request */
static EventGroupHandle_t wifi_event_group;

/* The event group allows multiple bits for each event,
   but we only care about one event - are we connected
   to the AP with an IP? */
const int CONNECTED_BIT = BIT0;

/* Constants that aren't configurable in menuconfig */
#define EAP_PEAP 1
#define EAP_TTLS 2

static const char *TAG = "example";

/* CA cert, taken from wpa2_ca.pem
   Client cert, taken from wpa2_client.crt
   Client key, taken from wpa2_client.key

   The PEM, CRT and KEY file were provided by the person or organization
   who configured the AP with wpa2 enterprise.

   To embed it in the app binary, the PEM, CRT and KEY file is named
   in the component.mk COMPONENT_EMBED_TXTFILES variable.
*/
extern uint8_t ca_pem_start[] asm("_binary_wpa2_ca_pem_start");
extern uint8_t ca_pem_end[]   asm("_binary_wpa2_ca_pem_end");
extern uint8_t client_crt_start[] asm("_binary_wpa2_client_crt_start");
extern uint8_t client_crt_end[]   asm("_binary_wpa2_client_crt_end");
extern uint8_t client_key_start[] asm("_binary_wpa2_client_key_start");
extern uint8_t client_key_end[]   asm("_binary_wpa2_client_key_end");

static esp_err_t event_handler(void *ctx, system_event_t *event)
{
    switch(event->event_id) {
    case SYSTEM_EVENT_STA_START:
        esp_wifi_connect();
        break;
    case SYSTEM_EVENT_STA_GOT_IP:
        xEventGroupSetBits(wifi_event_group, CONNECTED_BIT);
        break;
    case SYSTEM_EVENT_STA_DISCONNECTED:
        esp_wifi_connect();
        xEventGroupClearBits(wifi_event_group, CONNECTED_BIT);
        break;
    default:
        break;
    }
    return ESP_OK;
}

static void initialise_wifi(void)
{
    unsigned int ca_pem_bytes = ca_pem_end - ca_pem_start;
    unsigned int client_crt_bytes = client_crt_end - client_crt_start;
    unsigned int client_key_bytes = client_key_end - client_key_start;
    esp_wpa2_config_t config = WPA2_CONFIG_INIT_DEFAULT();

    tcpip_adapter_init();
    wifi_event_group = xEventGroupCreate();
    ESP_ERROR_CHECK( esp_event_loop_init(event_handler, NULL) );
    wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT();
    ESP_ERROR_CHECK( esp_wifi_init(&cfg) );
    ESP_ERROR_CHECK( esp_wifi_set_storage(WIFI_STORAGE_RAM) );
    
    wifi_config_t wifi_config = {
        .sta = {
            .ssid = EXAMPLE_WIFI_SSID,
        }
    };
    
    ESP_LOGI(TAG, "Setting WiFi configuration SSID %s...", wifi_config.sta.ssid);
    ESP_ERROR_CHECK( esp_wifi_set_mode(WIFI_MODE_STA) );
    ESP_ERROR_CHECK( esp_wifi_set_config(ESP_IF_WIFI_STA, &wifi_config) );
    ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_ca_cert(ca_pem_start, ca_pem_bytes) );
    ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_cert_key(client_crt_start, client_crt_bytes,\
        client_key_start, client_key_bytes, NULL, 0) );
    ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_identity((uint8_t *)EXAMPLE_EAP_ID, strlen(EXAMPLE_EAP_ID)) );
    if (EXAMPLE_EAP_METHOD == EAP_PEAP || EXAMPLE_EAP_METHOD == EAP_TTLS) {
        ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_username((uint8_t *)EXAMPLE_EAP_USERNAME, strlen(EXAMPLE_EAP_USERNAME)) );
        ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_password((uint8_t *)EXAMPLE_EAP_PASSWORD, strlen(EXAMPLE_EAP_PASSWORD)) );
    }
   
    ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_enable(&config) );
    ESP_ERROR_CHECK( esp_wifi_start() );
}

static void wpa2_enterprise_example_task(void *pvParameters)
{
    tcpip_adapter_ip_info_t ip;
    memset(&ip, 0, sizeof(tcpip_adapter_ip_info_t));
    vTaskDelay(2000 / portTICK_PERIOD_MS);

    while (1) {
        vTaskDelay(2000 / portTICK_PERIOD_MS);

        if (tcpip_adapter_get_ip_info(ESP_IF_WIFI_STA, &ip) == 0) {
            ESP_LOGI(TAG, "~~~~~~~~~~~");
            ESP_LOGI(TAG, "IP:"IPSTR, IP2STR(&ip.ip));
            ESP_LOGI(TAG, "MASK:"IPSTR, IP2STR(&ip.netmask));
            ESP_LOGI(TAG, "GW:"IPSTR, IP2STR(&ip.gw));
            ESP_LOGI(TAG, "~~~~~~~~~~~");
        }
    }
}

void setup()
{
    ESP_ERROR_CHECK( nvs_flash_init() );
    initialise_wifi();
    xTaskCreate(&wpa2_enterprise_example_task, "wpa2_enterprise_example_task", 4096, NULL, 5, NULL);
}

void loop () 
{

}