ESP32 WPA2 Enterprise Connection via Identity and Certificate

Jonel_Ph
Posts: 1
Joined: Wed Dec 09, 2020 6:20 am

ESP32 WPA2 Enterprise Connection via Identity and Certificate

Postby Jonel_Ph » Wed Dec 09, 2020 6:35 am

I am new to the ESP32 and IoT in general.
I am trying to connect to an access point via the identity and certificate provided by my IT counterpart,
but the connection fails at the authentication step with the RADIUS server. The RADIUS server log shows
this error: "EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate".
Can anyone point me to a guide/documentation on how to fix/bypass this handshake?

Below are the libraries that I am using at the moment:
#include "esp_wpa2.h"
#include "esp_wifi.h"

Appreciate any help!

Leander
Posts: 28
Joined: Thu Sep 26, 2019 8:50 pm

Re: ESP32 WPA2 Enterprise Connection via Identity and Certificate

Postby Leander » Mon Jan 11, 2021 10:04 am

I'm also having trouble connecting to a certificate-based WPA2-Enterprise network.
Did you find a solution?

RabbitRF
Posts: 15
Joined: Tue Mar 01, 2022 12:28 am

Re: ESP32 WPA2 Enterprise Connection via Identity and Certificate

Postby RabbitRF » Sat Mar 19, 2022 8:26 am

I'm thinking to use this feature for our commercial product design, is this problem fixed?

Leander
Posts: 28
Joined: Thu Sep 26, 2019 8:50 pm

Re: ESP32 WPA2 Enterprise Connection via Identity and Certificate

Postby Leander » Sat Mar 19, 2022 9:21 am

Enable the debug log on mbedtls, lwip and WiFi to see any errors during authentication.
This worked for me and I could see that there was insufficient heap to validate the customer's ServerCa.crt upon handshake. The customer used quite a large certificate of 20 KB.
Also make sure the identity is set the way the RADIUS server expects it. Sometimes it's a name; it might be the friendlyName property from the certificate or the device MAC.

We are using the esp32 in commercial products on all types of WiFi networks, including WPA2-PEAP and certificate-based.

Amir_El
Posts: 17
Joined: Thu Nov 19, 2020 3:55 pm

Re: ESP32 WPA2 Enterprise Connection via Identity and Certificate

Postby Amir_El » Wed Mar 23, 2022 10:05 am

Leander wrote: Sat Mar 19, 2022 9:21 am
    Enable the debug log on mbedtls, lwip and WiFi to see any errors during authentication.
    This worked for me and I could see that there was insufficient heap to validate the customer's ServerCa.crt upon handshake. The customer used quite a large certificate of 20 KB.
    Also make sure the identity is set the way the RADIUS server expects it. Sometimes it's a name; it might be the friendlyName property from the certificate or the device MAC.

    We are using the esp32 in commercial products on all types of WiFi networks, including WPA2-PEAP and certificate-based.

Hi

I'm trying to make my ESP32 connect to 2 different networks (Eduroam). One of them asks only for the username & password, while the other requires registering with an account, after which an SMS is sent to my phone.

How can I distinguish which type of Eduroam this is? And what type of certificates should I include in the code to make the device connect?

I tried the WPA2 Enterprise example that comes with ESP-IDF, but my ESP32 gets stuck in the connecting state until it resets.

Thank you....

Leander
Posts: 28
Joined: Thu Sep 26, 2019 8:50 pm

Re: ESP32 WPA2 Enterprise Connection via Identity and Certificate

Postby Leander » Wed Mar 23, 2022 10:26 am

I don't believe the esp32 supports networks with an authentication website after connecting to the WiFi.
The other network with WPA2-Enterprise PEAP authentication should work.

You will need to know the following before connecting:
  • PEAP identity (can be the username or device MAC address)
  • PEAP username
  • PEAP password
  • Server CA certificate
You will need to set these parameters before attempting a wifi_connect().
First do the regular stuff such as creating a handle, init netif, init wifi, register handlers.
Then set the esp_wifi_set_mode and the esp_wifi_set_config.
Then for PEAP networks set esp_wifi_sta_wpa2_ent_set_identity, esp_wifi_sta_wpa2_ent_set_username, esp_wifi_sta_wpa2_ent_set_password and esp_wifi_sta_wpa2_ent_set_ca_cert.
Don't forget to call esp_wifi_sta_wpa2_ent_enable(), and only then execute esp_wifi_start().

The same network SSID can't have 2 different authentication types. The SSID name should be different; that's how you set the connection to the correct network. Put the SSID in the esp_wifi_set_config function.
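Editor's note with an added example (not code from any of the posts above): the PEAP set-up sequence Leander describes, wrapped in one function, plus the two checks a practitioner wants before calling into the SDK. First, the server CA is treated as mandatory: if no CA is set, the supplicant skips server-certificate validation, and a rogue AP with the same SSID can capture the inner MSCHAPv2 exchange. Second, the PEM buffer length passed to the SDK must include the terminating NUL, which mbedTLS requires for PEM input and which IDF's EMBED_TXTFILES supplies but a hand-built buffer often does not. The original poster's "client rejected the ISE local-certificate" is this same server-certificate check failing on the ESP32 side (wrong or unparseable CA, or, as Leander found, not enough heap to parse a large one); the fix is to supply the CA that actually signed the RADIUS server's EAP certificate, not to bypass the check. The function names are the ESP-IDF v4.x API from esp_wifi.h and esp_wpa2.h; when ESP_PLATFORM is not defined, a small host-side shim (an assumption, not IDF code) stands in for the SDK and records the call order so the sequencing can be checked off-target. The SSID, identity, password and the placeholder CA are constructed sample values.

```c
/* Added example: PEAP connection set-up for ESP-IDF v4.x with input checks.
 * Assumption: the esp_wifi_* / esp_wifi_sta_wpa2_ent_* signatures below match
 * IDF v4.x. The #else branch is a host shim for off-target testing only. */
#include <stdio.h>
#include <string.h>

#ifdef ESP_PLATFORM
#include "esp_err.h"
#include "esp_wifi.h"
#include "esp_wpa2.h"
#else
/* ---- host shim (assumption: mirrors the IDF v4.x declarations used below) ---- */
typedef int esp_err_t;
#define ESP_OK 0
#define ESP_ERR_INVALID_ARG 0x102
typedef enum { WIFI_MODE_STA = 1 } wifi_mode_t;
typedef enum { WIFI_IF_STA = 0 } wifi_interface_t;
typedef struct { struct { unsigned char ssid[32]; unsigned char password[64]; } sta; } wifi_config_t;

static char call_log[256];                      /* records SDK calls in order */
const char *shim_call_log(void) { return call_log; }
void shim_reset_log(void) { call_log[0] = '\0'; }
static esp_err_t rec(const char *n) { strncat(call_log, n, sizeof call_log - strlen(call_log) - 1); return ESP_OK; }
static esp_err_t esp_wifi_set_mode(wifi_mode_t m) { (void)m; return rec("set_mode;"); }
static esp_err_t esp_wifi_set_config(wifi_interface_t i, wifi_config_t *c) { (void)i; (void)c; return rec("set_config;"); }
static esp_err_t esp_wifi_sta_wpa2_ent_set_identity(const unsigned char *p, int n) { (void)p; (void)n; return rec("set_identity;"); }
static esp_err_t esp_wifi_sta_wpa2_ent_set_username(const unsigned char *p, int n) { (void)p; (void)n; return rec("set_username;"); }
static esp_err_t esp_wifi_sta_wpa2_ent_set_password(const unsigned char *p, int n) { (void)p; (void)n; return rec("set_password;"); }
static esp_err_t esp_wifi_sta_wpa2_ent_set_ca_cert(const unsigned char *p, int n) { (void)p; (void)n; return rec("set_ca_cert;"); }
static esp_err_t esp_wifi_sta_wpa2_ent_enable(void) { return rec("ent_enable;"); }
static esp_err_t esp_wifi_start(void) { return rec("start;"); }
#endif

typedef struct {
    const char *ssid;
    const char *identity;         /* outer identity, whatever the RADIUS server expects (username or MAC) */
    const char *username;
    const char *password;
    const unsigned char *ca_pem;  /* server CA bundle in PEM, NUL-terminated */
    int ca_pem_len;               /* buffer length INCLUDING the trailing NUL */
} peap_cfg_t;

/* mbedTLS parses PEM only when the length covers the terminating NUL; IDF's
 * EMBED_TXTFILES appends that NUL, a hand-built buffer often does not. */
esp_err_t check_pem_ca(const unsigned char *pem, int len)
{
    if (pem == NULL || len < 2 || pem[len - 1] != '\0')
        return ESP_ERR_INVALID_ARG;
    if (strstr((const char *)pem, "-----BEGIN CERTIFICATE-----") == NULL)
        return ESP_ERR_INVALID_ARG;
    return ESP_OK;
}

esp_err_t peap_connect(const peap_cfg_t *c)
{
    wifi_config_t wcfg;
    esp_err_t err;

    if (!c || !c->ssid || !c->identity || !c->username || !c->password ||
        strlen(c->ssid) > sizeof wcfg.sta.ssid)
        return ESP_ERR_INVALID_ARG;
    /* Refuse to proceed without a usable server CA: an unverified PEAP peer lets a
     * rogue AP broadcasting the same SSID capture the inner MSCHAPv2 exchange. */
    if ((err = check_pem_ca(c->ca_pem, c->ca_pem_len)) != ESP_OK)
        return err;

    memset(&wcfg, 0, sizeof wcfg);                  /* sta.password stays empty for PEAP */
    memcpy(wcfg.sta.ssid, c->ssid, strlen(c->ssid));

    /* Order: mode and config, then the enterprise parameters, then enable, then start. */
    if ((err = esp_wifi_set_mode(WIFI_MODE_STA)) != ESP_OK) return err;
    if ((err = esp_wifi_set_config(WIFI_IF_STA, &wcfg)) != ESP_OK) return err;
    if ((err = esp_wifi_sta_wpa2_ent_set_identity((const unsigned char *)c->identity, (int)strlen(c->identity))) != ESP_OK) return err;
    if ((err = esp_wifi_sta_wpa2_ent_set_username((const unsigned char *)c->username, (int)strlen(c->username))) != ESP_OK) return err;
    if ((err = esp_wifi_sta_wpa2_ent_set_password((const unsigned char *)c->password, (int)strlen(c->password))) != ESP_OK) return err;
    if ((err = esp_wifi_sta_wpa2_ent_set_ca_cert(c->ca_pem, c->ca_pem_len)) != ESP_OK) return err;
    if ((err = esp_wifi_sta_wpa2_ent_enable()) != ESP_OK) return err;
    return esp_wifi_start();
}

/* Constructed placeholder CA (not a real certificate): enough for the format checks. */
static const char SAMPLE_CA_PEM[] =
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";

/* Runs the sequence with constructed sample values; with_nul=0 reproduces the
 * common off-by-one where the passed length omits the terminator. */
esp_err_t peap_connect_demo(int with_nul)
{
    peap_cfg_t cfg = { "corp-wifi", "device-001", "device-001", "example-password",
                       (const unsigned char *)SAMPLE_CA_PEM,
                       (int)strlen(SAMPLE_CA_PEM) + (with_nul ? 1 : 0) };
    return peap_connect(&cfg);
}

#ifndef ESP_PLATFORM
int main(void)
{
    printf("with NUL:    %d\n", peap_connect_demo(1));   /* 0 = ESP_OK */
    printf("calls:       %s\n", shim_call_log());
    shim_reset_log();
    printf("without NUL: %d\n", peap_connect_demo(0));   /* 0x102 = ESP_ERR_INVALID_ARG, no SDK calls made */
    return 0;
}
#endif
```

On the device, call peap_connect() after the usual netif/event-loop/wifi init and before waiting for the connected event; for the EAP-TLS case the original poster has, the same sequence applies with esp_wifi_sta_wpa2_ent_set_cert_key() supplying the client certificate and key in place of the username and password calls, and the CA check stays exactly as important.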
