Chat freely about anything...

User avatar
By lethe
#47844
zhenyuan992 wrote:I'm looking for a sketch too. I'm unsure of how to generate the certificate that is needed to sign into wpa2 enterprise network.

Any more information about the cert generation would be helpful. :D

There is no certificate for you to generate, eduroam uses username & passphrase to authenticate, not a client certificate.
Afaik the latest SDK does support WPA2 enterprise using login/password, SDK API doc.
User avatar
By martin_g
#60843 Good news: eduroam with PEAP works!
Bad news: with SDK V2.0 it urgently needs the dirty, dirty hack with the patch in libwpa2.a

I used the code from: https://github.com/joostd/esp8266-eduroam (requires esp-open-sdk with /ESP8266_NONOS_SDK_V2.0.0_16_08_10). May work with the arduino wrappers as well...

I did the patch with replacing the hardcoded outer authentication string "anonymous@espressif.com" with my eduroam identity, let's say "martin_g@someuni.de". Did this with bbe:

Code: Select allbbe -e "s/anonymous@espressif.com\x00/martin_g@someuni.de\x00\x00\x00\x00\x00/" libwpa2.a > libwpa2patch.a


The original string is 24 bytes (23 plus the final \0) long, guess, the replacement should have the same length.

Also added my credentials in those two lines of user_init() and commented out the line with the ca_cert (MITM-pttack possible, I know, but I wanted to test the basic functionality):
Code: Select all//wifi_station_set_enterprise_ca_cert(ca_pem, ca_pem_len + 1);    wifi_station_set_enterprise_username("martin_g@someuni.de", os_strlen("martin_g@someuni.de"));
wifi_station_set_enterprise_password("MyPassWD", os_strlen("MyPassWD"));


This finally gives me a connect and an IP-address:

WPA2 ENTERPRISE VERSION: [v2.0] enable
mode : sta(xx:xx:xx:xx:xx:xx)
add if0
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 3
cnt
EAP-PEAP: received 37 bytes encrypted data for Phase 2
EAP-PEAP: received Phase 2: code=1 identifier=11 length=5
EAP-PEAP: Phase 2 Request: type=1
EAP-PEAP: received 69 bytes encrypted data for Phase 2
EAP-PEAP: received Phase 2: code=1 identifier=12 length=43
EAP-PEAP: Phase 2 Request: type=26
EAP-PEAP: Selected Phase 2 EAP vendor 0 method 26
EAP-MSCHAPV2: RX identifier 12 mschapv2_id 12
EAP-MSCHAPV2: Generate Challenge Response
EAP-PEAP: received 85 bytes encrypted data for Phase 2
EAP-PEAP: received Phase 2: code=1 identifier=13 length=51
EAP-PEAP: Phase 2 Request: type=26
EAP-MSCHAPV2: RX identifier 13 mschapv2_id 12
EAP-PEAP: received 37 bytes encrypted data for Phase 2
EAP-PEAP: received Phase 2: code=1 identifier=14 length=11
EAP-PEAP: Phase 2 Request: type=33
3fff1100 already freed

connected with eduroam, channel 6
dhcp client start...
[connect to ssid eduroam, channel 6]
ip:10.156.8.195,mask:255.255.255.0,gw:10.156.8.254
[ip:10.156.8.195,mask:255.255.255.0,gw:10.156.8.254]
pm open,type:2 0


Same test without the patch results in repeated timeouts "Reason: 204"
I am pretty sure that the request is never routed to the correct RADIUS server. The outer authentication is not required for the actual authentication process, but for routing the request. In a lab setup with only one RADIUS server it might work with a nonsense outer authentication string, in a real world szenario it fails.

@Espressif: Great chip, great work, but please give us the API to set the outer authentication string!!!