trying with WPA2-enterprise on a TP-Link EAP with external Radius Server #4698

kapyaar opened this issue Apr 28, 2018 · 8 comments

kapyaar commented Apr 28, 2018

Platform

  • Hardware: [ESP-12]
  • Core Version: [latest git/2.4.1]
  • Development Env: [Arduino IDE]
  • Operating System: [Windows]

Settings in IDE

  • Module: [Nodemcu 0.9]
  • Flash Mode: [qio]
  • Flash Size: [4MB/1MB]
  • lwip Variant: [v1.4|v2 Lower Memory]
  • Reset Method: [ck|nodemcu]
  • Flash Frequency: [40Mhz]
  • CPU Frequency: [160MHz]
  • Upload Using: [SERIAL]
  • Upload Speed: [921600]

Problem Description

I am trying to connect an ESP to a WPA2 network at my university. It keeps looping between scandone and trying to connect, then disconnect. I tried so many variations based on different examples that people say worked for them; this is kind of a jamboree of such code. I also tried with eduroam and got pretty much the same result.

One user mentioned he had this working on 2.4.0, so I went back to that version from 2.4.1, yet no success with that either.

Edit: I got a test enterprise router, and am testing with an external radius router now.

MCVE Sketch

#include "ESP8266WiFi.h"
extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}

static const char* ssid = "UB_Secure";
static const char* username = "testUser";   // missing opening quote fixed
static const char* password = "testpswd";
const char* host = "host_ip";                // unused in this sketch
const char* username1 = "testUser";          // EAP identity, based on a comment on forum

u8 ca_cert[] = "-----BEGIN CERTIFICATE-----\n"
               "MIIFETCCA/mgAwIBAgIJAO0ntD34r/+QMA0GCSqGSIb3DQEBCwUAMIGiMQswCQYD\n"
               "VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExDzANBgNVBAcMBkR1cmhh\n"
               "bTEeMBwGA1UECgwVTWl0Y2hlbGwvVHJhbXBlciBJbmMuMR8wHQYJKoZIhvcNAQkB\n"
               "FhBidXJ0bXNAZ21haWwuY29tMSgwJgYDVQQDDB9CdXJ0IFNlbGYgQ2VydGlmaWNh\n"
               "dGUgQXV0aG9yaXR5MB4XDTE4MDEyMzE1NTgxOFoXDTE4MDMyNDE1NTgxOFowgaIx\n"
               "CzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEPMA0GA1UEBwwG\n"
               "RHVyaGFtMR4wHAYDVQQKDBVNaXRjaGVsbC9UcmFtcGVyIEluYy4xHzAdBgkqhkiG\n"
               "9w0BCQEWEGJ1cnRtc0BnbWFpbC5jb20xKDAmBgNVBAMMH0J1cnQgU2VsZiBDZXJ0\n"
               "aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\n"
               "AQC2O2m4JCmqimeztaZ8JasIuZqksrxvCjyWpkykoGzoR6v1/kDSuLgdp7EmtLKN\n"
               "vOJPQ2ea0yVvkFf0dQYcgDhNdAsXcqskMOprS+jefzlLQUbU1jTk+AOSiOcmxWT1\n"
               "H8uYhSp/1TkkWDM8dVO9RRIQyigVinsJNhdPyUVsTaQh3s29AL8CboixUNZWngOo\n"
               "d1+66lwy4N+3hXACJWlurgvc0q7RfqSqfJY/+lugfID0ANpGQqqu1Dq2IXZbLyx9\n"
               "roOPpC+fqX2wn5g9+RuA18OY/GPtkHc6clAoiJDGXsTRpffgsI5spdJ26WknbhO/\n"
               "3Q2vQJ2Q5m/QvSp55qOM5nevAgMBAAGjggFGMIIBQjAdBgNVHQ4EFgQUT3hChU84\n"
               "EEXHesDdKOtPqfhrg68wgdcGA1UdIwSBzzCBzIAUT3hChU84EEXHesDdKOtPqfhr\n"
               "g6+hgaikgaUwgaIxCzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGlu\n"
               "YTEPMA0GA1UEBwwGRHVyaGFtMR4wHAYDVQQKDBVNaXRjaGVsbC9UcmFtcGVyIElu\n"
               "Yy4xHzAdBgkqhkiG9w0BCQEWEGJ1cnRtc0BnbWFpbC5jb20xKDAmBgNVBAMMH0J1\n"
               "cnQgU2VsZiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCCQDtJ7Q9+K//kDAPBgNVHRMB\n"
               "Af8EBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly93d3cuZXhhbXBsZS5v\n"
               "cmcvZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcNAQELBQADggEBADNmDxddEh1XSo8J\n"
               "fanCRuYqngpVFtKCzRNCtQ7aOAPrj6gRMtMAqQhlYmcbxjaVOCboAvJ8evY8x5We\n"
               "YU6eIAmg95PlDws8EvcVQhO2ZYcuOHTvdu5Q4Ior0oXaCfqdS35YcPW7pRGprY/x\n"
               "w7kbG84FFatpXPuDGQB65haqQ2KXPrILiE/jAKpTu9EBLEEN4uIAuxbB6unARovX\n"
               "YoXIQHFc32bZAjihquvs4J7FNkcSr3lJpuv03dryqMB+Qn3G8yM7PFLNL2QyS0Zu\n"
               "UbS5kDO7UqbTjtrUDolp5sUNvyrkX5ILYfZeEeaHqAlA20SFqNG7BcTY222NsCft\n"
               "yNXqX1c=\n"
               "-----END CERTIFICATE-----";
void setup() {
  Serial.begin(115200);

  Serial.print("Connecting to ");
  Serial.println(ssid);
  // Setting ESP into STATION mode only (no AP mode or dual mode)
  wifi_set_opmode(0x01);

  struct station_config wifi_config;

  memset(&wifi_config, 0, sizeof(wifi_config));
  strcpy((char*)wifi_config.ssid, ssid);

  wifi_station_set_config(&wifi_config);

  wifi_station_clear_cert_key();            // drop any client cert/key left from a previous run
  wifi_station_clear_enterprise_ca_cert();  // drop any previously loaded CA certificate

  wifi_station_set_wpa2_enterprise_auth(1); // 1 = enable WPA2-Enterprise authentication
  wifi_station_set_enterprise_identity((uint8*)username1, strlen(username1)); // EAP identity
  wifi_station_set_enterprise_ca_cert(ca_cert, sizeof(ca_cert));              // CA used to verify the server
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));   // inner credentials
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));

  wifi_station_connect();
  Serial.print("Wifi station connect status:");
  Serial.println(wifi_station_get_connect_status());

  // Wait for connection AND IP address from DHCP
  while (WiFi.status() != WL_CONNECTED) {
    Serial.println(WiFi.status());
    delay(2000);
    Serial.println("Not connected");
  }

  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
}

void loop()
{
  delay(2000);
}

Debug Messages
SDK:2.2.1(cfd48f3)/Core:2.4.1/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1)
Connecting to UB_Secure
WPA2 ENTERPRISE VERSION: [v2.0] enable
scandone
Wifi station connect status:1
6
wifi evt: 8
wifi evt: 2
Not connected
6
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 0 (4)
reconnect
wifi evt: 1
STA disconnect: 4
Not connected
6
Not connected
6
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 4
cnt 
Not connected
6
Not connected
6
Not connected
6
Not connected
6
pm open,type:2 0
Not connected
6
Not connected
6
Not connected
6
Not connected
6
Not connected
6
Not connected
6
Not connected
6
Not connected
6
Not connected
6
Not connected
6
state: 5 -> 0 (2)
rm 0
pm close 7
reconnect
wifi evt: 1
STA disconnect: 204
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 0 (4)
reconnect
wifi evt: 1
STA disconnect: 4
scandone
wifi evt: 1
STA disconnect: 201
Not connected
4
reconnect
Not connected
4
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 4
cnt 
@kapyaar kapyaar closed this as completed Apr 29, 2018
@kapyaar kapyaar changed the title from "network not found trying with WPA2-enterprise at my university network" to "trying with WPA2-enterprise at my university network" May 3, 2018
@kapyaar kapyaar reopened this May 3, 2018

kapyaar commented May 8, 2018

OK, I went a step further, got a TP Link EAP access point, and configured it with an external radius server, created a testUser, etc. Then, first, I connected my iPhone to this network. It connected, asked for my username and password, and successfully authenticated. It did ask about trusting a certificate, and I clicked 'Trust'. Connection succeeded, I could browse the internet, no issues. Then I tried with the ESP, with various minor code changes, and no success. But the good thing is, now I can see what is happening on the radius server. The ESP does connect to the AP, but it is the radius auth that is failing. I believe this has to do with the way the ESP core is sending info? I am suspecting that the 'Trust this certificate' part that I saw on the iPhone might be the step that somehow is missing when the ESP is attempting to connect?

Someone who is familiar with the core might be able to help.

Log when the iPhone connects successfully.

Access Request:	Packet-Type = Access-Request
Packet-Src-IP-Address = 172.101.117.178
Packet-Dst-IP-Address = 10.142.0.4
Packet-Src-Port = 51481
Packet-Dst-Port = 8315
User-Name = "testUser"
NAS-IP-Address = 192.168.0.254
NAS-Port = 0
Called-Station-Id = "84-16-F9-88-81-62"
Calling-Station-Id = "24-F0-94-0A-86-91"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0200000e0161766172616368616e
Message-Authenticator = 0x38078a459ea243868a46981130743784
Event-Timestamp = "May  8 2018 18:00:50 UTC"
Tmp-Integer-3 = 8315
Tmp-String-1 = "local"
Called-Station-SSID = "UB_Secure"
Request-Session = "A8EtE6twSP"
Timestamp = 1525802450
Request Reply:	Packet-Type = Access-Accept
User-Name = "testUser"
MS-MPPE-Recv-Key = 0xd5cbe4473c46d30e890fe3c3924d523e6be032b3094bf14b60e05af5ba9b519e
MS-MPPE-Send-Key = 0xc73ef4774c2323653421aa7f4c84edd981bdbbd5112528c5d67f3ffff6176047
EAP-MSK = 0xd5cbe4473c46d30e890fe3c3924d523e6be032b3094bf14b60e05af5ba9b519ec73ef4774c2323653421aa7f4c84edd981bdbbd5112528c5d67f3ffff6176047
EAP-EMSK = 0xbcfd626b8b288217d499fcdfeab443e447c3b249f9f40534ce118b27195fcb726a5bfcb8d4daf828ac7fc5b197cae480f10d3269b95671ac1f2b55a4ec7afa25
EAP-Session-Id = 0x195af1e5d304697d2ba6c623125bbde0d6d1840641b961bab216fa17cb09a377c85af1e5d3a10361a0bfaa66c6476aa301b1e6ac09448148ccdf10a057fd9b8cab
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Timestamp = 1525802456
authdate:	2018-05-08 14:00:50
called_station_id:	84-16-F9-88-81-62
calling_station_id:	24-F0-94-0A-86-91
inner_username:	testUser
port:	8315
result:	Access-Accept
username:	testUser

Now, with the ESP connecting:

Access Request:	Packet-Type = Access-Request
Packet-Src-IP-Address = 172.101.117.178
Packet-Dst-IP-Address = 10.142.0.4
Packet-Src-Port = 51481
Packet-Dst-Port = 8315
User-Name = "testUser"
NAS-IP-Address = 192.168.0.254
NAS-Port = 0
Called-Station-Id = "84-16-F9-88-81-62"
Calling-Station-Id = "5C-CF-7F-19-D7-AE"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0200000e0161766172616368616e
Message-Authenticator = 0xb4e7aff218206bc6a65477bc7dd91c98
Event-Timestamp = "May  8 2018 19:15:04 UTC"
Tmp-Integer-3 = 8315
Tmp-String-1 = "local"
Called-Station-SSID = "UB_Secure"
Request-Session = "dx6I5LuWl0"
Timestamp = 1525806904
Request Reply:	Packet-Type = Access-Reject
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
Timestamp = 1525806905
authdate:	2018-05-08 15:15:04
called_station_id:	84-16-F9-88-81-62
calling_station_id:	5C-CF-7F-19-D7-AE
port:	8315
result:	Access-Reject
username:	testUser

By the way, if it helps I would be more than happy to work with anyone familiar on this via screen sharing or other modes if that helps.

@kapyaar kapyaar changed the title from "trying with WPA2-enterprise at my university network" to "trying with WPA2-enterprise on a TP-Link EAP with external Radius Server" May 8, 2018

kapyaar commented May 9, 2018

More updates

Playing around more with this, I tried the following. I tried to connect my iPhone to the enterprise network with the correct username but a wrong password. This time, two interesting finds.

  1. The radius server log for the iPhone matches more or less that of the ESP.
  2. The radius server log for the iPhone shows a line called 'inner_username' which is missing from the ESP's.

Does this light any bulbs, anyone? :)

Radius log for the iPhone with correct username and wrong password

Access Request:	Packet-Type = Access-Request
Packet-Src-IP-Address = 172.101.117.178
Packet-Dst-IP-Address = 10.142.0.4
Packet-Src-Port = 51481
Packet-Dst-Port = 8315
User-Name = "testUser"
NAS-IP-Address = 192.168.0.254
NAS-Port = 0
Called-Station-Id = "84-16-F9-88-81-62"
Calling-Station-Id = "24-F0-94-0A-86-91"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0200000e0161766172616368616e
Message-Authenticator = 0x73ed9adc6cc07fc6452963f2a4a3bc3e
Event-Timestamp = "May  9 2018 18:57:46 UTC"
Tmp-Integer-3 = 8315
Tmp-String-1 = "local"
Called-Station-SSID = "UB_Secure"
Request-Session = "UOBQhUF1IQ"
Timestamp = 1525892266
Request Reply:	Packet-Type = Access-Reject
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Timestamp = 1525892268
authdate:	2018-05-09 14:57:46
called_station_id:	84-16-F9-88-81-62
calling_station_id:	24-F0-94-0A-86-91
inner_username:	testUser
port:	8315
result:	Access-Reject
username:	testUser

Radius log for the ESP with correct username and password

Access Request:	Packet-Type = Access-Request
Packet-Src-IP-Address = 172.101.117.178
Packet-Dst-IP-Address = 10.142.0.4
Packet-Src-Port = 51481
Packet-Dst-Port = 8315
User-Name = "testUser"
NAS-IP-Address = 192.168.0.254
NAS-Port = 0
Called-Station-Id = "84-16-F9-88-81-62"
Calling-Station-Id = "5C-CF-7F-19-D7-AE"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0201000e0161766172616368616e
Message-Authenticator = 0x66ae3c9a3d6a4306437f42d954911411
Event-Timestamp = "May  9 2018 18:32:16 UTC"
Tmp-Integer-3 = 8315
Tmp-String-1 = "local"
Called-Station-SSID = "UB_Secure"
Request-Session = "4lutlg4WNe"
Timestamp = 1525890736
Request Reply:	Packet-Type = Access-Reject
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
Timestamp = 1525890736
authdate:	2018-05-09 14:32:16
called_station_id:	84-16-F9-88-81-62
calling_station_id:	5C-CF-7F-19-D7-AE
port:	8315
result:	Access-Reject
username:	testUser

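The EAP-Message values in these logs are raw EAP packets, and decoding them shows which step the exchange stopped at: an Identity response from the station, then a bare Success or Failure from the server. Here is an added Python decoder for them, not code from the issue or from the ESP8266 core; the sample log is constructed, with "testUser" as a stand-in identity.

```python
from dataclasses import dataclass
from typing import List, Optional

# EAP header (RFC 3748): Code(1) | Identifier(1) | Length(2, big-endian) | [Type(1) | Type-Data]
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    eap_type: Optional[str] = None   # only Request/Response carry a Type byte
    identity: Optional[str] = None   # only filled for Identity responses


def decode_eap_message(value: str) -> EapPacket:
    """Parse one EAP-Message attribute value as printed in the RADIUS log."""
    raw = bytes.fromhex(value[2:] if value.startswith("0x") else value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes present")
    pkt = EapPacket(EAP_CODES.get(code, f"code-{code}"), ident, length)
    if code in (1, 2) and length >= 5:
        pkt.eap_type = EAP_TYPES.get(raw[4], f"type-{raw[4]}")
        if raw[4] == 1:  # Identity: the rest is the outer, unencrypted identity
            pkt.identity = raw[5:].decode("utf-8", errors="replace")
    return pkt


def summarize_log(log: str) -> List[EapPacket]:
    """Collect every EAP-Message attribute from a RADIUS log excerpt, in order."""
    packets = []
    for line in log.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() == "EAP-Message":
            packets.append(decode_eap_message(val.strip()))
    return packets


# Constructed sample in the shape of the logs above: the station's outer
# identity "testUser", then the server's final reply (an EAP Failure).
SAMPLE_LOG = """\
Access Request:\tPacket-Type = Access-Request
EAP-Message = 0x0200000d017465737455736572
Request Reply:\tPacket-Type = Access-Reject
EAP-Message = 0x04010004
"""
```

Success and Failure packets carry no Type byte, which is why the Accept and Reject replies above decode to just four bytes; with a tunnelled method such as PEAP the inner identity is sent inside the TLS tunnel, so a log entry without inner_username means the attempt ended before any inner identity was exchanged.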

d-a-v commented Jun 23, 2019

@Flole998
Contributor

@d-a-v Your link is messed up


d-a-v commented Jul 17, 2019

#3442 (comment)

@bkrajendra

Any update on this for ESP8266 WPA2-enterprise PEAP?

@Vbansal1996

Did we have any success with ESP8266 WPA2-enterprise PEAP?

@bkrajendra

Not possible with ESP8266. Got success with ESP32, but it only works with a few networks, not with all.
Finally shifted to RPI3B+
