[WPA2-ENT] Problem connecting to WPA2 Enterprise using PEAP-MSCHAPV2



  • Currently trying to connect a LoPy4 to the Eduroam network using WPA2-E with PEAP-MSCHAPV2.

    Basically I have a USER & PASS pair and no certificate.

    I've tried both what is stated in the official documentation [<here> and <here>] and also other suggestions that I've found on the forum, but without success. I've also tried different firmware versions, all the way from 1.13.0.b1 to the newest 1.20.3.b0, from the legacy, pybytes, legacy-pybytes and development branches.

    Now, regarding code, I have the following:

    from network import WLAN
    import machine   # needed for machine.idle() below
    # other imports like utime ...
    
    network = {   # not real user and pass.... obviously....
        "SSID": "eduroam",
        "USER": "someuser@ufp.pt",
        "PASS": "somepass"
        }
    
    print('[Wifi] Wifi starting...')
    wlan = WLAN(mode=WLAN.STA)
    wlan.antenna(WLAN.EXT_ANT)   # using the external antenna, but even with the internal antenna it doesn't work
    
    print('[Wifi] Connecting to ['+network["SSID"]+'] with User ['+network["USER"]+']...')
    wlan.connect(ssid=network["SSID"], auth=(WLAN.WPA2_ENT, network["USER"], network["PASS"]), identity=network["USER"], timeout=5000)   # also tried other timeouts
    
    while not wlan.isconnected():
        machine.idle()   # also tried with utime.sleep
    print('[Wifi] Wifi connected to '+network["SSID"])
    

    Regarding the network itself (from the University website):
    Eduroam documentation from the admin

    Now, to my knowledge, I see no problem with the code or the settings, so what am I even doing wrong? Is this type of network even compatible?
    All I get is either it gets stuck inside the loop if no timeout is given (or if the FW version is too old) or it gives a timeout and reboots.
    I think this is a very old, very common problem that needs resolution.

    I don't think this is something that can be solved with just Python code and it might have to be solved in the firmware itself. However how.... that's the question



  • @jcaron said in [WPA2-ENT] Problem connecting to WPA2 Enterprise using PEAP-MSCHAPV2:

    @Alephus did you provide the LoPy4’s MAC address to your IT department so they can allow it to connect? It might be the key to it all...

    I actually questioned them about it, since in the instructions it says that Teachers and non-Teachers must inform the IT department about their MAC address, but they say that Student accounts and the 2 test accounts I'm using don't require it. But I will request another test account linked to the LoPy MAC address to see if that's the case.


    Translation:
    < Note: Teachers and non-Teachers of the
    University must inform SI&C (Information
    and Communication System) of the MAC address
    of the equipment, to be able to connect to the
    eduroam network. >



  • @Alephus did you provide the LoPy4’s MAC address to your IT department so they can allow it to connect? It might be the key to it all...



  • The wifi sniffer is actually a nice idea that I completely forgot about!
    Next time I'm at the university I will get as much info from the sniffer as possible and continue to try to work with the Arduino code. (Due to COVID, my country is currently under mandatory homestay so I kinda can only go to university when justified)


  • Global Moderator

    NB: in your first post the screenshot says you need to send the MAC address of the device to the local IT/Network team so they can allow it to connect. Seems overkill to me, but have you tried that?

    This actually makes some sense thinking about it.
    From what I know about my university (they use the same kind of WPA2-enterprise with username/password/identity) is that they only allow a limited amount of wireless connections per username in some way, to avoid dealing with hundreds of unsecure raspberry pi's on the network. Not really sure how they handle it, but it could be through mac addresses.

    I would have tried the Pycom device on that eduroam network, less I'm not allowed to go there.



  • @Alephus Probably time to get the Wi-Fi sniffer out :-)

    Before that, you could try doing a Wi-Fi scan and dumping the networks to see what auth settings that network has.

    You could also add callbacks and log various events to see what the Wi-Fi stack says.

    NB: in your first post the screenshot says you need to send the MAC address of the device to the local IT/Network team so they can allow it to connect. Seems overkill to me, but have you tried that?
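
The scan-and-dump step suggested in the post above, as an added example that is not part of the original thread or Pycom's own code. It assumes `WLAN.scan()` returns `(ssid, bssid, sec, channel, rssi)` tuples and that the numeric `sec` values follow ESP-IDF's `wifi_auth_mode_t` enum; the sample scan data is constructed so the helpers also run off-device.

```python
try:
    from network import WLAN          # present on Pycom firmware only
except ImportError:
    WLAN = None                       # lets the helpers run off-device

# Assumption: sec values follow ESP-IDF's wifi_auth_mode_t enum.
AUTH_NAMES = {0: "OPEN", 1: "WEP", 2: "WPA", 3: "WPA2", 4: "WPA/WPA2", 5: "WPA2_ENT"}

def summarise(scan_results, ssid):
    """Return (bssid, auth_name, channel, rssi) per AP with this SSID, strongest first."""
    rows = []
    for net in scan_results:
        name, bssid, sec, channel, rssi = net[0], net[1], net[2], net[3], net[4]
        if name != ssid:
            continue
        mac = ":".join("{:02x}".format(b) for b in bssid)
        auth = AUTH_NAMES.get(sec, "UNKNOWN({})".format(sec))
        rows.append((mac, auth, channel, rssi))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows

def auth_mismatches(rows, expected="WPA2_ENT"):
    """APs that advertise the SSID with a different auth mode than expected."""
    return [r for r in rows if r[1] != expected]

# Constructed sample data, not captured from any real network.
SAMPLE_SCAN = [
    ("eduroam", b"\x02\x00\x00\x00\x00\x01", 5, 6, -71),
    ("eduroam", b"\x02\x00\x00\x00\x00\x02", 5, 11, -58),
    ("guest-portal", b"\x02\x00\x00\x00\x00\x03", 0, 1, -60),
    ("eduroam", b"\x02\x00\x00\x00\x00\x04", 3, 1, -80),
]

def main():
    results = WLAN(mode=WLAN.STA).scan() if WLAN else SAMPLE_SCAN
    rows = summarise(results, "eduroam")
    for mac, auth, channel, rssi in rows:
        print("[scan] {} auth={} ch={} rssi={}".format(mac, auth, channel, rssi))
    for mac, auth, _, _ in auth_mismatches(rows):
        print("[scan] WARNING: {} advertises {} instead of WPA2_ENT".format(mac, auth))

if __name__ == "__main__":
    main()
```

An access point that carries the expected SSID but a different auth mode is either misconfigured or not part of the real deployment, so it is worth ruling out before debugging credentials.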


  • Global Moderator

    So after that it gets stuck trying to connect to the network and checking the credentials. I'm looking into showing even more debug output from the esp-idf, so we would see the authentication process, but I have no further experience there (yet). It would be good if you were able to verify the connection does work with the Arduino script I sent before, if you're able to! It seems to be quite tricky to get the settings exactly correct to reflect the specific wpa2-enterprise settings.



  • @Gijs here is what I get (credentials changed for safety reasons):

    [Wifi] Wifi starting...
    [Wifi] Connecting to [eduroam]...
    [modwlan] wlan_do_connect: WPA2 credentials 
             identity: convidado@ufp.pt, 
             username convidado@ufp.pt, 
             passkey: somepass
    [modwlan] wlan_do_connect: setting identity
    [modwlan] wlan_do_connect: setting username & password
    [modwlan] wlan_do_connect: enable wpa2_ent
    

    and then it gets stuck there after the enable wpa2_ent. Maybe something after that is getting it stuck?


  • Global Moderator

    Hi,
    Sorry, it took me some more time than I estimated. I have a firmware package here
    where I made some additional changes and added debug output. Also I used this test script: (I removed the timeout, from what I think, the WPA2_ent might need some time to get connected properly)

    from network import WLAN
    #other imports like machine, utime ...
    import machine
    network = {   #not real user and pass.... obviously....
        "SSID": "eduroam",
        "USER": "someuser@ufp.pt",
        "PASS": "somepass"
        }
    
    print('[Wifi] Wifi starting...')
    wlan = WLAN(mode=WLAN.STA)
    wlan.antenna(WLAN.EXT_ANT)   # using the external antenna, but even with the internal antenna it doesn't work
    
    print('[Wifi] Connecting to ['+network["SSID"]+'] with User ['+network["USER"]+']...')
    wlan.connect(ssid=network["SSID"], auth=(WLAN.WPA2_ENT, network["USER"], network["PASS"]), identity=network["USER"])   # also tried other timeouts
    
    while not wlan.isconnected():
        machine.idle()   # also tried with utime.sleep
    print('[Wifi] Wifi connected to '+network["SSID"])
    

    Which gave this response:

    [Wifi] Wifi starting...
    [Wifi] Connecting to [eduroam] with User [someuser@ufp.pt]...
    [modwlan] wlan_do_connect: WPA2 credentials 
             identity: someuser@ufp.pt, 
             username someuser@ufp.pt, 
             passkey: somepass
    [modwlan] wlan_do_connect: setting identity
    [modwlan] wlan_do_connect: setting username & password
    [modwlan] wlan_do_connect: enable wpa2_ent 
    

    Unfortunately I still cannot test the wpa2 enterprise on this side,
    Let me know if this works for you!

    Gijs



  • @Gijs I'm afraid my experience with ESP32 in the Arduino IDE is limited, but I will see what I can do, considering at the moment I'm sort of the tester here.

    I'll wait for your version and meanwhile see what I can do from my side.

    best regards


  • Global Moderator

    @Alephus I'll work out some debug statements in the firmware on Friday that should give us more details about what is exactly happening on lower levels. Unfortunately I'm not able to test the WPA2-ENT on this side so I'll have to go off of your feedback, but what I read from other users using WPA2-ENT on eduroam in C-code (https://github.com/martinius96/ESP32-eduroam)

    It seems we are following very similar procedures (the actual example is listed here: https://github.com/martinius96/ESP32-eduroam/blob/master/WifiClient/examples/WifiClientEnterprise/WifiClientEnterprise.ino, I'm not sure if you have any experience with ESP32 in the Arduino IDE, else you could perhaps try if this works, so we can figure out if it is firmware related or network related, though I might have missed something)

    Gijs



  • @Gijs Well, as promised, here is the feedback:

    Regarding the firmware, I'm afraid the behaviour is still exactly the same as before: it either times out (if I give it a timeout amount) or it just waits forever.

    Regarding the identity, I've talked with the ones taking care of the network and they say to pass the same as the user, so regarding that the code is fine.

    Regarding the process, I used the latest Pycom firmware update tool to erase the flash memory and put the firmware you provided.

    Not sure what type of logs I can provide to give a better idea...

    Any ideas?


  • Global Moderator

    Sure, let me know what you get.

    I can also build a version for you that does not require the identity if that works better on your computer, but I'm not sure if there is a lower level section that requires the identity to be set to at least something

    Best



  • First of all, thanks for the reply

    Regarding the credentials, yes I did use them on a computer and they do work, but just in case I have access to 3 of them. 1 is my own, 1 is for test purposes and 1 is a special one that bypasses some proxies in the network. None worked so far.

    Regarding the firmware, I will test it as soon as I'm back at the university, which will be next Monday, and I will be sure to put feedback here to make sure this matter is finally resolved.

    Regarding identity, I honestly don't know if the University requires it or not, but I still pass it just in case (besides, if I don't, the command doesn't even work). I will test connecting my laptop to it with and without identity to see if it changes anything.


  • Global Moderator

    Hi,
    Yes, I was sort of aware of an issue with WPA2-enterprise and did produce a fix for it in the past, but we had no way of verifying it actually worked (you're the second post in about 6 months, but I did not get any feedback last time). I attached the LoPy4 variant of the firmware here (you should be able to upload it using the firmware updater tool, with the flash from file option). If you could verify for me that the fix works, we can publish it in the next firmware release!
    Sorry for the inconvenience.

    Next to the above, were you able to connect to the eduroam through your computer with the credentials set? There seem to be some different methods for connecting (I notice the anonymous identity box is not filled in the Linux form, but I know we do use it as the identity parameter, and leaving that parameter empty will cause an issue)
    Gijs

