Copyright © https://mongoose-os.com

Mongoose OS Forum


Enterprise Authentication on Wi-Fi

Hi, we have this customer wanting to use the ESP32 in places that enforce the Enterprise Authentication features of WiFi; he specifically asked for
1. Radius Authentication
2. PEAP
3. 802.1x EAP
4. CCKM

I'm not deep into this; I understand (1) is done by the customer infrastructure using either (2) or (3) as a transport for authentication data, and (4) seems to be Cisco specific.
Mongoose-OS seems to support PEAP. I guess it is through the ESP-IDF; is it so?
Is there specific info and/or some examples on configuring this? Do I have to fall back to ESP-IDF?

Regards

Comments

  • rojer Dublin, Ireland
    edited January 2018

    assuming you're asking about station, i.e. connecting to WPA-ent protected APs, - yes, mOS supports that. you can configure certificate, key, CA certificate and identity in the wifi settings.

    {
      "wifi": {
        "sta": {
          "enable": true,
          "ssid": "EAP-test",
          "anon_identity": "user1",
          "user": "user2",
          "pass": "password2",
          "cert": "wpa2_client.crt",
          "key": "wpa2_client.key",
          "ca_cert": "wpa2_ca.pem"
        }
      }
    }
    

    i think this covers 802.1x and PEAP. my understanding is that radius is more about the backend, i.e. how AP authenticates stations, so it's not relevant here. and i'm not sure if IDF supports this cisco thing, you'll need to check that yourself.
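
A check one could run over a `wifi.sta` block like the one above before flashing it, as an added example that is not part of the original post and not Mongoose OS code. The function name and finding codes are hypothetical, and the comments mark two assumptions about firmware behaviour that the thread does not confirm.

```python
import json

# Constructed sample: the wifi.sta block quoted in the reply above.
SAMPLE = json.loads("""
{"wifi": {"sta": {"enable": true, "ssid": "EAP-test",
  "anon_identity": "user1", "user": "user2", "pass": "password2",
  "cert": "wpa2_client.crt", "key": "wpa2_client.key",
  "ca_cert": "wpa2_ca.pem"}}}
""")


def audit_sta(cfg):
    """Return finding codes (hypothetical names) for a wifi.sta block."""
    sta = cfg.get("wifi", {}).get("sta", {})

    def val(key):
        return str(sta.get(key) or "").strip()

    has_password = bool(val("user") and val("pass"))
    has_cert, has_key = bool(val("cert")), bool(val("key"))
    if not (has_password or has_cert or has_key):
        return []  # no enterprise credentials, nothing to audit

    findings = []
    # Assumption: with no CA file the station has nothing to check the
    # RADIUS server certificate against, so any server could be accepted.
    if not val("ca_cert"):
        findings.append("no-ca-cert")
    # A client certificate is unusable without its private key and vice versa.
    if has_cert != has_key:
        findings.append("cert-key-mismatch")
    # The outer identity is sent before the TLS tunnel exists. Assumption:
    # an empty anon_identity means the real user name is used there.
    if has_password and val("anon_identity") in ("", val("user")):
        findings.append("identity-exposed")
    # Both credential types present: per the thread, the device does not
    # request a method, so the RADIUS default decides which one is used.
    if has_password and has_cert and has_key:
        findings.append("method-ambiguous")
    return findings


if __name__ == "__main__":
    print(audit_sta(SAMPLE))
```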

  • Thanks,
    yes, this is station mode. I actually never imagined doing Enterprise as an Access Point on a product like this... good point.
    I've already browsed the structure and asked Espressif. When I get past their sales people and actually contact someone who understands, I will post the results if there is any news.

  • scaprile Argentina

    Since the device does not request a specific authentication type, I could perform some tests by setting the authentication server (RADIUS) default authentication type.
    So far

    I've tested PEAP-MSCHAPv2 and EAP-TLS
    They seem to be working on first connection, but I have yet to catch an elusive crash on reconnections after sleep (with RADIUS server down).

    I've tested TTLS-EAP-MD5 and TTLS-EAP-MSCHAPv2
    After receiving the server Access-Accept, I see a Guru Meditation (Amiga users ?) and a core dump, which you find attached

  • scaprile Argentina
    edited May 2018

    and these two were caught after removing a user name from the config file, while doing EAP-TLS. On restart, the device kept crashing until I reloaded the file system. Then I modified another time and it started crashing again. Once I reflashed, then the expected error indication was issued again. Attached.

  • scaprile Argentina
    edited May 2018

    ...and I caught the elusive one.
    After having successfully authenticated with PEAP (MSCHAPv2), I brought the RADIUS down. Some time later (one hour maybe) the ESP32 tried to reconnect and after a number of attempts, it crashed. Following that, some time later I noticed the logs and there were some memory allocation problems while trying to connect, until it finally crashed again. Then I brought the RADIUS up again and the device successfully connected on restart. Please find attached the core dump for each crash, the console log just before the second crash, and the Wireshark (old) capture, so you can reference the timing (in case it helps).

  • ulso Stockholm

    I was wondering if we should expect WPA2 EAP to work on the CC3220. We have a customer that supplied us with SSID, username, and password. They say their WiFi network is using 802.1x.

  • AFAIK that is provided by the chipset manufacturer and as long as his SDK (or however he names it) provides for it, MongooseOS will be using it (eventually).
    I'm very fond of TI but haven't used their wireless chipsets yet, nor checked their SDK

  • ulso Stockholm

    Ok. I'll try it out tomorrow and see how it goes.

  • rojer Dublin, Ireland
    edited November 2018

    @scaprile CC3220's NWP does support 802.1x auth but Mongoose OS currently does not provide support for configuring it. file a feature request here and it will get looked at eventually. you can also arrange contract development with us to implement it faster.

  • ulso Stockholm

    I have now filed a feature request for 802.1x auth support on CC3220.
