Copyright © https://mongoose-os.com

Mongoose OS Forum


Enterprise Authentication on Wi-Fi

Hi, we have this customer wanting to use the ESP32 in places that enforce the Enterprise Authentication features of WiFi; he specifically asked for
1. Radius Authentication
2. PEAP
3. 802.1x EAP
4. CCKM

I'm not deep into this; I understand (1) is done by the customer infrastructure using either (2) or (3) as a transport for authentication data, and (4) seems to be Cisco specific.
Mongoose-OS seems to support PEAP. I guess it is through the ESP-IDF; is it so?
Is there specific info and/or some examples on configuring this? Do I have to fall back to ESP-IDF?

Regards

Comments

  • rojerrojer Dublin, Ireland
    edited January 10

    assuming you're asking about station, i.e. connecting to WPA-ent protected APs, - yes, mOS supports that. you can configure certificate, key, CA certificate and identity in the wifi settings.

    {
      "wifi": {
        "sta": {
          "enable": true,
          "ssid": "EAP-test",
          "anon_identity": "user1",
          "user": "user2",
          "pass": "password2",
          "cert": "wpa2_client.crt",
          "key": "wpa2_client.key",
          "ca_cert": "wpa2_ca.pem"
        }
      }
    }
    

    i think this covers 802.1x and PEAP. my understanding is that radius is more about the backend, i.e. how AP authenticates stations, so it's not relevant here. and i'm not sure if IDF supports this cisco thing, you'll need to check that yourself.
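
The settings in the reply above can be checked before they are written to a device. The following is an added example, not part of the thread or of Mongoose OS: a Python lint for the enterprise fields of `wifi.sta`. The names `lint_sta` and `fs_files`, and the rule that any enterprise field being set means WPA-Enterprise is intended, are assumptions.

```python
import json

# Constructed sample: the wifi.sta settings shown in the reply above.
SAMPLE = """{"wifi": {"sta": {"enable": true, "ssid": "EAP-test",
  "anon_identity": "user1", "user": "user2", "pass": "password2",
  "cert": "wpa2_client.crt", "key": "wpa2_client.key",
  "ca_cert": "wpa2_ca.pem"}}}"""

FILE_KEYS = ("cert", "key", "ca_cert")

def lint_sta(config_text, fs_files=None):
    """Return findings for the enterprise fields of wifi.sta.

    fs_files (hypothetical parameter): names of files on the device file
    system; None skips the existence check.
    """
    sta = json.loads(config_text).get("wifi", {}).get("sta", {})
    val = {k: str(sta.get(k) or "").strip()
           for k in ("anon_identity", "user", "pass") + FILE_KEYS}
    findings = []
    # Assumption: any of these fields being set means WPA-Enterprise is
    # intended; "pass" alone is an ordinary pre-shared key and is skipped.
    if not any(val[k] for k in ("anon_identity", "user") + FILE_KEYS):
        return findings
    if bool(val["cert"]) != bool(val["key"]):
        findings.append("cert and key must be set together (EAP-TLS client credential)")
    if not val["user"]:
        # The thread reports repeated crashes after the user name was removed.
        findings.append("user is empty")
    if not val["ca_cert"]:
        findings.append("ca_cert is empty: RADIUS server certificate cannot be validated")
    if val["user"] and not val["pass"] and not val["cert"]:
        findings.append("no credential: set pass (PEAP/TTLS) or cert+key (EAP-TLS)")
    if val["user"] and val["anon_identity"] == val["user"]:
        findings.append("anon_identity equals user: outer identity exposes the real user name")
    if fs_files is not None:
        for k in FILE_KEYS:
            if val[k] and val[k] not in fs_files:
                findings.append(f"{k} file not found: {val[k]}")
    return findings

if __name__ == "__main__":
    # Constructed file list with the client key missing.
    for finding in lint_sta(SAMPLE, {"wpa2_client.crt", "wpa2_ca.pem"}):
        print("FINDING:", finding)
```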

  • scaprilescaprile Argentina

    Thanks,
    yes, this is station mode. I actually never imagined doing Enterprise as an Access Point on a product like this... good point.
    I've already browsed the structure and asked Espressif. When I get past their sales people and actually contact someone who understands, I will post the results if there is any news.

  • scaprilescaprile Argentina

    Since the device does not request a specific authentication type, I could perform some tests by setting the authentication server (RADIUS) default authentication type.
    So far

    I've tested PEAP-MSCHAPv2 and EAP-TLS
    They seem to be working on first connection, but I have yet to catch an elusive crash on reconnections after sleep (with RADIUS server down).

    I've tested TTLS-EAP-MD5 and TTLS-EAP-MSCHAPv2
    After receiving the server Access-Accept, I see a Guru Meditation (Amiga users ?) and a core dump, which you find attached

  • scaprilescaprile Argentina
    edited May 15

    and these two were caught after removing a user name from the config file, while doing EAP-TLS. On restart, the device kept crashing until I reloaded the file system. Then I modified another time and it started crashing again. Once I reflashed, then the expected error indication was issued again. Attached.

  • scaprilescaprile Argentina
    edited May 15

    ...and I caught the elusive one.
    After having successfully authenticated with PEAP (MSCHAPv2), I brought the RADIUS down. Some time later (one hour maybe) the ESP32 tried to reconnect and after a number of attempts, it crashed. Following that, some time later I noticed the logs and there were some memory allocation problems while trying to connect, until it finally crashed again. Then I brought the RADIUS up again and the device successfully connected on restart. Please find attached the core dump for each crash, the console log just before the second crash, and the Wireshark (old) capture, so you can reference the timing (in case it helps).
