Difficulty connecting Photon to WPA2-Enterprise network

Troubleshooting
1

I’ve been trying for a handful of hours to connect a photon to a university wireless network, with WPA2-Enterprise (PEAP-AES). I have checked the few other posts in this area, but unfortunately none seemed to help my situation.

I have tried connecting using both particle setup and particle serial wifi. I’ve tried letting the photon find the network itself, as well as manually entering the SSID. I suspect I may be having issues with the CA certificate, but it’s hard to be sure of anything, as the photon just gets stuck at the “attempting connection” phase.

  • Does anyone have suggestions for debugging this process?
  • I have tried many variations of config, but I know, from my phone’s connection, the correct username and password, as well as another confirmation that PEAP-AES is the correct strategy
  • Is the (y/n) prompt for “Do you want to upload a certificate?” prompt looking for an Additional cert, or is it asking whether I want to authenticate the network at all? (I don’t)

Thank you in advance for your insights!

Edit: I’m using firmware 0.7, just for reference

2

Just to make sure, you have followed the process as outlined here?
https://docs.particle.io/support/particle-devices-faq/wpa2-enterprise/

3

Yes I have, although it seems some of the prompts on that page are a bit out-of-date, and are phrased slightly differently in the most updated particle-cli

I hadn’t previously noticed the TinkerDebug070 troubleshooting firmware though. I’ll try flashing that shortly and get back to you when I do!

4

@ScruffR looks like I’m getting 1007 “Not Keyed”. Any ideas how to interpret that?

5

I have to defer to @rickkas7 for that

6

I have a custom Device OS build that was specifically made to debug WPA2 Enterprise issues – as you’ve discovered they’re very hard to troubleshoot due to all of the different possible configurations. If you continue to have issues and the TinkerDebug bin (which I am not familiar with) doesn’t get you there, file a ticket here and I’ll send it to you.

1 Like
7

Hi Dave, you will be familiar with my ask here. I am still trying to get a Photon connecting to a test AP (using a DrayTek Vigor AP902 with its own internal RADIUS server). I have gone through the setup of the DrayTek AP with a DrayTek support specialist and can log onto it from a Windows 10 PC, a Mac running Mojave but not a Particle Photon running V1.0.0. The DrayTek has the latest firmware and is using SHA-256 signatures. I have included the test application I am using below to see if anyone can spot the mistakes I am making.

The test software can be compiled to connect to 2 SSIDs - one running WPA2 Enterprise and the other WPA2.

The WPA2 connection works fine - log output below:

WPA Enterprise WiFi Credential Test
Step 1: Turn On Wifi module and confirm MAC address
e0:4f:43:36:b1:f1
Step 2: Clear WAP credentials if they exist
Device has no WAP credentials currently
Step 3: Set WiFi credentials
0000010239 [hal.wlan] INFO: Saving credentials
Credentials set for WPA2
Device has new WAP credentials stored
Step 4: Connect to WAP
0000012916 [hal.wlan] INFO: Joining ztestwpa2
0000012916 [hal.wlan] TRACE: Free RAM connect: 46648
0000016190 [hal.wlan] INFO: Bringing WiFi interface up with DHCP
Network Connection successful
Cloud Connection successful

The WPA2 Enterprise setup with EAP/TLS returns an error settings the device credentials [some details redacted]:

WPA Enterprise WiFi Credential Test
Step 1: Turn On Wifi module and confirm MAC address
e0:4f:43:36:b1:f1
Step 2: Clear WAP credentials if they exist
Device has no WAP credentials currently
Step 3: Set WiFi credentials
Set SSID : ztestent Security Type: WPA2_ENTERPRISE
Set EAP type : EAP/TLS
Set Cipher : AES
Set Client Certificate: ——BEGIN CERTIFICATE——
MIIEYT....Kbd——END CERTIFICATE——

0000007946 [hal.wlan] TRACE: Trying to set EAP credentials
Credentials set for WPA2 Enterprise EAP/TLS
Device error WAP credentials not stored
Step 4: Connect to WAP
0000010469 [hal.wlan] TRACE: connect cancel
Network Connection unsuccessful

Code minus the user names and passwords, etc.

SYSTEM_THREAD(ENABLED);
SYSTEM_MODE(SEMI_AUTOMATIC);

#define ENTSECTLS   false
#define ENTSECPEAP  false
#define WPA2SEC     true

#if ENTSECTLS
#define TEST_SSID "ztestent"
#define ENT_SEC_TYPE WPA2_ENTERPRISE
#define EAP_TYPE WLAN_EAP_TYPE_TLS
#define SEC_CIPHER WLAN_CIPHER_AES
#elif ENTSECPEAP
#define TEST_SSID "ztestent"
#define TEST_UNAM ""
#define TEST_UPWD ""
#define TEST_OUTR "anonymous"
#define ENT_SEC_TYPE WPA2_ENTERPRISE
#define EAP_TYPE WLAN_EAP_TYPE_PEAP
#define SEC_CIPHER WLAN_CIPHER_AES
#elif WPA2SEC
#define TEST_SSID "ztestwpa2"
#define TEST_UPWD ""
#define ENT_SEC_TYPE WPA2
#define SEC_CIPHER WLAN_CIPHER_AES
#endif

SerialLogHandler logHandler(115200, LOG_LEVEL_ALL);

bool isConnectOnce;
bool hasTriedConnectOnce;
byte mac[6];
uint32_t ms;
//client certificate SHA-256
const char* root_ca_cert = {"-----BEGIN CERTIFICATE-----\r\nMIIE...Kbd-----END CERTIFICATE-----\r\n\r\n"};

void setup()
{
    isConnectOnce = false;
    hasTriedConnectOnce = false;
    WiFi.on();
    Serial.begin(115200);
    while (!Serial.available()) delay(100);
    Serial.println("WPA Enterprise WiFi Credential Test");
    //
    Serial.println("Step 1: Turn On Wifi module and confirm MAC address ");
    WiFi.macAddress(mac);
    for (int i=0; i<6; i++) {Serial.printf("%02x%s", mac[i], i != 5 ? ":" : "");}
    Serial.println("");
    //
    Serial.println("Step 2: Clear WAP credentials if they exist");
    if (WiFi.hasCredentials())
    {
        Serial.println("Device has existing WAP credentials stored - delete these");
        if (WiFi.clearCredentials())    {Serial.println("Device WAP credentials cleared successfully");}
        else                            {Serial.println("Device WAP credentials not cleared");}
    }
    else
    {
        Serial.println("Device has no WAP credentials currently");
    }
    //
    Serial.println("Step 3: Set WiFi credentials");
    #if ENTSECTLS                                                   //WPA2 Enterprise with EAP-TLS
        WiFiCredentials credentials(TEST_SSID, ENT_SEC_TYPE);       //SSID and credentials type
        Serial.printlnf("Set SSID : %s Security Type: %s", TEST_SSID, ENT_SEC_TYPE == WPA2_ENTERPRISE ?"WPA2_ENTERPRISE":"WPA2");
        credentials.setEapType(WLAN_EAP_TYPE_TLS);                  //EAP type: EAP-TLS
        Serial.printlnf("Set EAP type : %s", EAP_TYPE == WLAN_EAP_TYPE_TLS?"EAP/TLS":"PEAP/MSCHAP");
        credentials.setCipher(SEC_CIPHER);                          //Should not be required
        Serial.printlnf("Set Cipher : AES");
        credentials.setClientCertificate(root_ca_cert);             //Client certificate in PEM format
        Serial.printlnf("Set Client Certificate: %s", root_ca_cert);
        //credentials.setPrivateKey(Private key);                   //Private key in PEM format
        //credentials.setRootCertificate(root CA certificate);      //Root (CA) certificate in PEM format (optional)
        credentials.setOuterIdentity("anonymous");                  //EAP outer identity (optional, default - "anonymous")
        WiFi.setCredentials(credentials);                           //Save credentials
        Serial.println("Credentials set for WPA2 Enterprise EAP/TLS");
    #elif ENTSECPEAP                                                //WPA2 Enterprise with PEAP/MSCHAPv2
        WiFiCredentials credentials(TEST_SSID, ENT_SEC_TYPE);       //SSID and credentials type
        Serial.printlnf("Set SSID : %s Security Type: %s", TEST_SSID, ENT_SEC_TYPE == WPA2_ENTERPRISE ?"WPA2_ENTERPRISE":"WPA2");
        credentials.setEapType(WLAN_EAP_TYPE_PEAP);                 //EAP type: PEAP/MSCHAPv2
        Serial.printlnf("Set EAP type : %s", EAP_TYPE == WLAN_EAP_TYPE_TLS?"EAP/TLS":"PEAP/MSCHAP");
        credentials.setCipher(SEC_CIPHER);                          //Should not be required
        Serial.printlnf("Set Cipher : AES");
        credentials.setIdentity(TEST_UNAM);                         //Set username
        Serial.printlnf("Set Username to : %s", TEST_UNAM);
        credentials.setPassword(TEST_UPWD);                         //Set password
        Serial.printlnf("Set Password to : %s", TEST_UPWD);
        credentials.setOuterIdentity(TEST_OUTR);                    //Set outer identity (optional, default - "anonymous")
        Serial.printlnf("Set Outer Identity to : %s", TEST_OUTR);
        credentials.setClientCertificate(root_ca_cert);             //Set the Root Certificate
        Serial.printlnf("Set Root Certificate: %s", root_ca_cert);
        WiFi.setCredentials(credentials);            
        Serial.println("Credentials set for WPA2 Enterprise PEAP/MSCHAPv2");
    #elif WPA2SEC
    WiFi.setCredentials(TEST_SSID, TEST_UPWD, ENT_SEC_TYPE, SEC_CIPHER);
    Serial.println("Credentials set for WPA2");
    #endif
    //
    delay(500);
    //
    if (WiFi.hasCredentials())
    {
        Serial.println("Device has new WAP credentials stored");
    }
    else
    {
        Serial.println("Device error WAP credentials not stored");
    }
    delay(2000);
    Serial.println("Step 4: Connect to WAP");
    WiFi.connect();
    if (WiFi.connecting()) Serial.println("Connecting");
    waitFor(WiFi.ready, 10000);      //wait for connected or timeout 10 seconds
    if (WiFi.ready())
    {
        Serial.println("Network Connection successful");
        if (!hasTriedConnectOnce)
        {
            hasTriedConnectOnce = true;
            Particle.connect();
        }
        waitFor(Particle.connected, 10000);
        if (Particle.connected())
        {
        Serial.println("Cloud Connection successful");
        }
    }
    else
    {
        Serial.println("Network Connection unsuccessful");
    }
}
//
void loop()
{
}
8

Hi again!

The engineering team tells me that we would have to have your exact networking hardware setup to troubleshoot this – we’ve done what we can on our end up to this point, but the situation is that we don’t have the resources or more time to help figure out what’s going on. I know that’s not what you want to hear, but it is the reality of the situation.

9

Dave - I wasn’t expecting that you would engage to setup the exact same network hardware. I believe I have followed the examples in the reference documentation in setting the credentials. If these are not correct then for the benefit of others I am willing to spend time to update them. At the moment answering the following specific questions would be an enormous help and

  1. Why is the Device OS not accepting the credentials given for EAP/TLS?
  2. Is setting the security cipher necessary and could doing so cause any issues?
  3. Is the client certificate structure causing a problem and how should/can the certificates be loaded? I have tried opening the certificate with Visual Studio Code and cutting and pasting into the serial WiFi setup and here programmatically with special attention to the \r\n after the “-----Start Certificate-----” and “-----End Certificate----”. I need something that works.
10

Last October, in the first ticket about this, Andrey pointed out use of MD5 and also some expired certs. It’s unclear to me whether those issues have been addressed in the DrayTek box. Did the DrayTek technician help you get valid certs installed? You mention SHA-256 so I’m presuming that MD5 is no longer in the picture – is that correct?

Assuming that you have valid certs, can you run the diagnostic system firmware that I sent you on Oct 31 again, with serial logging enabled?

11

Thanks for replying.
Certificate(s) definitely not expired and signature use SHA-256. I have got the credentials accepted for EAP/TLS by using the client certificate to set the PrivateKey. I can connect using EAP/TLS on the WAP with my mac but not when using PEAP/MSCHAPSv2. I read in one thread that the Device OS can only manage PEAP v0 and not PEAP v1. There is no way I can see to change this on the WAP. For now I will retry the test software from last October.