Problem connecting Photon to eduroam using WPA2 Enterprise

We are trying to connect a Photon (0.7.0-rc.6 firmware) to the university eduroam wireless network but are unable to make it work. Is there anyone who has already succeeded at this?

This is the output of ‘particle setup’

As the CA certificate we have provided this one:
DigiCertAssuredIDRootCA.pem downloaded from http://www.lan.kth.se/eduroam/ (this is where our IT department points us to).

Log output gives us this:

The response code 1006 is ‘NOT_AUTHENTICATED’ but that does not help much.

@rickkas7?

hi,

you probably need to talk to your IT just to check a few more details…i would assume that you need to at least
ensure that the username you are using has the full domain provided eg

username@kth.se (or whatever), rather than just username

you may also have more success if you define an outer Identity (eg anonymous@kth.se or username@kth.se - once again, check with your IT.

finally, your site may be using another EAP method rather than PEAP - might be EAP-TTLS (once again, check with your IT) .
note, from your provided URL

  1. You will need a special network secret to login to KTH’s wireless network. You cannot use the password you have for your ordinary KTH.SE login.
    Get your eduroam network secret at: https://login.sys.kth.se/peap.html

alan

Just to clarify something: I am not at KTH in Sweden but at UGent in Belgium. The website of our IT department only refers to the KTH website for the CA certificate. I have no idea why they don’t provide the certificate themselves.

you probably need to talk to your IT just to check a few more details…i would assume that you need to at least
ensure that the username you are using has the full domain provided eg
username@kth.se (or whatever), rather than just username

Yes, we are using: username@ugent.be (which we know to be working because we can connect with a laptop).

you may also have more success if you define an outer Identity (eg anonymous@kth.se or username@kth.se - once again, check with your IT.

Ok, that is something we can try/ask.

finally, your site may be using another EAP method rather than PEAP - might be EAP-TTLS (once again, check with your IT) .
note, from your provided URL

The settings at UGent are the following (from our IT department website):
Network Name/SSID: eduroam
Security Type: WPA2 in combination with IEEE 802.1X (also known as WPA2-Enterprise)
Encryption Type: AES
Authentication method: PEAP
Authentication protocol: MSCHAP / Sub authentication method: EAP-MSCHAP V2

  1. You will need a special network secret to login to KTH’s wireless network. You cannot use the password you have for your ordinary KTH.SE login.
    Get your eduroam network secret at: https://login.sys.kth.se/peap.html

Not applicable for UGent I think.

ah, well thats a little convoluted. okay, so you are a Ghent user? in that case, have you visited
https://cat.eduroam.org ? choose the big button on the bottom (I’m a user, let me download my installer) then
choose Belgium from right side, then your Uni - you can then change profile… but looking at the Linux installer,
theres a Root CA and intermediate. get both of those, concatenate them then use that PEM instead. I’m
not going to provide the certs here (such provision is risky as you dont know me, I could be nasty …and
it sets a poor precedent for others :wink: )

1 Like

Thanks for the info. Not much progress however. I extracted the certificates from the Linux installer and are using these now.
We are also running into a lot of problems with the ‘particle setup’ or ‘particle serial wifi’ command which keep crashing (version 1.27.0):

It also sometimes just skips the step to select the network security and goes directly to EAP Type.

Have you been able to connect a Photon on the eduroam network?

@dirkdepauw Were you successful in connecting to eduroam at your university?

I am trying to do the same thing in the U.S. and I think it would be the same process. I would love your feedback and would appreciate any help. Thanks

No, unfortunately we haven’t been able to make it work yet. We have basically given up trying for now. The next step will be to involve our IT department because we have no clue why it is not working.

@dirkdepauw I have started investigating WPA2 Enterprise for a customer who is selling devices with photons inside to UK Universities. The first thing I have found in testing this was that the Security Cipher needs to be set to WLAN_CIPHER_AES_TKIP. This at least allowed me to progress to the stage where the test WAP server was recognising the device’s requests. This is where I am stuck because server is expecting a response to confirm its identity (at least this is what happens if I try to access using my phone) and the device cannot do this. I would be interested if there is a way around this.

@armor, did you have a look at the tutorial steps for WPA2 Enterprise on the Photon in this thread: Setting up Photon/P1 on WPA Enterprise (0.7.0). And if so, which step in the process is failing?

Thanks for replying. I am using a corporate test WAP using Cisco Miraki - so I am not setting up my own RADIUS server as these instructions cover. I tried programatically to setup initially and found the credentials were never getting setup (photon LED was never flashing green). I then tried with the CLI $ particle setup --wifi and then realised that the cipher needed to be set to AES or TKIP. At this point the AP started to identify that the device was attempting to authenticate but it never got any further. I guess it is failing on root certificate. The administrator couldn’t help with what root certificate should be used and I was out of time for testing on that day.

It doesn’t sound like you have the same issue as the original post. I would recommend creating a new thread and pinging @rickkas7 and @BDub. It has been a while since I worked on WPA2 Enterprise and when I did I was using a radius server.

@dirkdepauw Any updates? I’m stuck with the same issue.

@oherik No sorry, we haven’t tried further.

Yeah I’m still having issues getting a photon to connect to eduroam at my university.

EDIT: I got it working by setting the outer identity to the same as the username.

I have now purchased a DrayTek AP 902 which usefully has its own RADIUS server so can create a WPA2 Enterprise WLAN for testing. I have setup a test WPA2 (802.x) WLAN with username and password and no certificate.

When connecting to this WAP (using either a mac or iPhone or Windows PC) after entering SSID, EAP type, username and password it then always asks whether you wish to trust the certificate. This is something that is possible to do on an phone or PC with a dialogue.

If I connect a new photon loaded with 0.8.0-RC.10 and tinker to the USB and connect via serial tools when I press w I go through the following dialogue.

SSID: ****TEST
EAP Type 0=PEAP/MSCHAPv2, 1=EAP-TLS: 0
Username: **test
Password: **test
Outer identity (optional): 
Root CA in PEM format (optional):

Thanks! Wait while I save those credentials…

Awesome. Now we’ll connect!

If you see a pulsing cyan light, your device
has connected to the Cloud and is ready to go!

If your LED flashes red or you encounter any other problems,
visit https://www.particle.io/support to debug.

The LED starts to flash green and after a while goes back to blinking dark blue. The feedback I received when testing on the Miraki setup was that the AP was waiting for confirmation of the certificate i.e. it will never work. I will raise a support ticket.

I think you will have to get the certificate from the router (in PEM format) and use the CLI to load it on to the Photon. Without that, they can’t talk to each other.

@bko I did not set it up with a certificate, and I am unclear how I would find the certificate. The dialogue was about trusting or accepting the AP’s certificate. Android phones handle this differently than Apple or Windows - but there still seems to be a dialogue necessary.

If you are using EAP TLS, there is always a certificate. It might be loaded in the router at the factory, but EAP does not work without one as I understand it.

Once you trusted the certificate on a PC etc., it must be stored there somewhere but where exactly is beyond me.

This is what the helpful instructions say:

Let the user to choose the authentication method for RADIUS server.
Radius EAP Type – There are two types, PEAP and EAP TLS, offered for selection. If EAP TLS is selected, a certificate must be installed or must be ensured to be trusted.
When the local client and remote server are required to make certificate authentication (e.g., Radius EAP-TLS authentication) for wireless connection and avoiding the attack of MITM, a trusted root certificate authority (Root CA) will be used to authenticate the digital certificates offered by both ends.

I am using PEAP so no certificate is required/is optional. There is a secret but advice on this was leave blank hence I though that the Root CA in PEM format was optional. I am hoping someone who has managed to navigate through this will know what to do.

1 Like