Setting up Photon/P1 on WPA Enterprise (0.7.0)

Setting up a WPA2 Enterprise Test Environment with Raspberry Pi

Required Gear

  1. Raspberry Pi 2/3 for the RADIUS server
  2. Ethernet cable
  3. Wireless Access Point (WAP) that is capable of using WPA2 Enterprise mode, and pointing to a RADIUS server for authentication

Setup

  1. Download RASPBIAN JESSIE WITH PIXEL
  2. Unzip and Write to SD card using the appropriate software (ApplePi-Baker app on Mac)
  3. Boot up the Pi with the newly created SD card
  4. WAP should be in WPA2 Personal mode for initial configuration

The following commands need an HDMI, Keyboard and Mouse connection on the RasPi

  1. Connect to WAP over Wi-Fi (optional)
  2. Change resolution to 1280x720 (optional)
  3. Rename host to radiusserver so it's easy to recognize on your Access Point (optional)
  4. Change Keyboard to US alternative (optional)
  5. Enable ssh (required)

Plug the RasPi into the WAP with an ethernet cable (required)

  • This avoids a catch-22 once WPA2 Enterprise is enabled: a RasPi joined over Wi-Fi would have to authenticate against the very RADIUS server it is running

Plug your host computer into the WAP with an ethernet cable as well, so you don't lose connection with it during configuration (required)

  1. Log into the WAP (192.168.1.1 or 10.0.0.1 typically)

  2. Find the list of clients, and grab the IP address for device "radiusserver"

    ssh pi@<ip_address>

  3. Add a password for root

    sudo passwd root

  4. Change PermitRootLogin without-password to PermitRootLogin yes in:

    sudo nano /etc/ssh/sshd_config

  5. Reboot the Pi and log in as root; the remaining commands are much easier without sudo.

    ssh root@<ip_address>

  6. If you have previously ssh'd into this address and get an error, you may need to:

    ssh-keygen -R <ip_address>

  7. Install freeradius

    apt-get install freeradius -y

  8. Edit the clients.conf file

    nano /etc/freeradius/clients.conf

    add to bottom and save with CTRL + X then ENTER

    client 0.0.0.0/0 {
            secret = "particle"
            nastype = other 
    }
    
  9. Make a directory for new certificate files on the RasPi

    mkdir /etc/freeradius/certs2

  10. Edit the eap.conf file

    nano /etc/freeradius/eap.conf

    Page down twice with CTRL + V

    add certdir2, and cadir2 as shown

    certdir = ${confdir}/certs
    certdir2 = ${confdir}/certs2
    cadir = ${confdir}/certs
    cadir2 = ${confdir}/certs2
    

    modify these variables as shown

    private_key_file = ${certdir2}/server.key
    certificate_file = ${certdir2}/server.crt
    CA_file = ${cadir2}/ca.crt

  11. Copy certificate files

    1. Download the files from this Github Repo to your local machine https://github.com/avtolstoy/particle-wpa-enterprise-docker
    2. In terminal, navigate to this directory: cd particle-wpa-enterprise-docker/files/etc/freeradius/certs/
    3. Finally copy the files: scp -rv * root@<ip_address>:/etc/freeradius/certs2

  12. Edit the users file

    nano /etc/freeradius/users

    add to bottom and save with CTRL+X then ENTER

    particle Cleartext-Password := "particle2017"

  13. Restart freeradius in debugging mode so we can see what's going on

    service freeradius stop

    /usr/sbin/freeradius -X
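The RasPi-side steps 7 to 13 above, collected into one script so the edits to clients.conf, eap.conf and users can be repeated on a fresh Pi without retyping them in nano. This is an added example, not part of the original post or of the particle-wpa-enterprise-docker repo. It assumes the FreeRADIUS 2.x file layout under /etc/freeradius used by the guide (FR_DIR, NAS_SECRET, RADIUS_USER and RADIUS_PASS are variables introduced here) and that the certificate files from step 11 have already been copied into certs2. Pointing FR_DIR at a scratch copy of the configuration lets you inspect the resulting edits before touching the live server.

```shell
#!/bin/sh
# Added example, not from the original post: steps 7-13 of the guide as a script.
# Assumptions: FreeRADIUS 2.x layout under $FR_DIR (default /etc/freeradius, as on
# Raspbian Jessie) and the step-11 certificates already copied to $FR_DIR/certs2.
set -eu

FR_DIR="${FR_DIR:-/etc/freeradius}"
NAS_SECRET="${NAS_SECRET:-particle}"        # shared secret, also entered on the WAP
RADIUS_USER="${RADIUS_USER:-particle}"      # step 12 users-file entry
RADIUS_PASS="${RADIUS_PASS:-particle2017}"

# Step 8: append a NAS client block unless one for this prefix already exists.
add_radius_client() {
    prefix="$1"; secret="$2"; f="$FR_DIR/clients.conf"
    grep -q "^client $prefix " "$f" 2>/dev/null && return 0
    printf '\nclient %s {\n\tsecret = "%s"\n\tnastype = other\n}\n' "$prefix" "$secret" >> "$f"
}

# Step 10: add certdir2/cadir2 beneath the existing certdir/cadir lines, then point
# the server key, certificate and CA at the new directory (GNU sed, as on Raspbian).
patch_eap_conf() {
    f="$FR_DIR/eap.conf"
    grep -q '^[[:space:]]*certdir2 =' "$f" || sed -i \
        -e 's|^\([[:space:]]*\)certdir = \(.*\)$|\1certdir = \2\n\1certdir2 = ${confdir}/certs2|' \
        -e 's|^\([[:space:]]*\)cadir = \(.*\)$|\1cadir = \2\n\1cadir2 = ${confdir}/certs2|' \
        "$f"
    sed -i \
        -e 's|^\([[:space:]]*\)private_key_file = .*|\1private_key_file = ${certdir2}/server.key|' \
        -e 's|^\([[:space:]]*\)certificate_file = .*|\1certificate_file = ${certdir2}/server.crt|' \
        -e 's|^\([[:space:]]*\)CA_file = .*|\1CA_file = ${cadir2}/ca.crt|' \
        "$f"
}

# Step 12: add the test user with a cleartext password unless already present.
add_user() {
    user="$1"; pass="$2"; f="$FR_DIR/users"
    grep -q "^$user[[:space:]]" "$f" 2>/dev/null && return 0
    printf '%s Cleartext-Password := "%s"\n' "$user" "$pass" >> "$f"
}

# Steps 8-12 without the package install or service restart, so they can be
# dry-run against a copy of the configuration by setting FR_DIR.
configure_files() {
    mkdir -p "$FR_DIR/certs2"                  # step 9
    add_radius_client 0.0.0.0/0 "$NAS_SECRET"  # step 8: any NAS that knows the secret
    patch_eap_conf                             # step 10
    add_user "$RADIUS_USER" "$RADIUS_PASS"     # step 12
}

# Usage (as root on the Pi, after step 11): sh setup-radius.sh apply
if [ "${1:-}" = "apply" ]; then
    apt-get install -y freeradius              # step 7
    configure_files
    service freeradius stop                    # step 13: run in the foreground with
    exec /usr/sbin/freeradius -X               # debug output so auth attempts are visible
fi
```

Without the apply argument the script only defines the functions. The 0.0.0.0/0 client block keeps the guide's choice of accepting any NAS that presents the shared secret, which is convenient while the WAP's address is still changing on a lab network; once the WAP has a fixed IP, narrowing the prefix to that address is a one-line change here.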

Now let's switch the WAP to use WPA Enterprise

  1. Switch the Wireless Authentication Type to WPA2 Enterprise (apply)
  2. Under RADIUS Setting configuration:
    • Server IP Address: Enter the IP address of the radiusserver (our RasPi)
    • Server Port: 1812
    • Connection Secret: particle

Setup the Photon/P1

  1. Connect via USB cable

  2. Enter Listening Mode

  3. Connect via serial (screen /dev/cu.usbmodemXXXX on Mac or use Tera Term VT on Windows)

  4. Press w

    Example PEAP/MSCHAPv2 LOGIN / PASSWORD based setup (NOT SECURE!)

    Note: This is the easiest setup method to gain a connection, however be warned it is not secure: with no Root CA supplied, the device cannot verify the RADIUS server's certificate, so it will complete the MSCHAPv2 login with whatever RADIUS server sits behind the access point it joins. Use certificates (the Root CA, or EAP-TLS) to ensure maximum security.

    SSID: <WAP_SSID> <ENTER>
    EAP Type 0=PEAP/MSCHAPv2, 1=EAP-TLS: 0 <ENTER>
    Username: particle <ENTER>
    Password: particle2017 <ENTER>
    Outer identity (optional): <ENTER>
    Root CA in PEM format (optional): <ENTER>


    Example PEAP/MSCHAPv2 LOGIN / PASSWORD with Root CA based setup (SECURE!)

    SSID: <WAP_SSID> <ENTER>
    EAP Type 0=PEAP/MSCHAPv2, 1=EAP-TLS: 0 <ENTER>
    Username: particle <ENTER>
    Password: particle2017 <ENTER>
    Outer identity (optional): <ENTER>
    Root CA in PEM format (optional): <copy/paste in file ca.crt> <ENTER>
    -----BEGIN CERTIFICATE-----
    MIIFlDCCA3ygAwIBAgIJAI01a4ML65mlMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
    ...
    -----END CERTIFICATE-----
    

    Example EAP-TLS with Client Cert., Client Key and Root CA based setup (SECURE!!!)

    SSID: <WAP_SSID> <ENTER>
    EAP Type 0=PEAP/MSCHAPv2, 1=EAP-TLS: 1 <ENTER>
    Client certificate in PEM format: <copy/paste in file client1.crt>
    -----BEGIN CERTIFICATE-----
    MIIE3DCCAsSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCVVMx
    ...
    -----END CERTIFICATE-----
    
    Private key in PEM format: <copy/paste in file client1.key>
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAy42H10w6nntp+Ti7Ts/czel8Gw4mz8Mh3N0R/sapRNLyznom
    ...
    -----END RSA PRIVATE KEY-----
    
    Outer identity (optional): <ENTER>
    Root CA in PEM format (optional): <copy/paste in file ca.crt>
    -----BEGIN CERTIFICATE-----
    MIIFlDCCA3ygAwIBAgIJAI01a4ML65mlMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
    ...
    -----END CERTIFICATE-----
    

    OUTPUT in all cases

    Thanks! Wait while I save those credentials...
    
    Awesome. Now we'll connect!
    
    If you see a pulsing cyan light, your device
    has connected to the Cloud and is ready to go!
    
    If your LED flashes red or you encounter any other problems,
    visit https://www.particle.io/support to debug.
    
    Particle <3 you!
    
  5. If you are still SSH'd into your RasPi, you should see activity from the freeradius process, and your device should have an internet connection.

  6. If you don't see any activity, try rebooting your RasPi
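Before pasting anything into the step 4 prompts, it is worth confirming that the files taken from the particle-wpa-enterprise-docker repo are what the Photon and the RADIUS server expect: each prompt takes the contents of one PEM file, client1.key must belong to client1.crt, and both client1.crt and the server's server.crt must be signed by ca.crt, otherwise the Photon's server check (PEAP with Root CA, or EAP-TLS) or FreeRADIUS's check of the client certificate fails and you only see a red LED. The script below is an added example, not from the post or the repo; pem_type and check_bundle are names introduced here, and check_bundle needs the openssl command line tool. The sample PEM bodies in the test are constructed and are not real certificates.

```shell
#!/bin/sh
# Added example, not from the original post or the particle-wpa-enterprise-docker repo.
# Sanity-checks PEM files before they are pasted into the Photon's "w" prompts.
set -eu

# Print the label of the single PEM block in a file (CERTIFICATE, RSA PRIVATE KEY, ...).
# Fails when the file holds zero or several blocks or mismatched BEGIN/END labels,
# since each Photon prompt takes exactly one file's worth of PEM.
pem_type() {
    f="$1"
    begins=$(grep -c '^-----BEGIN ' "$f" || true)
    ends=$(grep -c '^-----END ' "$f" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "$f: expected one PEM block, found $begins BEGIN / $ends END markers" >&2
        return 1
    fi
    b=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$f")
    e=$(sed -n 's/^-----END \(.*\)-----$/\1/p' "$f")
    if [ "$b" != "$e" ]; then
        echo "$f: BEGIN label '$b' does not match END label '$e'" >&2
        return 1
    fi
    echo "$b"
}

# Check that a key belongs to a certificate and that the certificate chains to the CA.
# Needs the openssl CLI; the modulus comparison assumes an RSA key, which is what the
# client1.key shown above is ("BEGIN RSA PRIVATE KEY").
check_bundle() {
    ca="$1"; crt="$2"; key="$3"
    [ "$(pem_type "$ca")" = CERTIFICATE ] || return 1
    [ "$(pem_type "$crt")" = CERTIFICATE ] || return 1
    case "$(pem_type "$key")" in
        *"PRIVATE KEY") ;;
        *) echo "$key: not a private key" >&2; return 1 ;;
    esac
    openssl verify -CAfile "$ca" "$crt" >/dev/null || return 1
    [ "$(openssl x509 -noout -modulus -in "$crt")" = "$(openssl rsa -noout -modulus -in "$key")" ] \
        || { echo "$key does not match $crt" >&2; return 1; }
}

# Usage: sh check-pem.sh ca.crt client1.crt client1.key   (or ca.crt server.crt server.key)
if [ "$#" -eq 3 ]; then
    if check_bundle "$1" "$2" "$3"; then
        echo "OK: $2 is signed by $1 and matches $3"
    else
        echo "FAILED: fix the files before pasting them into the Photon" >&2
        exit 1
    fi
fi
```

Run it from the repo's files/etc/freeradius/certs/ directory for the client material, and again in /etc/freeradius/certs2 on the Pi with server.crt and server.key to confirm the server side matches the same ca.crt you will paste as the Root CA.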
