Setting up Photon/P1 on WPA Enterprise (0.7.0)

Hi Friends!

WPA Enterprise support is here! We have a pre-release firmware version 0.7.0-rc.x that is waiting for you to start using now. Also remember that it is not ready for production until it’s defaulted to 0.7.0.

Purpose

This thread will serve the purpose of creating a place to provide instructions for the WPA Enterprise setup process as it evolves, and help to answer any questions that come up about the process. Currently as of this writing we have two ways to run setup: 1) Serial setup over USB without the CLI, and 2) CLI support with v1.23.1 via particle serial wifi.

Required

WPA Enterprise requires a capable access point and a separate authentication server. We would love to see you try the various test methods below, and of course chime in and let us know if it’s working well in your already established WPA Enterprise environment (campuses, workplace, etc…).

Test Methods

  1. Setting up a WPA2 Enterprise Test Environment with Raspberry Pi Instructions Below
  2. Setting up a WPA2 Enterprise Test Environment with a local computer via Docker image Instructions Below
  3. Share your own test method! Please let us know which authentication types you used and what issues you might have run into.

More WPA Enterprise Docs links:

setCredentials()
WiFiCredentials class

5 Likes

Setting up a WPA2 Enterprise Test Environment with Raspberry Pi

Required Gear

  1. Raspberry Pi 2/3 for the RADIUS server
  2. Ethernet cable
  3. Wireless Access Point (WAP) that is capable of using WPA2 Enterprise mode, and pointing to a RADIUS server for authentication

Setup

  1. Download RASPBIAN JESSIE WITH PIXEL
  2. Unzip and Write to SD card using the appropriate software (ApplePi-Baker app on Mac)
  3. Boot up the Pi with the newly created SD card
  4. WAP should be in WPA2 Personal mode for initial configuration

The following commands need an HDMI, Keyboard and Mouse connection on the RasPi

  1. Connect to WAP over Wi-Fi (optional)
  2. Change resolution to 1280x720 (optional)
  3. Rename host to radiusserver so it's easy to recognize on your Access Point (optional)
  4. Change Keyboard to US alternative (optional)
  5. Enable ssh (required)

Plug the RasPi into the WAP with an ethernet cable (required)

  • This removes the catch-22 of the RasPi having to authenticate with itself once we enable WPA2 Enterprise

Plug your host computer into the WAP with an ethernet cable as well, so you don't lose connection with it during configuration (required)

  1. Log into the WAP (192.168.1.1 or 10.0.0.1 typically)

  2. Find the list of clients, and grab the IP address for device "radiusserver"

    ssh pi@<ip_address>

  3. Add a password for root

    sudo passwd root

  4. Change PermitRootLogin without-password to PermitRootLogin yes in:

    sudo nano /etc/ssh/sshd_config

  5. Reboot the Pi and log in as root; commands will be much easier.

    ssh root@<ip_address>

  6. If you have previously ssh'd into this address and get an error, you may need to:

    ssh-keygen -R <ip_address>

  7. Install freeradius

    apt-get install freeradius -y

  8. Edit the clients.conf file

    nano /etc/freeradius/clients.conf

    add to bottom and save with CTRL + X then ENTER

    client 0.0.0.0/0 {
            secret = "particle"
            nastype = other
    }
    
  9. Make a directory for new certificate files on the RasPi

    mkdir /etc/freeradius/certs2

  10. Edit the eap.conf file

    nano /etc/freeradius/eap.conf

    Page down twice with CTRL + V

    add certdir2, and cadir2 as shown

    certdir = ${confdir}/certs
    certdir2 = ${confdir}/certs2
    cadir = ${confdir}/certs
    cadir2 = ${confdir}/certs2
    

    modify these variables as shown

    private_key_file = ${certdir2}/server.key
    
    certificate_file = ${certdir2}/server.crt
    
    CA_file = ${cadir2}/ca.crt
    
  11. Copy certificate files

    1. Download the files from this GitHub repo to your local machine: https://github.com/avtolstoy/particle-wpa-enterprise-docker
    2. In terminal, navigate to this directory: cd particle-wpa-enterprise-docker/files/etc/freeradius/certs/
    3. Finally copy the files: scp -rv * root@<ip_address>:/etc/freeradius/certs2
  12. Edit the users file

    nano /etc/freeradius/users

    add to bottom and save with CTRL+X then ENTER

    particle Cleartext-Password := "particle2017"

  13. Restart freeradius in debugging mode so we can see what's going on

    service freeradius stop

    /usr/sbin/freeradius -X

Now let's switch the WAP to use WPA Enterprise

  1. Switch the Wireless Authentication Type to WPA2 Enterprise (apply)
  2. Under RADIUS Setting configuration:
    • Server IP Address: Enter the IP address of the radiusserver (our RasPi)
    • Server Port: 1812
    • Connection Secret: particle

Set up the Photon/P1

  1. Connect via USB cable

  2. Enter Listening Mode

  3. Connect via serial (screen /dev/cu.usbmodemXXXX on Mac or use Tera Term VT on Windows)

  4. Press w

    Example PEAP/MSCHAPv2 LOGIN / PASSWORD based setup (NOT SECURE!)

    Note: This is the easiest setup method to gain a connection, however be warned it is not secure. Use certificates to ensure maximum security.

    EAP Type 0=PEAP/MSCHAPv2, 1=EAP-TLS: 0 <ENTER>
    Username: particle <ENTER>
    Password: particle2017 <ENTER>
    Outer identity (optional): <ENTER>
    Root CA in PEM format (optional): <ENTER>
    

    Example PEAP/MSCHAPv2 LOGIN / PASSWORD with Root CA based setup (SECURE!)

    SSID: <WAP_SSID> <ENTER>
    EAP Type 0=PEAP/MSCHAPv2, 1=EAP-TLS: 0 <ENTER>
    Username: particle <ENTER>
    Password: particle2017 <ENTER>
    Outer identity (optional): <ENTER>
    Root CA in PEM format (optional): <copy/paste in file ca.crt> <ENTER>
    -----BEGIN CERTIFICATE-----
    MIIFlDCCA3ygAwIBAgIJAI01a4ML65mlMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
    ...
    -----END CERTIFICATE-----
    

    Example EAP-TLS with Client Cert., Client Key and Root CA based setup (SECURE!!!)

    SSID: <WAP_SSID> <ENTER>
    EAP Type 0=PEAP/MSCHAPv2, 1=EAP-TLS: 1 <ENTER>
    Client certificate in PEM format: <copy/paste in file client1.crt>
    -----BEGIN CERTIFICATE-----
    MIIE3DCCAsSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCVVMx
    ...
    -----END CERTIFICATE-----
    
    Private key in PEM format: <copy/paste in file client1.key>
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAy42H10w6nntp+Ti7Ts/czel8Gw4mz8Mh3N0R/sapRNLyznom
    ...
    -----END RSA PRIVATE KEY-----
    
    Outer identity (optional): <ENTER>
    Root CA in PEM format (optional): <copy/paste in file ca.crt>
    -----BEGIN CERTIFICATE-----
    MIIFlDCCA3ygAwIBAgIJAI01a4ML65mlMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
    ...
    -----END CERTIFICATE-----
    

    OUTPUT in all cases

    Thanks! Wait while I save those credentials...
    
    Awesome. Now we'll connect!
    
    If you see a pulsing cyan light, your device
    has connected to the Cloud and is ready to go!
    
    If your LED flashes red or you encounter any other problems,
    visit https://www.particle.io/support to debug.
    
    Particle <3 you!
    
  5. If you are still SSH'd into your RasPi, you should see activity from the freeradius process, and your device should have an internet connection.

  6. If you don't see any activity, try rebooting your RasPi

1 Like
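Steps 8, 10 and 12 of the post above, written up as an added shell example (not part of the original post or of the avtolstoy repo) so the FreeRADIUS edits can be re-run against copies and reviewed before touching /etc/freeradius. The function names are mine, the paths and values are the post's, and check_server_cert_chain assumes openssl is installed on the Pi.

```shell
#!/bin/sh
# Added example (not from the original post): steps 8, 10 and 12 of the Pi
# setup as re-runnable shell functions, plus a check that server.crt in certs2
# chains to the ca.crt you will paste into the Photon. Run against copies first.

# Step 8: register the access point as a RADIUS client. The post uses
# 0.0.0.0/0 (any NAS is accepted); outside a throwaway lab pass the WAP's own
# address, e.g. 192.168.1.1/32, so only that AP can talk to the server.
add_radius_client() {        # add_radius_client <clients.conf> <cidr> <secret>
  conf=$1; cidr=$2; secret=$3
  grep -qF "client $cidr {" "$conf" && return 0          # already registered
  printf 'client %s {\n\tsecret = "%s"\n\tnastype = other\n}\n' \
    "$cidr" "$secret" >> "$conf"
}

# Step 10: add certdir2/cadir2 next to certdir/cadir and point the EAP-TLS
# key, certificate and CA entries at the certs2 directory. Idempotent.
set_eap_cert_paths() {       # set_eap_cert_paths <eap.conf>
  conf=$1
  grep -qF 'certdir2' "$conf" && return 0
  awk '
    /^[ \t]*private_key_file[ \t]*=/ { sub(/=.*/, "= ${certdir2}/server.key") }
    /^[ \t]*certificate_file[ \t]*=/ { sub(/=.*/, "= ${certdir2}/server.crt") }
    /^[ \t]*CA_file[ \t]*=/          { sub(/=.*/, "= ${cadir2}/ca.crt") }
    { print }
    /^[ \t]*certdir[ \t]*=/ { print "\t\tcertdir2 = ${confdir}/certs2" }
    /^[ \t]*cadir[ \t]*=/   { print "\t\tcadir2 = ${confdir}/certs2" }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Step 12: add a PEAP/MSCHAPv2 test account. Cleartext-Password is what the
# post uses; it is lab-only, since the password sits in plain text in the file.
add_radius_user() {          # add_radius_user <users file> <name> <password>
  printf '%s\tCleartext-Password := "%s"\n' "$2" "$3" >> "$1"
}

# The "SECURE!" variants only help if the CA pasted into the Photon is the one
# that signed the RADIUS server certificate. Returns 0 when server.crt
# verifies against ca.crt in the given directory, non-zero otherwise.
check_server_cert_chain() {  # check_server_cert_chain <certs dir>
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}
```

Copy clients.conf, eap.conf and users somewhere scratch, run the functions on the copies and diff them against the originals before editing the real files; run check_server_cert_chain /etc/freeradius/certs2 once the files from step 11 are in place.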

Setting up a WPA2 Enterprise Test Environment with a local computer via Docker image

Required Gear

  1. Local Computer for the RADIUS server
  2. Docker pre-installed
  3. Ethernet cable
  4. Wireless Access Point (WAP) that is capable of using WPA2 Enterprise mode, and pointing to a RADIUS server for authentication

Setup

  1. WAP should be in WPA2 Personal mode for initial configuration

  2. Plug the Local Machine into the WAP with an ethernet cable (required)

    This removes the catch-22 of the Local Computer having to authenticate with itself once we enable WPA2 Enterprise

  3. Log into the WAP (192.168.1.1 or 10.0.0.1 typically)

  4. Find the list of clients, and grab the IP address for your Local Computer

  5. Clone this repo on your Local Machine: https://github.com/avtolstoy/particle-wpa-enterprise-docker (a Docker image with a test FreeRADIUS configuration to test EAP-TLS and PEAP/MSCHAPv2 authentication).

    git clone git@github.com:avtolstoy/particle-wpa-enterprise-docker.git

  6. Navigate to the particle-wpa-enterprise-docker directory on your Local Computer via terminal.

  7. Build the Docker Image (this will take a while)

    docker build --no-cache=true -t particle-wpa-enterprise .

  8. Run the Docker Image (you should see debugging output from the FreeRADIUS process)

    docker run -p 0.0.0.0:1812:1812/udp particle-wpa-enterprise

Now let's switch the WAP to use WPA Enterprise

  1. Switch the Wireless Authentication Type to WPA2 Enterprise (apply)
  2. Under RADIUS Setting configuration:
    • Server IP Address: Enter the IP address of the Local Machine
    • Server Port: 1812
    • Connection Secret: particle

Set up the Photon/P1

  1. Connect via USB cable

  2. Enter Listening Mode

  3. Connect via serial (screen /dev/cu.usbmodemXXXX on Mac or use Tera Term VT on Windows)

  4. Press w

    Example PEAP/MSCHAPv2 LOGIN / PASSWORD based setup (NOT SECURE!)

    Note: This is the easiest setup method to gain a connection, however be warned it is not secure. Use certificates to ensure maximum security.

    EAP Type 0=PEAP/MSCHAPv2, 1=EAP-TLS: 0 <ENTER>
    Username: particle <ENTER>
    Password: particle2017 <ENTER>
    Outer identity (optional): <ENTER>
    Root CA in PEM format (optional): <ENTER>
    

    Example PEAP/MSCHAPv2 LOGIN / PASSWORD with Root CA based setup (SECURE!)

    SSID: <WAP_SSID> <ENTER>
    EAP Type 0=PEAP/MSCHAPv2, 1=EAP-TLS: 0 <ENTER>
    Username: particle <ENTER>
    Password: particle2017 <ENTER>
    Outer identity (optional): <ENTER>
    Root CA in PEM format (optional): <copy/paste in file ca.crt> <ENTER>
    -----BEGIN CERTIFICATE-----
    MIIFlDCCA3ygAwIBAgIJAI01a4ML65mlMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
    ...
    -----END CERTIFICATE-----
    

    Example EAP-TLS with Client Cert., Client Key and Root CA based setup (SECURE!!!)

    SSID: <WAP_SSID> <ENTER>
    EAP Type 0=PEAP/MSCHAPv2, 1=EAP-TLS: 1 <ENTER>
    Client certificate in PEM format: <copy/paste in file client1.crt>
    -----BEGIN CERTIFICATE-----
    MIIE3DCCAsSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCVVMx
    ...
    -----END CERTIFICATE-----
    
    Private key in PEM format: <copy/paste in file client1.key>
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAy42H10w6nntp+Ti7Ts/czel8Gw4mz8Mh3N0R/sapRNLyznom
    ...
    -----END RSA PRIVATE KEY-----
    
    Outer identity (optional): <ENTER>
    Root CA in PEM format (optional): <copy/paste in file ca.crt>
    -----BEGIN CERTIFICATE-----
    MIIFlDCCA3ygAwIBAgIJAI01a4ML65mlMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
    ...
    -----END CERTIFICATE-----
    

    OUTPUT in all cases

    Thanks! Wait while I save those credentials...
    
    Awesome. Now we'll connect!
    
    If you see a pulsing cyan light, your device
    has connected to the Cloud and is ready to go!
    
    If your LED flashes red or you encounter any other problems,
    visit https://www.particle.io/support to debug.
    
    Particle <3 you!
    
  5. If you still have the Docker process in Terminal open, you should see activity from the freeradius process, and your device should have an internet connection.

  6. If you don't see any activity, try restarting the Docker image (see kill command below, run is above).

  7. If you'd like to terminate the Docker image, follow these steps:

    Run:

    docker ps

    Find the Container ID for the particle-wpa-enterprise Image.

    docker kill <id>

1 Like

Saving a spot for CLI setup

This all looks very promising, will anybody be altering the SoftAP example to support this?
I would imagine it would need the user to have the key and certificate stored as files on their device and then a way of uploading them, tapping them in on a phone would be a disaster!

Thanks @Viscacha Do you mean the SoftAP HTTP Pages in firmware, or Photon Web Setup? There is released support for WPA Enterprise in the softap-setup-js library now, so this is on our radar along with support in the iOS and Android Tinker apps!

1 Like

I mean the SoftAP HTTP pages

1 Like

Oh holy cow I am happy about this. I haven’t tested it yet, and I have the infrastructure to test ALL of the scenarios you’ve (very helpfully) outlined.

not much of a requirement for me, but I suspect the next ask you’re going to receive in terms of enterprise compatibility is going to be proxy support. not everyone uses transparent proxies.

1 Like

@Viscacha actually I misinterpreted something and SoftAP HTTP Pages doesn’t require any firmware changes, just the example needs to be updated. Pull requests to the Docs repo for this example would be very welcome :slight_smile:

2 Likes

I figured I could probably call the relevant functions if I added them to the page but my HTML skills date back to the use of tags like <FRAME> and <BLINK> :wink:

1 Like

I’m having an issue on a Photon that I’ve upgraded to 0.7.0 with an ST-Link. I always get an error when it tries to save the credentials I have entered. No one else is reporting this (that I’ve found) so I’m pretty sure it’s something I’ve done wrong. I don’t know what it could be, though.

Anyone know?

How are you applying the credentials?

Since SoftAP is mentioned in this thread, there is an open issue about 0.7.0-xxx and SoftAP here

I’m using the serial interface, so I don’t think that bug applies to me.

What error would this be?
Is the network present and visible?
Are you using CLI or a serial terminal via the w command?

I can’t recall the error at the moment, and it is related to not being able to save the configuration. I can’t find one now to test with, and the one I’m having an issue with is at work. I’ll get you the exact error message tomorrow.

Network is present and visible.

Serial terminal via w command.

Here’s the error I see. I’m not prompted for credentials, which I imagine is the second stage of this procedure.

That’s something for @rickkas7 to look into (and maybe forward to the engineers)

Hello there!

I'm trying to connect my Photon to the WiFi of my university using WPA2-Enterprise/PEAP/MSCHAP2.
My code seems fine, I'm using the 0.7.0-rc2 firmware, but I get the following log:

0000005603 [hal.wlan] INFO: Clearing enterprise credentials
0000005684 [hal.wlan] INFO: EAP config valid: 0
0000005684 [hal.wlan] INFO: Writing EAP configuration

0000005850 [hal.wlan] INFO: EAP config valid: 1
0000005850 [hal.wlan] INFO: Writing EAP configuration
0000007269 [hal.wlan] ERROR: wiced_join_ap_specific(), result: 1025
0000007703 [hal.wlan] INFO: Joining CampusWLAN
0000008489 [hal.wlan] ERROR: wiced_join_ap_specific(), result: 1025
0000008924 [hal.wlan] INFO: Joining CampusWLAN

Sometimes I get a 1025 result, sometimes 1024 and sometimes 1006. But I don't even know if these numbers are relevant.

My code doesn't do anything special:

WiFiCredentials credentials("CampusWLAN", WPA2_ENTERPRISE);
// EAP type: PEAP/MSCHAPv2
credentials.setEapType(WLAN_EAP_TYPE_PEAP);
credentials.setIdentity("user");
credentials.setPassword("pass");
credentials.setCipher(WLAN_CIPHER_AES);
credentials.setOuterIdentity("anonymous");

WiFi.setCredentials(credentials);

Checking the settings I made in Ubuntu, it should work. Can I get a better log with more info or more details about this somehow?

Thanks for your help!

@naikrovek This one may indicate that you are out of heap needed for WPA Enterprise. Try reducing some of the static RAM allocation in your user app, possibly moving things to flash with const. You can also use System.freeMemory() to get an idea of where you are at.

Quoting @Visionary (post 20):

    Sometimes I get a 1025 result, sometimes 1024 and sometimes 1006. But I don't even know if these numbers are relevant.

@Visionary would you please try a few things for me? I'd like to know if you get the same issue if you use the serial based setup (see above). Also if you move to different locations on campus do you still have problems? What is the signal strength of the network as reported by your computer? Try commenting out credentials.setOuterIdentity("anonymous"); as well and leave this as the default setting. When trying serial based setup, just press enter for Outer Identity vs. typing "anonymous" first.

2 Likes