WPA Enterprise PEAP/MSCHAPv2 certificate

txrocks · August 21, 2023, 9:09pm

Is there a way to set the certificate to "do not validate" in the PEAP/MSCHAPv2 settings ?

Our network has this option when we are connecting to the WiFi and IT has told me it needs to be set to "Do not Validate"

I have not made it back there to try it with that whole line deleted.

THANKS!

// WPA Enterprise with PEAP/MSCHAPv2

// We are setting WPA Enterprise credentials
WiFiCredentials credentials("My_Enterprise_AP", WPA_ENTERPRISE);
// EAP type: PEAP/MSCHAPv2
credentials.setEapType(WLAN_EAP_TYPE_PEAP);
// Set username
credentials.setIdentity("username");
// Set password
credentials.setPassword("password");
// Set outer identity (optional, default - "anonymous")
credentials.setOuterIdentity("anonymous");
// I believe this is the setting that our network needs to be " Do not Validate "
// Root (CA) certificate in PEM format (optional)
credentials.setRootCertificate("-----BEGIN CERTIFICATE-----\r\n" \
                               /* ... */ \
                               "-----END CERTIFICATE-----\r\n\r\n"
                              );
// Save credentials
WiFi.setCredentials(credentials);

armor · August 22, 2023, 8:07am

@txrocks If I understand the setup of WPA2 Enterprise being used - there is an identity and a password but no certificate is required or used? It is while since I have done this for a client, in the credentials setup I would omit credentials.setRootCertificate() all together.

rickkas7 · August 22, 2023, 8:11am

Yes, skipping the root certificate is allowed, it's the identity, password, no cert option.

txrocks · August 22, 2023, 10:29am

Thank you everyone, I will give that a shot this afternoon.

txrocks · August 28, 2023, 4:17pm

I have not been able to get it to connect yet, still getting little to no support from our IT department.

When I try to add the credentials through the CLI "particle serial wifi" I do not get the options that are shown in the link from @rickkas7

It asks to scan for networks, I answered no and manually typed in the SSID, then on network security types I only have the option for

WPA2
WPA
WEP
unsecured

I can not setup for WPA enterprise through the CLI. Is there something I am missing? This is a Photon 2. It is on 5.4.1

rickkas7 · August 28, 2023, 4:19pm

The P2 and Photon 2 do not have support for WPA2 Enterprise yet. It should be added in a future version, but I don't know what version.

txrocks · August 28, 2023, 5:00pm

well that would be why.... Well back to the drawing board. I wish IT would just set me up a separate SSID for these.

txrocks · August 28, 2023, 6:48pm

so it appears that the Photon is the only device that can currently do WPA-Enterprise.

rickkas7 · August 28, 2023, 6:50pm

The Photon and P1 are currently the only devices that can do Enterprise Wi-Fi.

The Photon 2 and P2 will get it in the future.

The Argon will not get support for Enterprise Wi-Fi.

armor · February 4, 2024, 10:50pm

For a Photon - client has username and password and no certificate.

If the credentials are set with identity, outer identity and password - no root certificate and no client certificate then a test of WiFi.hasCredentials() returns false. Any explanation for this?

rickkas7 · February 5, 2024, 11:36am

It looks like the code only checks for a username in the inner identity, not the outer identity when using PEAP.

github.com

particle-iot/device-os/blob/release/v2.x/hal/src/photon/wlan_hal.cpp#L298


      
                                                          DCT_WIFI_CONFIG_SECTION, 0, sizeof(*wifi_config));
              if (result == WICED_SUCCESS)
              {
                  has_credentials = wifi_config->device_configured == WICED_TRUE &&
                                    is_ap_config_set(wifi_config->stored_ap_list[0]);
              }
              wiced_dct_read_unlock(wifi_config, WICED_FALSE);
              return !has_credentials;
          }
          
          bool check_enterprise_credentials(WLanCredentials* c)
          {
              bool is_valid = true;
              if (c && c->eap_type == WLAN_EAP_TYPE_PEAP) {
                  // Check if there is a username in inner_identity
                  if (!c->inner_identity || c->inner_identity_len > 64 || c->inner_identity_len == 0)
                      is_valid = false;
                  // Check if there is a stored password in security_key
                  if (!c->password || c->password_len > 64 || c->password_len == 0)
                      is_valid = false;
              } else if (c && c->eap_type == WLAN_EAP_TYPE_TLS) {

armor · February 5, 2024, 1:41pm

Thanks - even deeper mystery.
The identity being used is like XYZ not X.Y@Z.com - I wondered if the WICED was checking for a certain format in the identity.

[Update - indeed on the Photon the WICED stack checks the format of the identity and if it does not conform to a format such as X@Y.com then it will not store the credentials!]

DVDBE · February 8, 2024, 4:01pm

Already any idea when the P2 can do Enterprise Wi-Fi? We have a project in a university and their network is WPA2 Enterprise.
Thanks.

system · August 13, 2024, 6:27am

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problems connecting a Photon to a WPA2-Enterprise network WiFi photon	2	307	November 29, 2022
WPA2-Enterprise? General	9	3893	May 4, 2018
Error 1007 when connecting Photon to WPA2 Enterprise network Troubleshooting	3	471	October 28, 2019
Difficulty connecting Photon to WPA2-Enterprise network Troubleshooting	10	1791	February 12, 2019
Argon, particle-cli & WPA2 Enterprise (PEAP/MSCHAPv2) Troubleshooting	31	2644	October 5, 2021

WPA Enterprise PEAP/MSCHAPv2 certificate

Related topics