WIFI STA - WPA-PEAP mode

CJ_lokesh · November 10, 2020, 2:21pm

My goal is: I want to connect my device to WPA-PEAP enabled network
My actions are: I can able to set user name and password as per WiFi-STA configuration
The result I see is: When I provide SSID, username, and password, the device is failing to connect, whenever the device is trying to connect and disconnect it is giving different reasons(Ex: disconnected, reason 204),
but through config-get, I can cross-check the SSID,user name password is set.
My expectation & question is: How to make the device to connect to a network which has WPA-PEAP mode enabled.
The device I am using is ESP32.
Please help to achieve it.
Thanks and regards
Lokesh CJ

scaprile · November 11, 2020, 2:09pm

PEAP means Protected EAP. How is that “protected” ? by means of a TLS layer that encrypts the actual EAP authentication. How does TLS encryption work ? Using symmetric keys derived from asymmetric keys validated through certificates. How does that TLS connection get established and how does the device know it will be using PEAP ? That happens in the negotiation phase, using EAP, and your device will get a hint from your AP (Access Point) and from your configuration.

You will need a bogus user name for the wrapping EAP and a real user name for your inner (protected) EAP, plus your CA certificate to validate your RADIUS certificate, and perhaps your user certificate and private key if your network is using mutual authentication. Your provider should be able to explain to you what you need.
In our particular case, your device will not try to perform EAP negotiation if it does not have a CA certificate configured.

  - ["wifi.sta.enable", true]          # Enable Station mode
  - ["wifi.sta.ssid", "Sandbox"]       # WiFi network name
  - ["wifi.sta.user", "bob"]           # Username for auth in PEAP/TTLS
  - ["wifi.sta.pass", "hello"]         # Password
  - ["wifi.sta.anon_identity", "anonymous"] # Bogus identity for external EAP
  - ["wifi.sta.cert", "sandboxclient.crt"]  # Client certificate (*  optional)
  - ["wifi.sta.key", "sandboxclient.key"]   # Client key (EAP-TLS or optional)
  - ["wifi.sta.ca_cert", "ca.crt"]          # CA certificate

CJ_lokesh · November 17, 2020, 4:39am

@scaprile Thank you for the response.

CJ_lokesh · September 24, 2021, 1:12pm

@scaprile

I have tried setting the following to connect ESP32 to WPA-PEAP network

config_schema:
  - ["wifi.ap.enable", false] 
  - ["wifi.sta.enable", true] 
  - ["wifi.sta.ssid", "FT-Test"] 
  - ["wifi.sta.user", "prem"] 
  - ["wifi.sta.pass", "JumpCloud#123"] 
  - ["wifi.sta.ca_cert", "radius.jumpcloud.com-2021"]

but still device fails to connect and shows following error:

[Sep 24 18:41:31.557] e[0;32mI (479598) phy_init: phy_version 4660,0162888,Dec 23 2020e[0m
[Sep 24 18:41:31.557] I (479618) wifi:mode : sta (9c:9c:1f:c5:52:bc)
[Sep 24 18:41:33.682] mgos_wifi_sta.c:516     Trying FT-Test AP 6e:3a:1e:84:5e:f1 RSSI -61 cfg 0 att 20
[Sep 24 18:41:33.682] esp32_wifi.c:653        WiFi STA: protocol BGN (0x7)
[Sep 24 18:41:33.682] esp32_wifi.c:410        Failed to read radius.jumpcloud.com-2021
[Sep 24 18:41:33.682] mgos_net.c:89           WiFi STA: connecting
[Sep 24 18:41:35.721] mgos_wifi.c:70          WiFi STA: Disconnected, reason: 201
[Sep 24 18:41:35.721] mgos_wifi_sta.c:536     Connect failed
[Sep 24 18:41:35.721] I (483768) wifi:flush txq
[Sep 24 18:41:35.721] I (483768) wifi:stop sw txq
[Sep 24 18:41:35.721] I (483778) wifi:lmac stop hw txq
[Sep 24 18:41:35.721] mgos_net.c:84           WiFi STA: disconnected
[Sep 24 18:41:37.777] mgos_wifi_sta.c:516     Trying FT-Test AP 8e:15:44:a9:7a:16 RSSI -65 cfg 0 att 20
[Sep 24 18:41:37.777] esp32_wifi.c:653        WiFi STA: protocol BGN (0x7)
[Sep 24 18:41:37.777] esp32_wifi.c:410        Failed to read radius.jumpcloud.com-2021
[Sep 24 18:41:37.777] e[0;32mI (485808) phy_init: phy_version 4660,0162888,Dec 23 2020e[0m
[Sep 24 18:41:37.777] I (485828) wifi:mode : sta (9c:9c:1f:c5:52:bc)
[Sep 24 18:41:37.777] mgos_net.c:89           WiFi STA: connecting
[Sep 24 18:41:39.828] mgos_wifi.c:70          WiFi STA: Disconnected, reason: 201
[Sep 24 18:41:39.828] mgos_wifi_sta.c:536     Connect failed
[Sep 24 18:41:39.828] I (487868) wifi:flush txq
[Sep 24 18:41:39.828] I (487868) wifi:stop sw txq
[Sep 24 18:41:39.828] I (487868) wifi:lmac stop hw txq
[Sep 24 18:41:39.828] mgos_net.c:84           WiFi STA: disconnected
[Sep 24 18:41:41.812] mgos_wifi_sta.c:496     No candidate APs
C:/mos/esp32_wpa

scaprile · September 24, 2021, 2:18pm

Do you actually have a file with that name in your device that is a valid certificate ?