I'm trying to connect to a WPA2 Enterprise network with an ESP8266. I think there may be a bug in the EAP code in the ESP8266 firmware (and if so, then probably also in the same module in the ESP32 firmware).
I set up a build environment (described here) that can compile the following code using the SDK_2.1.0 + the relevant files from this GitHub commit.
I can successfully compile the following code:

    #include <ESP8266WiFi.h>
    extern "C" {
    #include "user_interface.h"
    #include "wpa2_enterprise.h"
    }

    // SSID to connect to
    static const char* ssid = "eduroam";
    // Username for authentication
    static const char* username = "myusername@myinstitution";
    // Password for authentication
    static const char* password = "mypassword";

    void setup() {
      // put your setup code here, to run once:
      Serial.begin(115200);

      // Setting ESP into STATION mode only (no AP mode or dual mode)
      wifi_set_opmode(STATION_MODE);

      // Station config carries only the SSID; credentials are set through the enterprise API below
      struct station_config wifi_config;
      memset(&wifi_config, 0, sizeof(wifi_config));
      strcpy((char*)wifi_config.ssid, ssid);
      wifi_station_set_config(&wifi_config);

      // Clear any stored client cert/key and CA cert (password-based EAP; no CA cert is loaded)
      wifi_station_clear_cert_key();
      wifi_station_clear_enterprise_ca_cert();

      // Enable WPA2 Enterprise and set the identity, username and password
      wifi_station_set_wpa2_enterprise_auth(1);
      wifi_station_set_enterprise_identity((uint8*)username, strlen(username));
      wifi_station_set_enterprise_username((uint8*)username, strlen(username));
      wifi_station_set_enterprise_password((uint8*)password, strlen(password));
      wifi_station_set_enterprise_new_password((uint8*)password, strlen(password));
      wifi_station_connect();

      // Wait for connection AND IP address from DHCP
      Serial.println();
      Serial.println("Waiting for connection and IP Address from DHCP");
      while (WiFi.status() != WL_CONNECTED) {
        delay(2000);
        Serial.print(".");
      }
      Serial.println("");
      Serial.println("WiFi connected");
      Serial.println("IP address: ");
      Serial.println(WiFi.localIP());
    }

    void loop() {
      // put your main code here, to run repeatedly:
    }

When I tried to connect to my WPA2 Enterprise network at home, I got the following error in the freeradius log:

    Found Auth-Type = EAP
    # Executing group from file /etc/raddb/radiusd.conf
    +group authenticate {
    [eap] Request found, released from the list
    [eap] EAP NAK
    [eap] NAK asked for bad type 0
    [eap] Failed in EAP select
    ++[eap] = invalid

I found that other people had experienced the same problem on ESP32, so I tried their fix: to set

    default_eap_type = mschapv2

When I try the same thing at my work (an academic institution that uses the eduroam network), I cannot authenticate. I have no control over the radius server, nor can I see the logs, but it seems plausible to me that I am experiencing the same problem.
I am no expert in EAP, but it seems to me that the ESP firmware somehow does not make it clear to freeradius that it wants to authenticate using EAP-MSCHAPv2. I'm not sure at what point in the negotiation the EAP type is selected, but I see here that EAP-MSCHAPv2 is type 26, and from the freeradius log file, it seems that the ESP sends type 0.
Is that a bug, and if so, can that be fixed?
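
Added example (not part of the original post and not ESP or FreeRADIUS code): a small C decoder for the EAP Response/Nak that the `EAP NAK` and `NAK asked for bad type 0` log lines refer to. In RFC 3748 a Nak's Type-Data lists the method types the peer is asking for, and the value 0 is reserved there to mean "no viable alternative"; the function name and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EAP constants from RFC 3748; 26 is the EAP-MSCHAPv2 type mentioned in the post. */
enum { EAP_RESPONSE = 2, EAP_TYPE_NAK = 3, EAP_TYPE_MSCHAPV2 = 26 };

/* Constructed sample packets (not captured traffic):
 * Code, Identifier, Length (2 bytes, big-endian), Type, Type-Data. */
static const uint8_t NAK_ZERO[]     = { 0x02, 0x01, 0x00, 0x06, 0x03, 0x00 };
static const uint8_t NAK_MSCHAPV2[] = { 0x02, 0x01, 0x00, 0x06, 0x03, 0x1a };
static const uint8_t NAK_SHORT[]    = { 0x02, 0x01, 0x00, 0x08, 0x03, 0x1a };

/*
 * Decode a Legacy Nak and copy the non-zero method types it requests into out[].
 * Returns the number of types copied; 0 means the peer listed only type 0
 * ("no viable alternative" in RFC 3748). Returns -1 if the buffer is not a
 * well-formed EAP Response/Nak or out[] is too small.
 */
int eap_nak_desired_types(const uint8_t *pkt, size_t len, uint8_t *out, size_t out_cap)
{
    if (pkt == NULL || out == NULL || len < 6)
        return -1;                       /* header + type + at least one octet */
    size_t eap_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (eap_len < 6 || eap_len > len)    /* declared length must fit the buffer */
        return -1;
    if (pkt[0] != EAP_RESPONSE || pkt[4] != EAP_TYPE_NAK)
        return -1;

    int count = 0;
    for (size_t i = 5; i < eap_len; i++) {
        if (pkt[i] == 0)
            continue;                    /* 0 is a marker, not a method */
        if ((size_t)count == out_cap)
            return -1;
        out[count++] = pkt[i];
    }
    return count;
}

int main(void)
{
    uint8_t types[8] = { 0 };
    printf("type-0 Nak:   %d methods requested\n",
           eap_nak_desired_types(NAK_ZERO, sizeof NAK_ZERO, types, sizeof types));
    int n = eap_nak_desired_types(NAK_MSCHAPV2, sizeof NAK_MSCHAPV2, types, sizeof types);
    printf("normal Nak:   %d method, type %u\n", n, (unsigned)types[0]);
    printf("short buffer: %d\n",
           eap_nak_desired_types(NAK_SHORT, sizeof NAK_SHORT, types, sizeof types));
    return 0;
}
```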