Arduino: WPA2-enterprise + PEAP

Created on 17 Nov 2015 · 142 Comments · Source: esp8266/Arduino

Can ESP connect to WPA2-enterprise + PEAP networks? If yes, how to do that?

libraries enhancement

All 142 comments

There is a longer discussion of this topic on the esp8266 forum http://www.esp8266.com/viewtopic.php?f=6&t=1243&start=15.

WPA2-enterprise is supported in SDK 1.5, so linking this to #1102.

I suspect only eap-tls is supported.

See http://bbs.espressif.com/download/file.php?id=988. The only reference to wpa2-enterprise is in
wifi_station_set_cert_key

Also:

$ ar -t esp_iot_sdk_v1/esp_iot_sdk_v1.5.0/lib/libwpa2.a
/
//
asn1.o/
base64.o/
bignum.o/
eap_common.o/
eap.o/
/0
eap_tls.o/
ext_password.o/
pkcs1.o/
pkcs5.o/
pkcs8.o/
rsa.o/
tls_internal.o/
tlsv1_client.o/
/18
/39
tlsv1_common.o/
tlsv1_cred.o/
tlsv1_record.o/
tlsv1_server.o/
/61
/82
x509v3.o/

Hi guys. Finally WPA2 Enterprise is supported. But I cannot find any example. Actually I saw that only 1 person got it working.
My question is: I need to fill in a username (identity) and a password for the WPA2 and no private key or something like that. Where to fill in the "username" ? Or is this not supported yet. I know this is not an arduino question. But anyway here are the specialists :)

I have not yet added -lwpa2 to linker flag because I wasn't able to get WPA2-Enterprise to work.
If anyone wants to try, feel free to add this flag here

@igrr shouldn't that be line 33? Either way that doesn't work for me, I included

#include <user_interface.h>
...
wifi_station_clear_cert_key();

... in my code to see if that would build, but it doesn't:

sketch_dec20a.ino:5: undefined reference to `wifi_station_clear_cert_key()'
collect2: error: ld returned 1 exit status

But I'm not sure this is the right way to call those functions.

You need to wrap that include with extern "C":

extern "C" {
#include "user_interface.h"
}

Regarding line number: after I wrote that comment a few lines got added, so now compiler.c.elf.libs is on line 33.

@igrr extern "C" does get me further, except for this:

/Applications/Arduino.app/Contents/Java/hardware/esp8266com/esp8266/tools/sdk/lib/libcrypto.a(aes-internal-dec.o):(.irom0.text+0x4): undefined reference to `Td0'
/Applications/Arduino.app/Contents/Java/hardware/esp8266com/esp8266/tools/sdk/lib/libcrypto.a(aes-internal-dec.o): In function `aes_decrypt_init':
(.irom0.text+0x134): undefined reference to `Td4s'
collect2: error: ld returned 1 exit status

I hope you know what's missing :-)

I also added the -lwpa2 parameter.
I have exactly the same error as Paul.
Same result when I tried this new function: wifi_station_clear_cert_key();

Should be fixed by 70cf3c3

Yes, now it compiles. Thanks Igrr, Back to my first question. Where to put the username (Identity)?
How does it work? I am missing one part of the puzzle. And I do not know which

@igrr Great, that compiles and I've actually got it to authenticate. But: with the wrong User-Name, that seems to be set to "tianhao" and not taken from the certificate CN. Maybe it uses the Microsoft UPN attribute or a subjectAltName; I'll try to experiment with that, but suggestions are welcome.

I also need to connect to a WPA2 Enterprise secured network; it requires user authentication, that is username + password, no certificate.
The server certificate is a self-signed one.

Did anyone get this to work? And if so, is there a guide + example?

So far only EAP-TLS is supported; so client-certificate based and not username/password. This works fine for me, but if you have no client-certificate and no control over the RADIUS server, I don't think you can do a lot (but wait for a series of other EAP-mechanisms to be supported).

I have full control over the RADIUS server just never configured anything else than user name based.
If I have to add certificate based (if that can coexist) then it's doable.
Still how do I do that on the arduino side?

You can use something like https://github.com/joostd/esp8266-eduroam/blob/master/Arduino/eduroam/eduroam.ino. At the moment, it needs a patched esp8266 Arduino core (https://github.com/esp8266/Arduino/pull/1633)

FYI Espressif just released 1.5.3 which adds username/password support.

Alas, all that 1.5.3 adds are the missing prototypes in include/user_interface.h (wifi_station_set_username and wifi_station_clear_username). These are not used for username/password authentication, but for setting/clearing the username used in EAP. As such, EAP-TLS (i.e. using client certificates) is still the only supported EAP method.
(In fact lib/libwpa2.a has not changed since version 1.5.2).

It does mean that PR #1633 is no longer necessary once the SDK is upgraded to 1.5.3.

@joostd Yeah I didn't notice that at first.. got a bit excited. I haven't been able to get PEAP going at my workplace.

I'm very interested. Can someone give a quick run down of the step by step for what almost "works" as of right now so I could give it a try? I take it it's only certificate based and not identity/password based that works (would be nice, but ok).

Edit: Are we waiting on Espressif for the identity/password bit?

I'm interested in seeing the arduino implementation for username/password on 801.2x

What's the current status of this?

With the switch to V2.0 of the espressif sdk, EAP-TTLS and PEAP should now work as well.

Hi @ all,
but where is an example on how to use it?
I could not find one.
Does anybody have an example for WPA2 with PEAP?

If you look at the (eap-tls) code at
https://github.com/joostd/esp8266-eduroam/blob/master/Arduino/eduroam/eduroam.ino

you should be able to use PEAP instead of EAP-TLS by replacing a few lines, most notably replace calls like
wifi_station_set_cert_key
with calls to
wifi_station_set_wpa2_enterprise_auth
wifi_station_set_enterprise_username
wifi_station_set_enterprise_password

See also:
https://espressif.com/sites/default/files/documentation/2c-esp8266_non_os_sdk_api_reference_en.pdf

Hope this helps…

It appears to me that this framework doesn't yet use version 2 of the SDK, but there is an open pull request: https://github.com/esp8266/Arduino/pull/2440.

Hi @cmfcmf, there's a branch of Esp8266/Arduino that uses SDK2, BUT WPA2-PEAP doesn't seem to work: #2595
If you want to test it you can follow these directions: https://github.com/esp8266/Arduino/issues/2304#issuecomment-245849344

I tried to use ESP openSDK too, which uses SDK2, but it doesn't seem to work either.
Check here: https://github.com/pfalcon/esp-open-sdk/issues/220

Hi jjoostd,
I get: 'wifi_station_set_enterprise_password' was not declared in this scope.
I only included
If I try to include "wpa2_enterprise.h"
I get: wpa2_enterprise.h: No such file or directory

So the question is: Do I need to include wpa2_enterprise.h?
And where is the file located?

Sorry, there was a typo.
It should be
I only included

Sorry again
I pasted the name but it disappeared after sending.
I meant I only included ESP8266WiFi.h

@bospre You need to use another branch of this project.
Follow these directions: https://github.com/esp8266/Arduino/issues/2304#issuecomment-245849344

Thank you for this hint.
But how is this done with WIN-OS?
I think this only works for Linux?
Can't the files be downloaded manually?

I think you can clone a branch in Windows too (http://stackoverflow.com/questions/1778088/how-to-clone-a-single-branch-in-git) but you have to change the Arduino linux folder with yours.

how to connect to PEAP (source: sdk 2.0 documentation, page 133):

  1. Call wifi_station_set_config to set the configuration of target AP.
  2. Call wifi_station_set_wpa2_enterprise_auth(1); to enable WPA2_Enterprise authentication.

    • For EAP-TLS authentication, call wifi_station_set_enterprise_cert_key to set certificate and private key.

      wifi_station_set_enterprise_username is an optional choice, it can be called to set user name.

    • For EAP-TTLS or EAP-PEAP authentication, call wifi_station_set_enterprise_username and wifi_station_set_enterprise_password to set user name and password.

      wifi_station_set_enterprise_ca_cert is an optional choice, it can be called to set root certificate.

  3. Call wifi_station_connect to connect to target AP.
  4. After being connected to an AP, or failing to connect to AP and on stopped retries, please call the corresponding wifi_station_clear_enterprise_XXX APIs to release the resources.

@noerw That is what Gidrix (and me too) tried here: https://github.com/esp8266/Arduino/issues/2595
Something doesn't work

Do you have access to the radius server?
What does the logfile say?
I did not manage the installation of the sdk 2.0 with arduino.
Maybe if somebody can send me the complete package ready to use.
I found it lying under
C:\Users\replaceyourusername\AppData\Roaming\Arduino15\packages\esp8266\

I am running my own radius server, so I have access to the logfiles and maybe I can find out, why it does not work.

@noerw I have done what you said, and I always get wrong password returned from wifi_station_get_connect_status. I know that the username and password supplied to wifi_station_set_enterprise_password and wifi_station_set_enterprise_username are correct, so I believe the problem to be in the wifi_station_set_config. Do I need to set anything other than the SSID in the station config?

Espressif wrote me yesterday.
They said:

Hi,
Please see sample code below.
And we are working on an introduction about WPA2 enterprise. Please wait a couple of days, and we will release on our website.

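#include "ets_sys.h"
#include "osapi.h"
#include "user_interface.h"
#include "wpa2_enterprise.h"

// Root CA certificate of the RADIUS server (PEM text); the sample does not show where it is defined.
extern uint8 ca[];

void ICACHE_FLASH_ATTR
user_init(void)
{
    int ret;
    struct station_config wifi_config;

    os_printf("User Init\n");
    os_memset(&wifi_config, 0, sizeof(wifi_config));
    // os_strncpy rather than os_strcpy, because a length is passed; the struct
    // was zeroed above, so both strings stay NUL-terminated.
    os_strncpy((char *)wifi_config.ssid, "TP-LINK_92FC", os_strlen("TP-LINK_92FC"));
    os_strncpy((char *)wifi_config.password, "12345678", os_strlen("12345678"));
    wifi_set_opmode(STATION_MODE);
    wifi_station_set_config(&wifi_config);

    wifi_station_set_wpa2_enterprise_auth(1);
    os_printf("wpa2 set CA Certificate\n");
    ret = wifi_station_set_enterprise_ca_cert(ca, os_strlen((char *)ca) + 1);
    if (ret != 0) {
        os_printf("set CA certificate fail\n");
    }
    wifi_station_set_enterprise_username((uint8 *)"espressif", os_strlen("espressif"));
    wifi_station_set_enterprise_password((uint8 *)"test11", os_strlen("test11"));

    wifi_station_disconnect();
    wifi_station_connect();
}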

Hi gorghino,
I have been working on this subject for 2 days, and I think I have found the cause.
In order to "make it" work, I set up the following system:

  • A virtual machine to have a RADIUS server: FreeRADIUS (downloaded from RADIUSDesk)
  • A small Wi-Fi router that is configured for WPA2 Enterprise and pointing to the virtual machine which is running the RADIUS server.
  • Wireshark packet analyzer.
  • Arduino 1.6.9, with esp8266 Arduino SDK 2.0.0, running on Windows. (It was a bit difficult but I managed to make it compile and work.) A call to get_sdk_version shows: 2.0.0 (5a875ba)

So I tried sketches from Gidrix, Joostd (modified according to his suggestion), the one that Espressif sent you, and many other combinations derived from these with different call orders for initialization.

Of course none of them worked.
By looking at the packets it's obvious : the esp always sends the same identifier, which is [email protected], instead of the one defined by wifi_station_set_enterprise_username

This string is present in libwpa2.a file, generated from eap.c.

If you change the string in this file, and recompile the sketch, the esp will send the identifier that you put in it.

Is it a default value? The wifi_station_set_enterprise_username method is expected to change it, but it doesn't.
Do we have access to the wifi_station_set_enterprise_username source code? What is broken in it?
Or to the modified eap.c file from Espressif (derived from https://w1.fi/wpa_supplicant/devel/eap_8c.html)?

Where is the default value of the password in this file? Maybe we can put the identifier in it and try if it is connecting.

Please post the sketch you want me to try, so I can look if it changes the identifier and send you the result.
Best regards,
René

Hi @rbmb
I was also working on this trying to connect to UPC Wi-Free. Edited libwpa2.a and replaced with my username but it didn't seem to help either but thanks for the tip. Hopefully soon someone makes a breakthru.
Peter

@Alviso,
The workaround with libwpa2.a is only half-way at the moment. We can only set the username, but the password is still missing.

  • Either we know where it is in this file and know how it's encoded, so we can set it at compile time
  • Either somebody from Espressif (or else) should tell the default password, but in this scenario we should have some control upon the RADIUS server to put the password that we want (the default one).

I don't know why set_username function won't work with Arduino.
SetAuthentification function is working.
According to Gidrix, it's working OK with NONOS SDK2.0.0. https://github.com/esp8266/Arduino/issues/2595

The file libwpa2.a is exactly the same, the header file wpa2_enterprise.h is also the same except the comments at the beginning between Arduino and NONOS SDK.
How can we progress in this issue ? Where should we look ?
Can it be the linking order in platform.txt (compiler.c.elf.libs)?

@rbmb Thanks for your nice explanation for why WPA2 Enterprise is not working in Arduino now. Do you have any progress for solving this identifier and password problem or any news from Espressif? Thank you again!

Hi Jimmy,
Unfortunately, I didn't solve the issue. I don't have any contacts with Espressif nor with Igor. Hope someone can route these findings to them.
Meanwhile, I was forced to change the board for this project due to this issue.
I ended up using a wired Leonardo Eth. from arduino.org. The Ethernet connection is not reliable (due to hardware, I think) and 97% of program flash is used.

Actually, [email protected] is the "outer identity" which is used for routing RADIUS messages, not for user authentication, and it is not supposed to be set using wifi_station_set_enterprise_username. That function is used for setting the "inner identity" used in PEAP or TTLS. The reason why authentication fails (at least in my case) is that there is an issue with the method used for user authentication (usually MSCHAPv2).
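
To check on the RADIUS server side which outer identity a station really sends, as in the packet captures discussed above, the identity can be pulled out of the Access-Request. This is an added example, not code from the thread or from FreeRADIUS: it walks the RADIUS attributes, reassembles EAP-Message and returns the EAP-Response/Identity. The function names, the sample packet and the identity `anonymous@example.invalid` are constructed for illustration.

```python
"""Extract the outer EAP identity from a RADIUS Access-Request (added example)."""
import struct

RADIUS_ACCESS_REQUEST = 1   # RFC 2865 packet code
ATTR_USER_NAME = 1          # RFC 2865 attribute
ATTR_EAP_MESSAGE = 79       # RFC 3579 attribute, may occur several times
EAP_RESPONSE = 2            # RFC 3748 code
EAP_TYPE_IDENTITY = 1       # RFC 3748 type


def radius_attributes(packet: bytes):
    """Yield (type, value) for every attribute, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("RADIUS length field does not match the packet")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def outer_identity(packet: bytes):
    """Return (User-Name, EAP identity) from an Access-Request.

    The identity is None unless the packet carries an EAP-Response/Identity.
    """
    attrs = list(radius_attributes(packet))      # validates the header first
    if packet[0] != RADIUS_ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user_name, eap = None, b""
    for attr_type, value in attrs:
        if attr_type == ATTR_USER_NAME:
            user_name = value.decode("utf-8", "replace")
        elif attr_type == ATTR_EAP_MESSAGE:
            eap += value                         # fragments are concatenated in order
    if len(eap) < 5:
        return user_name, None
    code, _ident, eap_len = struct.unpack("!BBH", eap[:4])
    if not 5 <= eap_len <= len(eap):
        raise ValueError("EAP length field does not match the reassembled message")
    if code != EAP_RESPONSE or eap[4] != EAP_TYPE_IDENTITY:
        return user_name, None
    return user_name, eap[5:eap_len].decode("utf-8", "replace")


def exposes_username(outer: str, inner_username: str) -> bool:
    """True when the cleartext outer identity carries the real (inner) user name."""
    return outer.split("@", 1)[0] == inner_username


def build_access_request(identity: bytes, ident: int = 1) -> bytes:
    """Constructed sample of what an AP forwards after EAP-Response/Identity."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, ident,
                      5 + len(identity), EAP_TYPE_IDENTITY) + identity
    name = identity[:253]                        # one attribute holds at most 253 bytes
    attrs = bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + bytes(16) + attrs            # all-zero authenticator: sample only


if __name__ == "__main__":
    sample = build_access_request(b"anonymous@example.invalid")
    user_name, outer = outer_identity(sample)
    print("User-Name:", user_name)
    print("outer identity:", outer)
    print("exposes user1:", exposes_username(outer, "user1"))
```
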

I finally got an IP with WPA2 PEAP using the sdk 2.0.0 branch: see my comment at https://github.com/esp8266/Arduino/issues/2595#issuecomment-267809669

Hello,
I just searched a while and still returned to this post, so I have to ask here!

I try to connect an ESP8266-E12 to a WPA2-Enterprise network that uses PEAP and MSCHAPv2 for authentication with a username and a password, but I can't get it working.

So does anyone here have a working example for this configuration? Is it possible?

best regards

Jörg Tuttas

Hi @jtuttas

I got my esp8266 connected to the eduroam network which uses (AFAIK) PEAP MSCHAPv2.
It is sending data to a thingspeak graph and works well.

To do this you will need to

  1. Follow @igrr's instructions on how to install the update sdk 2.0 version into your Arduino folder.

  2. Go to the #2595 comment thread and copy the code at the top into a sketch. Be sure you make the changes to the code as @pepe79 has pointed out.

  3. Compile the code to ensure it works.

  4. Edit the binary file libwpa2.a using a binary editor. Hex Edit for Windows or Bless for Linux works well.
    When editing the binary file, you are looking for the string "[email protected]".
    Once you find that string in your binary editor window, you must edit it to match your username for the network. NOTE: If you edit the file, be sure to fill any remaining space with "."s to ensure the file stays the same size.
    Example:
    "[email protected]"
    becomes
    ".....[email protected]...... "

    You need to pad out the spaces left. In this case "anonymous" is 9 letters and "your" is 4, therefore you need 5 dots to make up the difference and stop the binary file becoming corrupted.

  5. Once you have edited and saved the binary file you can now compile and upload your code to the esp8266 and it should work. Below is the code I used to get my readings from a pot and upload to ThingSpeak (my credentials have obviously been removed).

#include <Arduino.h>
#include <ESP8266WiFi.h>
#ifdef ESP8266
extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}
#endif

static u8 ent_username[] = "yourusername"; // same as the modification to the libwpa2.a file
static u8 ent_password[] = "your password";
const char* host = "api.thingspeak.com";

void setup(){
  pinMode(LED_BUILTIN, OUTPUT);
  char a[100];
  ip_info info;
  wifi_get_ip_info(0, &info);

  Serial.begin(115200);

  wifi_station_disconnect();
  wifi_set_opmode(STATION_MODE);

  char ssid[32] = "yourssid";
  char password[64] = {0x00};
  struct station_config stationConf;
  stationConf.bssid_set = 0;  //need not check MAC address of AP
  memcpy(&stationConf.ssid, ssid, 32);
  memcpy(&stationConf.password, password, 64);

  if(!wifi_station_set_config(&stationConf)){
    Serial.print("\r\nset config fail\r\n");
  }

  // switch to WPA2 Enterprise 
  wifi_station_set_wpa2_enterprise_auth(1); 

  if(wifi_station_set_enterprise_username (ent_username, strlen((char*)ent_username))){
    Serial.print("\r\nusername set fail\r\n");
  }
  if(wifi_station_set_enterprise_password (ent_password, strlen((char*)ent_password))){
    Serial.print("\r\npassword set fail\r\n");
  }

  if(!wifi_station_connect()){
    Serial.print("\r\nconnect fail\r\n");
  }

  Serial.print("\r\ntrying to connect...");

  while(info.ip.addr == 0){
    ESP.wdtFeed();
    Serial.print(".");
    delay(1000);
    wifi_get_ip_info(0, &info);
  }

  sprintf(a, "%" PRIu32, info.ip.addr);  // space before PRIu32 so C++11 does not parse it as a literal suffix
  Serial.print("\r\nip addr: ");
  Serial.print(a);
  Serial.print("\r\n");
}


void loop()
{ 
  WiFiClient client;
  const int httpPort = 80;

  if (!client.connect(host, httpPort)) {
    Serial.println("connection failed");
    return;
  }
  else
  {
    Serial.println("connected !");
  }


  //client.print("GET /update?key=82RS9VJ7YHQGMWT1&field1=1000\n");

  char buffer[200];
  int adcValue = analogRead(A0);
  Serial.println(adcValue);
  sprintf(buffer, "GET /update?key=IYFDMJ5JMSCC8NP4&field1=%d\n", adcValue);
  client.print(buffer);

  while (client.available()) {
    String line = client.readStringUntil('\r');
    Serial.print(line);
  }

  client.stop();
  Serial.println("closing connection");
  digitalWrite(LED_BUILTIN, LOW);   // Drive the LED pin LOW
  delay(2000);
  digitalWrite(LED_BUILTIN, HIGH);  // Drive the LED pin HIGH
  delay(2000);

  delay(60000);
}

I hope this helps you or anyone else who was trying to get it connected.

This is my first ever post on Github so apologies if I have not followed certain conventions on this forum/thread in terms of posting/referencing

cheers

ninjabe86 :)
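
The same-length edit from step 4, scripted as an added example that is not part of the original post or of the SDK: it replaces one string in a binary file, pads with "." the way the post's example does (user part padded on the left, realm on the right), keeps a backup, and refuses any edit that would change the file size. The function names, the stand-in archive bytes and the identities `anonymous@example.invalid` and `your@uni.test` are constructed placeholders; use the string actually present in your libwpa2.a.

```python
"""Same-size string replacement inside a binary file (added example)."""
import tempfile
from pathlib import Path

PAD = b"."  # filler the post uses to keep the string length unchanged


def pad_identity(old: bytes, new: bytes) -> bytes:
    """Pad `new` with '.' so it occupies exactly len(old) bytes.

    With an '@' in both strings, the user part is padded on the left and the
    realm on the right, so '@' stays at the same offset (reading of the post's
    worked example). Strings without '@' are padded on the right.
    """
    if b"@" in old and b"@" in new:
        old_user, old_realm = old.split(b"@", 1)
        new_user, new_realm = new.split(b"@", 1)
        if len(new_user) > len(old_user) or len(new_realm) > len(old_realm):
            raise ValueError("replacement does not fit in the original string")
        return (new_user.rjust(len(old_user), PAD) + b"@"
                + new_realm.ljust(len(old_realm), PAD))
    if len(new) > len(old):
        raise ValueError("replacement does not fit in the original string")
    return new.ljust(len(old), PAD)


def patch_blob(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace the single occurrence of `old`; any other count is an error."""
    hits = blob.count(old)
    if hits != 1:
        raise ValueError(f"expected exactly one occurrence, found {hits}")
    patched = blob.replace(old, pad_identity(old, new))
    if len(patched) != len(blob):
        raise RuntimeError("size changed, refusing to continue")
    return patched


def patch_file(path: Path, old: bytes, new: bytes) -> int:
    """Patch `path` in place, keep an untouched copy beside it, return the offset."""
    original = path.read_bytes()
    patched = patch_blob(original, old, new)
    backup = path.with_name(path.name + ".orig")
    if not backup.exists():          # never overwrite the first, pristine backup
        backup.write_bytes(original)
    path.write_bytes(patched)
    return original.find(old)


def demo():
    """Run the patch on a constructed stand-in for libwpa2.a in a temp directory."""
    old = b"anonymous@example.invalid"   # placeholder for the built-in string
    blob = b"!<arch>\n" + b"\x00" * 32 + old + b"\x00" + b"\x7fELF" * 4
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "libwpa2.a"
        lib.write_bytes(blob)
        offset = patch_file(lib, old, b"your@uni.test")
        return offset, len(blob), lib.stat().st_size


if __name__ == "__main__":
    print(pad_identity(b"anonymous@example.invalid", b"your@uni.test"))
    print(demo())
```

The outer identity is sent before the TLS tunnel exists, so a real username patched in here is visible to anyone capturing the exchange.
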

Hi @ninjabe86 ,
wow, this is a really good conclusion of all the posts I have read in the past about ESP8266 and WPA2 Enterprise connections. Congratulations! I will try all the steps within the next week and give you and the community feedback. I guess my main fault was step 4 (edit the lipwap2.a).

best regards !

jtuttas

Hello
I tried what you wrote above, but it did not work for me.
At first I created at the RADIUS-Server a user "[email protected]" with password "test".
But the logfile of the RADIUS only showed login errors.
Then I tried to change libwpa2.a as you proposed, but that did not work either.
I am still hoping that sometimes there will be an update of the sdk.

@jtuttas I made a typo and corrected it just there. Be sure to edit the libwpa2.a file, not lipwap2.a (I don't think this file even exists, but just to be sure).

This is located (in my case) as follows arduino-1.6.5-r5/hardware/esp8266com/esp8266/tools/sdk/lib

@bospre if you have updated the sdk to 2.0.0 as above and have edited the binary file without corrupting it then I'm afraid I can't help you much more. I am fairly new to this myself.

As you said, hopefully this repo gets updated soon.

Hey guys,

I install the sdk 2.0 using git clone into Documents/Arduino/esp8266 and also think I modified the binary file successfully.

However, I created a new sketch file in the Arduino IDE and saved it in the Documents/Arduino/esp8266sketch and now it can't gain access to the wpa2_enterprise.h in the other folder. How exactly do I include the whole sdk in my project so my code has access to all the functions in the sdk?

Here is the error I'm getting.

/Users/saichintha/Documents/Arduino/esp8266sketch/esp8266sketch.ino:6:29: fatal error: wpa2_enterprise.h: No such file or directory
 #include "wpa2_enterprise.h"
                             ^
compilation terminated.
exit status 1
Error compiling for board Generic ESP8266 Module.

I managed to get a working configuration different from @ninjabe86 as I tried to modify libwpa2.a file unsuccessfully...

Here is my configuration

Global configuration

  • A BELKIN Access point with WPA2 Enterprise support
  • An ESP8266 nodeMCU v1.0
  • Arduino v1.6.8 installed with SDK2.0 integration as described by @igrr.
    In short, in the folder c:\users\USERNAME\AppData\Local\Arduino15\packages (on Windows, sorry about that; check your own packages repository on your OS by downloading a random Board driver with the Arduino Board Manager. It should be somewhere!):
mkdir esp8266com
cd esp8266com
git clone -b update_sdk_2.0.0 https://github.com/esp8266/Arduino.git esp8266
cd esp8266\tools
python get.py
  • A Virtual Machine with RADIUS + DHCP servers

Network configuration

VM IP address is 192.168.10.254, AP one is 192.168.10.2.
Both addresses are static and DHCP IP range is 192.168.10.10 to 192.168.10.150 with mask 255.255.255.0.
In the AP web server, I configured the WPA2 Enterprise security to point to the VM IP address with the correct RADIUS port, and I also checked its SSID.

RADIUS configuration

I configured my RADIUS server for the EAP-PEAP MS-CHAPv2 authentication method (in eap.conf), then added the client IP (it's the AP) in clients.conf and added a user in users with login: "user1" and pass: "secret".
Files are at the end of this post.

Arduino code

PS: I did not modify the libwpa2.a file (in esp8266/tools/sdk directory)

/**
 *  Brief:
 *    This program connects to a remote WiFi Access Point with
 * WPA2 Enterprise security
 */
/*******************************************************************/
#include <ESP8266WiFi.h>
/*******************************************************************/
extern "C" {
  #include "user_interface.h"
  #include "wpa2_enterprise.h"
}
/*******************************************************************/
#define SERIAL_BAUD_RATE      57600
#define STARTUP_DELAY_MS      1000
/*******************************************************************/
// SSID to connect to
static const char* ssid = "MY_SSID";
// Username for authentification
static const char* username = "user1";
// Password for authentification
static const char* password = "secret";
/*******************************************************************/
void setup() {
  Serial.begin(SERIAL_BAUD_RATE);
  delay(STARTUP_DELAY_MS);

  // Setting ESP into STATION mode only (no AP mode or dual mode)
  wifi_set_opmode(STATION_MODE);

  struct station_config wifi_config;

  memset(&wifi_config, 0, sizeof(wifi_config));
  strcpy((char*)wifi_config.ssid, ssid);

  wifi_station_set_config(&wifi_config);

  wifi_station_clear_cert_key();
  wifi_station_clear_enterprise_ca_cert();

  wifi_station_set_wpa2_enterprise_auth(1);
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));

  wifi_station_connect();

  // Wait for connection AND IP address from DHCP
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }

  // Now we are connected
  Serial.println("");
  Serial.println("WiFi connected");  
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
}
/*******************************************************************/
void loop() {
  delay(5000);
}
/*******************************************************************/

Wireshark traces

I filtered incoming RADIUS packets on the VM and saved them for different configurations.

  1. ESP8266 working configuration
  2. My Smartphone with login: "user1" and password: "secret"
  3. My Smartphone with login: "user1", password: "secret" and outer identity: "[email protected]"

We can see that first and third RADIUS discussion are very similar.

traces.zip

I also attach my radius configuration files - comments are in french as I got the VM from a french colleague :)

radius.zip

Feel free to follow those steps and tell if it is reproducible.

PS: I also tried a program in which I cleared all data with the certificates, password, new_password and username methods (cf. https://www.espressif.com/sites/default/files/documentation/2c-esp8266_non_os_sdk_api_reference_en.pdf - section 3.14) before setting them and connecting to the AP, but it did not work. Furthermore, I could not tell the difference between the set_password and set_new_password functions. In the SDK guide, one is supposed to be used for EAP-PEAP authentication and the other one for MSCHAPV2. Isn't it the same?

@saichintha : I guess you have got to wrap your include with extern "C". If not working, you may have problems with your SDK2.0 integration.

extern "C" {
  #include "wpa2_enterprise.h"
}

Using the code from @adriencapaine and modifying the libwpa2.a as @ninjabe86 did I managed to make a connection with a network secured with WPA EAP. I used the vi editor to edit the libwpa2.a file.

Hi cbrum11,

It looks like the Arduino IDE is looking for the compiler... but at the
wrong path.

Please, ensure that you really have the compiler in "C:\Program Files
(x86)\Arduino\hardwareesp...\xtensa-lx106-elf-g++".

In my Windows environment, the compiler is also in
"C:\Users\\AppData\Local\Arduino15\packagesesp8266com...".
I have downloaded and installed the SDK2.0 version in that "packages"
folder.

When you open Arduino and download a random Board with "Tools > Board >
Board Manager", check where that "packages" repository is created. If not
in "C:\Program Files (x86)\Arduino\hardware..." then it was created
somewhere else.

I suspect Arduino to look for the Boards in the "packages" repository
instead of the "Arduino" repository as I can see a few JSON files with the
same classification as in the "Board" Tool in the Arduino IDE.

I have the Arduino 1.6.8 portable version.

I hope this will help ;)

On Tue, Mar 21, 2017 at 3:54 AM cbrum11 notifications@github.com wrote:

@ninjabe86 https://github.com/ninjabe86

I have tried diligently to follow your very detailed procedure but have
run into a problem at step 3. When I go to verify the code I get the
following error message via the Arduino IDE.

"Arduino: 1.6.9 (Windows 10), Board: "WeMos D1 R2 & mini, 80 MHz, 921600,
4M (3M SPIFFS)"

exec: "C:\Program Files
(x86)\Arduino\hardwareesp8266comesp8266/tools/xtensa-lx106-elf/bin/xtensa-lx106-elf-g++":
file does not exist Error compiling for board WeMos D1 R2 & mini.

I have read all the subsequent threads I can find on getting WPA2
Enterprise to work and feel like I'm missing something really simple here.
If I go to .../esp8266/tools/sdk/version on my computer, it reads
2.0.0_16_08_09 ... so it appears I did successfully download version 2.0 as
required.

I'm a code novice but obviously it can't find a necessary folder/file
during the verify step. Any assistance from anyone is greatly appreciated.

Thanks,
-Chase


I've been wondering for a long time now, why is there so much rigamarole involved with getting PEAP working? I could understand if it were merely an incomplete implementation from Espressif, or a wrong one, that there would have to be changes made to the source code that is compiled and uploaded. Perhaps some functions and classes in the wifi C++ files would have to be altered, replaced or finished (or you could just substitute the file with a complete version) but I don't understand why editing a (compiled binary?) file with a hex editor is required, or any of the other tricky steps that seem to be throwing people off. Is it possible that we could get to a point where it's just a matter of replacing a directory full of files, or are we bound to wait until Espressif get around to fixing things?

Typically we end up having to resort to editing binaries when we can only
freely acquire the relevant library as a compiled object, and the
distribution licence prohibits distribution of a modified version.
You can do it yourself, but it can't be put into a package because then
it's being distributed. Conceivably a script to automate the process is
acceptable, but licensing isn't my thing :)


@adriencapaine

Thanks so much for the response!

You are absolutely correct that when I download a random board it creates an instance in....

C:\Users\\AppData\Local\Arduino15\packages...

In fact there are also esp8266comesp8266\hardware and tools folders in those directories. But they are all empty?

I will do my best to reinstall the 2.0 SDK to this packages directory and report back with an answer. Thanks again for your help... I certainly would have never known to look there.

So we have the libraries that are compiled and cannot be edited, and they have issues. Will Espressif (or others) eventually fix them? Can we substitute the broken parts (if not the whole library) with parts either written from scratch or equivalents obtained elsewhere? What are the specific issues we're having here with PEAP?

Are there any people who have successfully connected to the eduroam network using EAP-PEAPv0 (EAP-MSCHAPv2)???
I was able to install the SDK2.0 with Arduino 1.6.8 but the code from adriencapaine/ninjabe86 was not working. It was not able to receive an IP. I also edited the libwpa2.a file with my login "..........[email protected]"

I spent a lot of time but it did not work with eduroam. I don't know why.
The anonymous ID for my university has the same length as the one in the libwpa2.a file but it didn't work after the change.
I get a timeout error during connection.
Maybe the ESP cannot connect with Cisco WLAN routers.

Hello,

Has anyone been able to get WPA2 user and pw working with the Sparkfun ESP8266 Shield? A little new at this, but from what I gather the Shield uses different libraries (certainly different commands) than other modules.

Hi everyone,

I was able to connect to my university wifi, however:
my whole setup does not behave stable.
I am constantly sending values via MQTT (lmroy's PubSub) and crashes happen almost every few seconds (and a reconnect only works 20% of the time). If I throttle the throughput maybe it lasts two minutes. When I tether via my phone it works flawlessly. (Wasted a week trying to make it stable, even tried to work with the SDK/native development... Now I appreciate Arduino Core even more).

Of course your mileage may vary, but I wanted to give a word of warning to whoever needs to rely on WPA 2 Enterprise with ESP8266. It might not be reliable.

Maybe ESP32 is the only choice? For my next project I will try to switch

Cheers

What should I do if my e-mail is longer than [email protected]?

Hey,

With my code, I managed to connect to the eduroam network by modifying the libwpa2.a library as mentioned by joostd in a similar issue. The directory is $SDK_2.0.0_DIRECTORY/tools/sdk/lib.

Here is what I have done.

  1. Even though the domain name (after the @) was longer than those 23 hard-coded characters, I rewrote it without the subdomain.
  2. As mentioned by joostd, the value before the @-sign does not matter. Therefore, I completed it using a random combination of my choice to get a 23-long outer identity. And it worked!

My ID was like [email protected] at first and I changed it to [email protected] (with total length = 23)

It seems Eduroam is checking out the outer identity to allow connection on the network. Which may not be the case for Radius-based identification with different configuration.

I guess if your domain name is still longer than 23, you will have to wait for ESP8266 SDK update with methods to change this outer identity.

Note: This has been done for ESP32 chips: in include/esp_wpa2.h file, you can see methods to clear and change the outer identity. Wait for it to be ported on ESP8266 chips ;)

@Grtschnk I'm not too caught-up on the state of things, but I'd actually offer the opposite advice. My impression is that a lot of the ESP32 stuff is less baked than the ESP8266 stuff.

@Matthew-Bradley Fair enough, my ESP32 arrived in the mail only last week, haven't had time to look at it yet.

I have opened a dialog with Espressif to see if we can have support added to the SDK to change the outer (anonymous) identity. It was clearly added to the ESP32 SDK, so should be trivial to port the simple change over to the ESP8266 SDK.

I have also requested if they will provide the source for these libraries freeing us from the binary blobs, which has been answered with "I will check it and give a response later", so a tinge of hope there.

It should also be noted that the ESP8266 at this time does not support radius certificates signed with > SHA256. Even if you opt not to verify the server's cert by not specifying the root CA, it will still fail on these certificates. This took two days to track down since the SDK does not provide a meaningful error when this occurs.

After all this I managed to successfully get EAP-PEAP with MSCHAPv2 authentication working on the v2.0.0 of the SDK. My radius (freeradius) server is configured to route unknown domains to the local domain, so the outer identity doesn't matter on my network.

Looks like Espressif have ported those changes to the Github copy of the current master of NONOS_SDK.

Pulled a copy of the arduino-esp8266 2.4.0-rc1 pre-release code into the arduino IDE and then replaced the libwpa2.a and wpa2_enterprise.h files from the latest files on github. Managed to get the esp8266 to connect to a 802.1x secured SSID off a Cisco WLC. Stability doesn't seem to be there at the moment however. Things work for a short period before I start seeing decrypt errors reported on the WLC and the ESP fails to connect to the web server.

There is a new API called "wifi_station_set_enterprise_identity" in the latest ESP8266_NONOS_SDK wpa2_enterprise.h. But I don't know how to integrate it to the esp8266 Arduino core.

I installed the latest sdk into arduino using preferences->additional boards manager->https://github.com/esp8266/Arduino/releases/download/2.4.0-rc1/package_esp8266com_index.json

The wpa2-enterprise.h file is now available and the following code compiles (so long as I use extern "C"), but it does not find the eduroam (wpa2-enterprise) network at my University. Hopefully I am getting closer to a solution but assistance would be gratefully received...

#include <ESP8266WiFi.h>

extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}

// SSID to connect to
static const char* ssid = "eduroam";
// Username for authentication
static const char* username = "[email protected]";
// Password for authentication
static const char* password = "eduroampassword";

void setup() {
  // put your setup code here, to run once:
  Serial.begin(115200);

  // Setting ESP into STATION mode only (no AP mode or dual mode)
  wifi_set_opmode(STATION_MODE);

  struct station_config wifi_config;

  // Only the SSID is set; the pre-shared key field stays empty
  memset(&wifi_config, 0, sizeof(wifi_config));
  strcpy((char*)wifi_config.ssid, ssid);

  wifi_station_set_config(&wifi_config);

  // No client certificate and no CA certificate are configured
  wifi_station_clear_cert_key();
  wifi_station_clear_enterprise_ca_cert();

  // Enable WPA2-Enterprise and pass the credentials as byte pointers
  wifi_station_set_wpa2_enterprise_auth(1);
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));

  wifi_station_connect();

  // Wait for connection AND IP address from DHCP
  Serial.println();
  Serial.println("Waiting for connection and IP Address from DHCP");
  while (WiFi.status() != WL_CONNECTED) {
    delay(2000);
    Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
}

void loop() {
  // put your main code here, to run repeatedly:

}

Don't you need to set the outer identity also? With
wifi_station_set_enterprise_identity


@anwarbashir: It looks like you have correctly installed the right SDK version as your code does compile.
There could be 2 problems that you are facing:

  1. You are not in range of Eduroam AP
  2. The outer identity of the WPA2-Enterprise mechanism has not been changed

For the first point, you can run the WiFiScan example (in File > Examples > ESP8266WiFi) and check that the "Eduroam" SSID is seen by your mote.

For the second point, you can try (if the method exists in the SDK that you downloaded) to apply the remark from @JimmyTai (and @victorclaessen). I.e. using the method wifi_station_set_enterprise_identity().
Otherwise you can change the outer identity in the libwpa2.a file in $(SDK_DIR)/tools/sdk/lib using a text editor.
Look for the pattern "[email protected]" and replace it with a 23-long identity. The only constraint is that the domain must match your University domain for the identity to be accepted by Eduroam authentication server. You can try with something like "[email protected]" with len = 23!

Please, tell us if this solution does not work... Or if it does work ;)
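
The same-length replacement described above, as an added example that is not part of the original post or of the project's code. The search string `placeholder@example.org`, the realm `uni.example` and all function names are constructed for illustration; the real 23-byte string has to be read from your own copy of libwpa2.a.

```python
"""Same-length patch of a fixed-width identity string inside a binary library."""
import shutil
from pathlib import Path

FIELD_LEN = 23  # width of the hard-coded outer identity, as stated in the thread


def build_outer_identity(realm, width=FIELD_LEN, fill="x"):
    """Return b'<filler>@<realm>' that is exactly `width` bytes long.

    Only the realm has to match the institution; the local part is filler.
    """
    realm_b = realm.encode("ascii")
    if not realm_b or b"@" in realm_b:
        raise ValueError("realm must be a bare domain such as 'uni.example'")
    if len(fill) != 1:
        raise ValueError("fill must be a single character")
    local_len = width - 1 - len(realm_b)  # bytes left for the local part
    if local_len < 1:
        raise ValueError(
            f"realm is {len(realm_b)} bytes, at most {width - 2} fit in the field"
        )
    return fill.encode("ascii") * local_len + b"@" + realm_b


def find_offsets(blob, needle):
    """Return every offset at which `needle` occurs in `blob`."""
    offsets, start = [], 0
    while (pos := blob.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + len(needle)
    return offsets


def patch_identity(blob, old, new):
    """Overwrite each occurrence of `old` with `new`; return (patched, offsets).

    Equal lengths are enforced so that no byte after the string moves: the
    archive's member sizes and every later offset stay valid.
    """
    if len(old) != len(new):
        raise ValueError(f"length mismatch: {len(old)} != {len(new)}")
    offsets = find_offsets(blob, old)
    if not offsets:
        raise ValueError("pattern not found; is this the expected library build?")
    patched = bytearray(blob)
    for pos in offsets:
        patched[pos:pos + len(old)] = new
    return bytes(patched), offsets


def patch_file(path, old, new):
    """Patch `path` in place, keeping the untouched original as '<name>.orig'."""
    path = Path(path)
    backup = path.with_name(path.name + ".orig")
    patched, offsets = patch_identity(path.read_bytes(), old, new)
    if not backup.exists():  # never overwrite an earlier pristine copy
        shutil.copy2(path, backup)
    path.write_bytes(patched)
    return offsets


if __name__ == "__main__":
    # Constructed stand-in for the library contents (not real libwpa2.a bytes).
    OLD = b"placeholder@example.org"
    blob = b"\x00\x01hdr" + OLD + b"\x00tail"
    new = build_outer_identity("uni.example")
    patched, offsets = patch_identity(blob, OLD, new)
    print(new, offsets, len(patched) == len(blob))
```

A realm longer than 21 bytes is rejected up front, which is the case the thread says cannot be solved by editing the file.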

Hey! I'm not very familiar with esp8266 but I really need this to work! I'm using this code:

#include <ESP8266WiFi.h>

extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}

#define SERIAL_BAUD_RATE 57600
#define STARTUP_DELAY_MS 1000

static const char* ssid = "network";
static const char* username = "user";
static const char* password = "pass";

void setup() {
  Serial.begin(SERIAL_BAUD_RATE);
  delay(STARTUP_DELAY_MS);

  // Station mode only (no AP mode or dual mode)
  wifi_set_opmode(STATION_MODE);

  struct station_config wifi_config;

  // Only the SSID is set; the pre-shared key field stays empty
  memset(&wifi_config, 0, sizeof(wifi_config));
  strcpy((char*)wifi_config.ssid, ssid);

  wifi_station_set_config(&wifi_config);

  // No client certificate and no CA certificate are configured
  wifi_station_clear_cert_key();
  wifi_station_clear_enterprise_ca_cert();

  // Enable WPA2-Enterprise and pass the credentials as byte pointers
  wifi_station_set_wpa2_enterprise_auth(1);
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));

  wifi_station_connect();

  // Wait for connection AND IP address from DHCP
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }

  // Now we are connected
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
}

void loop() {
  delay(5000);
}

No compiler errors. But it outputs:

ets Jan 8 2013,rst cause:4, boot mode:(3,6)

wdt reset load 0x4010f000, len 1384, room 16 tail 8 chksum 0x2d csum 0x2d vf6d232f1 ~ld

I don't know how to use wifi_station_set_enterprise_identity() or how to find libwpa2.a. Can someone help me?

Did you read the whole thread?
Which ESP do you use?
Which version of the ESP-library do you use?
Provide some more input.
Which version is your IDE?
Describe the settings.

I have the 2.0 sdk installed and running okay. I now have access to the libwpa2.a file. I have a node mcu v1 (esp8266). I have done everything as igrr described to update the sdk. When I run the code it outputs that weird stuff.

You did not answer all of my questions. So how can I help?
Do not expect me to spend more time on answering than you spend on describing your problem.
For example: I am using Arduino IDE 1.8.2 and have installed ESP8266 library 2.4.0-rc1 which uses SDK 2.1

Oops, Error: 2.4.0-rc1 is based on SDK2.0

I'm sorry. I'm using the IDE 1.8.3 with the 2.0 sdk as igrr described. I'm using the latest version I just cloned from github.

These instructions:

uninstall ESP core using boards manager
install git version of the core using the following instructions: https://github.com/esp8266/Arduino#using-git-version
when doing git clone in these instructions, add -b update_sdk_2.0.0 parameter after git clone to check out the branch with SDK 2.0.0

The code I sent above compiles with no errors and sends to board. But no IP assigned, just those errors I sent in output.

Ok, you don't want to answer all my questions (settings).
So I can only guess that you did not configure the size of Flash and SPIFFS correctly.
The output comes from the watchdog, your ESP does not start

I have run other programs on the mcu like the wifi scan and custom programs. I only get this error running this sketch. How can I solve it? What config are you using in order to get this working?

So close and yet so far

This is what I did to get a working development environment:

  • I took a fresh Debian 9 x64 VM
  • I installed Arduino 1.8.3
  • In Arduino's package manager I added this repository
    https://github.com/esp8266/Arduino/releases/download/2.4.0-rc1/package_esp8266com_index.json
  • I installed the 2.4.0-rc1 version of the esp8266 library
  • The 2.4.0-rc1 version of wpa2_enterprise.h does not yet contain the function wifi_station_set_enterprise_identity so I replaced ~/.arduino15/packages/esp8266/hardware/esp8266/2.4.0-rc1/tools/sdk/include/wpa2_enterprise.h with this newer file
    https://github.com/espressif/ESP8266_NONOS_SDK/blob/master/include/wpa2_enterprise.h

Now I think that the binary library ~/.arduino15/packages/esp8266/hardware/esp8266/2.4.0-rc1/tools/sdk/lib/libwpa2.a also has to be replaced with a newer version that contains the wifi_station_set_enterprise_identity function. So I replaced that file with the version from the Espressif SDK https://github.com/espressif/ESP8266_NONOS_SDK/blob/master/lib/libwpa2.a.

I then tried to compile the following code:

#include <ESP8266WiFi.h>

extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}

// SSID to connect to
static const char* ssid = "eduroam";
// Username for authentification
static const char* username = "myusername@myinstitution";
// Password for authentication
static const char* password = "mypassword";

void setup() {
  // put your setup code here, to run once:
  Serial.begin(115200);

  // Setting ESP into STATION mode only (no AP mode or dual mode)
  wifi_set_opmode(STATION_MODE);

  struct station_config wifi_config;

  memset(&wifi_config, 0, sizeof(wifi_config));
  strcpy((char*)wifi_config.ssid, ssid);

  wifi_station_set_config(&wifi_config);

  wifi_station_clear_cert_key();
  wifi_station_clear_enterprise_ca_cert();

  wifi_station_set_wpa2_enterprise_auth(1);
  wifi_station_set_enterprise_identity((uint8*)username, strlen(username));
  wifi_station_set_enterprise_username((uint8*)username, strlen(username));
  wifi_station_set_enterprise_password((uint8*)password, strlen(password));

  wifi_station_connect();

  // Wait for connection AND IP address from DHCP
  Serial.println();
  Serial.println("Waiting for connection and IP Address from DHCP");
  while (WiFi.status() != WL_CONNECTED) {
    delay(2000);
    Serial.print(".");
  }
  Serial.println("");
  Serial.println("WiFi connected");
  Serial.println("IP address: ");
  Serial.println(WiFi.localIP());
}

void loop() {
// put your main code here, to run repeatedly:

}

However, that code will not successfully build. The error I get is:

Archiving built core (caching) in: /tmp/arduino_cache_860640/core/core_esp8266_esp8266_nodemcuv2_CpuFrequency_80,UploadSpeed_115200,FlashSize_4M3M_70544e7f532728ad0288ae42554980f0.a
/root/.arduino15/packages/esp8266/tools/xtensa-lx106-elf-gcc/1.20.0-26-gb404fb9-2/bin/../lib/gcc/xtensa-lx106-elf/4.8.2/../../../../xtensa-lx106-elf/bin/ld: eduroam.ino.elf section `.text' will not fit in region `iram1_0_seg'
collect2: error: ld returned 1 exit status
exit status 1
Error compiling for board NodeMCU 1.0 (ESP-12E Module).

So apparently, the sketch is now too big to fit. (That doesn't seem that likely for a 4M module, especially since all that is added is an extra function to set the outer identity, right?)
Well ok, two things I noticed:

  1. The newer libwpa2.a file (from the Espressif SDK github) is larger (475K) than the arduino version (362K).
  2. The readme.md file https://github.com/espressif/ESP8266_NONOS_SDK/blob/master/lib/readme.md discusses reducing the size of the .text section in rom code.

So I am wondering if the Arduino version of libwpa2.a has had a similar treatment in order to reduce its size. I tried searching the web on this topic but could not find anything that forced a breakthrough.

Stuck at this point. So close and yet so far. Ideas anyone?

Did you try to install the sdk as igrr described?

I think we can't just change the files as you did. I'm using the Node mcu as you are. Try my setup to see what happens. Your setup here gives me your error too. Do you have a windows computer?

Did you try to install the sdk as igrr described?

I did not. But I don't see how that will help, because the libwpa2.a file https://github.com/esp8266/Arduino/blob/update_sdk_2.1.0/tools/sdk/lib/libwpa2.a that (I think) contains the actual wpa2 code in the arduino-version of the sdk is dated May 23rd, and the addition of the function wifi_station_set_enterprise_identity was done mid-June ("26 days ago", according to https://github.com/espressif/ESP8266_NONOS_SDK/commit/10138bdc0e37e4c364401de70e9ac402a1c3de55#diff-d0d411302a1b5498a06ca69c81780b62.)
So the new code would not have made it into that arduino-version of the sdk.

Do you have a windows computer?

I do. At first I was unable to produce a working build environment, but in the meantime I have managed. However, I get the exact same error now on windows.

Have you tried ninjabe86's setup? I'm trying his.

" Hi @jtuttas

I got my esp8266 connected to the eduroam network which uses (AFAIK) PEAP MSCHAPv2.
It is sending data to a thingspeak graph and works well.

To do this you will need to

Follow @igrr instructions on how to install the update sdk 2.0 version into your arduino folder.

Go to the #2595 comment thread and copy the code at the top into a sketch. Be sure you make the changes to the code as @pepe79 has pointed out.

Compile the code to ensure it works.

Edit the binary file libwpa2.a using a binary editor. hex edit for windows or bless for linux works well.
When editing the binary file, you are looking for the string with "[email protected]"
Once you find that string in your binary editor window, you must edit it to match your username for the network. NOTE: If you edit the file be sure to fill any remaining space with "."s to ensure the file stays the same size.
example
"[email protected]"
becomes

".....[email protected]...... "

you need to pad out the spaces left. in this case "anonymous" is 9 letters and "your" is 4, therefore you need 5 dots to make up the difference and stop the binary file becoming corrupted.

Once you have edited and saved the binary file you can now compile and upload your code to the esp8266 and it should work. Below is the code I used to get my readings from a pot and upload to things speak (my credentials have obviously been removed)

#include <Arduino.h>
#include <ESP8266WiFi.h>
#ifdef ESP8266
extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}
#endif

static u8 ent_username[] = "yourusername"; // same as the modification to libwpa2.a file
static u8 ent_password[] = "your password";
const char* host = "api.thingspeak.com";

void setup(){
pinMode(LED_BUILTIN, OUTPUT);
char a[100];
ip_info info;
wifi_get_ip_info(0, &info);

Serial.begin(115200);

wifi_station_disconnect();
wifi_set_opmode(STATION_MODE);

char ssid[32] = "yourssid";
char password[64] = {0x00};
struct station_config stationConf;
stationConf.bssid_set = 0; //need not check MAC address of AP
memcpy(&stationConf.ssid, ssid, 32);
memcpy(&stationConf.password, password, 64);

if(!wifi_station_set_config(&stationConf)){
Serial.print("\r\nset config fail\r\n");
}

// switch to WPA2 Enterprise
wifi_station_set_wpa2_enterprise_auth(1);

// the setters take a byte pointer plus the string length
if(wifi_station_set_enterprise_username (ent_username, strlen((char*)ent_username))){
Serial.print("\r\nusername set fail\r\n");
}
if(wifi_station_set_enterprise_password (ent_password, strlen((char*)ent_password))){
Serial.print("\r\npassword set fail\r\n");
}

if(!wifi_station_connect()){
Serial.print("\r\nconnect fail\r\n");
}

Serial.print("\r\ntrying to connect...");

while(info.ip.addr == 0){
ESP.wdtFeed();
Serial.print(".");
delay(1000);
wifi_get_ip_info(0, &info);
}

sprintf(a, "%"PRIu32,info.ip.addr);
Serial.print("\r\nip addr: ");
Serial.print(a);
Serial.print("\r\n");
}

void loop()
{
WiFiClient client;
const int httpPort = 80;

if (!client.connect(host, httpPort)) {
Serial.println("connection failed");
return;
}
else
{
Serial.println("connected !");
}

//client.print("GET /update?key=82RS9VJ7YHQGMWT1&field1=1000\n");

char buffer[200];
int adcValue = analogRead(A0);
Serial.println(adcValue);
sprintf(buffer, "GET /update?key=IYFDMJ5JMSCC8NP4&field1=%d\n", adcValue);
client.print(buffer);

while (client.available()) {
String line = client.readStringUntil('\r');
Serial.print(line);
}

client.stop();
Serial.println("closing connection");
digitalWrite(LED_BUILTIN, LOW); // Drive the LED pin LOW
delay(2000);
digitalWrite(LED_BUILTIN, HIGH); // Drive the LED pin HIGH
delay(2000);

delay(60000);
}
I hope this helps you or anyone else who was trying to get it connected.

This is my first ever post on Github so apologies if I have not followed certain conventions on this forum/thread in terms of posting/referencing

cheers

ninjabe86 :) "

I did not try that. Don't get me wrong: that's a really cool hack to get things going, but I think what we really need is to find a way to use the wifi_station_set_enterprise_identity function. Also, my identity does not fit the 23 character limit :-S

Hey everyone,
I'm very new to Arduino and ESP8266. I'm trying to connect my NodeMCU to my company wifi which is protected with an enterprise wpa2. If I connect with my iPhone e.g. I do not have to enter something like [email protected], only username and password.

Is this possible with the NodeMCU, too? If yes, how can I do this?

Thanks!

EDIT: I found out that our company wifi is working with GTC and that MSChap is not working. Any chance to get the NodeMCU working with this?

Sorry to disturb such a good git request. My last request was back in 2015.
So, still the same issue. I saw some results already on the ESP32 (->Joost). That will solve my issue (I don't care about the 2 extra dollars and just switch to other hardware). Can someone point me to a simple (Arduino environment) example that will do the job? Again, sorry for posting this in the wrong (8266) but strong git area.

@victorclaessen how do I know my identity? I think that's what I'm missing.

@bospre can you help me with the config?

@JeroenBeemster From what I read it's way easier on the esp32. Check this: https://github.com/espressif/esp-idf/tree/master/examples/wifi/wpa2_enterprise

Thanks Andre, I tried that one (in Arduino environment) solved the compile errors Debugged a little bit. Removed some code et cetera. But the combination of an unknown area with "Ziggo"-enterprise network and a lack of understanding of events/tasks/nested structures makes it for me out of my leap (/time).... Still Stuck.

I can't test it myself since I don't own an esp32. I'm afraid I don't have any knowledge to help you further. I am stuck too with the 8266. We need to wait for the esp experts to come here.

@Bart1909 I don't have one either. I am trying to get one from the IT department. I think it is related to your domain.

@andre123aei In all likelihood, your outer identity is equal to your username (or to username@yourdomain). It's just used to let the authentication server know which domain will do the actual authentication (and/or to hide your identity from prying eyes). See explanation here for instance.

Sometimes when I am having problems with compiling, I set SPIFFS to 1 MB instead of 3 MB. For me that worked sometimes.
BTW editing libwpa2.a did not work for me. Also creating a user "[email protected]" in the configuration of my RADIUS server did not work. So I think the outer identity has to be set.

I don't have that option in my node mcu. @bospre How do I solve my

The output comes from the watchdog, your ESP does not start

I have succeeded on ESP32. (wow... that was easy). Good luck you guys for ESP8266. I will move over to the new hardware
Code can be found here: https://github.com/JeroenBeemster/ESP32-WPA2-enterprise/

I guess we'll have to wait for the update...

The watchdog is no option...

@igrr Would you be able to comment on what has to be done to replace the 2.4.0-rc1 libwpa2.a
~/.arduino15/packages/esp8266/hardware/esp8266/2.4.0-rc1/tools/sdk/lib/libwpa2.a
with the version from the Espressif SDK https://github.com/espressif/ESP8266_NONOS_SDK/blob/master/lib/libwpa2.a?
I'm not sure what to change so that this newer library can be used, but I'd like to, since it contains the wifi_station_set_enterprise_identity function. Or is the NONOS_SDK version incompatible with Arduino?

Ok, I got some help from @igrr and now I can compile the code with the wifi_station_set_enterprise_identity function. Apparently one way to do it is this:
(on Windows:)

  • install Arduino
  • install Python 2.7.13
  • open command prompt with admin rights, and execute the following commands:
  • cd "\Program Files (x86)\Arduino\hardware\"
  • mkdir esp8266com
  • cd esp8266com
  • git clone https://github.com/esp8266/Arduino.git esp8266
  • cd esp8266/tools
  • python get.py
  • cd ..
  • git checkout update_sdk_2.1.0

then, overwrite
C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\tools\sdk\lib\libwpa2.a
with
https://github.com/espressif/ESP8266_NONOS_SDK/blob/10138bdc0e37e4c364401de70e9ac402a1c3de55/lib/libwpa2.a
and overwrite C:\Program Files (x86)\Arduino\hardware\esp8266com\esp8266\tools\sdk\include\wpa2_enterprise.h with https://github.com/espressif/ESP8266_NONOS_SDK/blob/10138bdc0e37e4c364401de70e9ac402a1c3de55/include/wpa2_enterprise.h

Then, I loaded the code from above, and that compiled (for me) using the NodeMCU 0.9 board setting, and it runs on my Witty Cloud board. Hope that helps anyone.

I actually had to add another line to the arduino code to set the password for the mschapv2 authentication: wifi_station_set_enterprise_new_password((uint8*)password, strlen(password));
And also, I had to set default_eap_type = mschapv2 in the eap-section of my freeradius server. But now I get authenticated and I get an IP address.
Apparently, the ESPs are not very clear on which authentication mechanism they want to use. The ESP32 also had this problem I believe.

(freeradius debug log before setting default_eap_type to mschapv2):

Found Auth-Type = EAP
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
++[eap] = invalid

Ok, so on the wifi network at my work (eduroam), I have no control over the radius server, and the ESP does not get authenticated. I believe that this is because of the problem from my post directly above.

Hi, I have successfully connected to wpa2-enterprise with the "victorclaessen" tutorial.

But the esp8266 is very unstable when sending requests to my API. Please help me.

My code to connect to wifi:

#include <ESP8266HTTPClient.h>
#include <ESP8266WiFi.h>

extern "C" {
#include "user_interface.h"
#include "wpa2_enterprise.h"
}

static const char* ssid = "XXXXXXXX";
static const char* username = "XXXXXXXXXXX";
static const char* password = "XXXXXXX";

HTTPClient http;

void setup() {

  Serial.begin(115200);

  if (WiFi.status() != WL_CONNECTED)
  {    
    wifi_set_opmode(STATION_MODE);

    struct station_config wifi_config;

    memset(&wifi_config, 0, sizeof(wifi_config));
    strcpy((char*)wifi_config.ssid, ssid);

    wifi_station_set_config(&wifi_config);

    wifi_station_clear_cert_key();
    wifi_station_clear_enterprise_ca_cert();

    wifi_station_set_wpa2_enterprise_auth(1);
    wifi_station_set_enterprise_identity((uint8*)username, strlen(username));
    wifi_station_set_enterprise_username((uint8*)username, strlen(username));
    wifi_station_set_enterprise_password((uint8*)password, strlen(password));

    wifi_station_connect(); 

    unsigned long startTime = millis();
    while (WiFi.status() != WL_CONNECTED && millis() - startTime < 10000)
    {
      Serial.write('.');
      delay(500);
    }

    if (WiFi.status() != WL_CONNECTED)
      ESP.restart();

    Serial.println("IP address: ");
    Serial.println(WiFi.localIP());
  } 
}

void loop() {
  String postData = "{\"Device\": \"5C:CF:7F:A2:E5:1B\", \"Token\": \"a5c6c7f3-e8bb-4f22-b6d6-9750e802c2ba\", \"Presenca\":0, \"Luminosidade\":0, \"Humidade\":0, \"Temp\":0}";     
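  // One extra byte for the NUL: toCharArray() copies at most (size - 1) characters,
  // so a buffer of exactly length() bytes drops the closing '}' of the JSON body.
  char payload[postData.length() + 1];
  postData.toCharArray(payload, postData.length() + 1);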

  if (http.begin("XXXXXXXXXXXXXX",80,"XXXXXXXXXXX"))  {
    Serial.println("connected");

    http.addHeader("Content-Type", "application/json");

    Serial.println(http.POST((uint8_t *)payload,strlen(payload)));

    http.end();
  }else{
    Serial.println("Failed");
  }    
  delay(3000);
}

Some requests are OK, but others generate an exception (28)

....................IP address: 
10.206.16.92
connected
200
connected

Exception (28):
epc1=0x40219532 epc2=0x00000000 epc3=0x00000000 excvaddr=0x00d00284 depc=0x00000000

ctx: sys 
sp: 3ffffd90 end: 3fffffb0 offset: 01a0

>>>stack>>>
3fffff30:  40215fa5 3ffea654 3fff1d24 00000000  
3fffff40:  3fff2f0c 4022040b 3ffeb734 3ffeb740  
3fffff50:  3ffeb740 000000fd 00000000 00000026  
3fffff60:  00000002 00000018 40214a6b 3ffee238  
3fffff70:  3ffeb734 3fffdcc0 3ffea940 3ffea940  
3fffff80:  00000000 3ffee238 00000000 3fff2144  
3fffff90:  40214337 3fffdab0 00000000 40229fb7  
3fffffa0:  3ffea940 40000f49 3fffdab0 40000f49  
<<<stack<<<

 ets Jan  8 2013,rst cause:2, boot mode:(1,6)


 ets Jan  8 2013,rst cause:4, boot mode:(1,6)

wdt reset

I tried WiFiClient and ESP8266HTTPClient, but I don't know where I went wrong.

Thank you.

I tried using that code from @terossigames and it is not connecting to my radius server. I'm getting it just looping this:

ets Jan 8 2013,rst cause:2, boot mode:(3,6)

load 0x4010f000, len 1384, room 16
tail 8
chksum 0x2d
csum 0x2d
vf6d232f1
~ld
................
....

I am trying to connect to a freeradius server with all the default settings and I'm getting the following logs:

rad_recv: Access-Request packet from host 192.168.0.1:49862, id=219, length=171
User-Name = "testuser"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "50-C7-BF-28-FC-6A:TP-LINK_FC6A"
Calling-Station-Id = "60-01-94-2B-6A-D2"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020300061a03
State = 0xa8a459381c1c7ec9ba9a4578d5008f15
Message-Authenticator = 0xfd3bd7171f0c298f9f7899cae27bd30a
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1041
modcall[authorize]: module "preprocess" returns ok for request 1041
radius_xlat: '../var/log/radius/radacct/192.168.0.1/auth-detail-20171002.log'
rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/192.168.0.1/auth-detail-20171002.log
modcall[authorize]: module "auth_log" returns ok for request 1041
modcall[authorize]: module "chap" returns noop for request 1041
modcall[authorize]: module "mschap" returns noop for request 1041
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1041
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1041
users: Matched entry testuser at line 83
modcall[authorize]: module "files" returns ok for request 1041
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 1041
modcall: leaving group authorize (returns updated) for request 1041
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1041
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 1041
modcall: leaving group authenticate (returns ok) for request 1041
Login OK: [testuser/] (from client private-network-1 port 0 cli 60-01-94-2B-6A-D2)
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 1041
radius_xlat: '../var/log/radius/radacct/192.168.0.1/reply-detail-20171002.log'
rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d.log expands to ../var/log/radius/radacct/192.168.0.1/reply-detail-20171002.log
modcall[post-auth]: module "reply_log" returns ok for request 1041
modcall: leaving group post-auth (returns ok) for request 1041
Sending Access-Accept of id 219 to 192.168.0.1 port 49862
EAP-Message = 0x03030004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser"
Finished request 1041
Going to the next request

I can't find any problems in this, but it just isn't connecting.
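The EAP-Message attributes in a FreeRADIUS debug log like the one above can be decoded by hand to see which EAP method was actually negotiated. The following is an added example, not code from the thread or from FreeRADIUS: the first two sample values are taken from the log above, the third is a constructed Nak carrying type 0, and the function names are hypothetical.

```python
import struct

# Codes and method numbers from RFC 3748 and the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "MSCHAPv2", 52: "EAP-pwd"}


def decode_eap(hex_value):
    """Decode one unfragmented 'EAP-Message = 0x...' value from a RADIUS log."""
    text = hex_value.strip()
    raw = bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field says {length}, got {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"code {code}"), "id": ident}
    if code in (1, 2):  # only Request and Response carry a type octet
        if length < 5:
            raise ValueError("Request/Response without a type octet")
        pkt["type"] = EAP_TYPES.get(raw[4], f"type {raw[4]}")
        if raw[4] == 3:
            # Legacy Nak: one octet per method the peer would accept instead;
            # a single 0 means the peer proposes no alternative at all.
            pkt["wanted"] = [EAP_TYPES.get(t, f"type {t}") for t in raw[5:] if t]
        else:
            pkt["data"] = raw[5:].hex()
    return pkt


def explain(pkt):
    """One-line reading of a decoded packet for log triage."""
    if pkt.get("type") == "Nak":
        if pkt["wanted"]:
            return "peer refused the offered method, wants: " + ", ".join(pkt["wanted"])
        return "peer refused the offered method and proposed no alternative"
    if "type" in pkt:
        return f"{pkt['code']} id={pkt['id']} method={pkt['type']} data={pkt['data']}"
    return f"{pkt['code']} id={pkt['id']}"


# The first two values are the EAP-Message attributes in the log above; the
# third is constructed here to show a Nak that carries type 0.
SAMPLES = ["0x020300061a03", "0x03030004", "0x020100060300"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", explain(decode_eap(value)))
```

A Nak that proposes no alternative leaves the server nothing to fall back to, which fits the observation in this thread that only the server's default_eap_type gets used.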

Hi,

I tried many, many things. The last one is from this comment: "victorclaessen commented on Jul 11 @"
We have WPA2 enterprise but without password and username. The program hangs in Waiting for connection and IP Address from DHCP.

Please, any ideas?

with best regards, jiri

I tried it yesterday with the hints from @victorclaessen but I couldn't connect to the eduroam network at my university. We are using MSCHAPV2. I replaced the anonymous identity, because the username and the identity are not the same. And I replaced the password function with the new_password function. But it didn't work. Has anyone tried to connect to eduroam?

Latest git is on sdk 2.1.0, which is supposed to have an added api to set the identity.

There is a bug in the firmware. If I remember correctly, the client (ESP-firmware) does not make a valid selection from the authentication methods that the RADIUS server offers. I reported the bug to Espressif a while ago at http://bbs.espressif.com/viewtopic.php?f=66&t=5962, but to my knowledge they have not released a fix yet.
That's why it doesn't work with eduroam (at least not at my institution).

Thanks @victorclaessen for this information. So I will wait for the bug fix.

@victorclaessen I am also looking into the authentication mode selection bug in the EAP firmware as well because it is crucial for a side-project I am working on and I may have a lead. Here, the issue you referenced in your ESP8266 forum post, @TimXia mentioned that the bug may have been fixed for the ESP32's firmware. If you have the know-how to sift through the esp-idf change log around his post, and can narrow down where the bug was supposedly patched, it could be possible that we could manually port the patch over to the ESP8266's firmware.

Hi @gofex, good idea but won't work (as far as I understand it). Espressif releases some parts of their code as binary blobs, including the wireless library. Those are the .a files you see (like libwpa2.a that contains the code for wpa2 authentication). So, that bugfix in ESP32 firmware was published as binary code in a library for ESP32 that isn't compatible with the ESP8266. Therefore it is impossible for us to port that to the ESP8266. Only Espressif can do it, from their source code.

//speculation mode on

I think it may actually not be a lot of work, as they could supposedly just copy it from the ESP32 code base where they already fixed it. But apparently it's not a priority for them. It seems they are focusing more on developing their ESP32 platform.

//speculation mode off

I couldn't find any igrr instructions on how to install the update sdk 2.0 version into your arduino folder... Please help, I'm trying to connect ESP8266 to eduroam

@unclewen you don't need to include it any more; you could use the pre-release https://github.com/esp8266/Arduino/releases/tag/2.4.0-rc2

I tried 2.4.0-rc, but it looks like WPA2 enterprise doesn't work. Did I make a mistake?

@svatos-jirka WPA2 enterprise doesn't work is a very broad statement. Which authentication method are you trying to use (PEAP, TLS, etc.)? What code are you using and what types of errors are you getting? Also, do note the previous comment by @victorclaessen where we were talking about a bug in the firmware with WPA2 auth selection which I hope they fix soon.

@ninjabe86 and @victorclaessen As the code you mentioned, you directly upload programs to ESP8266 and treat it like Arduino. Is there a way to talk to ESP8266 via Arduino? (Arduino controls ESP8266 to connect to eduroam?)

Hi,

I am not sure, if my answer is correct. It is wpa2-enterprise AES, network
authentication Microsoft: smart card or other certificates ... so I should
also somehow download certificate from PKI card? or ask for certificate or
IT department. But, How should I upload certificate to esp8266?

with best regards, jiri


Hey, I've been watching this topic for a long time now... I also want to use WPA2 Enterprise, but in my case, I want to use EAP-PWD. The problem with MSCHAPv2 is that it is actually very insecure if not used right. And as far as I can tell from the conversations above, no one is using it correctly.
If you don't actually check that the RADIUS server's certificate is issued by a trusted CA and also check that the certificate is issued for the RADIUS server you want to connect to, you will actually leak your credentials to any fake access point that pretends to be one of your organisation's... This is a huge problem with eduroam because most mainstream clients allow insecure configurations, too.
However, I haven't found any hints of an EAP-PWD implementation or good secure MSCHAPv2/TTLS examples. Is this still a topic for Espressif, or might this never be usable?

@xsrf that is a question best asked directly to Espressif.

I'm afraid Espressif may not have any interest left in this topic, since
they have stopped responding completely to any of my contact attempts.


To reiterate what others have stated, the ESP8266 has an authentication type selection bug. In my case, using a freeradius server, the mode set as default_eap_type is the only type that ESP8266 will try to communicate with. I was able to authenticate with default_eap_type set to ttls, peap, or tls, and not able to authenticate with the nominal default_eap_type of md5. Totally different from the eapol_test program that exists in the Linux wpa_supplicant source package. Although tls worked well enough to authenticate, I found that my ESP8266 software crashed always about one minute after authentication succeeded. ttls and peap had no problems.

Is there a GitHub issue which tracks this bug? This issue here is closed. I don't think they will respond here.

I don't think so. Might be worth a shot. Feel free to link to this post on their own message board:
http://bbs.espressif.com/viewtopic.php?p=18595&sid=e8e14cd6f97ee908d96ca75d0d47edd8#p15165

@fti7 no, since it's an issue with the underlying SDK of Espressif, not with ESP8266 core for Arduino. There's also a post on Espressif's forum for EAP+PWD: https://bbs.espressif.com/viewtopic.php?f=7&t=8802

@xsrf. That is, of course, very true and a really good point. But at this stage, what other options do we have to get this issue some more attention?

I don't know :( But I lost all hope espressif will ever address this issue. Maybe someone is actually implementing WPA2-Enterprise without the help of the SDK... I don't see other options.

Hello there, some working sketch for WPA2 EAP OR PEAP?

Hi there, is there any working sketch for Arduino for WPA2 EAP for the current version : SDK:2.2.1(cfd48f3)/Core:2.4.1/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1)
I have been trying to connect my huzzah esp8266 to my school network for my project but still not successful.

It seems some people were able to make it work, does anyone have a working sketch yet? I'm trying to connect my NodeMCU to a WPA2-Enterprise hotspot and it doesn't work using wifi_station_set_config etc.

It seems to depend on authentication protocol. It may work when using MSCHAPv2 but not PAP.
You should try first espressif's native SDK with their example.
I've made a repo to ease trying https://github.com/d-a-v/esp8266-nonos-easy-sdk
I still have no time to pursue, but I will at some point.
Best would be to setup a local (linux+hostapd) access point with WPA2+TTLS+MSCHAPv2 and test with SDKv3. Next step would be to setup a WPA2+TTLS+PAP and try it out too. With this feedback, open a new detailed issue with all the details on nonos-sdk repo.
There is already an open issue there, which is quite polluted. A nice and concise new issue with SDKv3 example and possibly hostapd conf files would be necessary. Without any mention of arduino in it, of course.

Do not forget my January result above with the free radius server; unfortunately the default eap type was the only one the ESP8266 would authenticate with. So it helps to be able to change that setting in your server when you are testing things out.

Hello together,
good news.
I found a working sketch for wpa2 enterprise with username and password (PAP)
Look here:
https://github.com/jtuttas/ESP8266-WPA2-Enterprise/blob/master/ino/webserver/webserver.ino
I think the difference is resetting (or initialise) the certificate.
2 years of waiting are now ending....

I tried it, it doesn’t work for me and just kicks my board into a boot loop.


Kind regards

Tobias Timpe

almost nobody is using PAP...
Most users are looking for sketch for network similar to Eduroam with PEAP method

I think I had a typo and the authentication is PEAP.
At least I can now log in with username and password.
@ttimpe
Do you use the latest Arduino sdk?
I use 2.5.0-beta2
Maybe that makes a difference?

Most eduroam / enterprise networks also support EAP-PWD which should be easier to implement than EAP-PEAP-MSCHAPV2 or EAP-TTLS-MSCHAPV2. EAP-TTLS-PAP shouldn't be used anyways because it leaks your password quite easily if not configured 100% right.

Okay it was a typo (PAP =>PEAP)
That is the log of the radiusserver:
Mon Dec 17 21:38:47 2018 : Auth: Login OK: [userESP8266/] (from client WLANxxxxx port 1 cli 5C-CF-7F-C8-80-01)

Huh, the server hides some part of the line.
Mon Dec 17 21:37:21 2018 : Auth: Login OK: [ESP8266/] (from client WLANxxx port 1 cli 5C-CF-7F-C8-80-01)

Still missing the part: via Auth-Type = EAP
