How to connect an ESP32 to a WPA/WPA2 Enterprise network?
This article is a brief tutorial on how to integrate an IoT development board with WPA/WPA2 Enterprise networks.
Hello. Today I would like to present a software project that I have been working on for more than half a year. My university runs the eduroam network, which uses the Enterprise standard. This means that when connecting to this wifi network I must provide a name, a so-called identity, and a password. The wifi network verifies that my identity and password match one user account, that of the client trying to connect to the wifi network.
I was looking for a platform that would allow me to do this. I grew up on Arduino and the ESP8266. However, the ESP8266 does not support Enterprise wifi networks with the PEAP + MSCHAPv2 or EAP-TTLS + MSCHAPv2 authentication methods. Then I discovered the ESP32 board, which already includes support for Enterprise wifi networks. I decided to build a first functional sketch that would let me connect to the eduroam wifi network, so that I could use all ports on the network without limitation and build my own IoT application on a protected wifi network.
I created several different sketches while trying to build a working prototype. I managed it very quickly, since almost everything was already implemented in the ESP32 libraries; it was enough to put the pieces together and add a few features. I used the Arduino core for ESP32 from June 2018. This version is the only one that supports Enterprise wifi networks: the first release version, from July 2018, has a problem connecting to Enterprise wifi networks because the relevant features were not properly ported from ESP-IDF.
Over time I improved the program and added the ability to choose an anonymous identity. Most often a user logs in to an Enterprise wifi network with a username and a realm. The realm identifies the organization the user belongs to. For example, peter.smith@example.com means that peter.smith belongs to example.com. Most often, however, a login name is used as the username, and the realm identifies the organization by its domain, such as university.domain.
Anonymous identity, and how does the eduroam network work?
With factory settings, devices use this visible identity also as the anonymous identity, which can be changed. It is not quite correct, but it is tolerated. If the user wants to hide their identity behind an anonymous identity, they use the format anonymous@example.com. Let's take an example from the eduroam network. A user from the @example1.com realm wants to log in to the eduroam wifi network at @example2.org. The user enters anonymous@example1.com as the anonymous identity, user@example1.com as the visible identity, and their password.
The RADIUS authentication server checks whether the realm of the anonymous identity is the same as its own realm. If not, the request is forwarded to the national RADIUS server for the domain. That server checks the top-level domain of the realm. We see that the domain RADIUS server for .org has run into a .com realm, so it asks the root RADIUS server in the Netherlands, which has a database of all RADIUS servers in the world.
That server forwards the request to the RADIUS server for the .com domain, which then contacts the RADIUS server of @example1.com, to which the user's data in the visible identity is delivered. It verifies the user and returns an accept response to the ACCESS request, and the user at @example2.org is successfully connected to the eduroam network. Connectivity (the IP address) is provided by @example2.org.
Sketch
I have created several programs for the ESP32 that will allow you to connect to the eduroam wifi network and then perform an HTTP or HTTPS request to a website after receiving an IP address from the DHCP server. For HTTPS connections I used the HTTPClient and WiFiClientSecure libraries. All of the programs have been tested in several places around the world on various ESP32 development boards.
A set of programs is available in my GitHub repository (still in development): https://github.com/martinius96/ESP32-eduroam
Some examples have been included in the official ESP32 Arduino core repository: https://github.com/espressif/arduino-esp32/blob/master/libraries/WiFiClientSecure/examples/WiFiClientSecureEnterprise/WiFiClientSecureEnterprise.ino
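The following sketch is an added example written for this article; it is not one of the programs from the repository above or from the Arduino core. It shows the two things the text describes: building the anonymous (outer) identity from the realm of the real identity, so that the RADIUS hierarchy can route the request without ever seeing the username, and then connecting with the WPA2 Enterprise API of the June 2018 Arduino core (`esp_wpa2_config_t`, `WPA2_CONFIG_INIT_DEFAULT()`). The SSID, identity, password and the commented-out CA certificate are placeholders; `realmOf`, `anonymousIdentityFor` and `connectEnterprise` are helper names chosen here. The `esp_wifi_sta_wpa2_ent_set_ca_cert` call is where you pin the CA of your home RADIUS server, so that the MSCHAPv2 credentials are only ever sent inside a tunnel to a server that CA vouches for.

```arduino
#include <WiFi.h>
#include "esp_wpa2.h"   // WPA2 Enterprise API of the ESP32 (esp_wifi_sta_wpa2_ent_*)

// Constructed placeholders: replace with your own network and credentials.
const char* SSID         = "eduroam";
const char* EAP_IDENTITY = "user@example1.com";      // real (visible/inner) identity
const char* EAP_PASSWORD = "REPLACE_WITH_PASSWORD";
// Optional PEM certificate of the CA that signed your home RADIUS server's
// certificate (placeholder). With it set, the TLS tunnel is only built to a
// server that CA vouches for, so the password is never disclosed elsewhere.
// const char* RADIUS_CA_PEM = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n";

// Realm ("@example1.com") of an identity, or "" when it carries none.
String realmOf(const String& identity) {
  int at = identity.lastIndexOf('@');
  return at < 0 ? String("") : identity.substring(at);
}

// Outer (anonymous) identity: keeps only the realm, which is all the RADIUS
// hierarchy needs to route the request to the home server.
String anonymousIdentityFor(const String& identity) {
  return String("anonymous") + realmOf(identity);
}

// One connection attempt; returns false when authentication does not finish
// within timeoutMs (the "failed connection" case from the article).
bool connectEnterprise(const char* ssid, const String& outer,
                       const char* inner, const char* password,
                       unsigned long timeoutMs) {
  WiFi.disconnect(true);
  WiFi.mode(WIFI_STA);

  esp_wifi_sta_wpa2_ent_set_identity((uint8_t*)outer.c_str(), outer.length());
  esp_wifi_sta_wpa2_ent_set_username((uint8_t*)inner, strlen(inner));
  esp_wifi_sta_wpa2_ent_set_password((uint8_t*)password, strlen(password));
  // Pin the RADIUS CA; the +1 keeps the NUL terminator that PEM parsing needs.
  // esp_wifi_sta_wpa2_ent_set_ca_cert((uint8_t*)RADIUS_CA_PEM, strlen(RADIUS_CA_PEM) + 1);

  esp_wpa2_config_t config = WPA2_CONFIG_INIT_DEFAULT();  // June 2018 core API
  esp_wifi_sta_wpa2_ent_enable(&config);
  WiFi.begin(ssid);   // no PSK: authentication happens over EAP

  unsigned long start = millis();
  while (WiFi.status() != WL_CONNECTED && millis() - start < timeoutMs) {
    delay(500);
    Serial.print('.');
  }
  Serial.println();
  return WiFi.status() == WL_CONNECTED;
}

void setup() {
  Serial.begin(115200);
  delay(10);

  String outer = anonymousIdentityFor(EAP_IDENTITY);
  Serial.printf("Outer identity: %s\n", outer.c_str());  // reveals only the realm

  // A successful Enterprise connection took up to about 6 s in the article's
  // tests; 20 s leaves room for a slow RADIUS chain before reporting failure.
  if (connectEnterprise(SSID, outer, EAP_IDENTITY, EAP_PASSWORD, 20000)) {
    Serial.print("Connected, IP: ");
    Serial.println(WiFi.localIP());
  } else {
    // Typical causes: the visited site does not offer PEAP/EAP-TTLS with
    // MSCHAPv2, the password is wrong, or the realm could not be routed.
    Serial.println("Authentication timed out, not connected");
  }
}

void loop() {
  delay(1000);
}
```

Flash it, open the serial monitor at 115200 baud and watch for the IP address; a failed attempt ends with the timeout message instead. Later Arduino cores changed the enable call (`esp_wifi_sta_wpa2_ent_enable()` takes no argument there), so adjust that one line if you are not on the June 2018 core the article targets.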
Conclusion
A huge advantage of these programs is that they can be used in the university sphere to create advanced IoT applications for bachelor's or diploma theses. Thanks to the connectivity you now have, you can use your project at any university or organization that participates in eduroam. Remember the things that were explained in this article.
The sketch works with the Arduino core version from June 2018, which came before the first official release in July 2018. Protect your identity by using an anonymous identity (it is included in the examples). You can also help the GitHub community with software development: try out eduroam or another Enterprise wifi network with your ESP32 and let me know whether the connection was successful. The connection takes slightly longer than on a standard PSK wifi network, up to 6 seconds.
In the attachments you can see an example of a successful wifi network connection with an IP address and an HTTPS request to a remote site. In the second image you can see a failed connection, where the organization did not support either the PEAP + MSCHAPv2 or the EAP-TTLS + MSCHAPv2 method. The client was therefore not authorized, and the authentication timed out.