WPA2 Enterprise on Libreelec 11

  • Hi,

    The support for WPA2 Enterprise Wifi authentication is not available in the LE11 GUI, but there must be a way to get this working with manual configuration. I can get a wifi connection running, by supplying these 2 files, and storing the CA cert file in /storage/certs/fullchain.pem

    1. /var/lib/iwd/<ssid>.8021x

    [Security]

    EAP-Method=PEAP

    EAP-Identity=anonymous

    EAP-PEAP-CACert=/storage/certs/fullchain.pem

    EAP-PEAP-Phase2-Method=MSCHAPV2

    EAP-PEAP-Phase2-Identity=<user>

    EAP-PEAP-Phase2-Password=<password>

    [Settings]

    AutoConnect=true

    2. /storage/.cache/connman/<ssid>.config

    [service_wifi_<ssid>]

    Type = wifi

    IPv4 = dhcp

    IPv6 = auto

    Name = <ssid>

    Passphrase = <password>

    Security = ieee8021x

    EAP = peap

    Phase2 = MSCHAPV2

    Identity = <user>

    CACertFile = /storage/certs/fullchain.pem

    AnonymousIdentity=anonymous

    Sadly, /var/lib/iwd is on tmpfs, so I can not get this persistent, and I have not found out how to get these parameters in the connman configuration.

    Any ideas how to make this configuration persistent?

    Regards,
    Karel.

  • Connman actively manages content in its cache folder (means you shouldn't add stuff there when connman is running) so you need to stop the service before adding a correctly formatted profile directory and settings file and then restart the service. You shouldn't need to configure anything in iwd; the config should be passed from connman.

    Note that ConnMan names the profile directory in a structured way (not plain SSID) and the SSID in the directory name and in the settings file must be a base64 encoded string; connman will not auto-convert plaintext SSID details, and since passphrase (with a non-EAP) connection is the same I'd make an educated guess that username/password in an EAP connection file also will be the same. If all else fails, the long-winded route I've seen others take for EAP connections in the past is to boot a normal desktop distro that also uses ConnMan and get the connection and config working there; then transfer the profile/settings over.

  • Thanks for the reply chewitt!

    Is there a way to stop connman without losing the ssh network connection to the LE box? My experiments so far resulted in a loss of connectivity when I stop connman. And since there is no direct console access in LE, is the only way really mounting the SD in other system?

    If you know others have achieved connection, would it be possible to publish a working example in the Wiki?

  • Code
    (systemctl stop connman && mkdir -p /storage/.cache/connman/myservice && cp /storage/settings /storage/.cache/connman/myservice/settings && systemctl start connman)&

    ^ You can always run stop/copy/restart commands in the background so they complete (else termination of session stops commands) to do things .. beware the line-wrap. Or put them in a script and execute the script in the background.

    There are some other threads in this forum from people seeking EAP connections - search should find them - and the wiki is open for anyone to contribute some markdown content to. If you find something that works then it can be written up.

  • Mmmm. Any directory I create under .cache/connman gets deleted as soon as connman starts.

    When I run iwd in debug mode, I see that when I try to connect to a PSK wifi, iwd reacts as soon as connman gets the connect command. But with the 8021x wifi, iwd just tells 'network_connect()', but does nothing (without my config in /var/lib/iwd). With my config file in /var/lib/iwd, I get a connection as soon as I tell connman to connect.

    Somehow the interaction between connman and iwd doesn't work correctly for 8021x networks.

    I have solved this for now by using autostart.sh in /storage/.config to copy my correct <ssid>.8021x to /var/lib/iwd, and my wifi connection survives a reboot.

    Edited once, last by Karelvh: Found a workaround. (July 30, 2023 at 4:24 PM).
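
The autostart.sh workaround from the last post, sketched as an added example that is not code from the thread or from LibreELEC. It goes slightly beyond the post by deriving iwd's on-disk file name for SSIDs with special characters and by refusing a PEAP profile that names no readable CA certificate. The persistent directory `/storage/.config/iwd` and both function names are assumptions.

```shell
#!/bin/sh
# Added example. SRC_DIR is an assumed persistent location, not a LibreELEC default.
SRC_DIR=${SRC_DIR:-/storage/.config/iwd}   # survives reboots (assumption)
IWD_DIR=${IWD_DIR:-/var/lib/iwd}           # tmpfs on LE11, per the thread

# iwd stores a profile under the plain SSID only if it consists of
# alphanumerics, spaces, '_' and '-'; otherwise under '=' + hex(SSID).
iwd_profile_name() (
    LC_ALL=C
    [ -n "$1" ] || return 1
    case $1 in
        *[!A-Za-z0-9_\ -]*)
            printf '=%s\n' "$(printf '%s' "$1" | od -An -tx1 | tr -d ' \n')" ;;
        *)  printf '%s\n' "$1" ;;
    esac
)

# Copy <SSID>.8021x from persistent storage into iwd's directory.
# Returns 1 if the profile is missing, 2 if it names no readable CA cert.
install_profile() {
    name=$(iwd_profile_name "$1") || return 1
    src="$SRC_DIR/$name.8021x"
    dst="$IWD_DIR/$name.8021x"
    [ -f "$src" ] || { echo "missing profile: $src" >&2; return 1; }

    # With no CA certificate the client cannot verify the RADIUS server
    # before sending the phase 2 (MSCHAPV2) credentials, so refuse to install.
    ca=$(sed -n 's/^EAP-PEAP-CACert[[:space:]]*=[[:space:]]*//p' "$src" | head -n 1)
    if [ -z "$ca" ] || [ ! -r "$ca" ]; then
        echo "refusing $src: EAP-PEAP-CACert unset or unreadable" >&2
        return 2
    fi

    # The profile holds the password in plaintext: keep both copies owner-only.
    chmod 600 "$src"
    mkdir -p "$IWD_DIR"
    ( umask 077; cp "$src" "$dst" ) && chmod 600 "$dst"
}

# In /storage/.config/autostart.sh, after defining the functions:
#   install_profile "<ssid>"
```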