Using Enterprise Wi-Fi with a local proxy server - how-do?

Hi guys,

Having trouble getting my Pi to behave within my work’s enterprise network.

I’ve been looking around and I think I have to edit some config files in the /etc/ directory, but I have no idea how I can do that with info-beamer as the login doesn’t appear to be the default pi:raspberry.

I’ve added a wpa.conf file in the /config folder which has the following information:

network={
     ssid="MyWiFi"
     key_mgmt=WPA-EAP
     eap=PEAP
     identity="NetworkUsername"
     password="NetworkPassword"
     ca_cert="/sd/config/cert.pem"
     phase1="peaplabel=auto peapver=0"
     phase2="auth=MSCHAPV2"
}

And the cert.pem points to the root certificate for the network (it was a .cer which I just changed the extension to a .pem).

But I’m guessing that the proxy is where this is stumbling - I was hoping it would be able to work it out from the identity/password fields, but no dice.

Here’s where I’m getting my advice from:

https://info-beamer.com/doc/device-configuration#completelycustomconfiguration
(+ a few websites recommending editing files in /etc/ to point to the proxy such as here)

Any ideas? The Pi is offline unless I hotspot my phone.

Cheers,

Andrew

Could only post 2 links as a new user for some reason - I was getting more info from here too.
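A static check of the network block from the first post, as an added example (not part of the thread and not info-beamer code): it flags WPA-EAP settings that leave the RADIUS server's certificate unvalidated or unconstrained by name, and reports whether a renamed certificate file is PEM or DER. The function names and finding texts are assumptions made for this example; ca_path, domain_suffix_match, domain_match, subject_match and altsubject_match are standard wpa_supplicant options that the post does not use.

```python
import re

# Constructed sample: the network block from the post above, placeholders included.
SAMPLE_CONF = '''network={
    ssid="MyWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="NetworkUsername"
    password="NetworkPassword"
    ca_cert="/sd/config/cert.pem"
    phase1="peaplabel=auto peapver=0"
    phase2="auth=MSCHAPV2"
}'''
# wpa_supplicant options that constrain the name in the server certificate.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_network(conf):
    """Return the key/value pairs of the first network={...} block, quotes stripped."""
    block = re.search(r"network\s*=\s*\{(.*?)\}", conf, re.S)
    if not block:
        raise ValueError("no network block found")
    pairs = re.findall(r"^\s*(\w+)\s*=\s*(.*?)\s*$", block.group(1), re.M)
    return {key: value.strip('"') for key, value in pairs}

def cert_encoding(data):
    """Classify certificate bytes as 'PEM', 'DER' or 'unknown'."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "PEM"
    # A DER certificate starts with an ASN.1 SEQUENCE tag and a two-byte length.
    return "DER" if data[:2] == b"\x30\x82" else "unknown"

def audit(conf, cert_bytes=None):
    """Return a list of findings for one WPA-EAP network block."""
    net, findings = parse_network(conf), []
    if net.get("key_mgmt") != "WPA-EAP":
        return findings
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert or ca_path: the server certificate is not validated")
    if not any(option in net for option in NAME_CHECKS):
        findings.append("no server name check: any certificate issued by the CA is accepted")
    if cert_bytes is not None:
        enc = cert_encoding(cert_bytes)
        if enc == "unknown":
            findings.append("ca_cert file is neither a PEM nor a DER certificate")
        elif enc == "DER" and net.get("ca_cert", "").endswith(".pem"):
            findings.append("ca_cert has a .pem name but DER content")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

To include the certificate check, pass the file's bytes as the second argument, for example `audit(conf_text, open("cert.pem", "rb").read())`.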

network={…}

I’m no expert in this whatsoever, but as far as I can tell this looks good. Is there any way you can find out if the Pi managed to connect to the specified access point? You might be able to find this out if you import this package (click the Run on info-beamer button), create a setup and assign that to the device while it’s connected via your hotspot. If you then switch over to the enterprise network, you should hopefully see an IP address in the network section.

If that’s the case, at least the WiFi configuration works correctly.

So there is a proxy as well? What kind of proxy is that? Does it need authentication? NTLM? If the proxy is without authentication, you can create a new configuration file /config/proxy and enter the IP/port like this:

proxy.company.com:3128

Thanks for the response.

I’m off-site today, so I will have a play tomorrow - it’s a local IP address which uses the same authentication as the wi-fi (domain\username and password).

So you’re saying there should be a way I can connect this to an enterprise network with the proxy server?

Can you confirm with your IT people that the proxy uses NTLM for authentication? In that case, there might also be a solution. But the first step is still to get WiFi working. Once that’s done, we can try using the proxy.

Wi-Fi spat out an error with the “daemon.notice.wpa_supplicant”

wlan0 Trying to associate with SSID
cannot send using ws: not connected. waiting...

Can you confirm with your IT people that the proxy uses NTLM for authentication?

I am the IT people :)

We’re using Kerberos authentication.

EDIT: it does recognise the .conf file though as it tells me the SSID I put in there.

Unfortunately Kerberos is not supported. The only authentication that has been used successfully in combination with a proxy server is NTLM.

I don’t know if that’s viable in your environment, but sometimes companies have either a visitor WiFi or maybe even an IoT environment with less restrictive methods of reaching the internet. If that happens to exist as well, you could place the Pi in there. It’s designed for “hostile” environments (see also this security documentation).

Damn - I’m in a public primary school, so don’t have the means to change infrastructure like that - between our wifi and router, sits the proxy server and all traffic in and out comes through that.

If I had access to certain directories, I might be able to work out where to put the proxy information.

Otherwise, am I able to request support for Kerberos in some way - do you guys have a request form or something? I presume you guys have locked down being able to access the root directory for security on your end?

Thanks for your time,

Andrew

There’s no software on the info-beamer OS that would allow Kerberos support. And you cannot manually install software as the system is not designed for supporting that. Unfortunately it looks like you cannot use info-beamer within your network environment. Kerberos support is also not planned at the moment.