
CCS/CC3200-LAUNCHXL: SlSecParamsExt_t User appears to be truncated and limited to 10 char

Part Number: CC3200-LAUNCHXL
Other Parts Discussed in Thread: CC3200, UNIFLASH

Tool/software: Code Composer Studio

We are developing a WiFi connected sensor board using the CC3200-LAUNCHXL and are having trouble connecting to our company's Enterprise network.  The board connects fine to our secondary network that does not require a user id, only a SSID and passkey.  We've tried all the combinations for EapMethod and security Types without success.  The one thing we noticed is that if a break point is placed at the sl_WlanConnect step, only the first 10 characters appear in the variables, where the full UID is "usr.new.PerfUser", 16 characters in length.  An image of the code block is below the variable image.  Any insights are welcome.

Thanks, KS

  • Hi,

    Is there any output on the EAP server side that you are able to access? Looking at why the radius server rejects the connection for example would be useful to understand what could be set incorrectly on the CC3200.

    What exact EAP method does your enterprise network use? Have you provided the client cert, key, and server root CA to the CC3200 through Uniflash if needed for your security method? Please see section 9.1.2 of the CC3200 NWP user's guide for details:

    http://www.ti.com/lit/swru368

    As for the extParams.User not copying the full length of USER_ID, have you looked at the memory pointed to directly by that pointer in the memory browser? Sometimes the preview shown in the variables view does not show the full length of longer strings. To do this, simply use View -> Memory Browser in an active debug session, then paste in the address pointed to by extParams.User. You can then change the displayed encoding to 'Character' in order to see the character data in memory directly. Do you see the full "usr.new.PerfUser" string in memory, or is it still the truncated "usr.new.Pe"?

    Regards,

    Michael

  • Hi Michael,

    Thanks for the quick response.  I'm inquiring to our IT department about the exact security on the system, my local guy says a certificate should not be needed, but we are never sure what corporate IT is actually doing.

    From the memory viewer, if I look at the location shown in the Value column for User, under extParams, the entire UID is there.

    Memory Location: 0x200061F0
    u s r . n e w . P e r U s e r .

    If I look at the location for extParams as a whole, there is not much in the Character view, but there is in the 32-bit Hex (TI Style)

    Given the first byte at the extParams location is the memory location from above, I'm assuming they are linked together

    Memory Location: 0x20012F84

    Character View

    . a . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . .
    . . a . . . . . . $ . . . . . . .
    . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . 1 . . . . .
    . . . . . . . . . . 1 . . . 9 . .
    . . . . .
    task1Stack
    . . . .

    32-Bit Hex

    200061F0 BEBEBE04 BEBEBEBE BEBEBE00 00000005 BEBEBEBE BEBEBEBE
    BEBEBEBE BEBEBEBE 00D59F80 00000003 00000000 BEBEBE02 200061E4
    BEBEBE08 20018424 00000000 FFFFFF10 20008197 00000000 00000000
    FFFFFFFF FFFFFFFF FFFFFFFF 2000B631 00000000 00000000 20008189
    2000B631 2000FA39 BEBEBEBE
    task1Stack
    BEBEBEBE

    Kind of tells me the issue is in the negotiations between the server and the CC3200.  I'll let you know what I find out from the IT group.

    I appreciate the help, it's been about 3 years since I've touched this stuff, just a little rusty.

    KS

    Afternoon update: During the wait for connect loop a General Event 1 is reported.  Stepping thru the code in Debug it appears this is a SL_ERR_SENDER_WILINK (AbortType: 536937875, AbortData: 120).  Looking thru the forums I found this may indicate a de-authorization from the AP.  Hopefully I can find someone at corporate IT to help quickly.

    KS
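
Decoding the first five words of the 32-Bit Hex dump in the post above into the fields of SlSecParamsExt_t, as an added example that is not part of the original thread or of TI's SDK. The field order (including AnonUser and CertIndex), the little-endian word layout and reading 0xBE as never-written memory are assumptions; ExtParamsView and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-side view of SlSecParamsExt_t as it would sit in CC3200 RAM.
 * Assumed layout (32-bit little-endian, natural alignment):
 *   word 0: User pointer        word 1: UserLen + 3 pad bytes
 *   word 2: AnonUser pointer    word 3: AnonUserLen, CertIndex + 2 pad bytes
 *   word 4: EapMethod                                                   */
typedef struct {
    uint32_t user_ptr;
    uint8_t  user_len;
    uint32_t anon_user_ptr;
    uint8_t  anon_user_len;
    uint8_t  cert_index;
    uint32_t eap_method;
} ExtParamsView;

/* Assumption: 0xBE is the fill pattern of memory that was never written. */
#define FILL_BYTE 0xBEu
#define FILL_WORD 0xBEBEBEBEu

enum {
    F_USERLEN_MISMATCH = 1u << 0,  /* UserLen differs from strlen(identity) */
    F_ANONUSER_UNSET   = 1u << 1,  /* AnonUser pointer still holds fill     */
    F_CERTINDEX_UNSET  = 1u << 2   /* CertIndex still holds fill            */
};

/* First five words of the dump at 0x20012F84, copied from the post. */
static const uint32_t DUMP_WORDS[5] = {
    0x200061F0u, 0xBEBEBE04u, 0xBEBEBEBEu, 0xBEBEBE00u, 0x00000005u
};

ExtParamsView decode_ext_params(const uint32_t w[5])
{
    ExtParamsView v;
    v.user_ptr      = w[0];
    v.user_len      = (uint8_t)(w[1] & 0xFFu);         /* lowest-address byte */
    v.anon_user_ptr = w[2];
    v.anon_user_len = (uint8_t)(w[3] & 0xFFu);
    v.cert_index    = (uint8_t)((w[3] >> 8) & 0xFFu);
    v.eap_method    = w[4];               /* raw value, not mapped to a name */
    return v;
}

/* Compare the decoded struct with the identity the firmware meant to send. */
unsigned check_ext_params(const ExtParamsView *v, const char *identity)
{
    unsigned findings = 0;
    if ((size_t)v->user_len != strlen(identity)) findings |= F_USERLEN_MISMATCH;
    if (v->anon_user_ptr == FILL_WORD)           findings |= F_ANONUSER_UNSET;
    if (v->cert_index == FILL_BYTE)              findings |= F_CERTINDEX_UNSET;
    return findings;
}

int main(void)
{
    ExtParamsView v = decode_ext_params(DUMP_WORDS);
    printf("UserLen=%u AnonUserLen=%u CertIndex=0x%02X EapMethod=%lu findings=0x%X\n",
           (unsigned)v.user_len, (unsigned)v.anon_user_len, (unsigned)v.cert_index,
           (unsigned long)v.eap_method, check_ext_params(&v, "usr.new.PerfUser"));
    return 0;
}
```

Under those assumptions the posted words decode to a UserLen of 4 against a 16-character identity, with AnonUser and CertIndex still holding the fill value.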

  • Hi,

    It's good to confirm that the entire UID is present in memory correctly, so that shouldn't be the cause of your issue.

    Depending on your corporate IT setup, a client certificate may not be needed. However, providing the root CA needed to verify the server is generally required for all variants of EAP. I would appreciate it if you could take a look and see what exact WPA enterprise methods are used on your network. That will give some clarity as to which files are needed.

    The general event may be due to the AP deauthenticating you due to the RADIUS server rejecting your credentials/certificate/EAP method. Something which could help me get a clearer picture of what's going on would be the NWP logs of your device. The logs will have the EAP connect sequence for me to check. See the instructions here for how to collect those NWP logs:

    https://processors.wiki.ti.com/index.php/CC3100_%26_CC3200_Capture_NWP_Logs

    Thanks,

    Michael

  • Thanks Michael,

    I'll try the NWP stuff when I get back in the office.  Because of the pandemic, I'm splitting time between home and work, at least until the Governor or corporate calls a total lock down.  Things work fine on my home network, of course I'm the one who set it up and have full access to it.

    KS

    Still waiting for corporate IT to respond.  I have found the following thru some of the instruction for connecting mobile devices:

    The Security selection is "WPA2 Enterprise"

    At the Join or Connect action it looks like the server sends a cert to be accepted by the user before allowing the connection.

    KS

  • Hi,

    Given that you say that the server appears to send a cert that you need to accept on your mobile device before use, you will need to provide the root CA used to verify to the CC3200 using Uniflash. This isn't the server cert, but instead is the root of trust that validates the server cert. If you can connect to this enterprise network with your PC, you should be able to get that server cert and its root CA by using Wireshark to capture the EAP authentication sequence as your PC connects to the network.

    After you have identified the needed root CA cert, you can copy it from your PC using my instructions here:

    https://e2e.ti.com/support/wireless-connectivity/wifi/f/968/p/673247/2478357#2478357

    Then, you can flash that file onto the CC3200, as /cert/ca.pem.

    Let me know if you need more clarification or if you still run into issues after providing that root CA cert to the CC3200.

    Regards,

    Michael

  • I'll take a look at what you laid out above.  I did talk with one of the corporate network guys today and he thinks if I could set the security type to WPA2-Enterprise things would work without anything further.  However, the WPA2-Ent is not one of those defined in the wlan.h. (from tirtos_cc32xx_2_16_01_14)

    He's going to check the router logs for the Launchpad's Mac Address to see what's going on on his side of things.

    I'll let you know if your suggestion gets us farther down the road, thanks.

    Kevin

  • Hi Kevin,

    WPA2 enterprise uses SL_SEC_TYPE_WPA_ENT, which is defined in wlan.h.

    You can take a look at the ent_wlan example if you haven't already to see how to setup that sl_WlanConnect() call to an enterprise network.

    Regards,

    Michael

  • Hi Michael,

    I added the Event ID and Sender to the out string in the General Event macro to get some more details

    The Event ID = -109

    Sender = 5

    If I am interpreting these numbers correctly, looking at device.h

    -109 =  SL_ERROR_CON_MGMT_STATUS_DISCONNECT_DURING_CONNECT 

    5 = SL_ERR_SENDER_WILINK

    From the cryptic phrasing, it appears to me the connection is dropped during the connection attempt, from the AP side.

    Comments?

    I'm still working with the corporate IT group to get an idea of what is happening on the AP side to the system.

    Regards,

    Kevin

  • Hi Kevin,

    As you bring up, error -109 generally indicates that the CC3200 is using settings that are not compatible with your AP/radius server. You will need to see what your IT says about the allowable EAP methods and authentication schemes before we can get a better idea of why this connection may be failing.

    The NWP logs would also be useful, if you can get those. 

    Regards,

    Michael

  • Hi Michael,

    I heard back from corporate IT on the certs. (text below).  They have supplied a ROOT cert and 2 intermediate certs.  Can you relate that to what can happen on the CC3200 side?  We are getting to details that are a bit outside my current knowledge base.

    Thanks,

    Kevin

    Text from Corp IT:

    So on our side (NPS) uses PEAP for UL Wireless (this one specifically from your list Kevin: EAP-PEAP with MSCHAP).

    This means at a certificate level, when the client connects to the NPS/Radius server – the server presents its certificate.  So the client must be able to validate/trust the certificate.  So you should have the cert chain installed on your end Kevin.

    I have attached it, if you would like it in a different format please let me know – base64 is the most common for appliances.  There is one ROOT cert and two INT certs.

  • Hi Kevin,

    So based on the message back from your IT org, you will need to set the eapMethod to one of SL_ENT_EAP_METHOD_PEAP0_MSCHAPv2 or SL_ENT_EAP_METHOD_PEAP1_MSCHAPv2. Not sure precisely which one your network is configured for, so I would try both.

    Also, you need to provide the root CA cert to the CC3200 through Uniflash, as /cert/ca.pem. More details on this can be found in section 9.1.2 of the CC3200 NWP user's guide:

    http://www.ti.com/lit/swru368

    Regards,

    Michael

  • Hi Michael,

    I think we may be there.  The ent_wlan example appears to connect by watching the LED indicator.  Unfortunately the UART is not active in the example app, but I'll add it, so I can confirm the ip address acquired by the connect.  I'm looking at morphing the example code process into my RTOS app.

    I've asked the IT guys to check the log and to confirm there were connections by my board's MAC address to the system.

    I'll let you know when I know.  Hopefully we can put the "green box" around this subject.

    Thanks for all the help

    Kevin

  • Michael,

    The non-RTOS example program works every time and there is a connection within a few seconds.  This was confirmed by the logs from the AP.

    I can't get my RTOS app to make the connection, even though no errors are returned by any of the Wlan or Net functions.

    With the RTOS code I never see any network related Event reported.  It's as if the Callbacks are not set.  I've attached two sections of code from the RTOS app, which is based on the TI-RTOS TCP Echo example.  The socketStartUp (snippet in first file attached) gets called by my TCP thread as part of the initialization before the forever loop of the TCP server section.  It calls the WiFi setup functions based on the state of a GPIO input.  If the input is low it calls the setStationMode, the 2nd file attached.  The AP mode setup works and I had the non-enterprise station mode working, but seem to have broken that also.  In short setStationMode is supposed to do the configuration and socketStartUp starts the connection and waits. So it gets down to the loop under "//Wait for WLAN Event" and stays there because the events that change the flags never are sensed.  I'm sure it's something simple that I forgot to turn on.

    Regards,

    Kevin

    socketStartUp.txt
    /* Variable defines used in the STA Enterprise macros.
     * The quoted strings are the poster's placeholders, not real values. */

    #define SSID_NAME           "Enterprise SSID NAME"    /* AP SSID */
    #define SECURITY_KEY        "User enterprise pwd"    /* Password of the secured AP */
    #define SECURITY_TYPE       SL_SEC_TYPE_WPA_ENT	  /* Security type (ENT or WPA_WPA2) */
    #define EAP_METHOD	    SL_ENT_EAP_METHOD_PEAP0_MSCHAPv2  /* EAP type Assumed to be PEAP type*/
    #define SSID_LEN_MAX        32
    #define BSSID_LEN_MAX       6
    #define USER_ID		    "enterprise UID"	//UID is needed
    #define UID_LEN_MAX	    32

    /* ********************************* */
    
    
    void *socketsStartUp(void)
    {
        WiFi_Params        wifiParams;
        WiFi_Handle        handle;
    
        int                result;
    
    
        /*
         * Board_LED1 is used as a connection indicator.  It will blink until a
         * connection is establish with the AP.
         */
        GPIO_write(Board_LED1, Board_LED_OFF);
    
        /* Open WiFi driver */
        WiFi_Params_init(&wifiParams);
        wifiParams.bitRate = SPI_BIT_RATE;
        handle = WiFi_open(Board_WIFI, Board_WIFI_SPI, NULL, &wifiParams);
        if (handle == NULL)
        {
            System_abort("WiFi driver failed to open.");
        }
    
       /* Set the CC3X00 into station mode for this example */
        if(APM == 0)
        {
        	setStationMode(); //Call the station setup
    
    		/* Host driver starts the network processor */
    		result = sl_Start(0, 0, 0);
    		if (result < 0 || ROLE_STA != result)
    		{
    			System_abort("Could not initialize SimpleLink Wi-Fi");
    		}
    		/* get MAC ADDR */
    		_u8 macAdd[SL_MAC_ADDR_LEN];
    		_u8 macAddLen =SL_MAC_ADDR_LEN;
    		sl_NetCfgGet(SL_MAC_ADDRESS_GET,NULL,&macAddLen,(_u8 *)macAdd);
    		System_printf("Mac Address %x-", macAdd[0]);
    		System_printf("%x-", macAdd[1]);
    		System_printf("%x-", macAdd[2]);
    		System_printf("%x-", macAdd[3]);
    		System_printf("%x-", macAdd[4]);
    		System_printf("%x\n", macAdd[5]);
    		System_flush();
    
    		//Set log in parameters for network
    		SlSecParams_t secParams;
    		secParams.Key = (signed char*)SECURITY_KEY;
    		secParams.KeyLen = strlen(SECURITY_KEY);
    		secParams.Type = SECURITY_TYPE;
    
    		/* Connection action is UID is used - Uncomment if UID is used  */
    
    		SlSecParamsExt_t extParams;
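    		extParams.User = (_i8 *)USER_ID;
    		extParams.UserLen = strlen(USER_ID);	/* identity length, without the terminating NUL that sizeof would count */
    		extParams.AnonUserLen = 0;
    		extParams.EapMethod = EAP_METHOD;	/* matches the EAP_METHOD define above */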
    
    		sl_Stop(10);
    		sl_Start(0,0,0);
    		result = sl_WlanConnect((signed char*)SSID_NAME, strlen(SSID_NAME), 0, &secParams, &extParams);
    
    		if (result < 0) {
    			System_abort("Could not Connect Wi-Fi");
    		}
    
    		// Wait for WLAN Event
    		while((!deviceConnected) || (!ipAcquired))
    		{
    			// Toggle LEDs to Indicate Connection Progress
    			GPIO_write(Board_LED1, Board_LED_ON);
    			Task_sleep(1000);
    			GPIO_write(Board_LED1, Board_LED_OFF);
    			Task_sleep(1000);
    		}
    			GPIO_write(Board_LED1, Board_LED_OFF);
    			wifi_icon = true;
    
    			/* Print IP address */
    			_u8 len = sizeof(SlNetCfgIpV4Args_t);
    			_u8 dhcpIsOn = 0;
    			SlNetCfgIpV4Args_t ipV4 = {0};
    			sl_NetCfgGet(SL_IPV4_STA_P2P_CL_GET_INFO, &dhcpIsOn, &len,(unsigned char *)&ipV4);
    			System_printf(
    					"CC3X00 has connected to an AP and acquired an IP address.\n");
    			System_printf("IP Address: %d.", SL_IPV4_BYTE(ipV4.ipV4, 3));
    			System_printf("%d.", SL_IPV4_BYTE(ipV4.ipV4, 2));
    			System_printf("%d.", SL_IPV4_BYTE(ipV4.ipV4, 1));
    			System_printf("%d", SL_IPV4_BYTE(ipV4.ipV4, 0));
    			System_printf("\n");
    			System_flush();
        }
        else
        {
    		setApMode(); //Call the AP configure mode
    
    		/* Host driver starts the network processor */
    		result = sl_Start(NULL, NULL, NULL);
    		if (result < 0) {
    			System_abort("Could not initialize SimpleLink Wi-Fi");
    		}
    		/*   Configure the DHCP server and start */
    		SlNetAppDhcpServerBasicOpt_t dhcpParams;
    		_u8 outLen = sizeof(dhcpParams);
    		dhcpParams.lease_time      = 4096;                         // lease time (in seconds) of the IP Address
    		dhcpParams.ipv4_addr_start =  SL_IPV4_VAL(192,168,3,10);   // first IP Address for allocation. IP Address should be set as Hex number - i.e. 0A0B0C01 for (10.11.12.1)
    		dhcpParams.ipv4_addr_last  =  SL_IPV4_VAL(192,168,3,16);   // last IP Address for allocation. IP Address should be set as Hex number - i.e. 0A0B0C01 for (10.11.12.1)
    		sl_NetAppStop(SL_NET_APP_DHCP_SERVER_ID);                  // Stop DHCP server before settings
    		sl_NetAppSet(SL_NET_APP_DHCP_SERVER_ID, NETAPP_SET_DHCP_SRV_BASIC_OPT, outLen, (_u8* )&dhcpParams);  // set parameters
    		sl_NetAppStart(SL_NET_APP_DHCP_SERVER_ID);                 // Start DHCP server with new settings
    
    		//Wait for station to connect
    		while((deviceConnected != true) || (ipLeased != true))
    		{
    			// Toggle LEDs to Indicate Connection Progress
    			GPIO_write(Board_LED1, Board_LED_ON);
    			Task_sleep(50);
    			GPIO_write(Board_LED1, Board_LED_OFF);
    			Task_sleep(50);
    		}
    		wifi_icon = true;
        }
    
        /* pass back the handle to our WiFi device */
        return ((void *)handle);
    }
    setStationMode.txt
    /*
     *  ======== setStationMode ========
     *  Sets the SimpleLink Wi-Fi in station mode and enables DHCP client
     */
    void setStationMode(void) {
    
        int           response;
    
        unsigned char param; /* Used with the DHCP client config below; declared unconditionally because it is used unconditionally */
    
        mode = sl_Start(0, 0, 0);
        if (mode < 0)
        {
            System_abort("Could not initialize SimpleLink Wi-Fi");
        }
    
        /* Change network processor to station mode */
        if (mode != ROLE_STA) //if not in STA mode
        {
            sl_WlanSetMode(ROLE_STA); //Set Mode
    
            /* Restart network processor */
            sl_Stop(0xFF);	//Stop processor
            mode = sl_Start(0, 0, 0);	//Restart and get Mode
            if (mode != ROLE_STA)	//if not STA Abort
            {
                System_abort("Failed to set SimpleLink Wi-Fi to Station mode");
            }
            sl_Stop(0XFF); //Stop processor
        }
    
        sl_WlanDisconnect();
    
        response = sl_WlanPolicySet(SL_POLICY_CONNECTION,SL_CONNECTION_POLICY(1,0,0,0,0),NULL,0);
        if(response < 0) {
            System_abort("Could not set policy");
        }
        response = sl_WlanProfileDel(0xFF);
        if(response < 0) {
            System_abort("Could not delete profiles");
        }
    
    
        /* Enable DHCP client */
        param = 1;
        response = sl_NetCfgSet(SL_IPV4_STA_P2P_CL_DHCP_ENABLE, 1, 1, &param); //Config WiFi as station with dynamic IP address
        if(response < 0) {
            System_abort("Could not enable DHCP client");
        }
    
    
        sl_Stop(10);
    
        /* Set connection variables to initial values */
        deviceConnected = false;
        ipAcquired = false;
    }
    

  • Hi Kevin,

    It's great to hear that you got the EAP connection working on the CC3200.

    As for the remaining RTOS issue you are seeing, did you ensure you are calling VStartSimpleLinkSpawnTask() and ensuring that it has a high priority? That will start a task to handle async events from the CC3200, including the wlan events needed for connection to your AP.

    Are you creating the RTOS project from scratch, or is your project based off of an existing example in the SDK? I suggest you take a look at an RTOS SDK example, such as the idle_profile example to see what modifications you have to make for RTOS projects, or simply use that as the base of your RTOS project.

    Regards,

    Michael

  • Hi Michael,

    My app is based on the tcpEchoCC3X00_CC3200_LAUNCHXL_TI_CC3200, TI-RTOS example and the code is pretty much char for char for the station mode setup.  My define variable names vary some.  "USER_ID" as opposed to "USER_NAME".

    My app also has 2 other tasks running, one is an I2C task that queries a sensor set and updates an OLED display and the second is a UART "heartbeat" task that spits out the last read sensor readings.  The code for these 2 tasks was taken from their respective TI-RTOS examples. The TCP task has the highest priority of the 3 tasks.

    I've defined the 3 tasks both with discrete code in the main function and within the .cfg file interface, both methods work.

    My app has 3 possible network configs: AP Mode - connect directly to it, Non-Enterprise STA Mode - to a "home" router and Enterprise STA Mode - connect to the corporate system.  The AP and Non-ENT Modes will connect in their respective manner, the ENT continues to sit and wait for a connection or an ip acquired interrupt.  I've shut down the I2C and UART tasks, leaving the TCP task as the only thing running and there was no change in the response.

    I have independently loaded tcpEchoCC3X00_CC3200_LAUNCHXL_TI_CC3200 with the SmartConnect commented out and a sl_WlanConnect command with the enterprise params and the Non-OS "ent_wlan" example from the SDK.  Both will connect in all 3 configs.

    It's kind of frustrating, out of 6 configs over 3 different codes only the one you really need to work is the one that doesn't.

    Any more insights are welcome, you've been a great help.

    Kevin

  • Hi Michael,

    I think we can close this thread out.  I took a clean copy of the TI-RTOS tcpEchoCC3X00_CC3200_LAUNCHXL_TI_CC3200 example, made sure it connected and then added my I2C task to the code.  Everything is working.

    One last question.  Does the "ConfigureSimpleLinkToDefaultState" function need to be run before doing any other STA or AP config?  My original code does not have the function.

    Thanks for all the help,

    Kevin