
CC3200MOD: how to connect wifi enterprise mode without certification files.

Part Number: CC3200MOD
Other Parts Discussed in Thread: CC3200

Hello Experts,

My customer is developing equipment that supports wifi enterprise mode.

They are developing with the CC3200MOD, and they would like to know if the CC3200MOD supports Wi-Fi enterprise mode without a certificate.

They confirmed that, in the test environment below, it is connected to enterprise mode without a certificate.

- RADIUS server: TLS 1.2, WPA2-ENT (no certification)
- Smartphone (Samsung): PEAP, fixed IP

1. I attached the NWP LOG, but the text seems to be corrupted, can you check the log?

RN400_NWP.log

2. Please let me know how to connect to enterprise mode without a certificate on the CC3200MOD.

3. Is there a limit on the TLS version when using Wi-Fi enterprise mode without a certificate on the CC3200?

Thanks,

best regards,

Robin.

  • Hi Robin,

    1. For analysing the NWP log, please wait for an answer from TI, because I don't have a tool for analysing NWP logs. But the structure of the log file seems to be correct.

    2. The following EAP PEAP methods should work without certificates: SL_ENT_EAP_METHOD_PEAP0_MSCHAPv2, SL_ENT_EAP_METHOD_PEAP0_PSK, SL_ENT_EAP_METHOD_PEAP1_MSCHAPv2, SL_ENT_EAP_METHOD_PEAP1_PSK. But an uploaded CA file for RADIUS server verification is still required. This verification can be disabled, but on newer devices (CC3220 and CC3235).

    3. EAP on CC3200 devices supports only TLS 1.0. The same limitation applies to CC3220 and CC3235. Make sure that TLS 1.0 is enabled on the RADIUS server. Unfortunately, many companies have a policy that does not allow the use of TLS 1.0, and this widely limits the usage of EAP security on CC32xx devices.

    Jan

  • Hi,

    Just to add to Jan's response, TLS 1.0 is the only supported TLS version for enterprise, so please make sure it can be set accordingly.

    As for the NWP log, it starts OK but then crashes when I try to decode it. However, from the fragments of the log that are decodable, I can see that the wlanconnect() API you used is the regular one and not the EAP one (I can see it from the SL_OPCODE_WLAN_WLANCONNECTCOMMAND instead of SL_OPCODE_WLAN_WLANCONNECTEAPCOMMAND). To use the EAP one, you need to fill the enterprise structure. See the NWP guide, chapter 8.1.2 (https://www.ti.com/lit/ug/swru368c/swru368c.pdf?ts=1687757295886&ref_url=https%253A%252F%252Fwww.google.com%252F).

    Shlomi

  • Robin, Thanks for asking the issue. 

  • Shlomi,

    Thanks for your decoding.

    I have a question about this secure environment.

    The log file was captured with these parameters (SlSecParams_t, SlSecParamsExt_t).

    We set the params below before calling sl_WlanConnect():

    SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH  = 1, (without Certificate)

    EapMethod = SL_ENT_EAP_METHOD_PEAP0_MSCHAPv2,

    AnonUserLen = 0

    type = SL_SEC_TYPE_WPA_ENT

    key = *** (radius ID)

    user=*** (radius pw)

    Question

    1. I'm not sure about SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH.

       Was it correct? Does "1" mean no certificate in WPA ENT?

    2. For no certificate file in WPA-ENT, I removed all the certificate files (CA.PEM, Client.pem, private.key) in the NWP filesystem.

       Is it correct? Or do I have to put dummy files?

  • Hi,

    What device do you use? Your first question states CC3200MOD, but the macro SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH is from the CC32xx SDK, which is NOT compatible with CC3200 devices. This SDK is for CC3220 and CC3235 devices.

    Jan

  • The configuration looks OK but from the partial NWP log it seems that the OPCODE used is for regular connection.

    You can look at the sl_WlanConnect() API implementation (under wlan.c) and see that if SlSecParamsExt_t is set, the OPCODE used is SL_OPCODE_WLAN_WLANCONNECTEAPCOMMAND. Can you double check or even step through the code and make sure it happens?

    This is the first step we need to understand before we continue.

    Did it ever work, or is this the first time you have tried an enterprise connection?

  • I'm using the CC3200MOD module. Oh... SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH is not for CC3200MOD.

    Then I have to remove sl_WlanSet(SL_WLAN_CFG_GENERAL_PARAM_ID, SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH, 1, &pValues);

    Thanks

  • Hi,

    That line should not be possible to compile unless you are using the CC32xx SDK, which is not compatible with CC3200MOD. You should not use the CC32xx SDK for a CC3200 device.

    Jan

  • Shlomi,

    WPA-Enterprise with a certificate file is working fine. But without a certificate file, we could not make it work.

    First of all, I will double check the code if there is any change to have normal connection.

    But do I have to remove the cert files in the NWP file system, or use dummy files?

  • Actually, this API was added as a patch so it should be valid.

    It may be confusing but in order to disable the check you need to set it to value 0.

    param = 0; /* 0 means disable the server authentication */
    Status = sl_WlanSet(SL_WLAN_CFG_GENERAL_PARAM_ID, SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH, 1, &param);

    If I am not mistaken, at least the rootCA file is required (could be a dummy file) and the other files are not required.

  • Hi Shlomi,

    Thanks for the update, I didn't know this. Maybe the documentation for CC3200 should be updated...

    btw ... the macro in the CC32xx SDK is WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH, not SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH.

    Jan

  • OK, thanks for the information.

    For the SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH param:

    0: Disable the server authentication (without server cert file).

    1: Enable the server authentication (with server cert file).

    // Conditions for connecting WPA-ENT (no cert file) on CC3200MOD.

    1. SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH is "0".

    2. A dummy ca.pem (root CA file) should exist in the NWP for connecting WPA-ENT (no cert file).

    3. TLS 1.0 needs to be enabled on the RADIUS server.

    Are there any other options for WPA-ENT (no cert file)?

  • No additional settings are required. WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH is the right define, as Jan mentioned.

    With this, you need to see that the connection attempt is for enterprise and not a regular connection (hopefully).
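
The point made in the replies above (a connect issued without the extended parameters goes out as a regular connect rather than the EAP one) as a host-side check to run before sl_WlanConnect(). This is an added example, not code from the thread or from TI's SDK. The struct layouts, the two constant values and the names connect_cmd_for, ent_preflight and fill_peap are assumptions made so it builds off-target.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins modelled on the CC3200 SimpleLink host driver so the check builds
 * off-target; on the device include "simplelink.h" instead. The field layout
 * and the two constant values below are assumptions, not SDK code. */
typedef struct { unsigned char Type; signed char *Key; unsigned char KeyLen; } SlSecParams_t;
typedef struct {
    signed char *User;     unsigned char UserLen;
    signed char *AnonUser; unsigned char AnonUserLen;
    unsigned char CertIndex;
    unsigned long EapMethod;
} SlSecParamsExt_t;
#define SL_SEC_TYPE_WPA_ENT              5u  /* placeholder value */
#define SL_ENT_EAP_METHOD_PEAP0_MSCHAPv2 1u  /* placeholder value */

typedef enum { CMD_WLANCONNECT, CMD_WLANCONNECT_EAP } connect_cmd_t; /* hypothetical */
enum { ENT_OK = 0, ENT_NO_EXT = 1, ENT_NOT_ENT_TYPE = 2, ENT_NO_USER = 4, ENT_NO_KEY = 8 };

/* Rule described in the thread: the EAP command goes out only when the
 * extended (enterprise) parameters are passed to sl_WlanConnect(). */
connect_cmd_t connect_cmd_for(const SlSecParamsExt_t *ext)
{
    return ext ? CMD_WLANCONNECT_EAP : CMD_WLANCONNECT;
}

/* Hypothetical pre-flight: bitmask of reasons the request is not a usable
 * enterprise connect. Assumes Key carries the password, User the identity. */
int ent_preflight(const SlSecParams_t *sec, const SlSecParamsExt_t *ext)
{
    int err = ENT_OK;
    if (connect_cmd_for(ext) != CMD_WLANCONNECT_EAP) err |= ENT_NO_EXT;
    if (!sec || sec->Type != SL_SEC_TYPE_WPA_ENT)    err |= ENT_NOT_ENT_TYPE;
    if (!sec || !sec->Key || sec->KeyLen == 0)       err |= ENT_NO_KEY;
    if (ext && (!ext->User || ext->UserLen == 0))    err |= ENT_NO_USER;
    return err;
}

/* Fill both structures for PEAP0/MSCHAPv2 with no anonymous identity. */
void fill_peap(SlSecParams_t *sec, SlSecParamsExt_t *ext, char *user, char *pass)
{
    memset(ext, 0, sizeof *ext);
    sec->Type = SL_SEC_TYPE_WPA_ENT;
    sec->Key = (signed char *)pass;  sec->KeyLen = (unsigned char)strlen(pass);
    ext->User = (signed char *)user; ext->UserLen = (unsigned char)strlen(user);
    ext->EapMethod = SL_ENT_EAP_METHOD_PEAP0_MSCHAPv2;
}
```

A non-zero result from ent_preflight() before the connect call points at the same symptom the NWP log showed: the request would not be sent as an enterprise connection.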