CC3235SF: What are the exact requirements for EAP-TLS Certificates and Keys?

Part Number: CC3235SF
Other Parts Discussed in Thread: CCSTUDIO, UNIFLASH

Tool/software:

We want to connect the CC3235SF to a WPA-Enterprise EAP-TLS Wi-Fi. We have set up a FreeRadius server and can connect successfully from different systems (e.g. from Linux machines) so we believe the FreeRadius setup is correct. But when we try to connect the CC3235SF, it sends a "Bad Certificate" alert after it has received the "Server Hello" with the server certificate(s). On the CC3235SF, we get a "SL_WLAN_EVENT_DISCONNECT" with a ReasonCode of "SL_WLAN_DISCONNECT_UNSPECIFIED" which is not helpful at all.

So, why is there a "Bad Certificate" alert, and what is wrong with which certificate? What are the exact requirements that the certificates and keys for a successful EAP-TLS connection need to fulfill?

For further investigation, I attach the three certificate/key files that we deploy on the CC3235SF as well as the Wireshark capture of the communication.

2024-07-05-bad-certificate.pcapng.zip
1538.cert.zip

  • Hi,

    At the beginning few important things:

    • Have you enabled TLS 1.0 on the FreeRADIUS server? The CC3235 supports only TLS 1.0. TLS 1.0 is disabled by default on the FreeRADIUS server. You need to set the option tls_min_version = "1.0" in mods-enabled/eap.
    • Which CC32xx SDK version do you use? Have you uploaded the latest ServicePack to sFlash?
    • It seems that you have two certificates in the file client.der. Please use only one certificate in this file.
    • Have you uploaded the CA, certificate and private key to the right paths in the filesystem (/sys/cert/private.key, /sys/cert/client.der, /sys/cert/ca.der)?
    • Make sure that you have set the proper time in the CC32xx RTC or disabled validation against the CA file (set via the appropriate sl_ API).

    Jan

    • TLS 1.0 is enabled; this can be verified in the Wireshark capture.
    • According to the ccstudio project settings, the CC32xx SDK version is "cc32xx_sdk_7_10_00_13". For the ServicePack, we have enabled the "Use ServicePack from SDK" option in "image.syscfg".
    • Since we do not know how it is supposed to be, we have added the full certificate chain in "client.der". But we can also change this. I have tested it again and it fails in the same way.
    • The CA certificate, client certificate and client key are located in the right path in the userFiles directory in the project, so they should be uploaded automatically.
    • The time is set correctly. If it was set incorrectly, it would fail with "SL_WLAN_DISCONNECT_CERTIFICATE_EXPIRED" instead.

    For the test with the new files, I have captured the communication again. I upload the capture and the files.

    userFiles-and-wireshark-capture.zip

  • Hi,

    • From the provided information I am not able to determine why your authentication with the RADIUS server is failing. I did not dig deeply into your certificates, but from a quick look the certificates look OK. You have RSA 2048, which should be OK even without an uploaded ServicePack (support for RSA4096 for EA was added in SDK version 3.30). Do you see any error in the FreeRADIUS server log? To eliminate other possible issues, can you test with EAP-PEAPv0-MSCHAPv2? To eliminate a potential issue with the CA file, you can test with the CA disabled like this:
      caDis = 0;
      retVal = sl_WlanSet(SL_WLAN_CFG_GENERAL_PARAM_ID, SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH, 1, &caDis);
    • You can validate that the CA, certificate and private key are properly uploaded to the filesystem using the Uniflash software.
    • The ServicePack version can be validated using the sl_ API call sl_DeviceGet() with options SL_DEVICE_GENERAL -> SL_DEVICE_GENERAL_VERSION.

    Jan
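To check the files against the requirements named in the thread (exactly one DER certificate in client.der, the device RTC set by sl_DeviceSet lying inside the certificate's validity period, and the RSA 2048 vs. RSA4096/SDK 3.30 ServicePack note), here is an added example that is not part of this thread or of the TI SDK: a small standard-library-only DER walker. The certificate it builds for itself is constructed test data (unsigned, with empty names), and the finding texts and the `rsa4096_supported` flag are my own assumptions.

```python
from datetime import datetime, timezone
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def der_children(buf):  # split a DER byte string into its top-level (tag, value) elements
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low 7 bits give the number of length octets
            length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def describe(cert):  # -> (not_before, not_after, is_rsa, modulus_bits) of one DER certificate body
    f = der_children(der_children(cert)[0][1])           # TBSCertificate fields
    f = f[1:] if f[0][0] == 0xA0 else f                   # skip the explicit [0] version
    nb, na = [datetime.strptime(v.decode(), "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ")
              .replace(tzinfo=timezone.utc) for t, v in der_children(f[3][1])]
    alg, key = der_children(f[5][1])  # SPKI; key BIT STRING = unused-bits byte + SEQUENCE { n, e }
    is_rsa = der_children(alg[1])[0][1] == RSA_OID
    modulus = der_children(der_children(key[1][1:])[0][1])[0][1] if is_rsa else b""
    return nb, na, is_rsa, int.from_bytes(modulus, "big").bit_length()

def check_client_der(data, rtc, rsa4096_supported=False):
    """Checks from the thread: exactly one DER cert in client.der, the device RTC
    (y, m, d, H, M, S as passed to sl_DeviceSet) inside validity, key size. Empty list = OK."""
    now = datetime(*rtc, tzinfo=timezone.utc)
    objs = der_children(data)
    findings = [] if len(objs) == 1 else [f"client.der holds {len(objs)} DER objects, expected exactly one"]
    nb, na, is_rsa, bits = describe(objs[0][1])
    if not nb <= now <= na:
        findings.append(f"device RTC {now:%Y-%m-%d} is outside validity {nb:%Y-%m-%d}..{na:%Y-%m-%d}")
    if is_rsa and bits > 2048 and not rsa4096_supported:
        findings.append(f"RSA-{bits} key needs the SDK 3.30+ ServicePack")
    return findings

def tlv(tag, val):  # tiny DER encoder, only used to build the constructed sample below
    n = len(val)
    hdr = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + hdr + val

def sample_cert(not_before, not_after, modulus_bits=2048):
    """Constructed, unsigned but structurally valid X.509 v3 certificate (test data, not a real cert)."""
    rsa = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    n = (1 << (modulus_bits - 1)) | 1
    pub = tlv(0x30, tlv(0x02, b"\x00" + n.to_bytes(modulus_bits // 8, "big")) + tlv(0x02, b"\x01\x00\x01"))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + rsa + tlv(0x30, b"")
           + tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after)) + tlv(0x30, b"")
           + tlv(0x30, rsa + tlv(0x03, b"\x00" + pub)))
    return tlv(0x30, tlv(0x30, tbs) + rsa + tlv(0x03, b"\x00" * 9))
```

Run it on the real file with `check_client_der(open("client.der", "rb").read(), (2024, 7, 11, 12, 0, 0))`; a PEM file (starting with "-----BEGIN") will not parse at all, which is itself a finding since the CC32xx expects DER.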

  • I just found out the weirdest thing: Replacing the userFiles in ccstudio and flashing the board does not seem to replace the files on the board. Instead, I need to delete the userFiles (certificates/keys), flash the board, put the new userFiles in the file system and flash the board again.

    After uploading the correct files like this, the connection procedure fails with a FatalErrorEvent. The SlDeviceFatal_t.Id is 1, i.e. SL_DEVICE_EVENT_FATAL_DEVICE_ABORT. Any idea what that could mean? How can I further investigate the abort reason?

    Nevertheless, I want to respond to your comments:

    • Currently, we do not have a PEAPv0-MSCHAPv2 setup so we will have to look into that, if a test is possible. What insights could be gained from that test?
    • We have tested with enabled and disabled CA checking. Btw, caDis needs to be 1 to disable server authentication, at least according to the documentation.
    • In Uniflash, we cannot download the certificates/keys again because the files are protected and Uniflash asks for a token. Where can we get the right token?

    Checking the ServicePack version yields:

    CHIP 823132185
    MAC 31.3.7.0.1
    PHY 3.1.0.26
    NWP 4.13.0.2
    ROM 8738
    HOST 3.0.1.71

  • Hi,

    Hard to say why you see a fatal abort of the NWP. For more details it will be necessary to capture the NWP log (see SWRU455 chapter 20). Unfortunately I don't have a tool for decoding the NWP log. You will need to wait for an answer from the TI side.

    • By testing with PEAPv0-MSCHAPv2 I want to validate that EAP authentication works properly with the RADIUS server in your case. And we will be sure that the culprit is your certificates.
    • No. caDis needs to be set to 0. There is a mistake in the documentation. TI knows about this issue in the documentation, but don't ask me why they are not updating the documentation.
    • Please create the file as secure with a vendor token (you will choose your own token). After that you will be able to manipulate this file with Uniflash or from your code using sl_ API calls.
    • You have uploaded the right ServicePack to the device.

    Jan

  • Where and how can we "create file as secure with vendor token"?

    For the other parts: I am really out of ideas here. Will there be any support from TI's side? We see the device aborting but we have no idea why.

  • Hi,

    For a deeper understanding of why you see the NWP abort, it will be necessary to capture the NWP log. There is no other option. Once you have captured the NWP log, you can upload the binary file to this thread.

    Please create and upload your certificate file(s) using Uniflash. You can use unsecured files or secured files with a vendor token (check Secure, check Vendor and enter the number of your token).

    Jan

  • Hi Tobee,

    For more information on how to create files with tokens please reference the Network Processor guide Section 8.

    https://www.ti.com/lit/ug/swru455m/swru455m.pdf

    In reference to the Abort error, could you share how you are setting up your device and initiating the connection? Maybe share your code if possible, or pseudo-code it. Also, if you can send the NWP logs I can take a look at the error. If you need help getting the logs set up, please let me know.

    Best,

    Rogelio

    • When ccstudio uploads the certificates/key files, which token(s) does it use?
    • We will remove customer-specific parts from the firmware and share it afterwards.

  • I will post the code of our Connect_To_Wlan function and upload the NWP logs. In the main loop, we just run the ProcessEvents function and output some event/error logging:

    #include <stdint.h>
    #include <string.h>
    #include <ti/drivers/net/wifi/simplelink.h>   /* sl_ API, SlDeviceVersion_t, SlWlanSecParams_t, ... */

    /* printf-style logging helper from our own project, defined elsewhere */
    void Term_write(const char *fmt, ...);

    void Connect_To_Wlan(void)
    {
        char *ssid = "RADIUSTEST";
        char *key = "";                     /* no pre-shared key for WPA-Enterprise */
        char *user = "user@example.org";    /* EAP identity */
        char *anon_user = "";               /* outer (anonymous) identity, left empty */

        int16_t status;

        /* Read back chip/firmware/ServicePack versions (SL_DEVICE_GENERAL -> SL_DEVICE_GENERAL_VERSION) */
        SlDeviceVersion_t ver;
        _u8 pConfigOpt = SL_DEVICE_GENERAL_VERSION;
        _u16 pConfigLen = sizeof(ver);
        status = sl_DeviceGet(SL_DEVICE_GENERAL, &pConfigOpt, &pConfigLen, (_u8 *)(&ver));
        if (status) {
            Term_write("sl_DeviceGet failed with error: %d\n\r", status);
        } else {
            Term_write("sl_DeviceGet ok\n");
            Term_write("CHIP %d\nMAC 31.%d.%d.%d.%d\nPHY %d.%d.%d.%d\nNWP %d.%d.%d.%d\nROM %d\nHOST %d.%d.%d.%d\n",
                       ver.ChipId,
                       ver.FwVersion[0], ver.FwVersion[1], ver.FwVersion[2], ver.FwVersion[3],
                       ver.PhyVersion[0], ver.PhyVersion[1], ver.PhyVersion[2], ver.PhyVersion[3],
                       ver.NwpVersion[0], ver.NwpVersion[1], ver.NwpVersion[2], ver.NwpVersion[3],
                       ver.RomVersion,
                       SL_MAJOR_VERSION_NUM, SL_MINOR_VERSION_NUM, SL_VERSION_NUM, SL_SUB_VERSION_NUM);
        }

        /* Enterprise server (CA) authentication switch */
        _u8 param = 0; // 1 means disable the server authentication
        status = sl_WlanSet(SL_WLAN_CFG_GENERAL_PARAM_ID, SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH, 1, &param);
        if (status) {
            Term_write("sl_WlanSet failed with error: %d\n\r", status);
        } else {
            Term_write("sl_WlanSet ok\n");
        }

        /* Set the RTC so that certificate validity periods can be checked */
        SlDateTime_t dateTime = {0};
        dateTime.tm_day  = (_u32)11;
        dateTime.tm_mon  = (_u32)7;
        dateTime.tm_year = (_u32)2024;
        dateTime.tm_hour = (_u32)12;
        dateTime.tm_min  = (_u32)00;
        dateTime.tm_sec  = (_u32)00;
        status = sl_DeviceSet(SL_DEVICE_GENERAL, SL_DEVICE_GENERAL_DATE_TIME, sizeof(SlDateTime_t), (_u8 *)(&dateTime));
        if (status) {
            Term_write("sl_DeviceSet failed with error: %d\n\r", status);
        } else {
            Term_write("sl_DeviceSet ok\n");
        }

        /* Connect WPA-Enterprise, see SimpleLink Wi-Fi CC3x20, CC3x3x Network Processor (Rev. M) User Guide page 76 */
        SlWlanSecParams_t SecParams = {0};        /* zero-initialised so no field is left undefined */
        SlWlanSecParamsExt_t SecExtParams = {0};  /* CertIndex and the rest default to 0 */
        SecParams.Type = SL_WLAN_SEC_TYPE_WPA_ENT;
        SecParams.Key = (_i8 *)key;
        SecParams.KeyLen = strlen(key);
        SecExtParams.User = (_i8 *)user;
        SecExtParams.UserLen = strlen(user);
        SecExtParams.AnonUser = (_i8 *)anon_user;
        SecExtParams.AnonUserLen = strlen(anon_user);
        SecExtParams.EapMethod = SL_WLAN_ENT_EAP_METHOD_TLS;
        status = sl_WlanConnect((_i8 *)ssid, strlen(ssid), 0, &SecParams, &SecExtParams);

        if (status) {
            Term_write("sl_WlanConnect failed with error: %d\n\r", status);
        } else {
            Term_write("sl_WlanConnect ok\n");
        }
    }

    2024-07-11 14-44-17-cc3235sf-nwp-log.txt.zip

  • Thanks, give me some time to look through the logs.

    Best,

    Rogelio