
CC3200 WPA2 PEAP CA Certificate format

I'm attempting to get a CC3200 to connect to a WPA2 Enterprise WiFi network running FreeRADIUS, which does not require a user certificate. Upon installation, FreeRADIUS generates/provides a ca.pem certificate, which I have uploaded to the cert/ca.pem file on the CC3200. I am running the ent_wlan example code with:

eapParams.EapMethod = SL_ENT_EAP_METHOD_PEAP0_MSCHAPv2;
g_SecParams.Type = SL_SEC_TYPE_WPA_ENT;

Yet, when I try connecting, the radius logs show:

[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca  
TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.

The provided ca.pem file is already in base64 format, but includes several BEGIN and END sections. I believe I only need one of these sections, is that correct? I have tried two methods for transferring the provided ca.pem certificate into the correct format:

1. On the Linux machine, running the following command:

openssl x509 -inform PEM -in /etc/freeradius/certs/ca.pem -outform PEM -out ca.cer

This gives a file with only a single BEGIN and END with the base64 string between. I notice that the line ends have only a Line Feed character.

2. On Windows, opening the full ca.pem file, Details tab -> Copy to File... -> Base-64 encoded X.509 (.CER), which provides exactly the same file (single BEGIN-END section) as the openssl command above, *except* now the line ends have both Carriage Return & Line Feed characters.

I have tried uploading each of these to the CC3200, however I get the same radius log error regardless of which one I upload.

My questions:

1) Which type of line ending does the CC3200 expect in the ca.pem file, or doesn't it matter?

2) Is SL_ENT_EAP_METHOD_PEAP0_MSCHAPv2 the version which requires a password but not user certificate, and SL_ENT_EAP_METHOD_PEAP1_MSCHAPv2 the version which requires a user certificate? If so, I should be using the PEAP0 version since I'm not using a user cert, correct? In this case I don't need a client.pem on the CC3200, right?

Thanks for any assistance you may be able to provide!
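The two questions above (which block of a multi-section ca.pem to keep, and LF versus CRLF line endings) come down to splitting a PEM bundle and re-emitting one block canonically. The following script is an added example, not code from this thread or from TI: it splits a bundle into its BEGIN/END blocks, ignores anything that is not a CERTIFICATE block (the human-readable dump that precedes it, DH parameters, CRLs), checks that the decoded bytes form exactly one well-formed DER SEQUENCE, and writes the chosen certificate back out with 64-character lines and LF terminators. The sample bundle at the bottom is constructed (its "certificate" is a minimal DER SEQUENCE, not a real X.509 certificate) so the script runs offline.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line with a label, base64 body, matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def split_pem_blocks(text):
    """Return a list of (label, der_bytes) for every PEM block in `text`.

    Text outside the BEGIN/END lines (e.g. the 'Certificate:' dump openssl
    prepends) is ignored. A block whose body is not valid base64 raises
    ValueError instead of being silently skipped.
    """
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        # Drop CR and LF alike so CRLF (Windows) and LF (Linux) bundles decode the same.
        compact = re.sub(r"[\r\n]", "", body)
        try:
            der = base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"block {label!r} is not valid base64: {exc}") from exc
        blocks.append((label, der))
    return blocks


def der_outer_length_ok(der):
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length matches the bytes that follow. Handles short- and long-form
    lengths. Structural sanity check only, not certificate validation."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def to_pem(label, der, newline="\n"):
    """Re-encode DER as canonical PEM: 64-char lines, requested terminator."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [f"-----BEGIN {label}-----"]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return newline.join(lines) + newline


def extract_ca_certificate(bundle_text, index=0, newline="\n"):
    """Pick the `index`-th CERTIFICATE block from a bundle, skip any
    non-certificate blocks, verify it is one well-formed DER object and
    return it as PEM with the requested (default LF) line endings."""
    certs = [der for label, der in split_pem_blocks(bundle_text) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    der = certs[index]
    if not der_outer_length_ok(der):
        raise ValueError("certificate block is not a single well-formed DER SEQUENCE")
    return to_pem("CERTIFICATE", der, newline)


# Constructed sample bundle (not a real certificate): a text-dump preamble,
# a CERTIFICATE block holding SEQUENCE { INTEGER 1 }, and a DH PARAMETERS
# block holding SEQUENCE { INTEGER 5, INTEGER 10 }, all with CRLF endings.
_FAKE_DER = bytes.fromhex("3003020101")
_FAKE_DH = bytes.fromhex("300602010502010a")
SAMPLE_BUNDLE = (
    "Certificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n"
    + to_pem("CERTIFICATE", _FAKE_DER, "\r\n")
    + to_pem("DH PARAMETERS", _FAKE_DH, "\r\n")
)

if __name__ == "__main__":
    pem = extract_ca_certificate(SAMPLE_BUNDLE)
    print(pem, end="")
    print("contains CR:", "\r" in pem)
```

To use it on a real bundle, read /etc/freeradius/certs/ca.pem (or the Windows export) into `bundle_text`, call `extract_ca_certificate`, and write the result in binary mode so the LF endings are preserved. The DER check catches a block that was truncated or had lines dropped during copy-and-paste, which would otherwise surface only as a TLS failure on the device.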

  • Hi,

    We will check and get back to you.

    Regards,
    Gigi Joseph.
  • Hi Seth,

    1. The certificates we have worked with had only LF at the end of the lines.
    2. As far as I know, PEAP0 doesn't mean you don't need certificates. This depends on your security server configuration. If client authentication is required, then you will be required to provide a certificate in both PEAP0 and PEAP1.

    Thanks,
    Alon
  • Hi Seth,

    I am having this same problem. My Radius log shows the same error reporting.

    Did you ever get this working in your system? If you did can you share your solution?

    Best,
    Steve Smith
  • Hi Steve,

    Yes I did manage to get this working. I'll give you the steps I used. Note that I used an Ubuntu 14.04.2 64-bit VMware image for running FreeRADIUS, so your instructions may vary if you're using something else.

    FreeRADIUS Setup
    (Follow http://opentodo.net/2012/07/configuring-peap-authentication-with-freeradius/)

    1. Install freeradius:
    sudo apt-get install freeradius

    2. Edit EAP method:
    sudo nano /etc/freeradius/eap.conf
    Set the following line:
    default_eap_type = peap

    3. Adding new users:
    sudo nano /etc/freeradius/users
    Add to top of file:
    MyUsername Cleartext-Password := "MyPassword"

    4. Enabling and configuring mschap-v2 protocol:
    sudo nano /etc/freeradius/modules/mschap
    Set the following lines:
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes

    5. Reload new libraries:
    sudo ldconfig

    6. Add new radius clients (Access point):
    sudo nano /etc/freeradius/clients.conf
    Add to top of file:
    client 192.168.1.10 {
           secret = testing123
           shortname = NameOfAP
    }

    Note: the 192.168.1.10 IP address here should be set to the AP's IP address. The secret should match the one set on the access point.

    7. Certificate Stuff
    cd /usr/share/doc/freeradius/examples/certs
    sudo make

    sudo make client

    move client.key, client.pem, ca.pem, and server.pem as follows:

    sudo mv /usr/share/doc/freeradius/examples/certs/client.key /etc/freeradius/certs
    sudo mv /usr/share/doc/freeradius/examples/certs/client.pem /etc/freeradius/certs
    sudo mv /usr/share/doc/freeradius/examples/certs/ca.pem /etc/freeradius/certs
    sudo mv /usr/share/doc/freeradius/examples/certs/server.pem /etc/freeradius/certs

    Copy client.key, client.pem, and ca.pem to Windows (the host OS).

    Upload to the CC3200 using UniFlash (where client.key = private.key).

    8. Run FreeRADIUS
    sudo /usr/sbin/freeradius -X
    This should result in this message: "Ready to process requests."

    9. Run the ent_wlan example code in CCS:
    Use the following settings:
    [Line ~92]   #define ENT_NAME    "NetworkName"
                 #define USER_NAME   "MyUsername"        /* set user name */
                 #define PASSWORD    "MyPassword"        /* set password  */
    [Line ~619]  eapParams.EapMethod = SL_ENT_EAP_METHOD_PEAP0_MSCHAPv2;
                 g_SecParams.Type = SL_SEC_TYPE_WPA_ENT;

    This is the expected result from the terminal console from the CC3200 (115200 baud):

    Host Driver Version: 1.0.0.10
    Build Version 2.4.7.2.31.1.3.4.1.1.5.3.34
    Device is configured in default state
    Device started as STATION
    [WLAN EVENT] STA Connected to the AP: NetworkName , BSSID: 11:22:33:44:55:66
    [NETAPP EVENT] IP Acquired: IP=192.168.1.102 ,Gateway=192.168.1.1
    Connected!!!

    I'm not sure which of those steps is absolutely needed, as I mostly just followed the steps from that link and it works. I hope this helps, and good luck.

    -Seth
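Step 8 above watches the `freeradius -X` console for "Ready to process requests.", and the failing case at the top of the thread shows up in that same trace as a TLS alert line. As an added example that is not part of this thread or of FreeRADIUS, the script below walks a -X trace, records whether the server reached the ready state, and extracts each TLS alert with its level, the direction marker (`<<<` is a record FreeRADIUS read from the supplicant, `>>>` one it sent) and a short hint. Only `unknown_ca` appears in the thread; the other alert names are the standard TLS alert descriptions from RFC 5246 and are added here for completeness. The sample log is constructed from the lines quoted in the thread.

```python
import re

# Standard TLS alert descriptions (RFC 5246 section 7.2) with the usual cause
# when they appear in a PEAP trace. Only unknown_ca is from the thread above.
TLS_ALERT_HINTS = {
    "unknown_ca": "peer rejected the certificate chain: the CA it trusts does "
                  "not match the CA that signed the presented certificate",
    "bad_certificate": "certificate received but corrupt or malformed",
    "certificate_expired": "a certificate in the chain is outside its validity period",
    "certificate_unknown": "unspecified certificate problem",
    "handshake_failure": "no agreeable parameters (cipher/protocol mismatch)",
}

# e.g. "[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca"
_ALERT_LINE = re.compile(
    r"(?:(<<<|>>>)\s+)?TLS [\d.]+ Alert \[length [0-9a-fA-F]+\], (fatal|warning) (\w+)"
)
_READY_LINE = re.compile(r"Ready to process requests")


def classify_line(line):
    """Classify one -X trace line.

    Returns ("ready", None), ("tls_alert", details_dict) or (None, None).
    """
    if _READY_LINE.search(line):
        return ("ready", None)
    m = _ALERT_LINE.search(line)
    if m:
        direction, level, desc = m.group(1), m.group(2), m.group(3)
        # "<<<" is a record read from the supplicant, ">>>" one written to it.
        sent_by = {"<<<": "client", ">>>": "server"}.get(direction, "unknown")
        return ("tls_alert", {
            "level": level,
            "description": desc,
            "sent_by": sent_by,
            "hint": TLS_ALERT_HINTS.get(desc, "see RFC 5246 alert descriptions"),
        })
    return (None, None)


def summarize(log_lines):
    """Return {"server_ready": bool, "alerts": [details, ...]} for a trace."""
    summary = {"server_ready": False, "alerts": []}
    for line in log_lines:
        kind, info = classify_line(line)
        if kind == "ready":
            summary["server_ready"] = True
        elif kind == "tls_alert":
            summary["alerts"].append(info)
    return summary


# Constructed sample: the ready line from step 8 followed by the failure
# lines quoted at the top of the thread.
SAMPLE_LOG = [
    "Ready to process requests.",
    "[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca",
    "TLS Alert read:fatal:unknown CA",
    "    TLS_accept: failed in SSLv3 read client certificate A",
    "rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "SSL: SSL_read failed inside of TLS (-1), TLS session fails.",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("server ready:", result["server_ready"])
    for alert in result["alerts"]:
        print(f"{alert['level']} {alert['description']} sent by {alert['sent_by']}: {alert['hint']}")
```

Run against a saved trace (`sudo /usr/sbin/freeradius -X > trace.log`), the "sent_by: client" field on an `unknown_ca` alert tells you the supplicant, here the CC3200, is the side rejecting the chain, which points at the ca.pem on the device rather than at the server's own trust store.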

  • Hey Seth

    This was very useful. With your help I got my WPA2 Enterprise connection working. Thank you very much.

    Best,

    Steve