ent_wlan example - certs and key

Other Parts Discussed in Thread: CC3200

I'm trying to get the ent_wlan example to work. Like many others, it goes into station mode but never authenticates. The network uses PEAP/MSCHAPv2. I have the service pack loaded on my CC3200.

Do I need to have all 3 files as listed in section 9.1.2.2 in the CC3200 User Guide: /cert/ca.pem, /cert/client.pem and /cert/private.key? 

I have the dummy ca.pem in flash that came with the service pack. I could put in our real root ca certificate instead if needed.

RSA Private Keys (/cert/private.key) are generated in pairs. To what server am I generating that key to share the public key with? The authenticating server? 

If my network isn't going to check for my client certificate, do I still need /cert/client.pem? If so, what should I use for that?

Was there an update to the ent_wlan example that was supposed to come with the service pack? I saw in this thread:

e2e.ti.com/.../1625512

That "disable server authentication" section is not in my example. I tried adding it but it didn't help either. 

  • An update:

    I found where the documentation for that section of code to disable server certificate verification is. I didn't see the PDF in the directory at first.

    I guess my main confusion comes from why I would need a client certificate (/cert/client.pem), and a private RSA key (/cert/private.key) if I'm using PEAP and MSCHAPv2 set up for user authentication? PEAP/MSCHAPv2 for user authentication doesn't require those, and they are not available for my network as a result. The client certificate (/cert/client.pem) never actually needs to exist outside of the Authenticating Server (RADIUS) in this case. So having a /cert/client.pem on my device at all just doesn't make any sense. Technically, the client certificate is tied to the user account in RADIUS.

    Having a private RSA key in my CC3200 device also does not make any sense for this. In my understanding of it, part of the reason people use PEAP with MSCHAPv2 is so that there is no need to manage private RSA keys on the clients. Between seeing the cert that the server sent, and knowing the username/password, the supplicant has all it needs to set up a secure encrypted tunnel. I understand that not every site is set up this way, but many are. It's a way to avoid having to manage private RSA keys for 8000 client machines. The server holds the one private key that only it knows. The public part was handed to the CC3200 supplicant already, and offered up for verification/accepting.

    I have put our real trusted root CA certificate on the flash as /cert/ca.pem. I'm not using the dummy file there. Do the other two files need to be there in order for the CC3200 to even try to connect? If so, why, and what should they be since they have no meaning in this context?
  • Has this been put in the too hard basket by TI? Any update would be appreciated.