CC3100MOD: bin file(/tmp/pac.bin) stored in serial flash

Part Number: CC3100MOD
Other Parts Discussed in Thread: UNIFLASH, CC3100

Hi,

SDK version: 1.2.0

servicepack version: 1.0.1.6-2.6.0.5

ENT_SEC_METHOD_: SL_ENT_EAP_METHOD_FAST_UNAUTH_PROVISIONING

 

I tried to use CC3100MOD to connect to AP through EAP-FAST-MSCHAPv2 including phase 0 auto-provisioning support.

At the beginning, I checked the serial flash of the CC3100MOD and made sure there was no file (/tmp/pac.bin) in the flash using CCS UniFlash (v3.4.1).

The file (/tmp/pac.bin) appeared in the flash after I succeeded in connecting to the AP.

I thought that is the protected access credential (PAC) generated in phase 0 of EAP-FAST.

 

The PROBLEM is:

1. If I changed the username of (SlSecParamsExt_t eapParams), which is also legal in the user list of the RADIUS server, I failed to connect to the AP.

And the error message is: MSCHAP username does not match inner method EAP-Response/Identity.

 

2. Therefore, I tried to use the File System API:

sl_FsDel((_u8 *)"/tmp/pac.bin", NULL) to delete the file (/tmp/pac.bin) in the flash. But it always returns SL_FS_ERR_TOKEN_IS_NOT_VALID(-50).

 

3. If I used the api:

sl_FsOpen((_u8 *)"/tmp/pac.bin", FS_MODE_OPEN_CREATE( 4096, _FS_FILE_OPEN_FLAG_COMMIT|_FS_FILE_PUBLIC_WRITE ), NULL, &fileHandle )

to create the file first before connecting to the AP, then I did have the right to modify this file. But if I let this file be created by CC3100MOD itself, I could not modify the file at all. It always returns SL_FS_ERR_TOKEN_IS_NOT_VALID(-50).

            

 

  • Hello,

    The PAC file is internal secured file and it is not accessible to the user.

    Are you saying that you successfully connect to a radius server with EAP-FAST and then change the user/pass which fails?

    Are you also changing the user/pass on the host to reflect the change in the radius server?

    Regards,

    Shlomi

  • Hi Shlomi,

    Yes. For example, if the PAC file doesn't exist in the flash of CC3100MOD, I can connect to a radius server with EAP-FAST by user 1. Under the same configuration, I just changed to user 2 and then I failed to establish connection to the radius server. It could reflect this change in the radius server.

    If I create a PAC file on my own which is empty and accessible to write, I still can connect to the radius server. After that, I can find that the PAC file is modified by CC3100MOD.

    If I want to connect to the radius server with user 2, I just delete the file and create a new empty one, and I succeed in connecting to the radius server.

    If the PAC file is created by CC3100MOD during the authentication process, then the PAC file is not accessible to me.

    Therefore, I want to know the correct way to use CC3100MOD with EAP-FAST.

    Best,

    Weiyi

  • Hello,

    The PAC file should be created automatically and managed by the device.

    I need to investigate internally why changing the user/pass on the radius side does not update this file.

    Just to make sure, you are changing the user/pass on the CC3100 side as well?

    Additionally, when you say you create an empty file, what flags are you using for the file open?

    Regards,

    Shlomi

  • Hi Shlomi,

    Yes, I change the user/pass on the CC3100 side as well.

    _FS_FILE_OPEN_FLAG_COMMIT -> for fail safe
    _FS_FILE_PUBLIC_WRITE -> for public write without token

    The two flags above are used for file open.

    Regards,

    Weiyi
  • Hello Weiyi,

    I understand, and it needs to be taken with R&D to understand if this is a bug and, if so, how to repair it.

    Please note though that the current generation has 2 limitations that relate to your use case:

    1. enterprise security is not supported as part of WFA (as a result of a missing feature)
    2. secured file system is also not supported. As you probably noticed, all security related file system is deprecated from Uniflash and should also not be used with file system API

    Having said that, I can recommend just for the test that you create your pac file with the security flag, i.e. _FS_FILE_OPEN_FLAG_SECURE. Also, please capture the master token and use it when you want to erase the file.

    Regards,

    Shlomi

  • Hi Shlomi,

    Thanks for your answer !

    By the way, do you suggest creating the pac file with the security flags (_FS_FILE_OPEN_FLAG_SECURE and _FS_FILE_OPEN_FLAG_NO_SIGNATURE_TEST) at the same time?

    Regards,

    Weiyi
  • Hello Weiyi,

    Basically you should go with _FS_FILE_OPEN_FLAG_COMMIT, _FS_FILE_OPEN_FLAG_SECURE, FS_FILE_OPEN_FLAG_NO_SIGNATURE_TEST and _FS_FILE_PUBLIC_WRITE under the flags. This is just like the flags used for the servicepack file.

    In this mode, you should be able to write to this file with no token. You could also erase it if you capture the token returned to you upon first creation.

    Regards,

    Shlomi
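
The create-then-erase sequence described in the reply above, as an added example that is not part of the original thread and is not TI's code; the reply offers this flag set for testing only. The definitions in the first section are constructed host-side stand-ins (placeholder flag values, a one-file mock that models only the token behaviour reported in this thread), and `pac_create`, `pac_erase` and `pac_token` are hypothetical names.

```c
#include <stddef.h>

/* Constructed host-side stand-ins so the sequence runs off-target; on a CC3100
 * build drop this section and include "simplelink.h". Flag values are
 * placeholders, and the mock models only what the thread reports: a secure
 * file cannot be deleted without its token (-50). */
typedef unsigned char _u8; typedef unsigned int _u32;
typedef int _i32; typedef short _i16;
#define _FS_FILE_OPEN_FLAG_COMMIT            0x01u
#define _FS_FILE_OPEN_FLAG_SECURE            0x02u
#define _FS_FILE_OPEN_FLAG_NO_SIGNATURE_TEST 0x04u
#define _FS_FILE_PUBLIC_WRITE                0x20u
#define FS_MODE_OPEN_CREATE(size, flags)     ((_u32)(flags))
#define SL_FS_ERR_TOKEN_IS_NOT_VALID         (-50)
static struct { int exists, secure; _u32 token; } mock;   /* one-file mock */

static _i32 sl_FsOpen(const _u8 *n, _u32 mode, _u32 *tok, _i32 *h) {
    (void)n;
    mock.exists = 1;
    mock.secure = (mode & _FS_FILE_OPEN_FLAG_SECURE) != 0;
    mock.token = 0x5EC0DE01u;                 /* constructed token value */
    if (tok) *tok = mock.token;
    *h = 1;
    return 0;
}
static _i16 sl_FsClose(_i32 h, const _u8 *c, const _u8 *s, _u32 l) {
    (void)h; (void)c; (void)s; (void)l; return 0;
}
static _i16 sl_FsDel(const _u8 *n, _u32 tok) {
    (void)n;
    if (!mock.exists) return -1;              /* mock: nothing to delete */
    if (mock.secure && tok != mock.token) return SL_FS_ERR_TOKEN_IS_NOT_VALID;
    mock.exists = 0;
    return 0;
}

/* ---- the sequence from the reply above ---- */
#define PAC_FILE ((const _u8 *)"/tmp/pac.bin")
static _u32 pac_token;   /* keep this: the reply says it is returned on creation */

_i32 pac_create(void) {  /* pre-create the PAC file before the first connect */
    _i32 h, rc = sl_FsOpen(PAC_FILE, FS_MODE_OPEN_CREATE(4096,
        _FS_FILE_OPEN_FLAG_COMMIT | _FS_FILE_OPEN_FLAG_SECURE |
        _FS_FILE_OPEN_FLAG_NO_SIGNATURE_TEST | _FS_FILE_PUBLIC_WRITE),
        &pac_token, &h);
    return rc < 0 ? rc : sl_FsClose(h, NULL, NULL, 0);
}
_i32 pac_erase(void) {   /* erase with the captured token, e.g. before changing user */
    return sl_FsDel(PAC_FILE, pac_token);
}
```

On a device the token has to survive a reset to remain useful, so the application would need to store it somewhere persistent; that storage is outside this sketch.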

  • Hello,

    Any update on the post?

    Regards,
    Shlomi

  • Hello,

    I am closing the thread. If the issue still exists or you have further related doubts, please open a new thread and add a link to this one for reference.

    Regards,
    Shlomi