CC3120: Having trouble connecting to an enterprise network

Part Number: CC3120
Other Parts Discussed in Thread: CC3100

We are having trouble connecting to an enterprise network with the CC3120. This all works fine with the CC3100. Here is what I am seeing:

1) With a known good Server Root CA file, after I call sl_WlanConnect(), I get a SL_WLAN_EVENT_DISCONNECT event with reason code of 210 (SL_WLAN_DISCONNECT_CERTIFICATE_EXPIRED). The certificate we're using has an expiration of November 2017, and I verified that I set the date/time correctly.

2) I tried to disable server authentication just before the call to sl_WlanConnect(), but I still get the disconnect with reason of 210.

3) I tried reformatting the flash and not storing the Server Root CA file, and then connecting with server authentication disabled, but then I get a disconnect with reason of 209 (SL_WLAN_DISCONNECT_MISSING_CERT).

Any idea what could be going on here? I should also add that I am able to successfully perform a WPA2 connection, so the framework seems to be good.

  • Hi Ed,

    Did you move the certificate to the new CC3220 location: "/sys/cert/ca.der"?
    Even if you disable the Server Authentication, a valid certificate (any valid certificate - not necessarily the one that matches the radius server) should exist in this location.

    Br,
    Kobi
  • Hi Kobi,

    Yes, I had moved the certificate to the new location. I also just tried the same certificate in DER format, thinking that maybe the documentation wasn't updated from the old PEM format. The same thing happens -- disconnect event with reason 210.

    Do you know if the CC3120 is checking the Server Root CA certificate that is loaded into the device for expiration, or the server side? The reason I ask is that our Server Root CA is valid from 2014 to 2029, so it's *really* not expired :)

    Thanks,
    -Ed
  • Hi, Ed,

    It is the CC3120 that checks the Server Certificate time (CC3100 didn't verify the date).

    Assuming the certificate date range (of the entire chain) is valid, you should verify your date setting, for example using the following code:

    {
        /* Read back the date/time currently set on the device */
        SlDateTime_t dateTime = {0};
        _i16 configLen = sizeof(SlDateTime_t);
        _i8 configOpt = SL_DEVICE_GENERAL_DATE_TIME;
        sl_DeviceGet(SL_DEVICE_GENERAL, &configOpt, &configLen, (_u8 *)(&dateTime));

        printf("Day %d,Mon %d,Year %d,Hour %d,Min %d,Sec %d\n",
               dateTime.tm_day, dateTime.tm_mon, dateTime.tm_year,
               dateTime.tm_hour, dateTime.tm_min, dateTime.tm_sec);
    }

    br,

    Kobi

  • Hi Kobi,

    I added code to check the date on the CC3120 just before the call to sl_WlanConnect(), and it was what I had loaded (March 22 2017, 12:05), and I still get the disconnect event with reason 210. I realized that I had created the /sys/cert/ca.der file unsecured, so I fixed that this morning, but still get the same failure.

    We're very sure the server certificate is not expired. When I initialized the device, I told Image Creator to use the default certstore. Our certificates were generated by Comodo -- is there any chance I need to load a custom certstore? Any other things I can look at?

    By the way, I'm using the following service pack:

    NwpVersion: 3.3.0.0
    MacVersion: 2.0.0.0
    PhyVersion: 2.2.0.4
    ChipId: 31000000
    RomVersion: 0
    Host: 2.0.1.15

    Thanks,
    -Ed
  • 1 mystery solved -- the argument to sl_WlanSet() to disable server authentication seems to be reversed. When I ran the following code, it worked. Still have the mystery of why server authentication results in an expired cert error.

    uint8_t param = 0; /* 1 means disable the server authentication */
    sl_WlanSet( SL_WLAN_CFG_GENERAL_PARAM_ID,
    SL_WLAN_GENERAL_PARAM_DISABLE_ENT_SERVER_AUTH,
    sizeof(param),
    (uint8_t *)&param );
  • OK, we figured out what was wrong. We were looking at the wrong certificate in the chain... the one that apparently is looked at by the CC3120 is indeed expired. Thank you for the help and sorry about the confusion.
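
Added example, not part of the original thread and not TI code: the thread's resolution was that a certificate elsewhere in the chain had expired, so this host-side check compares every certificate's validity window with the date set on the device and reports the first one outside it. `DevTime`, `CertValidity` and the sample chain are assumptions made for illustration; the validity strings are the raw ASN.1 times stored in each certificate.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the SlDateTime_t fields printed in the thread (assumed: 4-digit year, month 1-12). */
typedef struct { unsigned tm_sec, tm_min, tm_hour, tm_day, tm_mon, tm_year; } DevTime;
/* Validity window as ASN.1 UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime "YYYYMMDDHHMMSSZ". */
typedef struct { const char *name, *not_before, *not_after; } CertValidity;

static int two(const char *s) { return (s[0] - '0') * 10 + (s[1] - '0'); }

/* Convert an ASN.1 time string to a sortable YYYYMMDDHHMMSS number; -1 if the shape is wrong. */
long long asn1_time_key(const char *s)
{
    size_t n = strlen(s), i;
    int year;
    if ((n != 13 && n != 15) || s[n - 1] != 'Z') return -1;
    for (i = 0; i + 1 < n; i++) if (s[i] < '0' || s[i] > '9') return -1;
    if (n == 13) { year = two(s); year += (year >= 50) ? 1900 : 2000; s += 2; } /* RFC 5280 pivot */
    else         { year = two(s) * 100 + two(s + 2); s += 4; }
    return ((((year * 100LL + two(s)) * 100 + two(s + 2)) * 100 + two(s + 4)) * 100
            + two(s + 6)) * 100 + two(s + 8);
}

long long dev_time_key(const DevTime *t)
{
    return ((((t->tm_year * 100LL + t->tm_mon) * 100 + t->tm_day) * 100 + t->tm_hour) * 100
            + t->tm_min) * 100 + t->tm_sec;
}

/* Index of the first certificate whose window excludes the device time, or -1 if all are valid. */
int first_invalid_cert(const CertValidity *chain, int count, const DevTime *now)
{
    long long t = dev_time_key(now);
    for (int i = 0; i < count; i++) {
        long long nb = asn1_time_key(chain[i].not_before), na = asn1_time_key(chain[i].not_after);
        if (nb < 0 || na < 0 || t < nb || t > na) return i;
    }
    return -1;
}

int main(void)
{
    /* Constructed chain: the device date and a 2014-2029 root echo the thread, the rest is made up. */
    CertValidity chain[] = {
        { "server",       "161110000000Z", "171110235959Z" },
        { "intermediate", "140212000000Z", "170212235959Z" },
        { "root",         "140101000000Z", "290101000000Z" },
    };
    DevTime now = { 0, 5, 12, 22, 3, 2017 };   /* March 22 2017, 12:05 */
    int bad = first_invalid_cert(chain, 3, &now);
    printf("%s\n", bad < 0 ? "chain valid" : chain[bad].name);
}
```

With the constructed data the check names the intermediate certificate, even though the root and server certificates are both inside their windows on that date.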