CCS/CC3120BOOST: Connecting to Enterprise WIFI

Part Number: CC3120BOOST
Other Parts Discussed in Thread: UNIFLASH, CC3120

Tool/software: Code Composer Studio

Hello,

I can successfully make the module connect to a regular AP using the SSID and passkey.

Now I am trying to connect to an AP which uses a RADIX server, and have done so with other devices.  However, nothing is clear on this material, compared to other devices and PC's that we are using (and successfully connected to the RADIX Enterprise authentication).

1.  Section 4.6.2 of the swru455j document indicates the user SlWlanSecParamsExt_t->user as the user, and SlWlanSecParamsExt_t->AnonUser as ??  "anonymous" ?  Isn't that a default?

2.  Our existing TLS configuration connects with "anonymous" then sends a secure user and password.  Where is the password supposed to be set in this, as none of the structures contain such a field?

3.  Document swru469f section 6.10 is unclear as to where our CA cert should be stored.  There is nothing explaining "certificate catalog"  (it's a LST file... ?)  It does mention certificates in section 6.12

4.  Document swru455j section 4.6.2 says keys, client certs, and the CA must be stored in PEM format.  Then says they must be in files named sys/cert/xxx.der.   A DER file is not the same as a PEM file.

5.  Do I use Uniflash, and store the necessary files using the "User Files" as described in section 6.12?  Or do they get stored somewhere else?

6.  When I attempt to connect using only the user (because that's the only field available to set), at one time I received a 210 error: "SL_WLAN_DISCONNECT_CERTIFICATE_EXPIRED"  How does it know what the date is if it has yet to connect to a network?  And has no RTC setting the time?  Our CA is valid from Jan 2020 to Jan 2021.

7.  The example code in swru455j section 4.6.2 has "KEY"  What is that?  The same as the user's password?

Here is the code, although I have tried several permutations (users, anonymous, key, passwords...)

    SlWlanSecParams_t security;
    SlWlanSecParamsExt_t extsecurity;
    char key[64];      /* buffer size assumed; must hold RADIX_PWD and its terminator */
    _i16 result;

    memset(&security,0,sizeof(SlWlanSecParams_t));
    strcpy(key,RADIX_PWD);
    security.Key = (signed char *) key;
    security.KeyLen = strlen(key);
    security.Type = SL_WLAN_SEC_TYPE_WPA_ENT;

    memset(&extsecurity,0,sizeof(SlWlanSecParamsExt_t));
    extsecurity.User = (signed char *) RADIX_USER;
    extsecurity.UserLen = sizeof(RADIX_USER);
    extsecurity.AnonUser = (signed char *) ANONYMOUS;
    extsecurity.AnonUserLen = sizeof(ANONYMOUS) - 1;
    extsecurity.EapMethod = SL_WLAN_ENT_EAP_METHOD_TTLS_TLS;
    /*  or SL_WLAN_ENT_EAP_METHOD_PEAP0_MSCHAPv2  */
    result = sl_WlanConnect(SSID,sizeof(SSID)-1,NULL,&security, &extsecurity );

Any help to clear up this doc would be appreciated.

  • Hi,

    Just one quick comment. To get the length of a string you should use strlen(), not sizeof().

    Jan

  • Thanks, but no change in behavior.

  • Hi Christopher,

    Document "swru469f " talks in general about setting user files. Certificates are just user files.

    When you set a TLS you can provide any name (and path) to the certificate files as long as the secure socket options (sl_SetSockOpt) refer to the right paths.  

    In an enterprise case the names are hard-coded as following:

    • Root CA – sys/cert/ca.der

    • Client certificate – sys/cert/client.der

    • Private key – sys/cert/private.key 

    So in Uniflash, the certificate files ("ca.der", "client.der", "private.key") must be created under the /sys/cert/ folder.  

    To make this more interesting, the content should be in PEM format regardless of the file name (this is a bug). In general, the NWP doesn't look at the file extension and detects the certificate type from the internal content.

    You can use the command sl_DeviceSet to set the SL_DEVICE_GENERAL_DATE_TIME.


        SlDateTime_t dateTime = {0};
        dateTime.tm_day  = (_u32)23;    // Day of month (DD format) range 1-31
        dateTime.tm_mon  = (_u32)6;     // Month (MM format) in the range of 1-12
        dateTime.tm_year = (_u32)2014;  // Year (YYYY format)
        dateTime.tm_hour = (_u32)17;    // Hours in the range of 0-23
        dateTime.tm_min  = (_u32)55;    // Minutes in the range of 0-59
        dateTime.tm_sec  = (_u32)22;    // Seconds in the range of 0-59
        sl_DeviceSet(SL_DEVICE_GENERAL, SL_DEVICE_GENERAL_DATE_TIME,
                     sizeof(SlDateTime_t), (_u8 *)(&dateTime));

    The date can be read from external source (e.g. mobile phone connected to the device before the enterprise connection starts), through SNTP (require that the device is connected to the internet through some regular AP), or hard-coded.

    Br,

    Kobi 

  • No change.

    The device powers up with a default date of 01/01/2013  midnight.

    I executed the command to disable server auth.  No difference.  But the doc says it is only to cancel the validation for a single manual connection, by not loading the CA.

    I don't think it's getting that far.  Our server wants a user/password.  Nothing in the doc tells me what field to put a password in.

    Digging deeper...

    When I use EapMethod = SL_WLAN_ENT_EAP_METHOD_TTLS_TLS  I get a cert expired...  How exactly is the device supposed to get the time and date from a cold start if the host MCU doesn't have an RTC?

    When I use EapMethod = SL_WLAN_ENT_EAP_METHOD_TLS  I do not get a cert expired, but it never connects.  Our test authentication server is using just TLS...  However, we will not have control over the EapMethod customers may use.

    Specifically, we have a small AP with a RADIX server for verification.  The scan results give me:

    00 ->: DCC802TEST  Channel: 1 SecurityInfo: 3208

    Of course the documentation does NOT explain what the SecurityInfo is.  It just tells me the useless information that it is a signed 16-bit value.   Search on it, all you get is this:

    http://software-dl.ti.com/ecs/SIMPLELINK_CC3220_SDK/1_50_00_06/exports/docs/wifi_host_driver_api/html/group___wlan.html#struct_sl_wlan_network_entry__t

    So, what is 3208, 0xC88  (b 1100 1000 1000) anyway?  That might help determine what this unit wants that none of the other devices had any issue with.

  • You need to know the exact method that server uses (EAP TLS for example will only use certificates and not user/password).

    You'll need to set the date with the command I provided (you'll get the time from an external resources or other connection as explained before).

    The SecurityInfo doc is indeed missing. You can check the following code for parsing the info:

    #define SL_WLAN_SCAN_RESULT_GROUP_CIPHER(SecurityInfo) (SecurityInfo & 0xF) 
           /* Possible values: NONE,SL_WLAN_CIPHER_BITMAP_TKIP,SL_WLAN_CIPHER_BITMAP_CCMP */
    
    #define SL_WLAN_SCAN_RESULT_UNICAST_CIPHER_BITMAP(SecurityInfo) ((SecurityInfo & 0xF0) >> 4 ) 
           /* Possible values: NONE,SL_WLAN_CIPHER_BITMAP_WEP40,SL_WLAN_CIPHER_BITMAP_WEP104,SL_WLAN_CIPHER_BITMAP_TKIP,SL_WLAN_CIPHER_BITMAP_CCMP*/
    
    #define SL_WLAN_SCAN_RESULT_HIDDEN_SSID(SecurityInfo) (SecurityInfo & 0x2000 ) >> 13 
           /* Possible values: TRUE/FALSE */ 
    
    #define SL_WLAN_SCAN_RESULT_KEY_MGMT_SUITES_BITMAP(SecurityInfo) (SecurityInfo & 0x1800 ) >> 11 
           /* Possible values: SL_WLAN_KEY_MGMT_SUITE_802_1_X, SL_WLAN_KEY_MGMT_SUITE_PSK */
    
    #define SL_WLAN_SCAN_RESULT_SEC_TYPE_BITMAP(SecurityInfo) (SecurityInfo & 0x700 ) >> 8 
           /* Possible values: SL_WLAN_SECURITY_TYPE_BITMAP_OPEN, SL_WLAN_SECURITY_TYPE_BITMAP_WEP, SL_WLAN_SECURITY_TYPE_BITMAP_WPA, 
                                SL_WLAN_SECURITY_TYPE_BITMAP_WPA2, 0x6 (mix mode) SL_WLAN_SECURITY_TYPE_BITMAP_WPA | SL_WLAN_SECURITY_TYPE_BITMAP_WPA2 */
    
    3208 (0xc88) -
    bits 0-3:   Group Cipher = 0x8 (CCMP)
    bits 4-7:   Unicast Cipher = 0x8 (CCMP)
    bits 8-10:  Security Type = 4 (WPA2)
    bits 11-12: Management Key Suite = 1 (802.1X - Enterprise)
    bit 13:     Is Hidden SSID = 0 (not hidden)

    br,
    Kobi
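
As an added example (not code from the thread or from TI's SDK), the decoder below applies the bit layout posted above to a scan entry's SecurityInfo and classifies the AP, so the host can tell from a scan result alone whether sl_WlanConnect needs a PSK or an enterprise identity in SlWlanSecParamsExt_t. The values CCMP = 0x8, WPA2 = 0x4, WPA = 0x2 (0x6 = mixed) and 802.1X = 1 are the ones decoded in the reply; the WEP, TKIP and PSK values are assumed to match the SDK's wlan.h, and every macro, enum and function name here is the example's own, not an SDK identifier.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field extractors for SlWlanNetworkEntry_t.SecurityInfo, following the
 * bit layout given in the reply (names are this example's, not the SDK's). */
#define SEC_GROUP_CIPHER(si)    ((unsigned)(si) & 0x000Fu)
#define SEC_UNICAST_CIPHER(si)  (((unsigned)(si) & 0x00F0u) >> 4)
#define SEC_TYPE(si)            (((unsigned)(si) & 0x0700u) >> 8)
#define SEC_KEY_MGMT(si)        (((unsigned)(si) & 0x1800u) >> 11)
#define SEC_HIDDEN_SSID(si)     (((unsigned)(si) & 0x2000u) >> 13)

/* CCMP, WPA, WPA2 and 802.1X values are as decoded in the reply; the WEP,
 * TKIP and PSK values are assumed from wlan.h and should be checked there. */
enum { CIPHER_NONE = 0x0, CIPHER_WEP40 = 0x1, CIPHER_WEP104 = 0x2,
       CIPHER_TKIP = 0x4, CIPHER_CCMP = 0x8 };
enum { SECTYPE_OPEN = 0x0, SECTYPE_WEP = 0x1, SECTYPE_WPA = 0x2, SECTYPE_WPA2 = 0x4 };
enum { KEYMGMT_802_1X = 1, KEYMGMT_PSK = 2 };

typedef struct {
    unsigned group_cipher, unicast_cipher;
    unsigned sec_type;      /* bitmap: WPA and/or WPA2, or OPEN/WEP */
    unsigned key_mgmt;      /* 802.1X (EAP credentials) or PSK (passphrase) */
    unsigned hidden_ssid;
} sec_info_t;

/* What the host must hand to sl_WlanConnect for this AP. */
typedef enum { NET_OPEN, NET_WEP, NET_WPA_PSK, NET_WPA_ENTERPRISE, NET_UNKNOWN } net_kind_t;

sec_info_t decode_security_info(uint16_t si)
{
    sec_info_t s;
    s.group_cipher   = SEC_GROUP_CIPHER(si);
    s.unicast_cipher = SEC_UNICAST_CIPHER(si);
    s.sec_type       = SEC_TYPE(si);
    s.key_mgmt       = SEC_KEY_MGMT(si);
    s.hidden_ssid    = SEC_HIDDEN_SSID(si);
    return s;
}

net_kind_t classify_network(uint16_t si)
{
    sec_info_t s = decode_security_info(si);
    if (s.sec_type == SECTYPE_OPEN) return NET_OPEN;
    if (s.sec_type == SECTYPE_WEP)  return NET_WEP;
    if (s.sec_type & (SECTYPE_WPA | SECTYPE_WPA2)) {
        /* The key-management suite, not the WPA/WPA2 bits, decides whether
         * the AP wants a passphrase or an EAP identity: this is what sets
         * the enterprise AP in the thread apart from a home AP. */
        if (s.key_mgmt == KEYMGMT_802_1X) return NET_WPA_ENTERPRISE;
        if (s.key_mgmt == KEYMGMT_PSK)    return NET_WPA_PSK;
    }
    return NET_UNKNOWN;
}

const char *network_kind_name(uint16_t si)
{
    static const char *names[] = { "OPEN", "WEP", "WPA-PSK", "WPA-ENTERPRISE", "UNKNOWN" };
    return names[classify_network(si)];
}

static const char *cipher_name(unsigned c)
{
    switch (c) {
    case CIPHER_NONE:   return "NONE";
    case CIPHER_WEP40:  return "WEP40";
    case CIPHER_WEP104: return "WEP104";
    case CIPHER_TKIP:   return "TKIP";
    case CIPHER_CCMP:   return "CCMP";
    default:            return "?";
    }
}

static const char *sectype_name(unsigned t)
{
    switch (t) {
    case SECTYPE_OPEN: return "OPEN";
    case SECTYPE_WEP:  return "WEP";
    case SECTYPE_WPA:  return "WPA";
    case SECTYPE_WPA2: return "WPA2";
    case SECTYPE_WPA | SECTYPE_WPA2: return "WPA/WPA2";
    default:           return "?";
    }
}

/* One-line summary of a scan entry; returns the snprintf character count. */
int describe_security_info(uint16_t si, char *out, size_t out_len)
{
    sec_info_t s = decode_security_info(si);
    return snprintf(out, out_len,
                    "0x%04X: group=%s unicast=%s type=%s keymgmt=%u hidden=%u -> %s",
                    (unsigned)si, cipher_name(s.group_cipher), cipher_name(s.unicast_cipher),
                    sectype_name(s.sec_type), s.key_mgmt, s.hidden_ssid, network_kind_name(si));
}

int main(void)
{
    char line[128];
    /* 3208 is the SecurityInfo reported for DCC802TEST earlier in the thread */
    describe_security_info(3208, line, sizeof line);
    puts(line);
    return 0;
}
```

For 3208 the classification is WPA-ENTERPRISE, which is why SL_WLAN_SEC_TYPE_WPA_ENT plus the extended parameters are required for that AP; a WPA2-PSK entry with the same ciphers would carry key-management value 2 instead and connect with SL_WLAN_SEC_TYPE_WPA_WPA2 and a passphrase.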
  • Okay, this is not working.  And I only have access to the RADIX server once a week, maybe twice if I'm lucky.  So this 24-48 hour turn around is super annoying too.

    We chose this device because it is supposed to provide support for enterprise authentication.  That was a better option than having to invest the effort into writing our own challenge/response packets and dealing with all the low level coding.

    Except at this rate, and bad doc, it might be better to just find another vendor.  

    I have already installed the CA, client certificate, and private key per the previous instructions, using the Uniflash app and CC3120 EMU board.  And I am setting the module date to a time that is during the CA valid window.

    Except this isn't working...

    Kobi Leibovitch said:

    You need to know the exact method that server uses (EAP TLS for example will only use certificates and not user/password).

    We are, and have been using EAP_TLS...  So that is in conflict with the behavior that I am seeing.  When I leave the credential fields empty, I get an error -2061  "Username length error" from the sl_WlanConnect call:

        SlWlanSecParams_t security;
        SlWlanSecParamsExt_t extsecurity;
        _i16 result;
        memset(&security,0,sizeof(SlWlanSecParams_t));
        security.Type = SL_WLAN_SEC_TYPE_WPA_ENT;
    
        memset(&extsecurity,0,sizeof(SlWlanSecParamsExt_t));
        extsecurity.EapMethod = SL_WLAN_ENT_EAP_METHOD_TLS;
        result = sl_WlanConnect(SSID,strlen(SSID),NULL,&security, &extsecurity );

    So clearly it does require a username and password.  Somewhere...  for something.

    Using an established username and password while testing several other clients, we were able to easily have those clients connect to the EAP test system.  And we can see in the server logs that it initially sent an anonymous user, got a certificate back, verified it against the CA, sent in the real user credentials, and was granted access.

    Similar code should look like this:

        SlWlanSecParams_t security;
        SlWlanSecParamsExt_t extsecurity;
        _i16 result;
        memset(&security,0,sizeof(SlWlanSecParams_t));
        security.Key = (signed char *) RADIX_PWD;
        security.KeyLen = strlen(RADIX_PWD);
        security.Type = SL_WLAN_SEC_TYPE_WPA_ENT;
    
        memset(&extsecurity,0,sizeof(SlWlanSecParamsExt_t));
        extsecurity.User = (signed char *) RADIX_USER;
        extsecurity.UserLen = strlen(RADIX_USER);
        extsecurity.AnonUser = (signed char *) ANONYMOUS;
        extsecurity.AnonUserLen = strlen(ANONYMOUS);
        extsecurity.EapMethod = SL_WLAN_ENT_EAP_METHOD_TLS;
        result = sl_WlanConnect(SSID,strlen(SSID),NULL,&security, &extsecurity );

    However, although the sl_WlanConnect call returns 0 in this case, it takes about 15 minutes for the event to fire.  And it fires with a SL_WLAN_EVENT_DISCONNECT and a reason code of 1 (SL_WLAN_DISCONNECT_UNSPECIFIED).  Another case of useless information.

    The server log is reporting that the module never responded.   Specifically the log content is:

    Ready to process requests.
    rad_recv: Access-Request packet from host 192.168.0.1 port 46163, id=1, length=75
    	User-Name = "scott"
    	EAP-Message = 0x0201000a0173636f7474
    	Service-Type = Framed-User
    	Framed-MTU = 1420
    	NAS-IP-Address = 192.168.0.1
    	Message-Authenticator = 0xecb9789cb459807a9ef20be60d0369e0
    # Executing section authorize from file /etc/freeradius/sites-enabled/default
    +group authorize {
    ++[preprocess] = ok
    ++[digest] = noop
    [suffix] No '@' in User-Name = "scott", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] = noop
    [eap] EAP packet type response id 1 length 10
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] = updated
    [files] users: Matched entry scott at line 191
    ++[files] = ok
    ++[expiration] = noop
    ++[logintime] = noop
    +} # group authorize = updated
    Found Auth-Type = EAP
    # Executing group from file /etc/freeradius/sites-enabled/default
    +group authenticate {
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Requiring client certificate
    [tls] Initiate
    [tls] Start returned 1
    ++[eap] = handled
    +} # group authenticate = handled
    Sending Access-Challenge of id 1 to 192.168.0.1 port 46163
    	EAP-Message = 0x010200060d20
    	Message-Authenticator = 0x00000000000000000000000000000000
    	State = 0x85e4664e85e66bbe99be884c04eedaa1
    Finished request 1.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 1 ID 1 with timestamp +1518
    WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    WARNING: !! EAP session for state 0x85e4664e85e66bbe did not finish!
    WARNING: !! Please read wiki.freeradius.org/.../Certificate_Compatibility
    WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Ready to process requests.

    So, apparently the module is not responding to the second request.

    By the way, the above log snip was repeated twice.  Even though the call to sl_WlanConnect was only made once.

    Is there anyone willing to help?

    (Also, by the way, we are able to connect non-EAP, and are communicating with no issues.  We have also put the module into bypass and are reading the raw Ethernet packets and routing them to the NIMU and NDK stack on the Sitara MCU.  EAP is the ONLY test this device is failing on )

  • This has been resolved.

    There was an error in the transcoded key file (going from DER to PEM - but still named DER).  The one used was encrypted.

    Would have been useful if there was something from the module telling the MCU that the key couldn't be opened. Or just a generic "Key or Cert problem".  You know... like an "event" ...?
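
The thread was resolved by finding a passphrase-protected private key in /sys/cert/private.key, which the NWP fails on without reporting an event. As an added example (not code from the thread or from TI's tooling), the pre-flight check below inspects a file's bytes before it is written with Uniflash: it flags binary DER content (the enterprise slots want PEM content despite the .der names, as stated earlier in the thread), a passphrase-protected key (PKCS#8 "ENCRYPTED PRIVATE KEY", or the legacy "Proc-Type: 4,ENCRYPTED" / "DEK-Info" headers), and a key placed in a certificate slot or the reverse. The sample file contents are constructed placeholders, not real keys or certificates, and the function and enum names are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    PEM_UNKNOWN = 0,
    PEM_DER,            /* binary DER: first byte is the ASN.1 SEQUENCE tag 0x30 */
    PEM_CERT,           /* "-----BEGIN CERTIFICATE-----" */
    PEM_KEY,            /* unencrypted private key (PKCS#1, PKCS#8 or SEC1 PEM) */
    PEM_KEY_ENCRYPTED   /* passphrase-protected key: the NWP cannot open it */
} pem_kind_t;

/* Bounded substring search over a byte buffer; memmem is not standard C. */
static const unsigned char *find_bytes(const unsigned char *hay, size_t hay_len,
                                       const char *needle)
{
    size_t n = strlen(needle), i;
    if (hay_len < n) return NULL;
    for (i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return hay + i;
    return NULL;
}

pem_kind_t classify_pem(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len == 0) return PEM_UNKNOWN;
    if (buf[0] == 0x30) return PEM_DER;
    /* PKCS#8 encrypted keys announce it in the BEGIN line ... */
    if (find_bytes(buf, len, "-----BEGIN ENCRYPTED PRIVATE KEY-----")) return PEM_KEY_ENCRYPTED;
    /* ... legacy OpenSSL encryption uses RFC 1421 headers after the BEGIN line */
    if (find_bytes(buf, len, "Proc-Type: 4,ENCRYPTED") || find_bytes(buf, len, "DEK-Info:"))
        return PEM_KEY_ENCRYPTED;
    if (find_bytes(buf, len, "-----BEGIN CERTIFICATE-----")) return PEM_CERT;
    /* matches "BEGIN PRIVATE KEY", "BEGIN RSA PRIVATE KEY" and "BEGIN EC PRIVATE KEY" */
    if (find_bytes(buf, len, " PRIVATE KEY-----")) return PEM_KEY;
    return PEM_UNKNOWN;
}

/* NULL if buf is acceptable for the fixed enterprise path named in the
 * thread (ca.der, client.der, private.key under sys/cert), else the reason. */
const char *check_enterprise_file(const char *path, const unsigned char *buf, size_t len)
{
    int want_key, want_cert;
    if (path[0] == '/') path++;    /* accept both "sys/cert/..." and "/sys/cert/..." */
    want_key  = strcmp(path, "sys/cert/private.key") == 0;
    want_cert = strcmp(path, "sys/cert/ca.der") == 0 || strcmp(path, "sys/cert/client.der") == 0;
    if (!want_key && !want_cert) return "not one of the fixed enterprise paths";
    switch (classify_pem(buf, len)) {
    case PEM_DER:           return "binary DER: convert to PEM, the NWP wants PEM content even under the .der name";
    case PEM_KEY_ENCRYPTED: return "encrypted private key: strip the passphrase before flashing";
    case PEM_CERT:          return want_cert ? NULL : "certificate found where the private key belongs";
    case PEM_KEY:           return want_key  ? NULL : "private key found where a certificate belongs";
    default:                return "unrecognised content";
    }
}

/* Constructed placeholders: the base64 bodies are not real keys or certificates. */
static const char SAMPLE_KEY_PLAIN[] =
    "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcw\n-----END PRIVATE KEY-----\n";
static const char SAMPLE_KEY_LEGACY_ENC[] =
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\nMIIEpAIBAAKCAQEA\n"
    "-----END RSA PRIVATE KEY-----\n";
static const char SAMPLE_KEY_PKCS8_ENC[] =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBOBgkqhkiG9w0BBQ0w\n-----END ENCRYPTED PRIVATE KEY-----\n";
static const char SAMPLE_CERT[] =
    "-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIUB\n-----END CERTIFICATE-----\n";
static const unsigned char SAMPLE_DER[] = { 0x30, 0x82, 0x01, 0x0a, 0x02, 0x01, 0x00 };

int main(void)
{
    /* The case from the thread: a passphrase-protected key destined for private.key */
    const char *r = check_enterprise_file("/sys/cert/private.key",
                                          (const unsigned char *)SAMPLE_KEY_LEGACY_ENC,
                                          sizeof SAMPLE_KEY_LEGACY_ENC - 1);
    printf("private.key: %s\n", r ? r : "ok");
    return 0;
}
```

Run this over the three files before flashing them; a non-NULL result is the "key or cert problem" message the last post asks the module for, produced on the host instead.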