CC3235SF: WPA-EAP TLS example

Part Number: CC3235SF

Hi!

We are evaluating the CC3235SF LP for a project where EAP-TLS authentication is necessary. In the CCS Import example menu I could not find WPA Enterprise examples - any help would be greatly appreciated!

Thank you.

  • Hi,

    There is unfortunately no dedicated WPA enterprise example in the SDK. However, in the network terminal example there is WPA enterprise functionality built-in. I suggest you import that example and test the WPA enterprise functionality using the wlanconnect and addprofile commands.

    I have some instructions on how to use that example with WPA-ENT here:

    https://e2e.ti.com/support/wireless-connectivity/wifi/f/wi-fi-forum/900299/compiler-cc3235s-how-to-config-cc3235s-enterprise-wifi/3329939#3329939

    Do note that you will need to flash your client cert + key and root CA cert to the CC3235 first. Please refer to section 4.3.3.2 of the NWP user's guide for more info: www.ti.com/lit/swru455

    Regards,

    Michael

  • Hi Michael,

    thank you for your help! Can you please confirm that the NWP UG is accessible through the link? It seems to me that the link might be broken.

  • Hi,

    The link seems accessible to me. The NWP user's guide full title is "SimpleLink™ Wi-Fi® CC3x20, CC3x3x Network Processor User's Guide". If you search for that in your search engine of choice you should get the link to it as well.

    Regards,
    Michael

  • Hi Michael,

    thank you, after lots of server errors, I was able to dl the document. In 4.3.3.2 there is:
    "Only one enterprise profile is supported. Before adding the profile, write certificate files to the following
    system files:
    – /sys/cert/ca.der - CA for the server authentication
    – /sys/cert/client.der - Optional, if server requests client authentication
    – /sys/cert/private.key - Optional, if server requests client authentication"

    In the network terminal example I only see a 'user files' folder but no sys/cert. I'm not sure whether I'm on the right track or the example folder structure has changed since the document was released.

  • Hi,

    As WPA-EAP is an atypical network setup, it is not added to the user files by default in the SDK examples. In order to add to the user files, you can simply create new folders within user files to create the sys/cert file structure. Some instructions are here:

    https://dev.ti.com/tirex/explore/node?node=AIAEL8ziVI8bmN94gWII8w__fc2e6sr__LATEST

    Regards,

    Michael

  • Hi Michael,

    sorry for the late reply, I needed some time to understand the concept. I created the sys/cert folder in the user files folder. I placed the ca.der, client.der and private.key files there, which were generated/signed by me. I've rebuilt the network terminal project and flashed it to a 3235 SF LP board. In the terminal I tried the following:

    wlanconnect -s "MikroTik" -t WPA -ent "DEMO_USER" -p "12345678"

    please note that the password is just a dummy to get the command to work.

    The device replied with:

    [WLAN ERROR] Device disconnected from the AP: ,
    BSSID: 0:0:0:0:0:0

    and the radius log is:

    (0) Found Auth-Type = eap
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (0) authenticate {
    (0) eap: ERROR: EAP-Identity Unknown
    (0) eap: Identity Unknown, authentication failed
    (0) eap: Failed in handler
    (0) [eap] = invalid
    (0) } # authenticate = invalid
    (0) Failed to authenticate the user
    (0) Using Post-Auth-Type Reject
    (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
    (0) Post-Auth-Type REJECT {
    (0) attr_filter.access_reject: EXPAND %{User-Name}
    (0) attr_filter.access_reject: --> \000\000\000\000\000\000\000\000
    (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (0) [attr_filter.access_reject] = updated
    (0) eap: ERROR: EAP-Identity Unknown
    (0) eap: Identity Unknown, authentication failed
    (0) eap: Failed to get handler, probably already removed, not inserting EAP-Failure
    (0) [eap] = noop
    (0) policy remove_reply_message_if_eap {
    (0) if (&reply:EAP-Message && &reply:Reply-Message) {
    (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
    (0) else {
    (0) [noop] = noop
    (0) } # else = noop
    (0) } # policy remove_reply_message_if_eap = noop
    (0) } # Post-Auth-Type REJECT = updated
    (0) Delaying response for 1.000000 seconds
    Waking up in 0.3 seconds.
    (0) (0) Discarding duplicate request from client DEMO_USER port 41002 - ID: 157 due to delayed response
    Waking up in 0.6 seconds.
    (0) (0) Discarding duplicate request from client DEMO_USER port 41002 - ID: 157 due to delayed response
    Waking up in 0.3 seconds. 

    What can be wrong with the EAP identity?

  • Hi,

    Looking through the logs it looks like the EAP-Identity, that is the username, is null.

    Did you apply the fix needed in network terminal to ensure entusername is copied correctly? There is a bug in the demo code, where a needed strcpy() is missing. You need the following code in the parser:

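        if(entUserName)
        {
            /* UserLen is the identity length without the terminating NUL. */
            ConnectParams->secParamsEnt.UserLen = strlen(entUserName);
            /* Allocate UserLen + 1 bytes: strcpy() also writes the NUL, so a
             * buffer of only UserLen bytes would be overrun by one byte. */
            ConnectParams->secParamsEnt.User = calloc(
                ConnectParams->secParamsEnt.UserLen + 1, sizeof(uint8_t));
            /* The copy that is missing from the demo code. */
            strcpy((char *)ConnectParams->secParamsEnt.User, entUserName);
            ConnectParams->secParamsEnt.AnonUser = NULL;
            ConnectParams->secParamsEnt.EapMethod =
                    SL_WLAN_ENT_EAP_METHOD_TLS;
            ConnectParams->secParams.Type = SL_WLAN_SEC_TYPE_WPA_ENT;
            /* Device date, needed for certificate validity checks. */
            ConnectParams->dateTime.tm_year = DEVICE_YEAR;
            ConnectParams->dateTime.tm_mon = DEVICE_MONTH;
            ConnectParams->dateTime.tm_day = DEVICE_DATE;
        }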

    Please take a look at the post I linked in my original reply for more info.

    Let me know if you still get the EAP-Identity unknown message after making that adjustment to the network terminal example.

    Regards,

    Michael
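
An added example, not part of the original posts and not TI's SDK code: a stand-alone sketch of why a missing copy puts zero bytes into the EAP identity, as in the `User-Name` expansion in the RADIUS log above, next to a copy routine that validates the name and a pre-connect check. The `ent_params_t` struct, the function names and `MAX_ENT_USER_LEN` are hypothetical stand-ins, and the "missing copy" variant assumes the buffer was still allocated.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the User/UserLen fields of secParamsEnt. */
typedef struct {
    uint8_t *User;
    size_t   UserLen;
} ent_params_t;

#define MAX_ENT_USER_LEN 64 /* assumed limit for this sketch, not an SDK value */

/* Behaviour described in the thread: buffer allocated, name never copied. */
int set_identity_missing_copy(ent_params_t *p, const char *name)
{
    p->UserLen = strlen(name);
    p->User = calloc(p->UserLen + 1, sizeof(uint8_t));
    return (p->User != NULL) ? 0 : -1;   /* identity is UserLen zero bytes */
}

/* Corrected form: validate, allocate room for the NUL, then copy. */
int set_identity(ent_params_t *p, const char *name)
{
    size_t len;

    p->User = NULL;
    p->UserLen = 0;
    if (name == NULL) return -1;
    len = strlen(name);
    if (len == 0 || len > MAX_ENT_USER_LEN) return -1;
    p->User = calloc(len + 1, sizeof(uint8_t));
    if (p->User == NULL) return -1;
    memcpy(p->User, name, len);          /* calloc already wrote the NUL */
    p->UserLen = len;
    return 0;
}

/* Pre-connect sanity check: 1 if the identity is empty or all zero bytes. */
int identity_is_blank(const ent_params_t *p)
{
    size_t i;

    if (p->User == NULL || p->UserLen == 0) return 1;
    for (i = 0; i < p->UserLen; i++)
        if (p->User[i] != 0) return 0;
    return 1;
}
```

Calling a check like `identity_is_blank()` before the connect request turns the failure into a local error instead of a rejected authentication that only shows up in the RADIUS server's debug output.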