CC3100: Connecting using PEAP/MSCHAPv2 to a radius server returns error -109

Part Number: CC3100
Other Parts Discussed in Thread: UNIFLASH, CC3200, TM4C123GH6PM

We are trying to connect to a wifi AP using PEAP/MSCHAPv2 authentication. For that purpose we set up a radius server. Unfortunately the CC3100 module does not connect to it. During the association phase it responds with:

CC3100: General Event:1, status:-109, sender:5 (Status disconnect during connect)

If we connect to the same AP with an Android device or another Wifi module, both connect to this AP.

On the other side, if we connect the CC3100 to an Aerohive AP (with internal RADIUS server), the CC3100 does connect to it.

Please find attached log files:

CC3100 device fails connecting to radius (capture file):

CC3100 device fails connecting to radius (log file):

Android device successfully connecting to radius (capture file):

Android device successfully connecting to radius (log file):

3rd party Wifi module successfully connecting to radius (capture file):

3rd party Wifi module successfully connecting to radius (log file):

CC3100 device successfully connecting to the Aerohive AP (log file):

20180810_cc3100_eap.tar.gz

  • Hi Peter,

    Did you flash the correct certificate to serial flash? There are some instructions on how to do this on the CC3100 Enterprise Network Connection application doc: processors.wiki.ti.com/.../CC3100_Enterprise_Network_Connection

    Best regards,
    Kristen
  • Hi Peter,

    I haven't heard from you in a while so I assume you resolved your issue. If you have more questions, please feel free to post here or open a new thread if this one is locked.

    Best regards,
    Kristen
  • Hi Kristen,

    the issue is still present. I flashed a dummy CA certificate and enabled the option not to verify it. With that setup I was able to join the Aerohive AP. Then I changed the SSID, username and password to join our internal radius server, again PEAP/MSCHAPv2, but without success. The problem is that we are having more and more customers using a radius server and they also cannot connect to their AP with the CC3100.

    Have you had a chance to look at the capture files? If you need any more data I am glad to assist you.

    Best regards, Peter

  • BTW, we integrated the latest SDK 1.3 and the FW version on the CC3100 is 2.10.0.0


    Best regards, Peter
  • Hi Peter,

    Just checking, have you also ensured your CC3100 is flashed with the latest service pack v1.0.1.11-2.10.0.0? www.ti.com/.../CC3100SDK

    Best regards,
    Kristen
  • Sure, we have flashed the latest service pack v1.0.1.11-2.10.0.0. We even tried with the older ones, but without success.

    Best regards, Peter

  • Hi Peter,

    How are you setting up your code? Have you read Section 9.1.2.2 of the User's Guide? It gives an explanation of which files need to be flashed, along with a code example of connecting to an enterprise network. www.ti.com/.../swru368b.pdf

    Best regards,
    Kristen
  • Hi Kristen,

    We loaded only the CA certificate as for PEAP you do not need the private/public keys.

    this is our code for the PEAP method:

    void connect(void)
    {
    char password[10] = "pass";
    char username[10] = "user";
    char ssid[10] = "myssid";
    char en_sa = 0;
    SlSecParams_t secParams = {0};
    SlSecParamsExt_t eapParams = {0};
    
    secParams.Type = SL_SEC_TYPE_WPA_ENT;
    secParams.Key = (_i8 *)password;
    secParams.KeyLen = strlen(password);
    
    eapParams.User = (_i8 *)username;
    eapParams.UserLen = strlen(username);
    eapParams.AnonUserLen = 0;
    
    eapParams.EapMethod = SL_ENT_EAP_METHOD_PEAP0_MSCHAPv2;
    sl_WlanSet((_u16)SL_WLAN_CFG_GENERAL_PARAM_ID, (_u16)19, (_u16)1 ,(_u8 *)&en_sa );
    sl_WlanConnect((const _i8 *)ssid, strlen(ssid), 0, &secParams, &eapParams);
    }

    Please note that this implementation works on the Aerohive AP.

    Does the implementation look ok to you?

    Best regards, Peter

  • Hi Peter,

    Sorry for the delay. Yes, that does look right. A few questions:
    1) Are you disabling server authentication (using sl_WlanSet) before EVERY time you call sl_WlanConnect?
    2) Is the dummy cert loaded into flash as '/sys/cert/ca.pem'?
    3) This might be a long shot, but the CC3100 Enterprise Connection documentation says in sl_common.h to modify the values from DATE to SECOND. Have you done this?

    There is also this e2e thread (e2e.ti.com/.../353814) of someone listing the steps for successfully connecting the CC3100 via EAP-PEAP protocol, it might be helpful to read through that as well.

    Best regards,
    Kristen

  • Hi Kristen,

    Let me answer your questions:

    1) Yes, we disable the server authentication EVERY time before calling sl_WlanConnect()

    2) No. We load the certificates/key in the following folder/files:

    • Private key: "/cert/private.key"
    • Public key: "/cert/client.pem"
    • CA: "/cert/ca.pem"

    We use the sl_FsOpen() API call to load the certificates into the flash.

    3) The ca certificate we use has the valid date from July 21, 2016 to July 19, 2026. The sl_common.h file contains the following defines:

    #define DATE        4       /* Current Date */
    #define MONTH       6       /* Month */
    #define YEAR        2018    /* Current year */
    #define HOUR        14      /* Time - hours */
    #define MINUTE      55      /* Time - minutes */
    #define SECOND      0       /* Time - seconds */

    I hope this information can help you.

    Best regards, Peter

  • Hi Peter,

    In my previous post I meant to say '/sys/cert/ca.pem' and I have edited that post to reflect that. Could you try programming the certificate to that location instead? Could you post the code snippet where you are writing the files?

    You could also try using Uniflash to program the certificates/keys. processors.wiki.ti.com/.../CC3100_&_CC3200_UniFlash_Quick_Start_Guide

    Best regards,
    Kristen
  • Hello.

    Just wanted to say that I and several others on this forum have the exact same issue. I have tried everything suggested without success. Android phone connects, other Wi-Fi module from other vendor connects, CC3200 module does not. During the process, I get a SL_WLAN_DISCONNECT_EVENT with a reason_code of 0. FreeRadius and WireShark show a reject.

    Thanks,
    John
  • #define FLASH_CHUNK_LEN        1024
    
    enum vp_cert_type
    {
            VP_CERT_TYPE_PRIVATE_KEY = 0,   ///< Private key
            VP_CERT_TYPE_PUBLIC_KEY,        ///< Public key
            VP_CERT_TYPE_CA,                ///< CA Certificate
            VP_CERT_TYPE_FAST_PAC,          ///< FAST PAC file
            VP_CERT_TYPE_END
    };
    
    static const char* cc3100_cert_name[VP_CERT_TYPE_END] = {
            [VP_CERT_TYPE_PRIVATE_KEY] = "/cert/private.key",
            [VP_CERT_TYPE_PUBLIC_KEY] = "/cert/client.pem",
            [VP_CERT_TYPE_CA] = "/cert/ca.pem",
    };
    
    static uint32_t cc3100_load_certificate(enum vp_cert_type type, uint8_t *data, uint32_t length)
    {
            int32_t retVal;
            int32_t fileHandle = -1;
            uint32_t movingOffset, chunkLen;
    
            if (0 == cc3100_power_state)
            {
                    msg("CC3100: Not powered up\n");
                    return VP_GENERIC_ERROR;
            }
    
            if (type >= VP_CERT_TYPE_END || NULL == cc3100_cert_name[type])
            {
                    return VP_DRIVER_CC3100_ERROR_CERTIFICATE_LOAD_FAILED;
            }
    
            retVal = sl_FsOpen((const _u8*)cc3100_cert_name[type],
                               FS_MODE_OPEN_CREATE(length, _FS_FILE_OPEN_FLAG_COMMIT | _FS_FILE_PUBLIC_WRITE),
                               NULL, &fileHandle);
    
            if (retVal < 0)
            {
                    msg("Cannot open certificate file: %d\n", retVal);
                    return VP_DRIVER_CC3100_ERROR_CERTIFICATE_LOAD_FAILED;
            }
    
            movingOffset = 0;
    
            /* Flashing must be done in 1024-byte chunks */
            while (length > 0)
            {
                    chunkLen = (_u32)find_min(FLASH_CHUNK_LEN, length);
                    retVal = sl_FsWrite(fileHandle, movingOffset, (_u8 *)&data[movingOffset], chunkLen);
                    if (retVal < 0)
                    {
                            msg("Cannot program certificate to %s. Error code: %d\n", cc3100_cert_name[type], retVal);
                            /* Release the file handle before bailing out */
                            sl_FsClose(fileHandle, NULL, NULL, 0);
                            return VP_DRIVER_CC3100_ERROR_CERTIFICATE_LOAD_FAILED;
                    }
    
                    length -= chunkLen;
                    movingOffset += chunkLen;
                    vTaskDelay(1);
            }
    
            msg("Closing certificate file %s\n", cc3100_cert_name[type]);
            retVal = sl_FsClose(fileHandle, NULL, NULL, 0);
    
            if (retVal < 0)
            {
                    msg("Cannot close certificate file. Error code: %d\n", retVal);
                    return VP_DRIVER_CC3100_ERROR_CERTIFICATE_LOAD_FAILED;
            }
    
            return VP_NO_ERROR;
    }

  • Hi Kristen,

    I'm Peter's co-worker and I've attached the code which we use to upload the certificates to the CC3100.

    Today I've tried changing the paths in:

    static const char* cc3100_cert_name[VP_CERT_TYPE_END] = {
    [VP_CERT_TYPE_PRIVATE_KEY] = "/cert/private.key",
    [VP_CERT_TYPE_PUBLIC_KEY] = "/cert/client.pem",
    [VP_CERT_TYPE_CA] = "/cert/ca.pem",
    };

    to

    static const char* cc3100_cert_name[VP_CERT_TYPE_END] = {
    [VP_CERT_TYPE_PRIVATE_KEY] = "sys/cert/private.key",
    [VP_CERT_TYPE_PUBLIC_KEY] = "sys/cert/client.pem",
    [VP_CERT_TYPE_CA] = "sys/cert/ca.pem",
    };

    but without success (still the same behavior as before).
  • Could you try flashing the certificates with Uniflash and letting me know how that goes? Also have you tried getting the base CC3100 Enterprise Network Connection example working? 

    Best regards,
    Kristen

  • Hi Kristen,

    Thank you for your response.

     We've made our own WiFi module based on the CC3100 chip and we can only download certificates via the host microcontroller (but we did this many times and it works).

    We've tested the CC3100 WiFi module with the TLS, TTLS and PEAP enterprise security mode (inner method MSCHAPv2) with the Aerohive access point (has an integrated RADIUS server) and the CC3100 always successfully connected. Several other customers also successfully connected the CC3100 to their access points using EAP, therefore the certificate download mechanism can't be the problem.

    The FreeRADIUS setup (using PEAP/MSCHAPv2) was used with several mobile phones and all successfully connected to the FreeRADIUS server. We've also tried with RS9113 WiFi module from Redpine and it successfully connects to FreeRADIUS.

    We're using a dummy CA certificate on the CC3100 (no actual certificate checking) with PEAP0/MSCHAPv2 security.

    Based on the description above, we believe the problem is somewhere in CC3100 compatibility with FreeRADIUS.

    -> Was CC3100 tested with the FreeRADIUS?

    -> Could you provide example configuration files for FreeRADIUS?

    Best,

  • Kristen,

    Replying here because I have the exact same issue with the CC3200 Mod. I did use Uniflash to flash the certificate. I did use the ent_wlan example code. It appears as though the issue is with both parts, 3100 and 3200.

     John

  • Hello John,

    Recently I just walked through the example ent_wlan and wrote it down in my blog.

    Here's the walkthrough

    Although it's written in Mandarin, you can refer to the snapshot. I think the key point is the certificate files for ca.pem and server.pem; you can test it with my certificate, which is downloadable in my article.

    regards,

    Jo

  • Jo,

    Thanks for the reply. I already flashed a certificate using uniflash onto the module. I also bypassed the server certificate check with:

    // 0 - Disable the server authentication | 1 - Enable (this is the default)
    pValues = 0;
    sl_WlanSet(SL_WLAN_CFG_GENERAL_PARAM_ID, 19, 1 , &pValues);

    before calling sl_WlanConnect(). Still no success.

  • Dear Jo,

    Thank you for the detailed walkthrough.

    I've seen that you're using a valid CA certificate, but can you confirm that your setup is also working for CC3100 with disabled EAP certificate checking?

    I've tried to setup Radius on our side from scratch (also tried using CA on existing Radius setup), but it still doesn't work (on FreeRADIUS we see: eap: Peer NAK'd indicating it is not willing to continue).

    Best,

  • Hi Gasper,

    I disabled the CA certificate checking and was able to connect to the ENT network without problem, and was not able to connect when enabling certificate checking. My platform is TM4C123GH6PM launchpad + CC3100 boosterpack.

    Note that I got NAKs at the beginning of my experiments; after several times formatting and reprogramming the cc3100 (servicepack & ca.pem) it worked! I think that data in external Flash is easily corrupted.

    The figure below is a bad ca.pem loaded on the cc3100 with server certificate check enabled.

    rgds,

    ent_wlan_tiva.zip

  • Hi Jo,

    Thank you for testing this. I've tried to set up a FreeRADIUS server from scratch on an Ubuntu 18.04 machine according to your well written tutorial with the TPLink DIR-615 access point and I only see NAKs from the CC3100 side (I've tried with/without CA certificate checking). The CA certificate that I've uploaded to the CC3100 was obtained from /etc/freeradius/3.0/certs (generated according to your tutorial).
    On this Radius I've tried also with a mobile phone and it doesn't connect (now I'm beginning to suspect the access point).

    Best,
  • Gasper,

    This is what I have been seeing as well, peer NAK'd indicating it is not willing to continue. Basically the walk through is identical to the steps I took so far. Everything in my house that supports enterprise security connects to my simple setup except the CC3200 MOD on the launchpad running the example code. I think I am going to start looking at other modules. Does the CC3220 exhibit this issue?

    John

  • Hi Gasper,
    How about this?
    1. You upload the cert files that I created to the cc3100 and the Radius server, and modify the date in your code to one day in 2017, because I remember those cert files were created in mid-2017 and have probably expired recently.
    2. make sure the radius server uses the server.pem you specify (check the path)

  • John,

    We only use CC3100 so I can't say for CC3220.

    Best,
  • Hi Jo,

    Thank you for your ideas, we'll try them.
  • Hi Gasper,

    Could you post the results of attempting to connect to Jo's server? If that does not work, could you try connecting to another FreeRADIUS server?

    Best regards,
    Kristen
  • Hi Kristen,

    My colleague Peter already attached FreeRADIUS logs and TCP dumps (captured between the access point and the FreeRADIUS) in his first post. On this FreeRADIUS the mobile phone was able to connect without problems whereas CC3100 failed.

    I tried to set up FreeRADIUS according to instructions from Jo on my PC, but on this setup, even the mobile phone couldn't connect so I'm suspecting the access point (TPLink)

    Best,

  • Hi Gasper,

    I attached my radius config files for your reference.

    In sl_common.h

    #define DATE        10       /* Current Date */
    #define MONTH       8       /* Month */
    #define YEAR        2020    /* Current year */
    #define HOUR        15      /* Time - hours */
    #define MINUTE      10      /* Time - minutes */
    #define SECOND      0       /* Time - seconds */

    and main.c is from C:\ti\CC3100SDK_1.3.0\cc3100-sdk\examples\enterprise_network_connection

    I've checked that cert files' expiration date is 2027 July for server.pem and 2037 July for ca.pem. So this shouldn't be relevant to the problem, just in case I list down the difference in code between yours and mine.

  • Dear Jo,

    I've tried the FreeRADIUS with the Aerohive AP (originally TPLink was used and this AP was suspected to be the problem) and your instructions/certificates (also changed date in sl_common.h as instructed) but no luck.

    The mobile phone or the WiFi module from another vendor successfully establishes link to this FreeRADIUS whereas CC3100 always fails:

    (71) eap: Expiring EAP session with state 0xa5c016c2a5be0f45
    (71) eap: Finished EAP session with state 0xa5c016c2a5be0f45
    (71) eap: Previous EAP request found for state 0xa5c016c2a5be0f45, released from the list
    (71) eap: Peer sent packet with method EAP NAK (3)
    (71) eap: Peer NAK'd indicating it is not willing to continue
    (71) eap: Sending EAP Failure (code 4) ID 126 length 4
    (71) eap: Failed in EAP select

    Best,
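
Added example, not part of the original post and not TI or FreeRADIUS code: the "Peer sent packet with method EAP NAK (3)" line in the log above refers to an EAP Response of type 3, whose type-data lists the methods the peer would accept instead; per RFC 3748 a 0 octet there means the peer has no alternative to offer. The decoder below can be run over an EAP payload taken from a capture to see which case applies; the function names and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample EAP packets (not taken from the thread's captures). */
static const uint8_t NAK_REFUSE[]  = { 0x02, 0x7d, 0x00, 0x06, 0x03, 0x00 };
static const uint8_t NAK_PROPOSE[] = { 0x02, 0x7d, 0x00, 0x07, 0x03, 0x19, 0x0d };

static const char *eap_type_name(uint8_t t)
{
    switch (t) {
    case 0:  return "none (peer will not continue)";
    case 13: return "EAP-TLS";
    case 21: return "EAP-TTLS";
    case 25: return "PEAP";
    case 26: return "EAP-MSCHAPv2";
    default: return "other";
    }
}

/* Copy the Nak's desired types into out[]; return count, or -1 if malformed. */
static int eap_nak_types(const uint8_t *pkt, size_t len, uint8_t *out, size_t cap)
{
    if (pkt == NULL || out == NULL || len < 6)      /* header(4) + type + 1 octet */
        return -1;
    size_t eap_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (eap_len < 6 || eap_len > len || eap_len - 5 > cap)
        return -1;                                  /* length must fit both buffers */
    if (pkt[0] != 2 || pkt[4] != 3)                 /* Code=Response, Type=Nak */
        return -1;
    for (size_t i = 0; i < eap_len - 5; i++)
        out[i] = pkt[5 + i];
    return (int)(eap_len - 5);
}

/* 1 if the Nak offers no alternative (a 0 octet), 0 if it proposes one, -1 if malformed. */
static int eap_nak_is_refusal(const uint8_t *pkt, size_t len)
{
    uint8_t t[32];
    int n = eap_nak_types(pkt, len, t, sizeof t);
    if (n < 0) return -1;
    for (int i = 0; i < n; i++)
        if (t[i] == 0) return 1;
    return 0;
}

int main(void)
{
    uint8_t t[32];
    int n = eap_nak_types(NAK_PROPOSE, sizeof NAK_PROPOSE, t, sizeof t);
    for (int i = 0; i < n; i++)
        printf("peer wants type %u (%s)\n", t[i], eap_type_name(t[i]));
    printf("refusal: %d\n", eap_nak_is_refusal(NAK_REFUSE, sizeof NAK_REFUSE));
    return 0;
}
```

A Nak that proposes a method points at a method mismatch between server and peer, while a Nak carrying only 0 means the peer rejected the offered method without naming another.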

  • Dear Jo,

    Can we provide some additional logs / configuration files / code snippets that would help you in troubleshooting this issue (if yes, please provide a list of required information/instructions on how to capture logs so they may be useful to you)?
  • Hi Kristen

    The issue regarding CC3100 still isn't resolved and I've posted some additional questions to Jo, but I got no response. Could you please help?
  • Hi Gasper,

    We are working on reproducing this issue internally. In the meantime, could you capture and send us NWP logs of the issue? Instructions here: processors.wiki.ti.com/.../CC3100_&_CC3200_Capture_NWP_Logs

    Best regards,
    Kristen
  • Hi Kristen.

    I've found the procedure that worked (tested with 3 different devices):

    * Format the CC3100 FLASH

    * Download the firmware to the CC3100 (tried with v2.9.0.0 and v2.10.0.0)

    * Download the CA certificate (if certificate checking is disabled on CC3100 any valid CA pem file can be used)

    After this, all 3 devices successfully connected to the FreeRADIUS server (configured as instructed by Jo).

    Even if the CA certificate was afterward erased and a different CA certificate was downloaded to the CC3100, all devices successfully connected to the FreeRADIUS.

    Perhaps this issue happens when the CC3100 firmware is upgraded without reformatting the FLASH first (not sure).