Does Wiced support device authentication, if so is there an example of how to setup enterprise security?


JoSt_3481606
Level 4

I'm working on a project where I need to use a certificate and device authentication to join a wireless network. Does WICED support this and are there examples of this?

I also have a .pfx that I have exported to a .pem file.  Trying to figure out how to use it.

0 Likes
1 Solution

It is true that the documentation is limited for enterprise security, especially to understand the supplicant. However, it is possible to create and test a basic setup. I had tested it on WICED 6.2.1 and freeradius 3.0.16. You need to divide your work into the following tasks:

1. Install the latest version of freeradius. Don't use apt-get install but install it from source. Instructions are given here http://wiki.freeradius.org/building/Home. Ensure that radiusd -X passes without any error.

2. Configure freeradius to allow 802.1x authentication. The Getting Started guide http://wiki.freeradius.org/guide/Getting%20Started would be helpful. You also need to configure the Access Point to support WPA2 enterprise and enter the IP address of radius server and shared secret.

3. To support EAP-TLS, you need to correctly set up certificates and private key. On WICED side, the certificate.h would contain the rootCA, client certificate and private key in .pem format. Also the certificate is defined in string format with each line ending in \r\n. Use the script certs_to_h.pl available at tools/text_to_c/ to convert .pem to C readable string. Perl to run this script is available at tools/common/Win32/perl.exe. Here is an example command:

perl.exe C:\Users\grsr\Documents\WICED\WICED-Studio-6.2.1\43xxx_Wi-Fi\tools\text_to_c\certs_to_h.pl CA_CERT ca_crt_rsa.pem

Issuing CA is not needed. I'm assuming that the certificate is not expired or revoked. On freeradius side, the CA certificate, server certificate, server key shall be placed in raddb/certs directory (certificate in .pem format and key in .key format). Does the certificate support RSA encryption? Use the command openssl x509 -in <cert_filename>.pem -text -noout to parse the CA certificate and verify. Accordingly use RSA private key.

4. Go to raddb/mods-available and open eap file. The private_key_file should point to the server private key file, certificate_file should point to server certificate file and ca_file should point to the CA certificate file. Save these changes and exit. Again verify that radiusd -X works.

5. Build and run test.console. In my setup, I wrote the command join_ent NETGEAR22 eap_tls testing password eap mschapv2 client-cert wpa2 to test EAP-TLS. Note that testing and password have been configured as testing Cleartext-Password := "password" in raddb/users file.
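An added example, not code from the thread or the WICED SDK, standing in for the certs_to_h.pl step: it splits a PEM bundle as exported from a .pfx, keeps only the device certificate, root CA and key (the issuing CA is dropped, as the answer says it is not needed), and emits the C strings with each line ending in \r\n that certificate.h expects. The macro names CLIENT_CERT, ROOT_CA and CLIENT_KEY, the assumed chain order (device cert first, root last) and the placeholder PEM bodies are constructed for this example.

```python
import re

# Constructed sample PEM bundle, in the shape produced by
# `openssl pkcs12 -in device.pfx -out device.pem -nodes`.
# The base64 bodies are placeholders, not real key material.
SAMPLE_PEM = """\
Bag Attributes
    localKeyID: 01 02 03
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEXAMPLE
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDEXAMPLEDEVICECERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDEXAMPLEROOTCA
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

def split_pem(text):
    """Return (block_type, full_pem_block) pairs; the 'Bag Attributes'
    lines that openssl pkcs12 prepends are outside any block and dropped."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def pem_to_c_string(name, pem_block):
    """Emit a C string macro in the certificate.h style the answer describes:
    one quoted fragment per PEM line, each ending in a literal \\r\\n."""
    lines = ['"%s\\r\\n"' % line for line in pem_block.strip().splitlines()]
    return "#define %s \\\n" % name + " \\\n".join(lines) + "\n"

def key_kind(block_type):
    """Tell PKCS#8 'PRIVATE KEY' from PKCS#1 'RSA PRIVATE KEY'. The answer
    expects an RSA key; a PKCS#8 RSA key can be rewritten as PKCS#1 with
    `openssl rsa -in key.pem -out key_rsa.pem` (add -traditional on OpenSSL 3)."""
    return {"RSA PRIVATE KEY": "pkcs1-rsa", "PRIVATE KEY": "pkcs8",
            "EC PRIVATE KEY": "sec1-ec"}.get(block_type, "unknown")

def build_certificate_h(pem_text):
    """Return (header_text, key_kind) for a pfx-derived PEM bundle."""
    blocks = split_pem(pem_text)
    certs = [b for t, b in blocks if t == "CERTIFICATE"]
    keys = [(t, b) for t, b in blocks if t.endswith("PRIVATE KEY")]
    if len(keys) != 1 or len(certs) < 2:
        raise ValueError("expected one private key and at least two certificates")
    # Assumed order: device (leaf) cert first, root CA last; any issuing CA
    # in between is skipped because the supplicant only needs the root.
    out = pem_to_c_string("CLIENT_CERT", certs[0])
    out += pem_to_c_string("ROOT_CA", certs[-1])
    out += pem_to_c_string("CLIENT_KEY", keys[0][1])
    return out, key_kind(keys[0][0])
```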


6 Replies
RaktimR_11
Moderator

You can follow this WICED Enterprise Security Demo help article along with the help document shipped with WICED Studio as located in 43xxx_Wi-Fi/doc/WICED-Enterprise-Security-User-Guide.pdf

I have been looking at that demo and it is still a bit confusing. There doesn't seem to be any documentation for the core functions such as besl_supplicant_init.

Where are the docs for that? That example is also complex and I would like to do something more basic such as in the wifi101 demos. The security in the wifi101 chapter 6 only deals with certificates after user authentication.

Is there more extensive documentation or detailed examples anywhere?

0 Likes

I have been trying to set up certificate.h properly with no luck

I was given a .pfx file which I exported to a .pem using openssl

There is 1 x509 private key, 1 device cert, 1 root CA, and 1 issuing CA.

I tried putting the key, device cert and root CA in certificate.h

How would I deal with the issuing CA? Is it needed and if so how?

I also tried it with converting the private key to an RSA key using openssl with no luck.

I run the console program and call "join_ent ssid eap_tls wpa2" and it fails to join with result 1007

Any thoughts?

0 Likes

strickon_3481606 wrote:

I run the console program and call "join_ent ssid eap_tls wpa2" and it fails to join with result 1007

Any thoughts?

I'm wondering if you are using FreeRTOS+LwIP build?

If so, it's a bug in wiced sdk which is not yet fixed.

https://community.cypress.com/thread/30356

sdk-6.1: EAP-TTLS test failure

0 Likes

I'm using the test console app in the wiced sdk so I am not sure what it uses. You would think that the cypress test app should work. I am also not using eap-ttls but using eap-tls

0 Likes
