AN1030: WPA2/WPA Enterprise


This document describes how to connect to a network using the WPA2/WPA Enterprise security features of the Wizard Gecko WGM110 Wi-Fi Module.

KEY POINTS
- Setting up PEAP-MSCHAPv2 and EAP-TLS
- Testing WPA2/WPA Enterprise functionality on the WGM110 using BGTool
- Connecting to an Access Point using PEAP-MSCHAPv2 or EAP-TLS
- Troubleshooting advice

silabs.com Smart. Connected. Energy-friendly. Rev. 0.1

1. Introduction

This application note introduces the usage of the WPA2/WPA Enterprise features in the WGM110. WPA2/WPA Enterprise is an extension of Wi-Fi Protected Access that requires an authentication server (e.g. RADIUS). It is designed for corporate networks that need more security than the normal pre-shared passkey networks can provide. The security setting requires an Extensible Authentication Protocol (EAP) type to be used for authentication. The WGM110 offers two EAP types, PEAP-MSCHAPv2 and EAP-TLS. WPA2/WPA Enterprise security is only supported in client/station mode on the WGM110.

2. PEAP-MSCHAPv2

MSCHAPv2 is an insecure authentication method on its own, but PEAP wraps it in a TLS tunnel between the client and the authentication server. The WGM110 supports PEAP v0 and v1. Client authentication with a username and password is mandatory in PEAP-MSCHAPv2. To verify the identity of the authentication server, the client uses a CA (certificate authority) certificate, also commonly referred to as a root certificate. Verifying the identity of the client with a certificate is optional and is decided by the authentication server.

Note: For more information on how to load certificates into the WGM110, refer to AN974: TLS and SMTP.

To set up the WGM110 client to connect to a network using PEAP-MSCHAPv2, you must configure the MSCHAP username, the password and the outer identity. Before connecting to a WPA2/WPA Enterprise enabled access point, these settings need to be activated in the WGM110. The BGAPI EAP commands, as in the example below, activate the username, password and the other EAP settings. Once these settings have been accepted by the stack, a network connection can be established with the connect SSID or connect BSSID commands. Note that the debug output is optional.

# Buffers and variables used below (BGScript requires them to be declared)
dim ssid(9)
dim ssid_len
dim username(4)
dim username_len
dim password(8)
dim password_len
dim identity(9)
dim identity_len
dim output_ep
dim cmd_result
dim cmd_interface
dim cmd_bssid(6)

# SSID
ssid_len = 9
ssid(0:ssid_len) = "test_ssid"
# MSCHAPv2 username
username_len = 4
username(0:username_len) = "test"
# MSCHAPv2 password
password_len = 8
password(0:password_len) = "testtest"
# Outer identity
identity_len = 9
identity(0:identity_len) = "anonymous"
# Endpoint for debugging via UART0
output_ep = 0

# Activate MSCHAPv2 username; a non-zero result is reported on the debug endpoint
# (the length argument of endpoint_send is the byte count of the string, including \r\n)
call sme_set_eap_type_username(sme_eap_type_mschapv2, username_len, username(0:username_len))(cmd_result)
if cmd_result != 0 then
    call endpoint_send(output_ep, 32, "EAP: invalid MSCHAPv2 username\r\n")
end if
# Activate MSCHAPv2 password
call sme_set_eap_type_password(sme_eap_type_mschapv2, password_len, password(0:password_len))(cmd_result)
if cmd_result != 0 then
    call endpoint_send(output_ep, 32, "EAP: invalid MSCHAPv2 password\r\n")
end if
# Activate EAP configuration to PEAP-MSCHAPv2 (outer method PEAP, inner method MSCHAPv2)
call sme_set_eap_configuration(sme_eap_type_peap, sme_eap_type_mschapv2, identity_len, identity(0:identity_len))(cmd_result)
if cmd_result != 0 then
    call endpoint_send(output_ep, 32, "EAP: invalid EAP configuration\r\n")
end if
# Connect to the network. This call triggers either the sme_connected() event if the
# attempt succeeds or the sme_connect_failed() event if it fails.
call sme_connect_ssid(ssid_len, ssid(0:ssid_len))(cmd_result, cmd_interface, cmd_bssid)
if cmd_result != 0 then
    call endpoint_send(output_ep, 35, "EAP: Wi-Fi connect command failed\r\n")
end if

The WGM110 then checks the internal certificate store for a suitable certificate to validate the identity of the authentication server. The CA certificate can also be set explicitly with the command sme_set_eap_type_ca_certificate().

3. EAP-TLS

EAP-TLS also uses a CA certificate to verify the identity of the authentication server. Unlike PEAP-MSCHAPv2, it is mandatory for the authentication server to verify the identity of the client, which requires a user certificate and a private key. Username and password are not used in EAP-TLS, so the commands sme_set_eap_type_password() and sme_set_eap_type_username() should not be used.

The user certificate can be stored in flash or RAM, but for security reasons the corresponding private key can only be stored in RAM, and therefore it can only be initialized using API commands. The private key should be kept in secure external storage and sent to the module either by calling the required BGAPI commands directly from an external host, or as plain data, in which case the commands must be called through BGScript. The fingerprint of the corresponding user certificate must be provided when loading the private key, as well as the password used to encrypt the private key data. If the private key is sent unencrypted, the password length must be 0.

Once both the certificate and the private key have been initialized, the certificate must be set as the user certificate. That selects both the certificate and the private key, which have already been associated with each other (by providing the certificate fingerprint when loading the private key). When the certificate has been set as the user certificate and the EAP settings have been activated, the network connection can be established with the connect SSID or connect BSSID commands as shown in the example below.

# Buffers and variables used below (BGScript requires them to be declared)
dim ssid(9)
dim ssid_len
dim identity(9)
dim identity_len
dim output_ep
dim cmd_result
dim cmd_interface
dim cmd_bssid(6)

# SSID
ssid_len = 9
ssid(0:ssid_len) = "test_ssid"
# Outer identity
identity_len = 9
identity(0:identity_len) = "anonymous"
# Endpoint for debugging via UART0
output_ep = 0

# The following three commands add a private key to the certificate store.
# size, fingerprint_len, fingerprint_data, data_len, data_data, password_len and
# password are supplied by the host; the fingerprint must be that of the
# associated user certificate.
call x509_add_private_key(size, fingerprint_len, fingerprint_data)
# The next command must be called repeatedly until all the private key data has been added.
call x509_add_private_key_data(data_len, data_data)
# Finally, when all the data has been added, the following command must be called
# (password_len = 0 if the key was sent unencrypted).
call x509_add_private_key_finish(password_len, password)
# Set the certificate as the user certificate using its fingerprint; this automatically
# selects its associated private key.
call sme_set_eap_type_user_certificate(sme_eap_type_tls, fingerprint_len, fingerprint_data)
# Activate EAP configuration to EAP-TLS (no inner method)
call sme_set_eap_configuration(sme_eap_type_tls, sme_eap_type_none, identity_len, identity(0:identity_len))(cmd_result)
if cmd_result != 0 then
    call endpoint_send(output_ep, 32, "EAP: invalid EAP configuration\r\n")
end if
# Connect to the network. This call triggers either the sme_connected() event if the
# attempt succeeds or the sme_connect_failed() event if it fails.
call sme_connect_ssid(ssid_len, ssid(0:ssid_len))(cmd_result, cmd_interface, cmd_bssid)
if cmd_result != 0 then
    call endpoint_send(output_ep, 35, "EAP: Wi-Fi connect command failed\r\n")
end if
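The three-step private-key upload described above, driven from an external host, as an added example that is not Silicon Labs code: it builds the x509_add_private_key / x509_add_private_key_data / x509_add_private_key_finish parameter sequence from a certificate file and a key file, and enforces the rule that an unencrypted key is sent with password length 0. It assumes that the store identifies a certificate by the SHA-1 fingerprint of its DER form, that the key bytes are sent exactly as they appear in the file, and a 64-byte chunk size; the BGAPI frame encoding itself is not shown.

```python
"""Host-side helper that prepares the WGM110 private-key upload sequence
(x509_add_private_key, x509_add_private_key_data, x509_add_private_key_finish).
Added example, not Silicon Labs code; BGAPI frame encoding is left to the transport."""
import base64
import hashlib
import re
from typing import List, Tuple

# (BGAPI command name, parameters in the order the command takes them)
Command = Tuple[str, tuple]

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour from the first block and base64-decode it."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(match.group(2).split()))


def certificate_fingerprint(cert_pem: str) -> bytes:
    """Assumption: the certificate store identifies an entry by the SHA-1
    digest (20 bytes) of the DER-encoded certificate."""
    return hashlib.sha1(pem_to_der(cert_pem)).digest()


def key_is_encrypted(key_pem: str) -> bool:
    """PKCS#8 encrypted keys say so in the armour; legacy PEM keys use a Proc-Type header."""
    return "ENCRYPTED PRIVATE KEY" in key_pem or "Proc-Type: 4,ENCRYPTED" in key_pem


def private_key_commands(cert_pem: str, key_pem: str, password: str = "",
                         chunk_size: int = 64) -> List[Command]:
    """Build the upload: one add_private_key announcing the total size and the
    user-certificate fingerprint, N add_private_key_data chunks, and one
    add_private_key_finish carrying the password (length 0 for an unencrypted key).
    Assumption: the key bytes are passed through exactly as they appear in the file."""
    encrypted = key_is_encrypted(key_pem)
    if encrypted and not password:
        raise ValueError("encrypted key: the password used to encrypt it is required")
    if not encrypted and password:
        raise ValueError("unencrypted key: it must be sent with password length 0")
    key_data = key_pem.encode("ascii")
    fingerprint = certificate_fingerprint(cert_pem)
    commands: List[Command] = [
        ("x509_add_private_key", (len(key_data), len(fingerprint), fingerprint)),
    ]
    for offset in range(0, len(key_data), chunk_size):
        chunk = key_data[offset:offset + chunk_size]
        commands.append(("x509_add_private_key_data", (len(chunk), chunk)))
    pw = password.encode("ascii")
    commands.append(("x509_add_private_key_finish", (len(pw), pw)))
    return commands


# Constructed sample inputs: a five-byte DER blob standing in for a certificate
# and a key body that is not a real key (enough to exercise the chunking).
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = ("-----BEGIN PRIVATE KEY-----\n" + "MAMCAQE=\n" * 8
                  + "-----END PRIVATE KEY-----\n")
```

Each returned tuple maps one-to-one onto the BGScript calls above, so the host can replay the list over its BGAPI link and send the matching sme_set_eap_type_user_certificate() afterwards.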

4. Using BGTool

BGTool can be used to test WPA2/WPA Enterprise functionality on the WGM110. The WPA settings are accessed by clicking the [Open WPA settings] button in the "STA mode" section, as depicted below.

4.1 Connecting to an AP using PEAP-MSCHAPv2

Connecting to a network using PEAP-MSCHAPv2 requires a CA certificate, which can be loaded through the WPA Settings window by browsing for the certificate file and adding it to the certificate store with the [Add] button. Once the certificate is loaded, it is listed in the certificate store as depicted in the image below.

"EAP type" must be set to PEAP-MSCHAP and the anonymous identity written into the "Anonymous Identity" text box. Then launch the API command sme_set_eap_configuration() by pressing the [Set EAP configuration] button.

The CA certificate can be set explicitly to the one that was loaded, or the firmware can automatically look for the correct one as explained earlier in this document. To set the CA certificate, select it from the "CA certificate" drop-down list, set "EAP type" to PEAP_MSCHAP, and then click [Set CA certificate].

The user certificate is optional, and in this example the authentication server does not ask for client authentication.

Finally, the username and password must be written into the "User name" and "Password" text input fields, and the [Set user name] and [Set password] buttons pressed.

Once the WPA settings are configured, the module is ready to connect to the network. This is done back in the BGTool main window by scanning for and selecting the network to which you wish to connect.

4.2 Connecting to an AP using EAP-TLS

Connecting to a network using EAP-TLS requires a CA certificate and a user certificate. Additionally, the user's private key must also be loaded; it is stored in RAM by default. To load the private key, select the associated user certificate from the "User certificate" drop-down list, then supply the password and the private key file. Clicking [Add] runs the private key loading command set.

"EAP type" must be set to TLS and the anonymous identity written into the "Identity" text input field. Then press [Set EAP configuration].

The CA certificate can be set explicitly to the one that was loaded, or the firmware can automatically look for the correct one as explained earlier in this document. To set the CA certificate, select it from the "CA certificate" drop-down list, set "EAP type" to TLS, and then press [Set CA certificate].

The user certificate is mandatory in EAP-TLS. Select the correct user certificate from the "User certificate" drop-down list, set "EAP type" to EAP-TLS, and then press [Set user certificate].

Once the WPA settings are configured, the module is ready to connect to the network. This is done back in the BGTool main window by scanning for and selecting the network to which you wish to connect.

4.3 Troubleshooting

If the connection is not successful, these are the most common errors and hints on what the root cause could be:

0x018B (ap_not_in_scanlist): The SSID of the AP is misspelled, its length does not match the string size, or the scan has been limited to a channel that the AP is not using.

0x081D (authentication failure): The WPA2/WPA certificates have not been loaded properly or are missing, the private key is missing (in the case of EAP-TLS), or the EAP configuration is not set properly.

5. Revision History

5.1 Revision 0.1

August 3rd, 2016
Initial release.
