WPA2 Enterprise on ATWINC1500


Hi,

 

I've spent a good week now trying to get the ATWINC1500 to connect to a WPA2 Enterprise network using PEAP and MSCHAPV2.
I've learned a lot but unfortunately I still haven't been able to connect. I will share my steps below in the hope someone can spot a mistake or point me in a new direction.

I understand that this is the Atmel forum and I'm trying to use the Arduino IDE.

However the code uses the Atmel drivers and I don't have the tools to connect my board (Adafruit feather M0 WiFi) to Atmel Studio. 

I'm hoping someone here can spot an error or point me in the right direction.

 

1. I've updated the firmware on the feather to 19.6.1 using the firmware update tool in the Arduino IDE and a binary from Atmel. 
According to the release notes from Atmel this firmware version should now support WPA2 enterprise PEAP.

2. The changes from the 19.6.1 drivers are ported to the WiFi101 library. 

The above was done with the help of Joe Cicchiello whom I had hired to help me with this issue. 
It is documented in more detail on his GitHub here.

 

The WPA2 Enterprise network is an ISP hotspot network. The ISP provides a root certificate to download and instructs to install it for Android and Windows systems although I can connect fine on Android without it. 

To get this certificate loaded manually I downloaded the firmware updater from GitHub here.
I then removed some certificates from the "certs" folder to make space for the new certificate (as storage is apparently maxed out by default.) 
Using the command line version of the uploader I issued:

.\winc1500-uploader.exe -certs certs -port COM7 (on Windows VM as the updater would not work under Mac OS) 

This seemed to work fine so I ran the WPA2 enterprise example sketch made by Joe again but no luck (find the sketch code below). I keep getting error code "6".

I'm hoping someone can shed some new light on this. 

Thanks in advance.

/*
 This example connects to a WPA Enterprise Wifi network.
 Then it prints the MAC address of the Wifi shield,
 the IP address obtained, and other network details.

 Circuit:
 * WiFi shield attached

 created 13 July 2010
 by dlf (Metodo2 srl)
 modified 31 May 2012
 by Tom Igoe
 modified 29 June 2016
 by Tim Dicus
 */
#include <SPI.h>
#include <WiFi101.h>

char ssid[] = "Ziggo";     //  your network SSID (name)
int status = WL_IDLE_STATUS;     // the Wifi radio's status

// change these to your user/password
#define MAIN_WLAN_DEVICE_NAME "Ziggo"
#define MAIN_WLAN_802_1X_USR_NAME "myUser"
#define MAIN_WLAN_802_1X_PWD "myPass!"

static tstr1xAuthCredentials auth;

void setup() {
  //Configure pins for Adafruit ATWINC1500 Feather
  WiFi.setPins(8,7,4,2);

  //Initialize serial and wait for port to open:
  Serial.begin(9600);
  while (!Serial) {
    ; // wait for serial port to connect. Needed for native USB port only
  }

  // check for the presence of the shield:
  if (WiFi.status() == WL_NO_SHIELD) {
    Serial.println("WiFi shield not present");
    // don't continue:
    while (true);
  }

  strcpy((char*) auth.au8UserName, MAIN_WLAN_802_1X_USR_NAME);
  strcpy((char*) auth.au8Passwd, MAIN_WLAN_802_1X_PWD);

  // attempt to connect to Wifi network:
  while ( WiFi.status() != WL_CONNECTED) {
    Serial.print("Attempting to connect to WPA SSID: ");
    Serial.println(ssid);

    // Connect to WPA/WPA2 Enterprise network:
    //  WiFi.begin(ssid,ENC_TYPE_CCMP, &pass);
    //m2m_wifi_connect((char *)MAIN_WLAN_DEVICE_NAME, sizeof(MAIN_WLAN_DEVICE_NAME), M2M_WIFI_SEC_802_1X, (char *)&pass, M2M_WIFI_CH_ALL);
    uint8_t stat = WiFi.begin(ssid, &auth);
    Serial.print("Status after WiFi::begin: ");
    Serial.println(stat);

    delay(2000);
    Serial.print(".");
  }

  // you're connected now, so print out the data:
  Serial.print("You're connected to the network");
  printCurrentNet();
  printWifiData();

}

void loop() {
  // check the network connection once every 10 seconds:
  delay(10000);
  printCurrentNet();
}

void printWifiData() {
  // print your WiFi shield's IP address:
  IPAddress ip = WiFi.localIP();
  Serial.print("IP Address: ");
  Serial.println(ip);

  // print your MAC address:
  byte mac[6];
  WiFi.macAddress(mac);
  Serial.print("MAC address: ");
  Serial.print(mac[5], HEX);
  Serial.print(":");
  Serial.print(mac[4], HEX);
  Serial.print(":");
  Serial.print(mac[3], HEX);
  Serial.print(":");
  Serial.print(mac[2], HEX);
  Serial.print(":");
  Serial.print(mac[1], HEX);
  Serial.print(":");
  Serial.println(mac[0], HEX);

}

void printCurrentNet() {
  // print the SSID of the network you're attached to:
  Serial.print("SSID: ");
  Serial.println(WiFi.SSID());

  // print the MAC address of the router you're attached to:
  byte bssid[6];
  WiFi.BSSID(bssid);
  Serial.print("BSSID: ");
  Serial.print(bssid[5], HEX);
  Serial.print(":");
  Serial.print(bssid[4], HEX);
  Serial.print(":");
  Serial.print(bssid[3], HEX);
  Serial.print(":");
  Serial.print(bssid[2], HEX);
  Serial.print(":");
  Serial.print(bssid[1], HEX);
  Serial.print(":");
  Serial.println(bssid[0], HEX);

  // print the received signal strength:
  long rssi = WiFi.RSSI();
  Serial.print("signal strength (RSSI):");
  Serial.println(rssi);

  // print the encryption type:
  byte encryption = WiFi.encryptionType();
  Serial.print("Encryption Type:");
  Serial.println(encryption, HEX);
  Serial.println();
}


The WPA2 Enterprise network is an ISP hotspot network. The ISP provides a root certificate to download and instructs to install it for Android and Windows systems although I can connect fine on Android without it.

The reason you can connect on Android is probably because it already has the right Root CA installed. If you double-click on the certificate from the ISP, assuming this is a Windows machine, and go to the tab that says Certification Path, what do you see? Do you see a chain of trust? Anyway, what you need to install is the Root CA that signs the ISP's RADIUS server certificate for WPA2 Enterprise application. If you launch a terminal program on the debug port (460800 8N1), the same port you did firmware upgrade, does it tell you why it fails?

 

Here is an example of a good connection:

(0)(M2M)DriverInfo: 0x13301361: 19.6.1
(0)(M2M)ChMapV(1)
(0)Chip ID = 1503a0
(0)Flash ID = c21320c2, Size = 4 MBit
(0)MAC:efuse
(0)MAC_ADDR  = F8:F0:05:E7:13:C3
(0)Shr_buf static: 0, 5, 5, 22, 9, 10
(10)NMI M2M SW  VER 19.6.1 REV 16761
(10)NMI MIN DRV VER 19.3.0
(10)FW URL branches/rel_1500_19.6.1
(10)Built May 23 2018   14:39:16
(10)ROM VER_2
(10)__HW_AES__
(20)(M2M)LOAD SEC
(20)(TLS)TLS Sess Sz=1572
(40)PSM off
(40)(M2M)(ERR)(m2m_wifi_handle_gain_table_idx)(5229)Invalid Gain Tab idx 1
(40)(M2M)Device Name "xxxxxxxxxxxxxxx"
(40)(M2M)Scan NS 2 TS 30 CL 3fff
(40)Reset MAC
(60)SERR(C8)
(60)(GP_REG)USE PMU
(60)AIC CORR (FW) = 17d1
(60)PIC CORR (FW) = fb9
(60)PSM on
(60)MAC State <3>
(930)MAC State <4>
(930)PSM off
(930)MAC State <0>
(980)(M2M)LOAD CON
(980)(M2M)Wifi Connect
(980)(M2M)SSID: xxxxxxxxx
(980)(M2M)BSSID: 00:00:00:00:00:00
(980)(M2M)AUTH: WPA-Enterprise
(980)(M2M)Ch: 255
(980)(M2M)LOAD SEC
(980)Reset MAC
(990)(GP_REG)USE PMU
(990)AIC CORR (FW) = 17d1
(990)PIC CORR (FW) = fb9
(990)PSM on
(990)MAC State <3>
(1830)MAC State <4>
(1830)Join on 11 xxxxxxxxx Bss xx:xx:xx:xx:xx:xx Rssi -55
(1830)MAC State <5>
(1830)MAC State <6>
(1830)MAC State <7>
(1830)MAC State <9>
(1830)MAC State <10>
(1830)(EAP)Stop
(1830)MAC State <1>
(1830)(EAP)<- Start
(1850)Tsf join
(1850)(M2M)LOAD TLS
(1860)(EAP)-> Layer:0 Code:1 Type:1
(1860)(EAP)<- Layer:0 Type:1
(1950)Tsf join Done
(2860)(EAP)Auth TO
(2860)(EAP)<- Start
(2870)(EAP)-> Layer:0 Code:1 Type:1
(2870)(EAP)<- Layer:0 Type:1
(2890)(EAP)-> Layer:0 Code:1 Type:25
(2890)(TLS)Creating EAP
(2890)()<- ClientHello
(2890)(EAP)<- Layer:0 Type:25
(2910)(EAP)-> Layer:0 Code:1 Type:25
(2910)(EAP)<- Layer:0 Type:25
(2930)(EAP)-> Layer:0 Code:1 Type:25
(2930)(EAP)<- Layer:0 Type:25
(2940)(EAP)-> Layer:0 Code:1 Type:25
(2940)()-> ServerHello
(2940)>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
(2950)()-> Certificate
(2960)(TLS)*=*=* X509 *=*=*
(2960)(TLS)     Subject <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
(2960)(TLS)     Issuer  <xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
(2960)(TLS)     <2018-05-15 21:07:41> to <2023-05-14 21:07:41>
(2960)(TLS)Root Cert <RSA>
(2960)(TLS)     <2017-06-20 20:26:40> to <2116-11-16 23:12:53>
(2960)(TLS)Root Valid
(2960)()-> ServerKeyExchange
(2970)()-> CertificateRequest
(2970)()-> ServerHelloDone
(7370)()<- Certificate
(7370)()<- ClientKeyExchange
(7370)()<- ChangeCipherSpec
(7370)()<- Finished
(7380)(EAP)<- Layer:0 Type:25
(7400)(EAP)-> Layer:0 Code:1 Type:25
(7400)()-> ChangeCipherSpec
(7400)()-> ServerFinished
(7410)(TLS)Sess() Established==>TLSv1.2
(7410)(EAP)<- Layer:0 Type:25
(7420)(EAP)-> Layer:0 Code:1 Type:25
(7420)(EAP)-> Layer:1 Code:1 Type:1
(7420)(EAP)<- Layer:1 Type:1
(7430)(EAP)<- Layer:0 Type:25
(7440)(EAP)-> Layer:0 Code:1 Type:25
(7440)(EAP)-> Layer:1 Code:1 Type:1
(7440)(EAP)<- Layer:1 Type:1
(7450)(EAP)<- Layer:0 Type:25
(7460)(EAP)-> Layer:0 Code:1 Type:25
(7460)(EAP)-> Layer:1 Code:26 Type:26
(7470)(EAP)<- Layer:1 Type:26
(7480)(EAP)<- Layer:0 Type:25
(7490)(EAP)-> Layer:0 Code:1 Type:25
(7500)(EAP)-> Layer:1 Code:26 Type:26
(7500)(EAP)<- Layer:1 Type:26
(7500)(EAP)<- Layer:0 Type:25
(7510)(EAP)-> Layer:0 Code:1 Type:25
(7520)(EAP)-> Layer:1 Code:1 Type:1
(7520)(EAP)<- Layer:1 Type:33
(7520)(EAP)<- Layer:0 Type:25
(7520)(EAP)Success Ind
(7520)(EAP)Stop
(7530)(M2M)LOAD SEC
(7560)(M2M)LOAD CON
(7560)(M2M)WIFI Connected
(7560)(DHCP)<-DIS
(7580)(HwEr)BRx8, 3338
(8020)Rate UP (MCS-6)
(8060)(DHCP)<-DIS
(8300)>> detected

(8300)(DHCP)->OFFER
(8300)(DHCP)<-REQ
(8550)(DHCP)->ACK
(8550)(DHCP)Self IP     : "xx.xx.xx.xx"
(8550)(M2M)Time Of Day
        11/12/2018 23:16:44 GMT
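
A debug log like the one in the post above can be triaged by checking which PEAP/TLS milestones it reaches, in order. This is an added example, not part of the original post and not Atmel or Arduino code; the stage names and the `triage` helper are made up here, and the stalled sample is constructed by truncating the good log.

```python
import re

# Milestones in the order the good log above reaches them. The patterns are
# copied from that log; the stage names are labels invented for this example.
MILESTONES = [
    ("joined_bss", r"\)Join on \d+"),
    ("peap_started", r"\(EAP\)-> Layer:0 Code:1 Type:25"),  # EAP type 25 = PEAP
    ("server_cert_seen", r"\(\)-> Certificate$"),
    ("root_ca_trusted", r"\(TLS\)Root Valid"),
    ("tls_established", r"\(TLS\)Sess\(\) Established"),
    ("inner_mschapv2", r"\(EAP\)-> Layer:1 Code:\d+ Type:26"),  # 26 = MSCHAPv2
    ("eap_success", r"\(EAP\)Success Ind"),
    ("wifi_connected", r"\(M2M\)WIFI Connected"),
]
CIPHER = re.compile(r">> (TLS_[A-Z0-9_]+)")

def triage(log_text):
    """Return (stages reached, first stage missing or None, cipher or None)."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    found = CIPHER.search(log_text)
    cipher = found.group(1) if found else None
    reached, pos = [], 0
    for name, pattern in MILESTONES:
        # Search only after the previous milestone so the order is enforced.
        hit = next((i for i in range(pos, len(lines))
                    if re.search(pattern, lines[i])), None)
        if hit is None:
            return reached, name, cipher
        reached.append(name)
        pos = hit + 1
    return reached, None, cipher

# Excerpt of the good log posted above.
GOOD_LOG = """
(1830)Join on 11 xxxxxxxxx Bss xx:xx:xx:xx:xx:xx Rssi -55
(2890)(EAP)-> Layer:0 Code:1 Type:25
(2940)>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
(2950)()-> Certificate
(2960)(TLS)Root Valid
(7410)(TLS)Sess() Established==>TLSv1.2
(7460)(EAP)-> Layer:1 Code:26 Type:26
(7520)(EAP)Success Ind
(7560)(M2M)WIFI Connected
"""
# Constructed sample: the good log cut off after the server certificate, so
# "Root Valid" never appears. Real failure output is not shown on the page.
STALLED_LOG = "\n".join(GOOD_LOG.strip().splitlines()[:4])

if __name__ == "__main__":
    for label, log in (("good", GOOD_LOG), ("stalled", STALLED_LOG)):
        print(label, triage(log))
```

A capture that reaches `server_cert_seen` but not `root_ca_trusted` points at the root CA store on the module rather than at the username or password, which are only exchanged inside the tunnel at the `inner_mschapv2` stage.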

 


Thanks for your response!

 

This is what I see: the ISP signs the certificate themselves.

 

Installing the certificate is a difficult task as I'm unable to connect the Adafruit ATWINC1500 directly to Atmel Studio. I have to use the Arduino tools, which are not set up for manually loading one; they can only fetch certs by entering a domain.

While I previously thought to have loaded the certificate using the firmware updater from GitHub, it now seems this was unsuccessful.

The firmware update tool includes a command to read the contents of the flash memory. When I compare the contents after loading 0, 1 or multiple certificates, the content remains the same.
If I use the firmware update tool included in the Arduino IDE the content does look different.

 

I would love to get a log like yours but I'm unsure how to get it. What do you mean by "If you launch a terminal program on the debug port (460800 8N1)"?

I can launch the terminal and monitor serial output but I'm unaware of a debug port or a specific address.

 

If it helps at all you can find the certificate from the ISP here

 

Thanks for your help thus far. 


ATWINC1500 has a set of serial debug lines coming out of pins #14 and #19. Prior to FW 19.6.1, the baud rate was 115200. The same TX/RX lines can be used to download firmware and certificates. I don't know anything about Adafruit/Arduino.

 

The certificate in your case is RSA 4096 and default cipher suites should support that. I think your problem, as you have already guessed, is that the certificate hasn't been loaded into WINC properly.

 

 


I will work on trying to confirm whether the certificate is loaded or not and report back.

 

Thanks for your help thus far.