[How-to] Set up EAP-TLS or other advanced Wifi connections on NT (root only!)

OP admiralspark

13th February 2012, 03:54 PM   |  #1  
OP Member
Hello all,
I figured this tutorial may come in handy to a few people out there since the documentation for getting this to work is quite atrocious.

What this tutorial is:
A step-by-step walkthrough of setting up wpa_supplicant.conf to access advanced networking protocols that we otherwise don't have access to (note, this will ONLY work with root at the moment).

What this tutorial is not:
A wireless troubleshooting thread for any wireless issues not related to wpa_supplicant, EAP-TLS, EAP-TTLS, etc.

Thanks ahead of time.

NOTE: This tutorial will be giving instructions for a Windows 7 machine, but 90% of the code I provide can easily be copied over to Linux/BSD/OSX, just replace with the Bash equivalents.

To begin, you will need a few things:
--ADB, with working drivers. Though you don't NEED root access through it, it is nice to have, since it cuts the typing in half, and the setup for that can be found here: [App]: ADB Root Hijack [ADB Runs as Root now]
--openSSL, for converting certificates to the proper formats.
Windows instructions: Requires Cygwin, see this link here. This will install several other useful tools, and you'll love Cygwin if you're a power user
Linux/BSD/OSX instructions: install using your favorite repositories or from binaries (in the case of OSX). For Ubuntu/Debian: sudo apt-get install openssl
--You will need access to the Development menu (use an app or the Any Cut app to make a shortcut), as well as Root Browser lite (or Root Explorer).
--A lot of patience, and a bit of time. This should be straightforward, but don't expect a perfect solution for everyone.


1) The most important step, since this will cause you no end of headaches for possibly an hour or two as you trace it down: Go into the Development menu, UNCHECK USB Debugging and RECHECK it, then UNCHECK Auto Mount. So, even if debugging is checked, uncheck and check it anyway. And make SURE Auto Mount is unchecked, otherwise this will automatically install the "normal" NT drivers and screw up the entire process.

2) Plug in the Nook, and bring up the command line (cmd.exe). Run:
Code:
adb devices
If this returns an alphanumeric string (or anything), your device is in and you're good to go. Otherwise, check the other forum topics for troubleshooting (link to come).

3) To begin, we need to convert our tickets to the correct format. For this we will use OpenSSL. To make this easy, I piled all of my working space into a folder in the root of the C: drive, called "certs". For this example, I will assume that you were given a root certificate named rootCA.crt and a private certificate named username@email.com.p12 (because I was, for the eduroam worldwide network).
This example also assumes EAP-TLS authentication. To convert the files:
Code:
openssl x509 -in rootCA.crt -out rootCA.der -outform DER
openssl x509 -in rootCA.der -inform DER -out rootCA.pem -outform PEM
then
openssl pkcs12 -in username@email.com.p12 -out cert.pem -clcerts -nokeys 
openssl pkcs12 -in username@email.com.p12 -out key.pem -nocerts
Note: even if your business/Uni doesn't use a separate hashed key normally (For example, the University of Alaska system), you will need it here. Normally a certificate app handles all of this (on AOSP and custom builds).

4) Thanks to good ol' FSTAB, we will have to remount /system so we can read/write to it:
Code:
adb shell
su
mount -o remount,rw /system /system

5) Now, we have three new files: rootCA.pem, cert.pem and key.pem in the C:\certs folder. We push them to their proper directory on the NT:
Code:
adb push rootCA.pem /system/etc/wifi/ 
adb push cert.pem /system/etc/wifi/ 
adb push key.pem /system/etc/wifi/
Note: This is where it gets tricky without root ADB access...the option is to push them to "/media/My Files/My Downloads/" (including quotes) and then use a terminal or root browser to move them to /system/etc/wifi/

6) Next, we get to pull wpa_supplicant finally!
Code:
adb pull /system/etc/wifi/wpa_supplicant.conf .
Note: Make sure to include the . at the end, this means 'copy it to the current directory'

7) Open wpa_supplicant.conf in Wordpad (NOT notepad, wrapping issues), and build a profile based on the examples located here.
Here is an edited version of mine, if you use EAP-TLS this will work for you:
Code:
network={ 
ssid="YourAPNameHere" 
scan_ssid=1
key_mgmt=WPA-EAP 
pairwise=CCMP TKIP
group=CCMP TKIP
eap=TLS 
identity="username@address.edu" 
ca_cert="/system/etc/wifi/rootCA.pem" 
client_cert="/system/etc/wifi/cert.pem"
private_key="/system/etc/wifi/key.pem" 
private_key_passwd="yourPassHere" 
priority=20
}
Change ssid, identity, and private_key_passwd to your respective information.
NOTE: priority, near the bottom, determines when it will connect to the network when others are around. Compare it to the values of the priorities set in /data/misc/wifi/wpa_supplicant.conf; the higher the value, the higher the priority when they're all within range.
Now save and close the file.

8) Now, we push and reboot:
Code:
adb push wpa_supplicant.conf /system/etc/wifi/
then reboot the nook.

Now, after reboot, it should be good to go!

Notice, one bit of trouble I ran into: if you just get "error" when turning on the wireless after reboot, double-check that your certificates are correct and in the correct places, and wpa_supplicant.conf points at them. If that's fine, try erasing /data/misc/wifi/wpa_supplicant.conf, then reboot, and the list will be rebuilt and your AP will automatically connect.

Please let me know if there are any issues with the instructions, it's 6am and I haven't slept more than 8 hours in the last 3 days troubleshooting this, building kernels and playing Skyrim
13th February 2012, 03:54 PM   |  #2  
OP Member
reserved for future things
Also of note: I'm working on making this into scripts, don't worry everyone. And, if you bork your wifi, I will have a wireless fix in the works too.
Last edited by admiralspark; 13th February 2012 at 03:56 PM.
25th February 2012, 03:07 AM   |  #3  
Member
Hi

First of all, thanks for this tutorial

I'm pretty sure this should be very straightforward, but not to mess this thing up, what do I need to change for a network with the following definitions:

Network SSID: eduroam
Security: 802.1x Enterprise
EAP method: PEAP
Phase 2 authentication: MSCHAPV2

Cheers
25th February 2012, 01:48 PM   |  #4  
OP Member
Quote:
Originally Posted by LacerdaPT

Hi

First of all, thanks for this tutorial

I'm pretty sure this should be very straightforward, but not to mess this thing up, what do I need to change for a network with the following definitions:

Network SSID: eduroam
Security: 802.1x Enterprise
EAP method: PEAP
Phase 2 authentication: MSCHAPV2

Cheers

Hey, it's not a problem at all. Pulled from the source here: NookDevs.com wpa_supplicant.conf, I built this skeleton:
Code:
network={ 
ssid="eduroam" 
scan_ssid=1 
key_mgmt=WPA-EAP 
pairwise=CCMP TKIP 
group=CCMP TKIP 
eap=PEAP 
identity="username@youremail.com" 
password="YOUR-PASSWORD" 
ca_cert="/system/etc/wifi/cacert.pem" 
phase1="peapver=0" 
phase2="auth=MSCHAPV2"
}
As you can see, you'll need to enter your University email in the identity field and your password in the password field, and if you don't have the needed certificates/password/etc you can get that from your local IT office (I would ask to speak with your network technicians though, helpdesk may not have it). Make SURE to read the instructions in that link, the openssl bit is different than the guide above!
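
Added example, not part of the original posts and not code from wpa_supplicant: a small Python audit for profiles like the EAP-TLS one in post #1 and the PEAP one in post #4, flagging a missing CA certificate, a missing server-name match, secrets stored in the file, and TKIP being permitted. The finding names, the trimmed sample profiles and the server name `radius.example.edu` are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the thread's two profiles, trimmed; values are placeholders.
SAMPLE_CONF = """
network={
    ssid="YourAPNameHere"
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    ca_cert="/system/etc/wifi/rootCA.pem"
    private_key_passwd="yourPassHere"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    password="YOUR-PASSWORD"
    altsubject_match="DNS:radius.example.edu"
}
"""
NAME_KEYS = ("subject_match", "altsubject_match", "domain_suffix_match")
SECRET_KEYS = ("password", "private_key_passwd", "psk")

def parse_networks(text):
    """Parse network={...} blocks into dicts; '}' must sit on its own line."""
    nets, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if re.fullmatch(r"network\s*=\s*\{", line):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return nets

def audit(net):
    """Return finding codes for one parsed network block."""
    out = []
    if "WPA-EAP" in net.get("key_mgmt", "").split():
        if "ca_cert" not in net and "ca_path" not in net:
            out.append("no-ca-cert")            # server certificate is not validated
        if not any(k in net for k in NAME_KEYS):
            out.append("no-server-name-check")  # any cert under the CA is accepted
    if any(k in net for k in SECRET_KEYS):
        out.append("secret-in-file")            # restrict who can read the config
    if "TKIP" in net.get("pairwise", "CCMP TKIP").split():  # default allows TKIP
        out.append("tkip-allowed")
    return out
```

Run `audit()` over each block returned by `parse_networks()` on the file pulled in step 6 before pushing it back to the device.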
26th February 2012, 03:48 AM   |  #5  
Member
Thanks!

On Monday I will try that and will report the outcome.

Cheers
1st March 2012, 11:49 PM   |  #6  
Member
Hi.

It worked like a charm! No problem at all.

Thanks!

Cheers
2nd March 2012, 02:27 PM   |  #7  
OP Member
Awesome! Glad to hear it.


Tags
eap-tls, how-to, nook tablet, wifi, wpa_supplicant