XDA Developers Android and Mobile Development Forum

[How-to] Set up EAP-TLS or other advanced Wifi connections on NT (root only!)

admiralspark
#1  
Member - OP
Thanks Meter 37
Posts: 80
Join Date: Jul 2011
Location: Fairbanks, AK

Hello all,
I figured this tutorial may come in handy to a few people out there since the documentation for getting this to work is quite atrocious.

What this tutorial is:
A step-by-step walkthrough of setting up wpa_supplicant.conf to access advanced networking protocols that we otherwise don't have access to (note, this will ONLY work with root at the moment).

What this tutorial is not:
A wireless troubleshooting thread for any wireless issues not related to wpa_supplicant, EAP-TLS, EAP-TTLS, etc.

Thanks ahead of time.

NOTE: This tutorial will be giving instructions for a Windows 7 machine, but 90% of the code I provide can easily be copied over to Linux/BSD/OSX, just replace with the Bash equivalents.

To begin, you will need a few things:
--ADB, with working drivers. Though you don't NEED root access through it, it is nice to have, since it cuts the typing in half, and the setup for that can be found here: [App]: ADB Root Hijack [ADB Runs as Root now]
--openSSL, for converting certificates to the proper formats.
Windows instructions: Requires Cygwin, see this link here. This will install several other useful tools, and you'll love Cygwin if you're a power user
Linux/BSD/OSX instructions: install using your favorite repositories or from binaries (in the case of OSX). For Ubuntu/Debian: sudo apt-get install openssl
--You will need access to the Development menu (use an app or the Any Cut app to make a shortcut), as well as Root Browser lite (or Root Explorer).
--A lot of patience, and a bit of time. This should be straightforward, but don't expect a perfect solution for everyone.


1) The most important step, since this will cause you no end of headaches for possibly an hour or two as you trace it down: Go into the Development menu, UNCHECK USB Debugging and RECHECK it, then UNCHECK Auto Mount. So, even if debugging is checked, uncheck and check it anyway. And make SURE Auto Mount is unchecked, otherwise this will automatically install the "normal" NT drivers and screw up the entire process.

2) Plug in the Nook, and bring up the command line (cmd.exe). Run:
Code:
adb devices
If this returns an alphanumeric string (or anything), your device is in and you're good to go. Otherwise, check the other forum topics for troubleshooting (link to come).

3) To begin, we need to convert our tickets to the correct format. For this we will use OpenSSL. To make this easy, I piled all of my working space into a folder in the root of the C: drive, called "certs". For this example, I will assume that you were given a root certificate named rootCA.crt and a private certificate named username@email.com.p12 (because I was, for the eduroam worldwide network).
This example also assumes EAP-TLS authentication. To convert the files:
Code:
openssl x509 -in rootCA.crt -out rootCA.der -outform DER
openssl x509 -in rootCA.der -inform DER -out rootCA.pem -outform PEM
then
openssl pkcs12 -in username@email.com.p12 -out cert.pem -clcerts -nokeys 
openssl pkcs12 -in username@email.com.p12 -out key.pem -nocerts
Note: even if your business/Uni doesn't use a separate hashed key normally (For example, the University of Alaska system), you will need it here. Normally a certificate app handles all of this (on AOSP and custom builds).

4) Thanks to good ol' FSTAB, we will have to remount /system so we can read/write to it:
Code:
adb shell
su
mount -o remount,rw /system /system

5) Now, we have three new files: rootCA.pem, cert.pem and key.pem in the C:\certs folder. We push them to their proper directory on the NT:
Code:
adb push rootCA.pem /system/etc/wifi/ 
adb push cert.pem /system/etc/wifi/ 
adb push key.pem /system/etc/wifi/
Note: This is where it gets tricky without root ADB access...the option is to push them to "/media/My Files/My Downloads/" (including quotes) and then use a terminal or root browser to move them to /system/etc/wifi/

6) Next, we get to pull wpa_supplicant finally!
Code:
adb pull /system/etc/wifi/wpa_supplicant.conf .
Note: Make sure to include the . at the end, this means 'copy it to the current directory'

7) Open wpa_supplicant.conf in Wordpad (NOT notepad, wrapping issues), and build a profile based on the examples located here.
Here is an edited version of mine, if you use EAP-TLS this will work for you:
Code:
network={ 
ssid="YourAPNameHere" 
scan_ssid=1
key_mgmt=WPA-EAP 
pairwise=CCMP TKIP
group=CCMP TKIP
eap=TLS 
identity="username@address.edu" 
ca_cert="/system/etc/wifi/rootCA.pem" 
client_cert="/system/etc/wifi/cert.pem"
private_key="/system/etc/wifi/key.pem" 
private_key_passwd="yourPassHere" 
priority=20
}
Change ssid, identity, and private_key_passwd to your respective information.
NOTE: priority, near the bottom, determines when it will connect to the network when others are around. Compare it to the values of the priorities set in /data/misc/wifi/wpa_supplicant.conf; the higher the value, the higher the priority when they're all within range.
Now save and close the file.

8) Now, we push and reboot:
Code:
adb push wpa_supplicant.conf /system/etc/wifi/
then reboot the nook.

Now, after reboot, it should be good to go!

Notice, one bit of trouble I ran into: if you just get "error" when turning on the wireless after reboot, double-check that your certificates are correct and in the correct places, and wpa_supplicant.conf points at them. If that's fine, try erasing /data/misc/wifi/wpa_supplicant.conf, then reboot, and the list will be rebuilt and your AP will automatically connect.

Please let me know if there are any issues with the instructions, it's 6am and I haven't slept more than 8 hours in the last 3 days troubleshooting this, building kernels and playing Skyrim
 
admiralspark
(Last edited by admiralspark; 13th February 2012 at 02:56 PM.)
#2  
reserved for future things
Also of note: I'm working on making this into scripts, don't worry everyone. And, if you bork your wifi, I will have a wireless fix in the works too.
 
LacerdaPT
#3  
Member
Thanks Meter 7
Posts: 34
Join Date: Sep 2011
Hi

First of all, thanks for this tutorial

I'm pretty sure this should be very straightforward but not to mess this thing up what do I need to change for a network with the following definitions:

Network SSID: eduroam
Security: 802.1x Enterprise
EAP method: PEAP
Phase 2 authentication: MSCHAPV2

Cheers
 
admiralspark
#4  
Quote:
Originally Posted by LacerdaPT View Post
Hi

First of all, thanks for this tutorial

I'm pretty sure this should be very straightforward but not to mess this thing up what do I need to change for a network with the following definitions:

Network SSID: eduroam
Security: 802.1x Enterprise
EAP method: PEAP
Phase 2 authentication: MSCHAPV2

Cheers

Hey, it's not a problem at all. Pulled from the source here: NookDevs.com wpa_supplicant.conf, I built this skeleton here:
Code:
network={ 
ssid="eduroam" 
scan_ssid=1 
key_mgmt=WPA-EAP 
pairwise=CCMP TKIP 
group=CCMP TKIP 
eap=PEAP 
identity="username@youremail.com" 
password="YOUR-PASSWORD" 
ca_cert="/system/etc/wifi/cacert.pem" 
phase1="peapver=0" 
phase2="auth=MSCHAPV2"
}
As you can see, you'll need to enter your University email in the identity field and your password in the password field, and if you don't have the needed certificates/password/etc you can get that from your local IT office (I would ask to speak with your network technicians though, helpdesk may not have it). Make SURE to read the instructions in that link, the openssl bit is different than the guide above!
Team Ignition Kernel Developer
linux-ideapad developer/maintainer for Arch Linux/Ubuntu Linux
Flame Kernel developer for Galaxy Nexus and Galaxy S3
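
An added example, not part of the original posts: a Python check that parses `network={...}` blocks shaped like the EAP-TLS and PEAP profiles in this thread and flags settings that weaken 802.1X server authentication or expose credentials. The sample profiles, finding codes and function names are constructed for illustration; `subject_match`, `altsubject_match` and `domain_suffix_match` are wpa_supplicant options, and an older build may not support all of them.

```python
import re

# Constructed sample input (placeholder values, not a real network's settings).
SAMPLE = '''
network={
ssid="YourAPNameHere"
key_mgmt=WPA-EAP
pairwise=CCMP TKIP
eap=TLS
ca_cert="/system/etc/wifi/rootCA.pem"
private_key_passwd="yourPassHere"
subject_match="/CN=radius.example.edu"
}
network={
ssid="eduroam"
key_mgmt=WPA-EAP
pairwise=CCMP
eap=PEAP
password="YOUR-PASSWORD"
phase2="MSCHAPV2" }
'''
NAME_KEYS = {'subject_match', 'altsubject_match', 'domain_suffix_match'}

def parse_networks(text):
    """Return one {key: value} dict per network={...} block, quotes stripped."""
    nets = []
    for body in re.findall(r'network\s*=\s*\{(.*?)\}', text, re.S):
        pairs = (l.strip().split('=', 1) for l in body.splitlines()
                 if '=' in l and not l.strip().startswith('#'))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(net):
    """Return finding codes for one WPA-EAP profile; [] for other key_mgmt."""
    if 'EAP' not in net.get('key_mgmt', ''):
        return []
    p2 = net.get('phase2', '')
    checks = [  # (code, condition that raises it)
        ('NO_CA_CERT', not (net.get('ca_cert') or net.get('ca_path'))),  # server cert unverified
        ('NO_SERVER_NAME', not NAME_KEYS & net.keys()),  # any cert under the CA passes
        ('PHASE2_NO_PREFIX', bool(p2) and not re.search(r'\bauth(eap)?=', p2)),
        ('TKIP_ALLOWED', 'TKIP' in net.get('pairwise', '').split()),
        ('PLAINTEXT_SECRET', bool({'password', 'private_key_passwd'} & net.keys())),
    ]
    return [code for code, hit in checks if hit]

def audit_file(text):
    """Map each profile's ssid to its list of findings."""
    return {n.get('ssid', '?'): audit(n) for n in parse_networks(text)}
```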
 
LacerdaPT
#5  
Thanks!

On Monday I will try that and will report the outcome.

Cheers
 
LacerdaPT
#6  
Hi.

It worked like a charm! No problem at all.

Thanks!

Cheers
 
admiralspark
#7  
Awesome! Glad to hear it.

Tags
eap-tls, how-to, nook tablet, wifi, wpa_supplicant