[How-to] Set up EAP-TLS or other advanced Wifi connections on NT (root only!)
Hello all,
I figured this tutorial may come in handy to a few people out there since the documentation for getting this to work is quite atrocious.
What this tutorial is:
A step-by-step walkthrough of setting up wpa_supplicant.conf to access advanced networking protocols that we otherwise don't have access to (note, this will ONLY work with root at the moment).
What this tutorial is not:
A wireless troubleshooting thread for any wireless issues not related to wpa_supplicant, EAP-TLS, EAP-TTLS, etc.
Thanks ahead of time.
NOTE: This tutorial will be giving instructions for a Windows 7 machine, but 90% of the code I provide can easily be copied over to Linux/BSD/OSX, just replace with the Bash equivalents.
To begin, you will need a few things:
--
ADB, with working drivers, though you don't NEED root access through it it is nice to have, since it cuts the typing in half, and the setup for that can be found here: [App]:
ADB Root Hijack [ADB Runs as Root now]
--
openSSL, for converting certificates to the proper formats.
Windows instructions: Requires Cygwin, see
this link here. This will install several other useful tools, and you'll love Cygwin if you're a power user
Linux/BSD/OSX instructions: install using your favorite repositories or from binaries (in the case of OSX). For Ubuntu/Debian: sudo apt-get install openssl
--You will
need access to the
Development menu (use an app or the Any Cut app to make a shortcut), as well as
Root Browser lite (or Root Explorer).
--Alot of
patience, and a bit of time. This should be straightforward, but don't expect a perfect solution for everyone.
1)
The most important step, since this will cause you no end of headaches for possibly an hour or two as you trace it down: Go into the Development menu, UNCHECK USB Debugging and RECHECK it, then UNCHECK Auto Mount. So, even if debugging is checked, uncheck and check it anyway. And make SURE Auto Mount is unchecked, otherwise this will automatically install the "normal" NT drivers and screw up the entire process.
2) Plug in the Nook, and bring up the command line (cmd.exe). Run:
If this returns an alphanumeric string (or anything), your device is in and you're good to go. Otherwise, check the other forum topics for troubleshooting (link to come).
3) To begin, we need to convert our tickets to the correct format. For this we will use OpenSSL. To make this easy, I piled all of my working space into a folder in the root of the C: drive, called "certs". For this example, I will assume that you were given a root certificate named rootCA.crt and a private certificate names
username@email.com.p12 (because I was, for the eduroam worldwide network).
This example also assumes EAP-TLS authentication. To convert the files:
Code:
openssl x509 -in rootCA.crt -out rootCA.der -outform DER
openssl x509 -in rootCA.der -inform DER -out rootCA.pem -outform PEM
then
openssl pkcs12 -in username@email.com.p12 -out cert.pem -clcerts -nokeys
openssl pkcs12 -in username@email.com.p12 -out key.pem -nocerts
Note: even if your business/Uni doesn't use a separate hashed key normally (For example, the University of Alaska system), you will need it here. Normally a certificate app handles all of this (on AOSP and custom builds).
4) Thanks to good ol' FSTAB, we will have to remount /system so we can read/write to it:
Code:
adb shell
su
mount -o remount,rw /system /system
5) Now, we have three new files: rootCA.pem, cert.pem and key.pem in the C:\certs folder. We push them to their proper directory on the NT:
Code:
adb push rootCA.pem /system/etc/wifi/
adb push cert.pem /system/etc/wifi/
adb push key.pem /system/etc/wifi/
Note: This is where it gets tricky without root ADB access...the option is to push them to "/media/My Files/My Downloads/" (including quotes) and then use a terminal or root browser to move them to /system/etc/wifi/
6) Next, we get to pull wpa_supplicant finally!
Code:
adb pull /system/etc/wifi/wpa_supplicant.conf .
Note: Make sure to include the . at the end, this means 'copy it to the current directory'
7) Open wpa_supplicant.conf in Wordpad (NOT notepad, wrapping issues), and build a profile based on the
examples located here.
Here is an edited version of mine, if you use EAP-TLS this will work for you:
Code:
network={
ssid="YourAPNameHere"
scan_ssid=1
key_mgmt=WPA-EAP
pairwise=CCMP TKIP
group=CCMP TKIP
eap=TLS
identity="username@address.edu"
ca_cert="/system/etc/wifi/rootCA.pem"
client_cert="/system/etc/wifi/cert.pem"
private_key="/system/etc/wifi/key.pem"
private_key_passwd="yourPassHere"
priority=20
}
Change ssid, identity, and private_key_passwd to your respective information.
NOTE: priority, near the bottom, determines when it will connect to the network when others are around. Compare it to the values of the priority's set in /data/misc/wifi/wpa_supplicant.conf, the higher the value the higher the priority when they're all within range.
Now save and close the file.
8) Now, we push and reboot:
Code:
adb push wpa_supplicant.conf /system/etc/wifi/
then reboot the nook.
Now, after reboot, it should be good to go!
Notice, one bit of trouble I ran into, if you just get "error" when turning on the wireless after reboot, double-check that your certificates are correct and in the correct places, and wpa_supplicant.conf points at them. If thats fine, try erasing /data/misc/wifi/wpa_supplicant.conf, then reboot, and the list will be rebuilt and your AP will automatically connect.
Please let me know if there are any issues with the instructions, it's 6am and I haven't slept more than 8 hours in the last 3 days troubleshooting this, building kernels and playing Skyrim
Introducing XDA:DevCon – A Conference For Developers By Developers
>
[How-to] Set up EAP-TLS or other advanced Wifi connections on NT (root only!)
Print
Email
View Profile
View Forum Posts
Linear Mode
