Could WPA2 enterprise onboarding be done through BLE?


GrCa_1363456
Level 6

What specific examples and lessons learned are available for setting up secure WiFi enterprise connections using BLE?

Are there issues trying to pass certificate via BLE applications?

Greg

MichaelF_56
Moderator

In theory, this could be implemented manually within custom SW as the certificates themselves appear to the BLE connection as nothing more than bits within the secure connection that would need to be established.

We have never tried this ourselves, so there are no examples or past experiences that we can draw from which can be leveraged in your custom implementation.

I am adding GauravS_31 to see if he knows of other forms of on-boarding we can recommend where a certificate server cannot be used, such as within a consumer application.


GauravS_31
Moderator

We can consider extending the concept used in the BLE WiFi Introducer demo to WPA2 Enterprise. In that demo, basically the network credentials are sent over BLE as a characteristic write to the WICED device working as GATT server. Similarly, for enterprise, the network credentials such as certificate, user name and password can be sent as characteristic writes over BLE to the WICED device. You will need to know the byte size of the certificate to determine whether it is a long characteristic or not, based on the GATT MTU size limitation.

These credentials will be required in the join_ent implementation shown in command_console_wifi.c. For instance, the root CA certificate is required by conn_info.trusted_ca_certificates. Likewise, the EAP type and auth type are required, and depending on the EAP type, specific credentials (such as client certificate and private key for EAP-TLS) are required. At minimum, a root CA certificate would be mandatory because our supplicant implementation requires the same and it expects a server certificate from the RADIUS server.

Please note that this is our understanding and we have not implemented this concept.
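The flow sketched in the reply above, modelled end to end as an added example (this is not code from the thread, the BLE WiFi Introducer demo or the WICED SDK). The phone side packs the credentials into a TLV bundle and writes it to a GATT characteristic, choosing between a single ATT Write Request and a Prepare/Execute "long write" from the bundle size and the negotiated ATT MTU; the device side reassembles the fragments, parses the bundle strictly, and maps it onto join_ent-style parameters with the constraints the reply states (root CA always mandatory, client certificate and key for EAP-TLS, username and password for PEAP). The TLV framing and tag numbers, the `MAX_BUNDLE` buffer size, the `conn_info` field names, and the placeholder certificate and key bytes are all assumptions of this example, not any real format.

```python
"""BLE onboarding of WPA2-Enterprise credentials over a GATT characteristic.

Added example, not WICED code. TLV framing, tag values, buffer size, field
names and the sample credential bytes below are assumptions for illustration.
"""
import struct

# TLV tags (assumed framing for this example)
TAG_SSID, TAG_EAP_TYPE, TAG_USERNAME, TAG_PASSWORD = 0x01, 0x02, 0x03, 0x04
TAG_CA_CERT, TAG_CLIENT_CERT, TAG_CLIENT_KEY = 0x05, 0x06, 0x07
EAP_TLS, EAP_PEAP = 13, 25   # IANA EAP method type numbers
MAX_BUNDLE = 8192            # assumed device-side characteristic buffer size
PEM_CERT = b"-----BEGIN CERTIFICATE-----"

def encode_bundle(fields):
    """Phone side: {tag: bytes} -> 4-byte body length + (tag, len16, value) records."""
    body = b"".join(struct.pack(">BH", t, len(v)) + v for t, v in fields.items())
    return struct.pack(">I", len(body)) + body

def decode_bundle(buf):
    """Device side: strict parse; rejects truncation, trailing bytes and duplicate tags."""
    if len(buf) < 4:
        raise ValueError("bundle too short for header")
    (body_len,) = struct.unpack(">I", buf[:4])
    body = buf[4:]
    if body_len != len(body):
        raise ValueError("length header %d != %d received" % (body_len, len(body)))
    fields, pos = {}, 0
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("truncated TLV header")
        tag, ln = struct.unpack(">BH", body[pos:pos + 3])
        pos += 3
        if pos + ln > len(body):
            raise ValueError("TLV value overruns bundle")
        if tag in fields:
            raise ValueError("duplicate tag 0x%02x" % tag)
        fields[tag] = body[pos:pos + ln]
        pos += ln
    return fields

class CredentialCharacteristic:
    """GATT-server side of one writable characteristic (ATT semantics simplified)."""
    def __init__(self, max_len=MAX_BUNDLE):
        self.max_len, self.value, self._prepared = max_len, b"", b""

    def write_request(self, data):           # ATT Write Request: whole value in one PDU
        if len(data) > self.max_len:
            raise ValueError("ATT_ERR_INVALID_ATTRIBUTE_LENGTH")
        self.value = data

    def prepare_write(self, offset, chunk):  # ATT Prepare Write Request: one fragment
        if offset != len(self._prepared):    # accept only contiguous, in-order fragments
            self._prepared = b""
            raise ValueError("ATT_ERR_INVALID_OFFSET")
        if offset + len(chunk) > self.max_len:
            self._prepared = b""
            raise ValueError("ATT_ERR_INVALID_ATTRIBUTE_LENGTH")
        self._prepared += chunk

    def execute_write(self, commit=True):    # ATT Execute Write Request: commit or cancel
        if commit:
            self.value = self._prepared
        self._prepared = b""

def write_bundle(char, bundle, att_mtu=23):
    """Phone side: a Write Request carries ATT_MTU-3 bytes (opcode + handle);
    anything larger goes as a long write in ATT_MTU-5 fragments (+ 2-byte offset)."""
    if len(bundle) <= att_mtu - 3:
        char.write_request(bundle)
        return "write_request"
    step = att_mtu - 5
    for off in range(0, len(bundle), step):
        char.prepare_write(off, bundle[off:off + step])
    char.execute_write(commit=True)
    return "long_write"

def build_conn_info(fields):
    """Map parsed fields onto join_ent-style parameters (names illustrative):
    root CA always mandatory; EAP-TLS needs client cert + key; PEAP needs user/password."""
    for tag, name in ((TAG_SSID, "ssid"), (TAG_EAP_TYPE, "eap_type"), (TAG_CA_CERT, "root CA")):
        if tag not in fields:
            raise ValueError("missing mandatory field: " + name)
    if not fields[TAG_CA_CERT].startswith(PEM_CERT):
        raise ValueError("root CA is not a PEM certificate")
    if len(fields[TAG_EAP_TYPE]) != 1:
        raise ValueError("eap_type must be one byte")
    eap = fields[TAG_EAP_TYPE][0]
    info = {"ssid": fields[TAG_SSID].decode(), "eap_type": eap,
            "trusted_ca_certificates": fields[TAG_CA_CERT]}
    if eap == EAP_TLS:
        if TAG_CLIENT_CERT not in fields or TAG_CLIENT_KEY not in fields:
            raise ValueError("EAP-TLS requires client certificate and private key")
        info["client_cert"], info["client_private_key"] = fields[TAG_CLIENT_CERT], fields[TAG_CLIENT_KEY]
    elif eap == EAP_PEAP:
        if TAG_USERNAME not in fields or TAG_PASSWORD not in fields:
            raise ValueError("PEAP requires username and password")
        info["username"], info["password"] = fields[TAG_USERNAME].decode(), fields[TAG_PASSWORD].decode()
    else:
        raise ValueError("unsupported EAP type %d" % eap)
    return info

def onboard(fields, att_mtu=23):
    """Whole round trip; returns (ATT path used, conn_info). Assumes the BLE link is
    already paired and encrypted: nothing in this layer protects the bytes on the air."""
    char = CredentialCharacteristic()
    path = write_bundle(char, encode_bundle(fields), att_mtu)
    return path, build_conn_info(decode_bundle(char.value))

# Constructed placeholder credentials (not real certificates or keys)
SAMPLE_CA = PEM_CERT + b"\n" + b"MIIB" * 10 + b"\n-----END CERTIFICATE-----\n"
SAMPLE_CLIENT_CERT = PEM_CERT + b"\n" + b"MIIC" * 10 + b"\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\n" + b"MIIE" * 10 + b"\n-----END PRIVATE KEY-----\n"
PEAP_FIELDS = {TAG_SSID: b"corp", TAG_EAP_TYPE: bytes([EAP_PEAP]), TAG_USERNAME: b"greg",
               TAG_PASSWORD: b"hunter2", TAG_CA_CERT: SAMPLE_CA}
TLS_FIELDS = {TAG_SSID: b"corp", TAG_EAP_TYPE: bytes([EAP_TLS]), TAG_CA_CERT: SAMPLE_CA,
              TAG_CLIENT_CERT: SAMPLE_CLIENT_CERT, TAG_CLIENT_KEY: SAMPLE_KEY}

if __name__ == "__main__":
    print(onboard(PEAP_FIELDS, att_mtu=23)[0])    # long write in 18-byte fragments
    print(onboard(PEAP_FIELDS, att_mtu=247)[0])   # fits a single Write Request
```

Two points worth noting when turning this into firmware. First, the long-write path is the one a real certificate will hit: a PEM chain is several kilobytes, so the device must size the prepare-write queue for the full bundle (the `MAX_BUNDLE` assumption here) or the write fails with an ATT length error. Second, the model assumes the link was paired with LE Secure Connections and is encrypted before the characteristic is written; the password and client private key cross the BLE link as plain ATT payload, so a device that allows unpaired writes to this characteristic leaks them to any nearby central.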