2 Replies Latest reply on Apr 12, 2019 5:20 AM by GauravS_31

    Could WPA2 enterprise on boarding be done through BLE?


      What specific examples and lessons learned are available for setting up secure WiFi enterprise connections using BLE?


      Are there issues trying to pass certificate via BLE applications?



        • 1. Re: Could WPA2 enterprise on boarding be done through BLE?

          In theory, this could be implemented manually within custom SW as the certificates themselves appear to the BLE connection as nothing more than bits within the secure connection that would need to be established.


          We have never tried this ourselves, so there are no examples or past experiences that we can draw from which can be leveraged in your custom implementation.


          I am adding GauravS_31 to see if he knows of other forms of on-boarding we can recommend where a certificate server can not be used, such as within a consumer application.


          sakhc_4019046 TiCu_2020706

          • 2. Re: Could WPA2 enterprise on boarding be done through BLE?

            We can consider extending the concept used in BLE WiFi introducer demo to WPA2 enterprise. In that demo, basically the network credentials are sent over BLE as characteristic write to the WICED device working as GATT server. Similarly, for enterprise, the network credientials such as certificate, user name, password can be sent as characteristic write over BLE to the WICED device. You will need to know the byte size of certificate to determine whether it is a long characteristic or not based on the GATT MTU size limitation. These credentials will be required in the join_ent implementation shown in command_console_wifi.c. For instance, the rootCA certificate is required by conn_info.trusted_ca_certificates. Likewise, the EAP type, auth type is required and depending on the EAP type, specific credentials (such as client certificate and private key for EAP-TLS) are required. At minimum, a rootCA certificate would be mandatory because our supplicant implementation requires the same and it expects a server certificate from the RADIUS server. Please note that this is our understanding and we have not implemented this concept.

            1 of 1 people found this helpful