Page tree
Skip to end of metadata
Go to start of metadata

ON THIS PAGE


This object provides various methods for configuring the network interfaces on a BrightSign player.

Object Creation: The roNetworkConfiguration object is created with a single parameter.

CreateObject("roNetworkConfiguration", network_interface as Dynamic)

The network_interface parameter can be any of the following: 

  • 0 or "eth0": The Ethernet port on the BrightSign player
  • 1 or "wlan0": The internal WiFi
  • 2 or "ppp0": A connected modem

If the network_interface is specified as an integer, the interface must currently exist on the player; otherwise, the object-creation function will return Invalid. Conversely, specifying the network_interface as a string allows you to create a roNetworkConfiguration instance for an interface that is not currently present on the player.

The network interface can be configured as a VLAN using the following string format: "[parent_interface].[vlan_id]". Once the VLAN interface(s) are configured, they must be enabled on the parent network interface (e.g. "eth0") using the SetVlanIds() method. VLAN interfaces use DHCP by default. They are supported on Series 4 (XTx44, XDx34) and Series 3 (XTx43, XDx33, HDx23, LS423, HO523) players only.

Example
 n6 = CreateObject("roNetworkConfiguration", "eth0.6")

 

Some of the settings below are specific to the network interface, while others are used by the BrightSign host for all network interfaces.

ifNetworkConfiguration

Apply() As Boolean

Applies the requested changes to the network interface. This method returns false if the changes could not be applied to the network interface, though changes made using "Set" and "Reset" methods will be preserved through future reboots even if Apply() fails. Configuration may take several seconds to complete.

Note

"Set" and "Reset" methods do not take effect until Apply() is called.

SetupDWS(settings As roAssociativeArray) As Boolean

Configures the Diagnostic Web Server (DWS). This method returns true if a restart is required for the changes to take effect. It will return false if a restart is not required or if the method failed–the GetFailureReason() method returns a non-empty string in event of failure.

By default, the Diagnostic Web Server is enabled on port 80, with the player serial number as password. Settings for the DWS are specified in an associative array. These properties are written to the registry and persist after reboot:

  • port: The port number of the Diagnostic Web Server, located at the IP address of the player. Setting this value to 0 will disable the DWS, while setting it to "default" will make the DWS accessible on the default port (80). Specifying only this parameter in the associative array is equivalent to enabling the DWS without password protection.
  • password: An obfuscated password for the DWS. This method uses digest access authentication. Specifying this parameter without setting a port number will make the DWS accessible on the default port.
  • open: An unobfuscated password for the DWS. This method uses digest access authentication. Specifying this parameter without setting a port number will make the DWS accessible on the default port.
  • basic: A flag indicating whether basic authentication should be used or not. Setting this parameter to true allows the password set with the open parameter to be validated using basic authentication, rather than digest access authentication. This option allows for backwards compatibility with older platforms; most, if not all, modern browsers require basic authentication to be disabled in order to communicate with the DWS.

The user name is "admin" for all authentication configurations.

EnableLEDs(enable As Boolean) As Boolean

Enables or disables the Ethernet activity LED (i.e. flashing during link and activity behavior). The Ethernet LED is enabled by default. Changes to this setting do not persist across reboots. This method returns true upon success and false upon failure. Note that this method is not available on HDx10, HDx20, and LSx22 models.

SetClientIdentifier(a As String) As Boolean

Sets the DHCP client identifier. 

GetClientIdentifier() As String

Returns the DHCP client identifier.

SetLoginPassword(password As String) As Boolean

Specifies a login password for the SSH connection (if SSH has been enabled in the registry). This method accepts a plain-text password.

SetObfuscatedLoginPassword(password As String) As Boolean

Specifies a login password for the SSH connection (if SSH has been enabled in the registry). This method accepts a password that has been obfuscated using a shared secret.

Note

Contact support@brightsign.biz to learn more about generating a key for obfuscation and storing it on the player.

SetInboundShaperRate(rate As Integer) As Boolean

Sets the bandwidth limit for inbound traffic in bits per second. For the default bandwidth limit, pass -1 to the method; for no bandwidth limit, pass 0 (though these two settings are functionally the same). You will need to call Apply() for this setting to take effect, and changing this setting at any time will cause the network interface to be taken down and reinitialized.

Note

Because of overhead on the shaping algorithm, attempting to limit the bandwidth at rates greater than approximately 2Mbit/s will reduce speeds to less than the specified rate.

SetMTU(mtu As Integer) As Boolean

Sets the maximum transmission unit (MTU) for the network interface in bytes. Currently, the MTU setting is not returned when the GetCurrentConfig() method is called.

SetRoutingMetric(a As Integer) As Boolean 

Configures the metric for the default gateway on the current network interface. Routes with lower metrics are preferred over routes with higher metrics. This function returns true upon success.

SetDHCP() As Boolean (interface)

Enables DHCP and disables all other settings. This function returns true if successful.

SetIP4Address(ip As String) As Boolean (interface)
 
SetIP4Netmask(netmask As String) As Boolean (interface)
 
SetIP4Broadcast(broadcast As String) As Boolean (interface)
 
SetIP4Gateway(gateway As String) As Boolean (interface)

Sets the IPv4 interface configuration. All values must be specified explicitly. Unlike the ifconfig shell command, there is no automatic inference. The parameter is a string dotted decimal quad (i.e. "192.168.1.2" or similar). It returns true upon success.

Example
nc = CreateObject("roNetworkConfiguration",0) 
nc.SetIP4Address("192.168.1.42")
nc.SetIP4Netmask("255.255.255.0")
nc.SetIP4Broadcast("192.168.1.255")
nc.SetIP4Gateway("192.168.1.1")
SetVlanIds(vlan_ids As roArray) As Boolean

Enables the specified VLAN IDs (and only those IDs) on the network interface (the VLAN interfaces must be configured first). This method accepts an array of integers. 

Example
' Configure the VLANs first. Use defaults for VLAN6.
n6=CreateObject("roNetworkConfiguration", "eth0.6")
print n6.ResetInterfaceSettings()
print n6.Apply()

' Use defaults for VLAN11.
n11=CreateObject("roNetworkConfiguration", "eth0.11")
print n11.ResetInterfaceSettings()
print n11.Apply()

' Use static IP for VLAN15.
n15=CreateObject("roNetworkConfiguration", "eth0.15")
print n15.SetIP4Address("192.168.15.100")
print n15.SetIP4Netmask("255.255.255.0")
print n15.Apply()

' Now enable VLANs 6, 11 and 15 on eth0.
n0=CreateObject("roNetworkConfiguration", "eth0")
print n0.SetVlanIds([6, 11, 15])
print n0.Apply()

Note

VLAN configuration is persistent, even when VLAN is not enabled. If you use the SetVlanIds() method to remove and then add VLAN IDs, they will return with the previous configuration by default. You can use the ResetInterfaceSettings() method to remove any previous configuration.

SetWiFiESSID(essid as String) As Boolean

Configures the WiFi ESSID of the wireless network that the player will connect to. This method returns true on success.

GetWiFiESSID() As String

Retrieves the configured WiFi ESSID, even if the player is not currently connected to that wireless network. Use the GetCurrentConfig().wifi_essid value to retrieve the ESSID of the wireless network that the player is currently connected to.

SetWiFiPassphrase(passphrase as String) As Boolean

Configures the passphrase or key for the wireless network. This method accepts a plain-text passphrase. It returns true if the passphrase is successfully set.

SetWiFiPassphraseAndObfuscate(a As String) As String

Configures the passphrase or key for the wireless network. This method accepts a plain-text passphrase and returns the obfuscated result. If the passphrase is not set, an empty string is returned instead.

SetObfuscatedWiFiPassphrase(password As String) As Boolean

Configures the passphrase or key for the wireless network. This method accepts a passphrase that has been obfuscated using a shared secret. It returns true if the password is successfully set.

Note

Contact support@brightsign.biz to learn more about generating a key for obfuscation and storing it on the player.

SetWiFiAccessPointMode(enable as Boolean) As Boolean

Enables or disables WiFi access-point mode: Passing true to this method instructs the player to act as a wireless access point, which uses the ESSID and passphrase set with the SetWiFiESSID() and SetWiFiPassphrase() (or SetObfuscatedWiFiPassphrase()) methods. If a passphrase has been set, the wireless access point will use WPA2 authentication–otherwise, it will use no authentication. This method returns true on success and false on failure; use the GetFailureReason() method to return more information in case of failure.

WiFi access-point mode should be used for configuration only. It offers a minimal DHCP server, but does not provide DNS servers or routing to the Ethernet. We recommend assigning a static IP address to the wireless interface, though this is not enforced by the firmware.

Note

WiFi access-point mode is not available on Series 2 (4Kx42, XDx32, HDx22) or earlier models.

SetAccessPointFrequencyMHz(frequency As Integer) As Boolean

Sets the frequency of the wireless access point (in MHz). This method returns true on success and false on failure; use the GetFailureReason() method to return more information in case of failure.

Note

The following SetWifi* methods are used to configure WPA Enterprise with EAP-TLS. 

SetWiFiIdentity(identity As String) As Boolean

Sets the RADIUS identity. In EAP-TLS mode, the identity will be taken from the client certificate if this method is not called ("subjectAltName" will be used if present; otherwise, the "commonName" is used). In EAP-PEAP/MSCHAP mode, this method must be called to set the identity.

SetWiFiEapTlsOptions(options As String) As Boolean

Sets EAP-specific options. Currently, this method can be used to enable or disable MD5 support ("md5=enable" or "md5=disable") and to set an anonymous identity for EAP-PEAP/MSCHAP configurations ("anonymous_identity=anon@brightsign.biz"). Multiple parameters can be set with a space-separated list. To clear previous settings, pass an empty string to this method.

SetWiFiCACertificates(certificates As Dynamic) As Boolean

Sets the CA certificate file for EAP-TLS (certificates can also be sent from an EAP peer). The certificate data can be specified as an roByteArray of Base64 data (for .cer.pfx, or .p12 file formats) or an roString (for the .pem file format ). The supported binary formats are ASN.1 DER (for seperate certificates and keys) and PKCS#12 (for a single file that may contain both certificates and keys). The supported text format is PEM. 

SetWiFiClientCertificate(certificate As Dynamic) As Boolean

Sets the client certificate for EAP-TLS. The certificate data can be specified as an roByteArray of Base64 data or an roString.

SetWiFiPrivateKey(key As Dynamic) As Boolean

Sets the private key for authentication. The certificate data can be specified as an roByteArray of Base64 data or an roString. If the private key is password protected, use the SetWiFiPassphrase() method to set the password.

Note

 If the client certificate and associated private key are in the same PKCS#12 file, the file contents should be specified using the SetWiFiPrivateKey() method and the SetWiFiClientCertificate() value should be left empty.

SetWiFiSecurityMode(mode As String) As Boolean

Sets the WiFi encryption method. By default, both WPA (TKIP) and WPA2 (CCMP) encryption are permitted. This method accepts a space-separated, case-insensitive list that can include either "tkip" or "ccmp" values. Passing an empty string sets the default mode. If both CCMP and TKIP are allowed, CCMP always has priority.

ConfigureDHCPServer(config As roAssociativeArray) As Boolean

Configures a DHCP server on the Ethernet port or wireless access point. This method accepts an associative array with the following parameters:

  • [string] ip4_start:(Required) The beginning of the range of offered IP addresses
  • [string] ip4_end:(Required) The end of the range of offered IP addresses
  • [roArray] name_servers: An array of strings containing the IPv4 addresses of name servers (IPv6 addresses are not currently supported)
  • [string] domain: The domain suffix to be used by clients
  • [string] ip4_gateway: The IPv4 address of the gateway to be used by clients

To disable the DHCP server, pass an empty associative array ({}) to this method. This method returns true on success and false on failure; use the GetFailureReason() method to return information in case of failure.

Tip

DHCP lease information can be viewed by accessing either of the following IP addresses using a web browser on the local network: http://<brightsign-ip>/dhcp-server.html or http://<brightsign-ip>/dhcp-server.txt

SetForwardingPolicy(parameters As roAssociativeArray) As Boolean

Configures the host-wide forwarding policy (this method applies to all network interfaces, no matter which roNetworkConfiguration instance it is called on). This method accepts an associative array with the following parameters:

  • [Boolean] forwarding_enabled: A flag that enables or disables IP forwarding. This value is false by default.
  • [Boolean] nat_enabled: A flag that enables or disables address translation with IP forwarding. If this parameter is false (the default value), and forwarding_enabled is true, IP datagrams are forwarded between all interfaces and no address translation is done. If this parameter is true, and forwarding_enabled is true, IP datagrams are forwarded between all interfaces, but SNAT is applied to any datagrams that are sent out of the "upstream" interface. In this case, an "upstream" interface is defined as any interface on which the default route is set. Note that there can be multiple interfaces that meet this criteria. Datagrams that are destined for an interface that has no default route are forwarded without NAT.
SetDomain(domain As String) As Boolean (host)

Sets the device domain name. This will be appended to names to fully qualify them, though it is not necessary to call this. This method returns true on success.

Example
nc.SetDomain("brightsign.biz")
SetDNSServers(servers As roArray) As Boolean (host)

Sets the list of DNS servers if there were no DNS servers when the object was created. This method accepts an array of strings, each containing the dotted-quad IP address of a DNS server, and it returns true on success. There is currently a maximum of three servers; the method will return false if you attempt to add more than three servers.

Tip

To clear the list of DNS servers, call SetDNSServers([]).

AddDNSServer(server As String) As Boolean (host)

Adds another DNS server to the list if there were no DNS servers when the object was created. This method accepts the dotted-quad IP address of a DNS server as a string, and it returns true on success. There is currently a maximum of three servers; the method will return false if you attempt to add more than three servers. 

SetTimeServer(time_server As String) As Boolean (host)

Sets the default time server, which is "time.brightsignnetwork.com". You can disable the use of NTP by calling SetTimeServer(""). You can use URL syntax to specify that the player use an HTTP or HTTPS server to synchronize the clock. The following are valid time server addresses:

  • http://time.brightsignnetwork.com/
  • https://time.brightsignnetwork.com/
  • ntp://time.brightsignnetwork.com/
  • time.brightsignnetwork.com

Note

The last two addresses are equivalent.
GetTimeServer() As String

Retrieves the (host) time server currently in use.

SetTimeServerIntervalSeconds(interval_in_seconds As Integer) As Boolean

Specifies how often the player should communicate with the time server and adjust its clock. The default interval is 12 hours; passing a value of 0 specifies the default interval. The minimum interval allowed is 120 seconds.

GetTimeServerIntervalSeconds() As Integer

Returns the current interval for time-server renewal (in seconds).

SetHostName(name as String) As Boolean (host)

Sets the device host name. If no host name has been explicitly set, then a host name is automatically generated based on the device serial number. Passing an empty string to this method resets the device host name to its automatically generated value.

GetHostName() As String (host)

Retrieves the host name currently in use.

SetProxy(proxy as String) As Boolean (host)

Sets the name or address of the proxy server used for HTTP and FTP requests. The proxy string should be formatted as "http://user:password@hostname:port". The hostname can contain up to four "*" characters; each "*" character can be used to replace one octet from the current IP address. For example, if the IP address is currently 192.168.1.2, and the proxy is set to "proxy-*-*", then the player will attempt to use a proxy named "proxy-192.168".

GetProxy() As String (host)

Returns the name or address of the proxy server.

SetProxyBypass(hostnames As Array) As Boolean

Exempts the specified hosts from the proxy setting. The passed array should consist of one or more hostnames. The player will attempt to reach the specified hosts directly rather than using the proxy that has been specified with the SetProxy() method. For example, the hostname "example.com" would exempt "example.com", "example.com:80", and "www.example.com" from the proxy setting.

GetProxyBypass() As roArray

Returns an array of hostnames that have been exempted from the proxy setting using the SetProxyBypass() method.

GetRecoveryUrl() As String

Returns the current recovery URL, which is stored in the "ru" entry of the "networking" registry section. If the recovery URL is set via DHCP Option 43, it will take precedence over the "ru" registry entry.

ResetInterfaceSettings() As Boolean

Clears all interface-specific settings (e.g. IP address, default gateway). This method is ideal for resetting an interface to a known, empty state before configuring specific settings.

ResetHostSettings() As Boolean

Clears all host settings (i.e. settings that don't take the interface number into account and that don't affect the specified network interface; e.g. the time server). 

GetFailureReason() As String

Returns additional information when a member function returns false.

GetCurrentConfig() As Object

Retrieves the entire current configuration as an associative array containing the following members:

ValueTypeHost/InterfaceDescription

metric

Integer

Interface

Returns the current routing metric for the interface. See the SetRoutingMetric() entry for more details.

dhcp

Boolean

Interface

Returns true if the system is currently configured to use DHCP. Returns false otherwise.

hostname

String

Host

The currently configured host name

mdns_hostname

String

Host

The Zeroconf host name currently in use. This may be longer than the host name if there is a collision on the current network.

ethernet_mac

String

Interface

The Ethernet MAC address

ip4_address

String

Interface

The current IPv4 address. If none is currently set, the string will be empty.

ip4_netmask

String

Interface

The current IPv4 network mask. If none is currently set, the string will be empty.

ip4_broadcast

String

Interface

The current IPv4 broadcast address. If none is currently set, the string will be empty.

ip4_gateway

String

Interface

The current IPv4 gateway address. If none is currently set, the string will be empty.

domain

String

Host

The current domain suffix

dns_servers

roArray of Strings

Host

The currently active DNS servers

time_server

String

Host

The current time server

configured_proxy

String

Host

The currently configured proxy. This may contain magic characters as explained under SetProxy() above.

current_proxy

String

Host

The currently active proxy. Any magic characters will have been replaced as explained under SetProxy() above.

shape_inbound

Integer

Interface

The current bandwidth shaping for inbound traffic determined by the SetInboundShaperRate() method.

type

String

Interface

Either "wired" or "wifi"

link

Boolean

Interface

Indicates whether the network interface is currently connected.

wifi_essid

String

Interface

The name of the current Wi-Fi network (if any)

wifi_signal

Integer

Interface

An indication of the received signal strength. The absolute value of this field is usually not meaningful, but it can be compared with the reported value on other networks or in different locations.

TestInterface() As Object

Performs various tests on the network interface to determine whether it appears to be working correctly. It reports the results via an associative array containing the following members:

ValueTypeDescription

ok

Boolean

This value is true if the tests find no problems, or false if at least one problem was identified.

diagnosis

String

A single-line diagnosis of the first problem identified in the network interface.

log

roArray of strings

A complete log of all the tests performed and their results.

TestInternetConnectivity() As Object

Performs various tests on the Internet connection (via any available network interface, not necessarily the one specified when the roNetworkConfiguration object was created) to determine whether it appears to be working correctly. It reports the results via an associative array containing the following members:

ValueTypeDescription

ok

Boolean

This value is true if the tests find no problems, or false if at least one problem was identified.

diagnosis

String

A single line diagnosis of the first problem identified with the Internet connection.

log

roArray of strings

A complete log of all the tests performed and their results.

GetNeighborInformation() As roAssociativeArray

Retrieves location information from the network infrastructure using the LLDP-MED protocol. The information is returned as an associative array of strings corresponding to civic-address types, which are defined as follows according to the LLDP-MED specification: 

CAtype

Label

Description

1

A1

national subdivisions (state, region, province, prefecture)

2

A2

county, parish, gun(JP), district(IN)

3

A3

city, township, shi(JP)

4

A4

city division, borough, city district, ward, chou(JP)

5

A5

neighborhood, block

6

A6

street

CAtype

NENA

PIDF

Description

Examples

0

 

 

language

i-default [3]

16

PRD

PRD

leading street direction

N

17

POD

POD

trailing street suffix

SW

18

STS

STS

street suffix

Ave, Platz

19

HNO

HNO

house number

123

20

HNS

HNS

house number suffix

A, 1/2

21

LMK

LMK

landmark or vanity address

Columbia University

22

LOC

LOC

additional location information

South Wing

23

NAM

NAM

name (residence and office occupant)

Joe's Barbershop

24

ZIP

PC

postal/ZIP code

10027-1234

25

 

 

building (structure)

Low Library

26

 

 

unit (apartment, suite)

Apt 42

27

 

FLR

floor

4

28

 

 

room number

450F

29

 

 

placetype

office

30

PCN

 

postal community name

Leonia

31

 

 

post office box (P.O Box)

12345

32

 

 

additional code

13203000003

128

 

 

script

Latn

255

 

 

reserved

 

ifWiFiConfiguration

ScanWiFi() As roArray

Scans for available wireless networks. The results are reported as an roArray containing one or more associative arrays with the following members:

ValueTypeDescription

essid

String

Network name

bssid

String

Access point BSSID

signal

Integer

Received signal strength indication. The absolute value of this field is not usually relevant, but it can be compared with the reported value on other networks or in different locations.

Network Authentication

BrightSign players support most commonly used wireless encryption formats: WEP (64 & 128), WPA (TKIP), and WPA2 (AES).

WPA Enterprise is supported using EAP-TLS (with DER, PEM, or PKCS#12 certificates) and PEAPv0/MSCHAPv2 (with a username and passphrase). Wired authentication via 802.1x is also supported. The configuration instructions below apply to both WiFi and wired authentication via 802.1x; the only difference is the wired/wireless parameter (0/1) passed during roNetworkConfiguration initialization.

EAP-TLS

EAP-TLS authentication requires a client certificate and private key. There are two ways to accomplish this:

  • Packaging the client certificate and private key in a single file in PKCS#12 format (using PEM or DER encoding), usually with a .p12 file extension. To do this, set the PKCS#12 file using the SetWiFiPrivateKey() method and pass a blank string to the SetWiFiClientCertificate() method.
  • Packaging the client certificate as a X.509 certificate (using PEM or DER encoding) and optionally securing the key with a passphrase (instead of the usual WiFi passphrase). To do this, set the client certificate using the SetWiFiClientCertificate() method and the key using the SetWiFiPrivateKey() method. If the key is protected with a passphrase, you should then call SetWiFiPassphrase().

Certificate keys may contain binary data if not PEM formatted. In this case, they must be provided as an roByteArray object. Text formats may be passed using a string or roByteArray.

Example: Setting EAP-TLS with a .p12 file
nc = CreateObject("roNetworkConfiguration",1)
 
p12 = CreateObject("roByteArray")
p12.ReadFile("client.p12")

nc.SetWiFiClientCertificate("")
nc.SetWiFiPrivateKey(p12)
nc.SetWiFiPassphrase("passwordgoeshere") 

During authentication, the Radius server is passed an identity. By default, the identity will be taken from the client certificate. If the certificate has a "subjectAltName", it will be used; otherwise, the "CommonName" is used. If neither of these are correct, the identity may be overridden. This default behavior can be overridden by calling SetWiFiIdentity(), or it can be specified by passing a blank string to SetWiFiIdentity().

PEAP/MSCHAP

This mode requires an identity (username) and passphrase, rather than a client certificate. There may also be a second, "outer", identity–see the Special Cases section below for configuration details.

nc = CreateObject("roNetworkConfiguration",1)
nc.SetWiFiIdentity("user@brightsign-example.com")
nc.SetWifiPassphrase("passwordgoeshere")

Common Variants

Additional Certificates

Additional CA certificates are often required (and using a custom CA for authentication is potentially more secure). Also, some CA hierarchies require intermediate certificates, which are sometimes supplied via EAP. If the server does not supply them, they may be added to the CA file using the SetWiFiCACertififcates() method. This method supports PEM and DER certificates.

nc = CreateObject("roNetworkConfiguration",1)
ca = CreateObject("roByteArray")
ca.ReadFile("ca.pem")
nc.SetWiFiCACertificates(ca)

Obfuscated WiFi Passphrase

If an obfuscated WiFi passphrase is required, you can substitute the SetObfuscatedWiFiPassphrase() method for the SetWiFiPassphrase() method. Contact support@brightsign.biz to learn more about generating a key for obfuscation and storing it on the player.

TKIP/CCMP Encryption

By default, both WPA (TKIP) and WPA2 (CCMP) encryption is permitted. You can alter this behavior using the SetSecurityMode() method, which accepts a space-separated, case-insensitive list of allowed modes ("ccmp" and "tkip"). If both CCMP and TKIP are allowed, CCMP always has priority.

nc = CreateObject("roNetworkConfiguration",1)
nc.SetWiFiSecurityMode("") 'Sets the default mode
nc.SetWiFiSecurityMode("ccmp tkip") 'Explicitly allows both modes (same as the default mode)
nc.SetWiFiSecurityMode("ccmp") 'Requires the use of CCMP

Special Cases

MD5 Support

MD5 support is enabled by default for backwards-compatibility reasons. This behavior can be modified by passing the "md5=enable" or "md5=disable" string to the SetWiFiEapTlsOptions() method.

nc = CreateObject("roNetworkConfiguration",1)
nc.SetWiFiEapTlsOptions("md5=disable")

Anonymous Identity

Some EAP-PEAP/MSCHAP configurations require an anonymous identity. By default, the BrightSign player uses the same inner and outer identity. An anonymous identity can be configured with the SetWiFiEaptTlsOptions() method:

nc = CreateObject("roNetworkConfiguration",1)
nc.SetWiFiEapTlsOptions("anonymous_identity=anon@brightsign.biz")

Tip

If neither MD5 or identity options are being used, the setting should be cleard by passing a blank string to the SetWiFiEaptTlsOptions() method.

Validity Dates

Validity dates are required for both EAP-TLS and PEAP/MSCHAP. The current time is required to check the certificate. If the player clock has not been set, it will typically set its time using the network, but this requires EAP authentication first. To avoid this problem, there are two special exceptions:

  • EAP-TLS: When the clock is not set, the time is set to ten seconds after the client certificate becomes valid, which is usually sufficient to authenticate (though this may not be sufficient for servers with newer certificates than the client). 
  • PEAP/MSCHAP: There is no client certificate, and the server certificate time is not checked when the date is not set.

The clock can also be set via the Diagnostic Web Server, which prevents either of the above exceptions from being used. Typically, the clock is also set from the network once it is available, so these exceptions are only used on first boot or when the clock battery has been completely emptied.

Examples

The following script disables WPA Enterprise configuration (which is otherwise persistent):

nc = CreateObject("roNetworkConfiguration", 1)
nc.SetWiFiSecurityMode("")
nc.SetWiFiESSID("")
nc.SetWiFiIdentity("")
nc.SetWiFiCaCertificates("")
nc.SetWiFiClientCertificate("")
nc.SetWiFiPrivateKey("")
nc.SetWiFiPassphrase("")
nc.SetWiFiEapTlsOptions("")
ok = nc.Apply()

 

The following script configures the WiFi for EAP-TLS using a PKCS#12 (.p12) file, without additional CA certificates:

essid = "brightwifi"
pkcs12file = "client.p12"
pkcspass = "passwordgoeshere"

nc = CreateObject("roNetworkConfiguration", 1)
nc.SetWiFiESSID(essid)

p12 = CreateObject("roByteArray")
ok = p12.ReadFile(pkcs12file)

if ok then
    nc.SetWiFiClientCertificate("")
    nc.SetWiFiPrivateKey(p12)
    nc.SetWiFiPassphrase(pkcspass)

    nc.SetWiFiCaCertificates("")
    nc.SetWiFiSecurityMode("")
    nc.SetWiFiIdentity("")
    nc.SetWiFiEapTlsOptions("")

    ok = nc.Apply()
end if

 

The following script configures the WiFi for EAP-TLS with additional certificates:

essid = "brightwifi"
cafile = "cacert.pem"
pkcs12file = "client.p12"
pkcspass = "passwordgoeshere"

nc = CreateObject("roNetworkConfiguration", 1)
nc.SetWiFiESSID(essid)

p12 = CreateObject("roByteArray")
ok = p12.ReadFile(pkcs12file)

ca = CreateObject("roByteArray")
ok = ca.ReadFile(cafile) and ok

if ok then
    nc.SetWiFiClientCertificate("")
    nc.SetWiFiPrivateKey(p12)
    nc.SetWiFiPassphrase(pkcspass)

    nc.SetWiFiCaCertificates("")
    nc.SetWiFiSecurityMode("")
    nc.SetWiFiIdentity("")
    nc.SetWiFiEapTlsOptions("")

    ok = nc.Apply()
end if

 

The following script configures the WiFi for PEAP/MSCHAP with additional CA files:

essid = "brightwifi"
cafile = "ca.pem"
user = "someuser@brightsign.biz"
pass = "whatever"
ca = CreateObject("roByteArray")
ok = ca.ReadFile(cafile)

if ok then
    nc = CreateObject("roNetworkConfiguration", 1)
    nc.SetWiFiESSID(essid)
    nc.SetWiFiIdentity(user)
    nc.SetWiFiPassphrase(pass)
    nc.SetWiFiCaCertificates(ca)
    nc.SetWiFiClientCertificate("")
    nc.SetWiFiPrivateKey("")
    'Use this if an anonymous outer identity is required
    'nc.SetWiFiEapTlsOptions("anonymous_identity=anon@brightsign.biz")
    nc.SetWiFiEapTlsOptions("")

    ok = nc.Apply()
    if not ok then
        fail = "Unable to set configuration: " + nc.GetFailureReason()
    end if
else
    fail = "Unable to read file " + cafile
end if

' if not ok, do something with the failure message

 

The following script performs various VLAN configurations on the Ethernet interface:

' Configure the VLANs first. Use defaults for VLAN6
n6=CreateObject("roNetworkConfiguration", "eth0.6")
print n6.ResetInterfaceSettings()
print n6.Apply()

' Use defaults for VLAN11
n11=CreateObject("roNetworkConfiguration", "eth0.11")
print n11.ResetInterfaceSettings()
print n11.Apply()

' Use static IP for VLAN15
n15=CreateObject("roNetworkConfiguration", "eth0.15")
print n15.SetIP4Address("192.168.15.100")
print n15.SetIP4Netmask("255.255.255.0")
print n15.Apply()

' Now enable VLANs 6, 11 and 15 on eth0.
n0=CreateObject("roNetworkConfiguration", "eth0")
print n0.SetVlanIds([6, 11, 15])
print n0.Apply()
  • No labels