Wi-Fi Certificate Support

When connecting Vivi devices running firmware version 3.8.0 or higher to a WPA2 Enterprise network, administrators have the option to upload a Certificate Authority (CA) certificate. The Vivi device uses this certificate to validate the server certificate presented by the Wi-Fi network, providing an additional layer of security. If no CA certificate is uploaded, the device will not perform this validation. However, an incorrect or expired CA certificate will prevent the Vivi device from joining the network.

Limitations

If an incorrect or expired CA certificate is uploaded, the Vivi will fail to join the network.

The Wi-Fi Easy Installer does not support certificate authentication or WPA3 Personal.

Certificate Types

CA Certificate: Accepted in either PEM or DER format. On Windows systems, these are typically .cer files, which can be either PEM or DER certificates. On Unix systems, these files may have extensions such as .der, .pem, or no extension at all.

User Certificate: Accepted in PKCS12 format. On Windows, these are .pfx files. On Unix systems, these are usually .p12 files or may have no extension.
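
A pre-upload check for the CA certificate file, added here as an example (it is not Vivi code): it identifies whether the file is PEM or DER and reads the validity dates, so an expired certificate is caught before a device fails to join. The function names and `SAMPLE_DER` are assumptions made for this example, and the check cannot tell whether the file is the CA that issued your authentication server's certificate.

```python
import base64
import re
from datetime import datetime, timezone
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Constructed sample: a DER skeleton with only the fields read below, not a real certificate.
SAMPLE_DER = (bytes.fromhex("302e302ca00302010202010130003000301e170d")
              + b"200101000000Z" + bytes.fromhex("170d") + b"250101000000Z")

def to_der(data):  # -> (format, DER bytes)
    if m := PEM_RE.search(data):
        return "PEM", base64.b64decode(m.group(1))
    if data[:1] == b"\x30":  # a DER certificate starts with a SEQUENCE tag
        return "DER", data
    raise ValueError("neither a PEM nor a DER certificate")

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER data")
    return tag, pos, pos + length

def parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year; RFC 5280 pivots at 50
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):  # -> (notBefore, notAfter) from tbsCertificate.validity
    _, pos, _ = read_tlv(der, 0)         # Certificate
    tag, pos, _ = read_tlv(der, pos)     # tbsCertificate
    if tag != 0x30:                      # e.g. a PKCS12 file has an INTEGER here
        raise ValueError("not an X.509 certificate")
    tag, _, end = read_tlv(der, pos)
    pos = end if tag == 0xA0 else pos    # skip the optional [0] version
    for _ in range(3):                   # serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    _, pos, _ = read_tlv(der, pos)       # validity SEQUENCE
    t1, s1, e1 = read_tlv(der, pos)
    t2, s2, e2 = read_tlv(der, e1)
    return parse_time(t1, der[s1:e1]), parse_time(t2, der[s2:e2])

def check_ca_file(data, now):  # -> (format, state, notAfter)
    fmt, der = to_der(data)
    start, end = validity(der)
    state = "expired" if now > end else "not yet valid" if now < start else "valid"
    return fmt, state, end
```

On a real file, call `check_ca_file(open(path, "rb").read(), datetime.now(timezone.utc))`.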

Connecting to a Network with Certificate Authentication

Prerequisites

  • Firmware version 3.8.0 or higher.

  • Wi-Fi network utilizing PEAP-MSCHAPv2 or EAP-TLS for enterprise authentication.

Steps:

  • Connect to the Vivi Box’s local Web Console by clicking the box’s IP address under Devices in Vivi Central.


  • Upload your user certificate file (typically a .pfx or .p12 file).

  • Enter the certificate’s private key password (set when the user certificate file was created).

  • Enter the username of the account associated with the certificate.

  • Optionally, upload a CA certificate (typically a .cer, .pem, or .der file).

    • If uploaded, the Vivi device will use it for server certificate validation.

    • If not uploaded, server certificate validation will not be performed.

    • If an incorrect CA certificate is uploaded, the device will fail to connect.

Managing Certificates with Bulk Configuration

Requirements:

  • Please contact Support to enable the ‘Bulk Wi-Fi Configuration’ feature flag for your school.

Steps:

  • In Vivi Central, navigate to Devices → Configure Devices.

  • Toggle between “Device Information” and “Network Information” views using the middle-right buttons.

  • The “Network Information” view shows detailed network configuration information, including current certificates.

  • Select one or more devices and click “Edit Device Settings,” then choose “Configure Network Settings.”

Once in Network Settings, select Wi-Fi (it defaults to Ethernet) and then choose Enterprise to enter certificate details. Note that all devices need to be in range of the same network/SSID. The box used for scanning will be the first box selected in the group.

If all selected devices support certificate authentication, you will be able to upload certificates.

A success message will appear if the configuration is accepted, indicating that all devices have received their new settings. Devices will disconnect from the network and attempt to reconnect with their new configuration, potentially changing IP addresses. Manually refresh the ‘Configure Devices’ page and wait for all devices to come back online.

Recommendations for Bulk Configuration:

  • Test your configuration on a single device first to ensure it is correct.

  • Use the “Show” checkbox when entering passwords to visually confirm accuracy.

  • If possible, uncheck the “Manual SSID” checkbox and scan for Wi-Fi networks to avoid misconfigurations or typos.

Using Certificate Authentication with Fallback to Username/Password

  • Configure all devices to connect using username/password.

  • Confirm successful connection of all devices to the Wi-Fi network.

  • Configure all devices to connect using certificate authentication, ensuring the “Replace Fallback Configuration” option is checked.

  • Confirm successful connection of all devices using certificate authentication.

Ensuring Fallback Configuration Works:

  • Configure all devices to use configuration-B as the primary Wi-Fi configuration and confirm successful connections.

  • Configure all devices to use configuration-A as the primary Wi-Fi configuration, ensuring the “Replace Fallback Configuration” option is checked during this step.

  • Confirm successful connections for all devices.

After this setup, configuration-B will act as the fallback configuration, proving that it works as intended.