Versions Compared

Old Version 1

changes.mady.by.user BrightSign TechDocs

Saved on

compared with

New Version Current

changes.mady.by.user BrightSign TechDocs

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This object provides various methods for configuring the network interfaces on a BrightSign player. The JavaScript equivalent is networkconfiguration (see BrightScript-JavaScript Migration Guide for the method equivalents).

Object Creation: The roNetworkConfiguration object is created with a single parameter.

Code Block
CreateObject("roNetworkConfiguration", network_interface as Dynamic)

The network_interface parameter can be any of the following: 

Anchor
network_interface
network_interface

  • 0 or "eth0": The Ethernet port on the BrightSign player

  • 1 or "wlan0": The internal WiFi

  • 2 or "ppp0": A connected modem

  • "usb0", "usb1", etc: USB ethernet interfaces

If the network_interface is specified as an integer, the interface must currently exist on the player; otherwise, the object-creation function will return Invalid. Conversely, specifying the network_interface as a string allows you to create a roNetworkConfiguration instance for an interface that is not currently present on the player.

The network interface can be configured as a VLAN using the following string format: "[parent_interface].[vlan_id]" (e.g "eth0.42"). Once the VLAN interface(s) are configured, they must be enabled on the parent network interface (e.g. "eth0") using the SetVlanIds() method. VLAN interfaces use DHCP by default. They are supported on Series 4 (XTx44, XDx34, HDx24, LS424) and Series 3 (XTx43, XDx33, HDx23, LS423, HO523) players only.

Example:

Code Block
 n6 = CreateObject("roNetworkConfiguration", "eth0.6")

Some of the settings below are specific to the network interface, while others are used by the BrightSign host for all network interfaces.

ifNetworkConfiguration

Apply() As Boolean

Applies the requested changes to the network interface. This method returns false if the changes could not be applied to the network interface, though changes made using "Set" and "Reset" methods will be preserved through future reboots even if Apply() fails. Configuration may take several seconds to complete.

"Set" and "Reset" methods do not take effect until Apply() is called.

SetupDWS(settings As roAssociativeArray) As Boolean

Configures the Diagnostic Web Server (DWS). This method returns true if a restart is required for the changes to take effect. It will return false if a restart is not required or if the method failed–the GetFailureReason() method returns a non-empty string in event of failure.

By default, the Diagnostic Web Server is enabled on port 80, with the player serial number as password. Settings for the DWS are specified in an associative array. These properties are written to the registry and persist after reboot:

  • port: The port number of the Diagnostic Web Server, located at the IP address of the player. Setting this value to 0 will disable the DWS, while setting it to "default" will make the DWS accessible on the default port (80). 

  • password: An obfuscated password for the DWS. This method uses digest access authentication. Specifying this parameter without setting a port number will make the DWS accessible on the default port.

  • open: An unobfuscated password for the DWS. This method uses digest access authentication. Specifying this parameter without setting a port number will make the DWS accessible on the default port. Specifying this parameter in the associative array with an empty string is equivalent to enabling the DWS without password protection.

  • basic: A flag indicating whether basic authentication should be used or not. Setting this parameter to true allows the password set with the open parameter to be validated using basic authentication, rather than digest access authentication. This option allows for backwards compatibility with older platforms; most, if not all, modern browsers require basic authentication to be disabled in order to communicate with the DWS.

The user name is "admin" for all authentication configurations

  • most, if not all, modern browsers require basic authentication to be disabled in order to communicate with the DWS.

The user name is "admin" for all authentication configurations.

ReassociateWiFi(enable As Boolean) As Boolean

This method takes no parameters and attempts to disconnect from and reconnect to the currently-configured WiFi network. This should not normally be necessary, but could be useful when diagnosing network problems. Returns true on success or false on failure. When false is returned calling GetFailureReason() may provide more information as to why.

This method is present in BOS 8.4.20 and above, BOS 8.5.26 and above, and in all BOS 9.0 versions.

EnableLEDs(enable As Boolean) As Boolean

Enables or disables the Ethernet activity LED (i.e. flashing during link and activity behavior). The Ethernet LED is enabled by default. Changes to this setting do not persist across reboots. This method returns true upon success and false upon failure. Note that this method is not available on HDx10, HDx20, and LSx22 models.

SetClientIdentifier(a As String) As Boolean

Sets the DHCP client identifier. 

GetClientIdentifier() As String

Returns the DHCP client identifier.

SetLoginPassword(password As String) As Boolean

Specifies a login password for the SSH connection (if SSH has been enabled in the registry). This method accepts a plain-text password.

When a recent SSH client attempts to connect to the SSHD on a BrightSign player, the connection must specify the host key algorithms to try, otherwise the player will not find a compatible algorithm.

“ssh -o HostKeyAlgorithms=ssh-rsa,ssh-dss  brightsign@172.22.200.74” offers a list of possible host keys.

SetObfuscatedLoginPassword(password As String) As Boolean

Specifies a login password for the SSH connection (if SSH has been enabled in the registry). This method accepts a password that has been obfuscated using a shared secret.

Contact support@brightsign.biz to learn more about generating a key for obfuscation and storing it on the player.


FlushDNSCache()

Flushes the player's DNS cache. This method is available in BrightSign OS 8.3.32 and later releases. Note that certain objects (such as roUrlTransfer) may continue to use the old results for a short period of time after the OS 8.3.32 release.

To use this method:

Code Block
languagejs
nc = CreateObject("roNetworkConfiguration", 0)
if not nc.FlushDNSCache() then
  print "Flush DNS cache failed: "; nc.GetFailureReason()
end if
SetInboundShaperRate(rate As Integer) As Boolean

Sets the bandwidth limit for inbound traffic in bits per second. For the default bandwidth limit, pass -1 to the method; for no bandwidth limit, pass 0 (though these two settings are functionally the same). You will need to call Apply() for this setting to take effect, and changing this setting at any time will cause the network interface to be taken down and reinitialized.

SetMTU(mtu As Integer) As Boolean

Sets the maximum transmission unit (MTU) for the network interface in bytes. Currently, the MTU setting is not returned when the GetCurrentConfig() method is called.

SetRoutingMetric(a As Integer) As Boolean 
Anchor
SetRoutingMetric
SetRoutingMetric

Configures the metric for the default gateway on the current network interface. Routes with lower metrics are preferred over routes with higher metrics. This function returns true upon success.

SetDHCP() As Boolean (interface)

Enables DHCP and disables all other settings. This function returns true if successful.

SetEnabledProtocols(protocols as roArray) As Boolean

Enables or disables IPv4/IPv6 support on a network interface. By default, both protocol versions are supported, and the local-network configuration determines which version the interface uses. This method allows you to restrict support to one IP version.

The array passed to this method can have the following string values: "IPv4" or "IPv6". If the array contains both values, both protocols are supported; if it contains neither, the network interface will come up but not provide connectivity.

This method returns true on success and false on failure; use the GetFailureReason() method to return more information in case of failure.

Example
Code Block
 ' Disable IPv6 and leave IPv4 enabled
 n1=CreateObject("roNetworkConfiguration", 1)
 print n1.SetEnabledProtocols(["IPv4"])
 print n1.Apply()
GetEnabledProtocols() As roArray

Returns enabled IP versions on the interface. The array can contain the "IPv4" and "IPv6" string values.

SetIP4Address(ip As String) As Boolean (interface)
 
SetIP4Netmask(netmask As String) As Boolean (interface)
 
SetIP4Broadcast(broadcast As String) As Boolean (interface)
 
SetIP4Gateway(gateway As String) As Boolean (interface)

Sets the IPv4 interface configuration. All values must be specified explicitly. Unlike the ifconfig shell command, there is no automatic inference. The parameter is a string dotted decimal quad (i.e. "192.168.1.2" or similar). It returns true upon success.

Example
Code Block
nc = CreateObject("roNetworkConfiguration",0) 
nc.SetIP4Address("192.168.1.42")
nc.SetIP4Netmask("255.255.255.0")
nc.SetIP4Broadcast("192.168.1.255")
nc.SetIP4Gateway("192.168.1.1")
SetVlanIds(vlan_ids As roArray) As Boolean

Enables the specified VLAN IDs (and only those IDs) on the network interface (the VLAN interfaces must be configured first). This method accepts an array of integers. 

The physical interface (eth0 in the example) is disabled by default when VLANs are enabled. To use both the physical interface (that is, without VLAN tags) and VLANs, users should specify a VLAN ID of zero in the array when calling SetVlanIds.

Example
Code Block
' Configure the VLANs first. Use defaults for VLAN6.
n6=CreateObject("roNetworkConfiguration", "eth0.6")
print n6.ResetInterfaceSettings()
print n6.Apply()

' Use defaults for VLAN11.
n11=CreateObject("roNetworkConfiguration", "eth0.11")
print n11.ResetInterfaceSettings()
print n11.Apply()

' Use static IP for VLAN15.
n15=CreateObject("roNetworkConfiguration", "eth0.15")
print n15.SetIP4Address("192.168.15.100")
print n15.SetIP4Netmask("255.255.255.0")
print n15.Apply()

' Now enable VLANs 6, 11 and 15 on eth0.
n0=CreateObject("roNetworkConfiguration", "eth0")
print n0.SetVlanIds([6, 11, 15])
print n0.Apply()

VLAN configuration is persistent, even when VLAN is not enabled. If you use the SetVlanIds() method to remove and then add VLAN IDs, they will return with the previous configuration by default. You can use the ResetInterfaceSettings() method to remove any previous configuration.

SetWiFiESSID(essid as String) As Boolean

Configures the WiFi ESSID of the wireless network that the player will connect to. This method returns true on success.

GetWiFiESSID() As String

Retrieves the configured WiFi ESSID, even if the player is not currently connected to that wireless network. Use the GetCurrentConfig().wifi_essid value to retrieve the ESSID of the wireless network that the player is currently connected to.

SetWiFiPassphrase(passphrase as String) As Boolean

Configures the passphrase or key for the wireless network. This method accepts a plain-text passphrase. It returns true if the passphrase is successfully set.

SetWiFiPassphraseAndObfuscate(a As String) As String

Configures the passphrase or key for the wireless network. This method accepts a plain-text passphrase and returns the obfuscated result. If the passphrase is not set, an empty string is returned instead.

SetObfuscatedWiFiPassphrase(password As String) As Boolean

Configures the passphrase or key for the wireless network. This method accepts a passphrase that has been obfuscated using a shared secret. It returns true if the password is successfully set.

Contact support@brightsign.biz to learn more about generating a key for obfuscation and storing it on the player.

SetWiFiFrequencies(frequencies As String) As Boolean

Sets valid WiFi frequencies to specified range. Supports 2GHz, 5GHz, or list of frequencies written in MHz("2412 2417"). It returns true if the frequency is successfully set.

SetWiFiAccessPointMode(enable as Boolean) As Boolean

Enables or disables WiFi access-point mode: Passing true to this method instructs the player to act as a wireless access point, which uses the ESSID and passphrase set with the SetWiFiESSID() and SetWiFiPassphrase() (or SetObfuscatedWiFiPassphrase()) methods. If a passphrase has been set, the wireless access point will use WPA2 authentication–otherwise, it will use no authentication. This method returns true on success and false on failure; use the GetFailureReason() method to return more information in case of failure.

WiFi access-point mode should be used for configuration only. It offers a minimal DHCP server, but does not provide DNS servers or routing to the Ethernet. We recommend assigning a static IP address to the wireless interface, though this is not enforced by the firmware.

SetWiFiAccessPointHidden(BOOL hidden)

If hidden is true, the SSID is hidden, if false then it is visible. The default is non-hidden, which was the previous behavior.

WiFi access-point mode is not available on Series 2 (4Kx42, XDx32, HDx22) or earlier models.

SetWiFiAccessPointFrequencyMHz(frequency As Integer) As Boolean

Sets the frequency of the wireless access point (in MHz). This method returns true on success and false on failure; use the GetFailureReason() method to return more information in case of failure.

The following SetWifi* methods are used to configure WPA Enterprise with EAP-TLS. 

SetWiFiIdentity(identity As String) As Boolean

Sets the RADIUS identity. In EAP-TLS mode, the identity will be taken from the client certificate if this method is not called ("subjectAltName" will be used if present; otherwise, the "commonName" is used). In EAP-PEAP/MSCHAP mode, this method must be called to set the identity.

SetWiFiEapTlsOptions(options As String) As Boolean

Sets EAP-specific options. Currently, this method can be used to enable or disable MD5 support ("md5=enable" or "md5=disable") and to set an anonymous identity for EAP-PEAP/MSCHAP configurations ("anonymous_identity=anon@brightsign.biz"). Multiple parameters can be set with a space-separated list. To clear previous settings, pass an empty string to this method.

SetWiFiCACertificates(certificates As Dynamic) As Boolean

Sets the CA certificate file for EAP-TLS (certificates can also be sent from an EAP peer). The certificate data can be specified as an roByteArray of Base64 data (for .cer.pfx, or .p12 file formats) or an roString (for the .pem file format ). The supported binary formats are ASN.1 DER (for seperate certificates and keys) and PKCS#12 (for a single file that may contain both certificates and keys). The supported text format is PEM. 

SetWiFiClientCertificate(certificate As Dynamic) As Boolean

Sets the client certificate for EAP-TLS. The certificate data can be specified as an roByteArray of Base64 data or an roString.

SetWiFiPrivateKey(key As Dynamic) As Boolean

Sets the private key for authentication. The certificate data can be specified as an roByteArray of Base64 data or an roString. If the private key is password protected, use the SetWiFiPassphrase() method to set the password.

If the client certificate and associated private key are in the same PKCS#12 file, the file contents should be specified using the SetWiFiPrivateKey() method and the SetWiFiClientCertificate() value should be left empty.

SetWiFiSecurityMode(mode As String) As Boolean

Sets the WiFi encryption method. By default, both WPA (TKIP) and WPA2 (CCMP) encryption are permitted. This method accepts a space-separated, case-insensitive list that can include either "tkip" or "ccmp" values. Passing an empty string sets the default mode. If both CCMP and TKIP are allowed, CCMP always has priority.

ConfigureDHCPServer(config As roAssociativeArray) As Boolean

Configures a DHCP server on the Ethernet port or wireless access point. This method accepts an associative array with the following parameters:

  • [string] ip4_start:(Required) The beginning of the range of offered IP addresses

  • [string] ip4_end:(Required) The end of the range of offered IP addresses

  • [roArray] name_servers: An array of strings containing the IPv4 addresses of name servers (IPv6 addresses are not currently supported)

  • [string] domain: The domain suffix to be used by clients

  • [string] ip4_gateway: The IPv4 address of the gateway to be used by clients

To disable the DHCP server, pass an empty associative array ({}) to this method. This method returns true on success and false on failure; use the GetFailureReason() method to return information in case of failure.

Tip

Tip

DHCP lease information can be viewed by accessing either of the following IP addresses using a web browser on the local network: http://<brightsign-ip>/dhcp-server.html or http://<brightsign-ip>/dhcp-server.txt

SetForwardingPolicy(parameters As roAssociativeArray) As Boolean

Configures the host-wide forwarding policy (this method applies to all network interfaces, no matter which roNetworkConfiguration instance it is called on). The return value is true on success or false on failure. This method accepts an associative array with the following parameters: 

  • [Boolean] forwarding_enabled: (Required) A flag that enables or disables IP forwarding. Forwarding_enabled must be specified as either true or false. If forwarding_enabled is false, no IP forwarding takes place. This is the default and matches previous behavior.  

  • [Boolean] nat_enabled: (Required) A flag that enables or disables address translation with IP forwarding. If forwarding_enabled is truenat_enabled must be specified as true or false

    • If forwarding_enabled is true and nat_enabled is false, IP datagrams are forwarded between all interfaces and no address translation is done. 

    • If forwarding_enabled is true and nat_enabled is true, IP datagrams are forwarded between all interfaces but SNAT is applied to any datagrams which are sent out of an "upstream" interface. For this purpose, an "upstream" interface is any one on which a default route is set. Note that there can be more than one such interface. Datagrams which are destined for an interface that has no default route are forwarded without NAT. 

    Note that the forwarding policy is a host-wide setting and it makes no difference which interface was selected when the roNetworkConfiguration object was created. 

SetDomain(domain As String) As Boolean (host)

Sets the device domain name. This will be appended to names to fully qualify them, though it is not necessary to call this. This method returns true on success.

Example
Code Block
nc.SetDomain("brightsign.biz")
SetDNSServers(servers As roArray) As Boolean (host)

Sets the list of DNS servers if there were no DNS servers when the object was created. This method accepts an array of strings, each containing the dotted-quad IP address of a DNS server, and it returns true on success. There is currently a maximum of three servers; the method will return false if you attempt to add more than three servers.

Tip

Tip

To clear the list of DNS servers, call SetDNSServers([]).

AddDNSServer(server As String) As Boolean (host)

Adds another DNS server to the list if there were no DNS servers when the object was created. This method accepts the dotted-quad IP address of a DNS server as a string, and it returns true on success. There is currently a maximum of three servers; the method will return false if you attempt to add more than three servers. 

SetTimeServer(time_server As String) As Boolean (host)

Sets the default time server, which is "time.brightsignnetwork.com". You can disable the use of NTP by calling SetTimeServer(""). You can use URL syntax to specify that the player use an HTTP or HTTPS server to synchronize the clock. The following are valid time server addresses:

The last two addresses are equivalent.

Panel
borderColor#3D3D3D
bgColor#F4F4F4
titleColor#3D3D3D
borderWidth0
titleBGColor#3D3D3D
borderStylesolid

ON THIS PAGE

Table of Contents
indent20px
GetTimeServer() As String

Retrieves the (host) time server currently in use.

SetTimeServerIntervalSeconds(interval_in_seconds As Integer) As Boolean

Specifies how often the player should communicate with the time server and adjust its clock. The default interval is 12 hours; passing a value of 0 specifies the default interval. The minimum interval allowed is 120 seconds.

GetTimeServerIntervalSeconds() As Integer

Returns the current interval for time-server renewal (in seconds).

SetHostName(name as String) As Boolean (host)

Sets the device host name. If no host name has been explicitly set, then a host name is automatically generated based on the device serial number. Passing an empty string to this method resets the device host name to its automatically generated value.

GetHostName() As String (host)

Retrieves the host name currently in use.

SetProxy(proxy as String) As Boolean (host)

Sets the name or address of the proxy server used for HTTP and FTP requests. The proxy string should be formatted as "http://user:password@hostname:port". The hostname can contain up to four "*" characters; each "*" character can be used to replace one octet from the current IP address. For example, if the IP address is currently 192.168.1.2, and the proxy is set to "proxy-*-*", then the player will attempt to use a proxy named "proxy-192.168".

The following characters must be percent-encoded for the user name and password:

SPC

%20

"

%22

#

%23

%

%25

/

%2F

<

%3C

>

%3E

?

%3F

@

%40

[

%5B

\

%5C

]

%5D

^

%5E

`

%60

{

%7B

|

%7C

}

%7D

GetProxy() As String (host)

Returns the name or address of the proxy server.

SetProxyBypass(hostnames As Array) As Boolean

Exempts the specified hosts from the proxy setting. The passed array should consist of one or more hostnames. The player will attempt to reach the specified hosts directly rather than using the proxy that has been specified with the SetProxy() method. For example, the hostname "http://example.com " would exempt "http://example.com ", "http://example.com:80 ", and "http://www.example.com " from the proxy setting.

GetProxyBypass() As roArray

Returns an array of hostnames that have been exempted from the proxy setting using the SetProxyBypass() method.

GetRecoveryUrl() As String

Returns the current recovery URL, which is stored in the "ru" entry of the "networking" registry section. If the recovery URL is set via DHCP Option 43, it will take precedence over the "ru" registry entry.

ResetInterfaceSettings() As Boolean

Clears all interface-specific settings (e.g. IP address, default gateway). This method is ideal for resetting an interface to a known, empty state before configuring specific settings.

ResetHostSettings() As Boolean

Clears all host settings (i.e. settings that don't take the interface number into account and that don't affect the specified network interface; e.g. the time server). 

GetFailureReason() As String

Returns additional information when a member function returns false.

GetCurrentConfig() As Object

Retrieves the entire current configuration as an associative array containing the following members:

Value

Type

Host/Interface

Description

metric

Integer

Interface

Returns the current routing metric for the interface. See the SetRoutingMetric() entry for more details.

dhcp

Boolean

Interface

Returns true if the system is currently configured to use DHCP. Returns false otherwise.

hostname

String

Host

The currently configured host name

mdns_hostname

String

Host

The Zeroconf host name currently in use. This may be longer than the host name if there is a collision on the current network.

ethernet_mac

String

Interface

The Ethernet MAC address

ip4_address

String

Interface

The current IPv4 address. If none is currently set, the string will be empty.

ip4_netmask

String

Interface

The current IPv4 network mask. If none is currently set, the string will be empty.

ip4_broadcast

String

Interface

The current IPv4 broadcast address. If none is currently set, the string will be empty.

ip4_gateway

String

Interface

The current IPv4 gateway address. If none is currently set, the string will be empty.

domain

String

Host

A whitespace-separated list of domains that will be appended to unqualified names when resolving them

domains

roArray of Strings

Host

The domains that will be appended to uniqualified names when resolving name

dns_servers

roArray of Strings

Host

The currently active DNS servers

time_server

String

Host

The current time server

configured_proxy

String

Host

The currently configured proxy. This may contain magic characters as explained under SetProxy() above.

current_proxy

String

Host

The currently active proxy. Any magic characters will have been replaced as explained under SetProxy() above.

shape_inbound

Integer

Interface

The current bandwidth shaping for inbound traffic determined by the SetInboundShaperRate() method.

type

String

Interface

Either "wired" or "wifi"

link

Boolean

Interface

Indicates whether the network interface is currently connected.

wifi_essid

String

Interface

The name of the current Wi-Fi network (if any)

wifi_signal

Integer

Interface

An indication of the received signal strength. The absolute value of this field is usually not meaningful, but it can be compared with the reported value on other networks or in different locations.

TestInterface() As Object

Performs various tests on the network interface to determine whether it appears to be working correctly. It reports the results via an associative array containing the following members:

Value

Type

Description

ok

Boolean

This value is true if the tests find no problems, or false if at least one problem was identified.

diagnosis

String

A single-line diagnosis of the first problem identified in the network interface.

log

roArray of strings

A complete log of all the tests performed and their results.

TestInternetConnectivity() As Object

Performs various tests on the Internet connection (via any available network interface, not necessarily the one specified when the roNetworkConfiguration object was created) to determine whether it appears to be working correctly. It reports the results via an associative array containing the following members:

Value

Type

Description

ok

Boolean

This value is true if the tests find no problems, or false if at least one problem was identified.

diagnosis

String

A single line diagnosis of the first problem identified with the Internet connection.

log

roArray of strings

A complete log of all the tests performed and their results.

GetNeighborInformation() As roAssociativeArray

Retrieves location information from the network infrastructure using the LLDP-MED protocol. The information is returned as an associative array of strings corresponding to civic-address types, which are defined as follows according to the LLDP-MED specification: 

Anchor
lldp
lldp

CAtype

Label

Description

1

A1

national subdivisions (state, region, province, prefecture)

2

A2

county, parish, gun(JP), district(IN)

3

A3

city, township, shi(JP)

4

A4

city division, borough, city district, ward, chou(JP)

5

A5

neighborhood, block

6

A6

street


CAtype

NENA

PIDF

Description

Examples

0



language

i-default [3]

16

PRD

PRD

leading street direction

N

17

POD

POD

trailing street suffix

SW

18

STS

STS

street suffix

Ave, Platz

19

HNO

HNO

house number

123

20

HNS

HNS

house number suffix

A, 1/2

21

LMK

LMK

landmark or vanity address

Columbia University

22

LOC

LOC

additional location information

South Wing

23

NAM

NAM

name (residence and office occupant)

Joe's Barbershop

24

ZIP

PC

postal/ZIP code

10027-1234

25



building (structure)

Low Library

26



unit (apartment, suite)

Apt 42

27


FLR

floor

4

28



room number

450F

29



placetype

office

30

PCN


postal community name

Leonia

31



post office box (P.O Box)

12345

32



additional code

13203000003

128



script

Latn

255



reserved


ifWiFiConfiguration

ScanWiFi() As roArray

Scans for available wireless networks. The results are reported as an roArray containing one or more associative arrays with the following members:

Value

Type

Description

essid

String

Network name

bssid

String

Access point BSSID

signal

Integer

Received signal strength indication. The absolute value of this field is not usually relevant, but it can be compared with the reported value on other networks or in different locations.

ScanWiFi may fail if a previous scan has not completed, or a background scan is in progress. This potential failure should be handled in the script, and the script should retry ScanWifi if it does fail.

Network Authentication

BrightSign players support most commonly used wireless encryption formats: WEP (64 & 128), WPA (TKIP), and WPA2 (AES).

WPA Enterprise is supported using EAP-TLS (with DER, PEM, or PKCS#12 certificates) and PEAPv0/MSCHAPv2 (with a username and passphrase). Wired authentication via 802.1x is also supported. The configuration instructions below apply to both WiFi and wired authentication via 802.1x; the only difference is the wired/wireless parameter (0/1) passed during roNetworkConfiguration initialization.

EAP-TLS

EAP-TLS authentication requires a client certificate and private key. There are two ways to accomplish this:

  • Packaging the client certificate and private key in a single file in PKCS#12 format (using PEM or DER encoding), usually with a .p12 file extension. To do this, set the PKCS#12 file using the SetWiFiPrivateKey() method and pass a blank string to the SetWiFiClientCertificate() method.

  • Packaging the client certificate as a X.509 certificate (using PEM or DER encoding) and optionally securing the key with a passphrase (instead of the usual WiFi passphrase). To do this, set the client certificate using the SetWiFiClientCertificate() method and the key using the SetWiFiPrivateKey() method. If the key is protected with a passphrase, you should then call SetWiFiPassphrase().

Certificate keys may contain binary data if not PEM formatted. In this case, they must be provided as an roByteArray object. Text formats may be passed using a string or roByteArray.

Example: Setting EAP-TLS with a .p12 file
Code Block
nc = CreateObject("roNetworkConfiguration",1)
 
p12 = CreateObject("roByteArray")
p12.ReadFile("client.p12")

nc.SetWiFiClientCertificate("")
nc.SetWiFiPrivateKey(p12)
nc.SetWiFiPassphrase("passwordgoeshere") 

During authentication, the Radius server is passed an identity. By default, the identity will be taken from the client certificate. If the certificate has a "subjectAltName", it will be used; otherwise, the "CommonName" is used. If neither of these are correct, the identity may be overridden. This default behavior can be overridden by calling SetWiFiIdentity(), or it can be specified by passing a blank string to SetWiFiIdentity().

PEAP/MSCHAP

This mode requires an identity (username) and passphrase, rather than a client certificate. There may also be a second, "outer", identity–see the Special Cases section below for configuration details.

Code Block
nc = CreateObject("roNetworkConfiguration",1)
nc.SetWiFiIdentity("user@brightsign-example.com")
nc.SetWifiPassphrase("passwordgoeshere")

Common Variants

Additional Certificates

Additional CA certificates are often required when using a private or internal CA for authentication. Also, some CA hierarchies require intermediate certificates, which are sometimes supplied via EAP. If the server does not supply them, they may be added to the CA file using the SetWiFiCACertififcates() method. This method supports PEM certificates.

If a CA is not supplied, no peer verification will be done and an unvalidated authentication/connection will occur.

Code Block
nc = CreateObject("roNetworkConfiguration",1)
ca = CreateObject("roByteArray")
ca.ReadFile("ca.pem")
nc.SetWiFiCACertificates(ca)

Obfuscated WiFi Passphrase

If an obfuscated WiFi passphrase is required, you can substitute the SetObfuscatedWiFiPassphrase() method for the SetWiFiPassphrase() method. Contact support@brightsign.biz to learn more about generating a key for obfuscation and storing it on the player.

TKIP/CCMP Encryption

By default, both WPA (TKIP) and WPA2 (CCMP) encryption is permitted. You can alter this behavior using the SetSecurityMode() method, which accepts a space-separated, case-insensitive list of allowed modes ("ccmp" and "tkip"). If both CCMP and TKIP are allowed, CCMP always has priority.

Code Block
nc = CreateObject("roNetworkConfiguration",1)
nc.SetWiFiSecurityMode("") 'Sets the default mode
nc.SetWiFiSecurityMode("ccmp tkip") 'Explicitly allows both modes (same as the default mode)
nc.SetWiFiSecurityMode("ccmp") 'Requires the use of CCMP

Special Cases

MD5 Support

MD5 support is enabled by default for backwards-compatibility reasons. This behavior can be modified by passing the "md5=enable" or "md5=disable" string to the SetWiFiEapTlsOptions() method.

Code Block
nc = CreateObject("roNetworkConfiguration",1)
nc.SetWiFiEapTlsOptions("md5=disable")

Anonymous Identity

Some EAP-PEAP/MSCHAP configurations require an anonymous identity. By default, the BrightSign player uses the same inner and outer identity. An anonymous identity can be configured with the SetWiFiEaptTlsOptions() method:

Code Block
nc = CreateObject("roNetworkConfiguration",1)
nc.SetWiFiEapTlsOptions("anonymous_identity=anon@brightsign.biz")
Tip

Tip

If neither MD5 or identity options are being used, the setting should be cleard by passing a blank string to the SetWiFiEaptTlsOptions() method.

Validity Dates

Validity dates are required for both EAP-TLS and PEAP/MSCHAP. The current time is required to check the certificate. If the player clock has not been set, it will typically set its time using the network, but this requires EAP authentication first. To avoid this problem, there are two special exceptions:

  • EAP-TLS: When the clock is not set, the time is set to ten seconds after the client certificate becomes valid, which is usually sufficient to authenticate (though this may not be sufficient for servers with newer certificates than the client). 

  • PEAP/MSCHAP: There is no client certificate, and the server certificate time is not checked when the date is not set.

The clock can also be set via the Diagnostic Web Server, which prevents either of the above exceptions from being used. Typically, the clock is also set from the network once it is available, so these exceptions are only used on first boot or when the clock battery has been completely emptied.

Examples

The following script disables WPA Enterprise configuration (which is otherwise persistent):

Code Block
nc = CreateObject("roNetworkConfiguration", 1)
nc.SetWiFiSecurityMode("")
nc.SetWiFiESSID("")
nc.SetWiFiIdentity("")
nc.SetWiFiCaCertificates("")
nc.SetWiFiClientCertificate("")
nc.SetWiFiPrivateKey("")
nc.SetWiFiPassphrase("")
nc.SetWiFiEapTlsOptions("")
ok = nc.Apply()

The following script configures the WiFi for EAP-TLS using a PKCS#12 (.p12) file, without additional CA certificates:

Code Block
essid = "brightwifi"
pkcs12file = "client.p12"
pkcspass = "passwordgoeshere"

nc = CreateObject("roNetworkConfiguration", 1)
nc.SetWiFiESSID(essid)

p12 = CreateObject("roByteArray")
ok = p12.ReadFile(pkcs12file)

if ok then
    nc.SetWiFiClientCertificate("")
    nc.SetWiFiPrivateKey(p12)
    nc.SetWiFiPassphrase(pkcspass)

    nc.SetWiFiCaCertificates("")
    nc.SetWiFiSecurityMode("")
    nc.SetWiFiIdentity("")
    nc.SetWiFiEapTlsOptions("")

    ok = nc.Apply()
end if

The following script configures the WiFi for EAP-TLS with additional certificates:

Code Block
essid = "brightwifi"
cafile = "cacert.pem"
pkcs12file = "client.p12"
pkcspass = "passwordgoeshere"

nc = CreateObject("roNetworkConfiguration", 1)
nc.SetWiFiESSID(essid)

p12 = CreateObject("roByteArray")
ok = p12.ReadFile(pkcs12file)

ca = CreateObject("roByteArray")
ok = ca.ReadFile(cafile) and ok

if ok then
    nc.SetWiFiClientCertificate("")
    nc.SetWiFiPrivateKey(p12)
    nc.SetWiFiPassphrase(pkcspass)

    nc.SetWiFiCaCertificates("")
    nc.SetWiFiSecurityMode("")
    nc.SetWiFiIdentity("")
    nc.SetWiFiEapTlsOptions("")

    ok = nc.Apply()
end if

The following script configures the WiFi for PEAP/MSCHAP with additional CA files:

Code Block
essid = "brightwifi"
cafile = "ca.pem"
user = "someuser@brightsign.biz"
pass = "whatever"
ca = CreateObject("roByteArray")
ok = ca.ReadFile(cafile)

if ok then
    nc = CreateObject("roNetworkConfiguration", 1)
    nc.SetWiFiESSID(essid)
    nc.SetWiFiIdentity(user)
    nc.SetWiFiPassphrase(pass)
    nc.SetWiFiCaCertificates(ca)
    nc.SetWiFiClientCertificate("")
    nc.SetWiFiPrivateKey("")
    'Use this if an anonymous outer identity is required
    'nc.SetWiFiEapTlsOptions("anonymous_identity=anon@brightsign.biz")
    nc.SetWiFiEapTlsOptions("")

    ok = nc.Apply()
    if not ok then
        fail = "Unable to set configuration: " + nc.GetFailureReason()
    end if
else
    fail = "Unable to read file " + cafile
end if

' if not ok, do something with the failure message

The following script performs various VLAN configurations on the Ethernet interface:

Code Block
' Configure the VLANs first. Use defaults for VLAN6
n6=CreateObject("roNetworkConfiguration", "eth0.6")
print n6.ResetInterfaceSettings()
print n6.Apply()

' Use defaults for VLAN11
n11=CreateObject("roNetworkConfiguration", "eth0.11")
print n11.ResetInterfaceSettings()
print n11.Apply()

' Use static IP for VLAN15
n15=CreateObject("roNetworkConfiguration", "eth0.15")
print n15.SetIP4Address("192.168.15.100")
print n15.SetIP4Netmask("255.255.255.0")
print n15.Apply()

' Now enable VLANs 6, 11 and 15 on eth0.
n0=CreateObject("roNetworkConfiguration", "eth0")
print n0.SetVlanIds([6, 11, 15])
print n0.Apply()