WPA2 Enterprise Example
This example shows how ESP32 connects to AP with wpa2 enterprise encryption. Example does the following steps:
- Install CA certificate which is optional.
- Install client certificate and client key which is required in TLS method and optional in PEAP and TTLS methods.
- Set identity of phase 1 which is optional.
- Set user name and password of phase 2 which is required in PEAP and TTLS methods.
- Enable wpa2 enterprise.
- Connect to AP.
Note: 1. The certificates currently are generated and are present in examples.wifi/wpa2_enterprise/main folder. 2. The expiration date of the certificates is 2027/06/05.
The steps to create new certificates are given below.
The file wpa2_ca.pem, wpa2_ca.key, wpa2_server.pem, wpa2_server.crt and wpa2_server.key can be used to configure AP with wpa2 enterprise encryption.
How to use Example
Configuration
idf.py menuconfig
- Set SSID of Access Point to connect in Example Configuration.
- Select EAP method (TLS, TTLS or PEAP).
- Select Phase2 method (only for TTLS).
- Enter EAP-ID.
- Enter Username and Password (only for TTLS and PEAP).
- Enable or disable Validate Server option.
Build and Flash the project.
idf.py -p PORT flash monitor
Steps to create wpa2_ent openssl certs
- make directry tree
mkdir demoCA mkdir demoCA/newcerts mkdir demoCA/private sh -c "echo '01' > ./demoCA/serial" touch ./demoCA/index.txt touch xpextensions
add following lines in xpextensions file
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
-
ca.pem: root certificate, foundation of certificate verigy openssl req -new -x509 -keyout wpa2_ca.key -out wpa2_ca.pem
-
generate rsa keys for client and server openssl genrsa -out wpa2_client.key 2048 openssl genrsa -out wpa2_server.key 2048
-
generate certificate signing req for both client and server openssl req -new -key wpa2_client.key -out wpa2_client.csr openssl req -new -key wpa2_server.key -out wpa2_server.csr
-
create certs (.crt) for client nd server openssl ca -batch -keyfile wpa2_ca.key -cert wpa2_ca.pem -in wpa2_client.csr -key (password) -out wpa2_client.crt -extensions xpserver_ext -extfile xpextensions openssl ca -batch -keyfile wpa2_ca.key -cert wpa2_ca.pem -in wpa2_server.csr -key (password) -out wpa2_server.crt -extensions xpserver_ext -extfile xpextensions
-
export .p12 files openssl pkcs12 -export -out wpa2_client.p12 -inkey wpa2_client.key -in wpa2_client.crt openssl pkcs12 -export -out wpa2_server.p12 -inkey wpa2_server.key -in wpa2_server.crt
-
create .pem files openssl pkcs12 -in wpa2_client.p12 -out wpa2_client.pem openssl pkcs12 -in wpa2_server.p12 -out wpa2_server.pem
Example output
Here is an example of wpa2 enterprise(PEAP method) console output.
I (1352) example: Setting WiFi configuration SSID wpa2_test...
I (1362) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable
I (1362) wifi: rx_ba=1 tx_ba=1
I (1372) wifi: mode : sta (24:0a:c4:03:b8:dc)
I (3002) wifi: n:11 0, o:1 0, ap:255 255, sta:11 0, prof:11
I (3642) wifi: state: init -> auth (b0)
I (3642) wifi: state: auth -> assoc (0)
I (3652) wifi: state: assoc -> run (10)
I (3652) wpa: wpa2_task prio:24, stack:6144
I (3972) wpa: >>>>>wpa2 FINISH
I (3982) wpa: wpa2 task delete
I (3992) wifi: connected with wpa2_test, channel 11
I (5372) example: ~~~~~~~~~~~
I (5372) example: IP:0.0.0.0
I (5372) example: MASK:0.0.0.0
I (5372) example: GW:0.0.0.0
I (5372) example: ~~~~~~~~~~~
I (6832) event: ip: 192.168.1.112, mask: 255.255.255.0, gw: 192.168.1.1
I (7372) example: ~~~~~~~~~~~
I (7372) example: IP:192.168.1.112
I (7372) example: MASK:255.255.255.0
I (7372) example: GW:192.168.1.1
I (7372) example: ~~~~~~~~~~~
I (9372) example: ~~~~~~~~~~~
I (9372) example: IP:192.168.1.112
I (9372) example: MASK:255.255.255.0
I (9372) example: GW:192.168.1.1
I (9372) example: ~~~~~~~~~~~