3.9 KiB

WPA2 Enterprise Example

This example shows how ESP32 connects to AP with wpa2 enterprise encryption. Example does the following steps:

  1. Install CA certificate which is optional.
  2. Install client certificate and client key which is required in TLS method and optional in PEAP and TTLS methods.
  3. Set identity of phase 1 which is optional.
  4. Set user name and password of phase 2 which is required in PEAP and TTLS methods.
  5. Enable wpa2 enterprise.
  6. Connect to AP.

Note: 1. The certificates currently are generated and are present in examples.wifi/wpa2_enterprise/main folder. 2. The expiration date of the certificates is 2027/06/05.

The steps to create new certificates are given below.

The file wpa2_ca.pem, wpa2_ca.key, wpa2_server.pem, wpa2_server.crt and wpa2_server.key can be used to configure AP with wpa2 enterprise encryption.

How to use Example

Configuration

idf.py menuconfig
  • Set SSID of Access Point to connect in Example Configuration.
  • Select EAP method (TLS, TTLS or PEAP).
  • Select Phase2 method (only for TTLS).
  • Enter EAP-ID.
  • Enter Username and Password (only for TTLS and PEAP).
  • Enable or disable Validate Server option.

Build and Flash the project.

idf.py -p PORT flash monitor

Steps to create wpa2_ent openssl certs

  1. make directry tree

mkdir demoCA mkdir demoCA/newcerts mkdir demoCA/private sh -c "echo '01' > ./demoCA/serial" touch ./demoCA/index.txt touch xpextensions

 add following lines in xpextensions file 

  [ xpclient_ext ]
  extendedKeyUsage = 1.3.6.1.5.5.7.3.2

  [ xpserver_ext ]
  extendedKeyUsage = 1.3.6.1.5.5.7.3.1
  1. ca.pem: root certificate, foundation of certificate verigy openssl req -new -x509 -keyout wpa2_ca.key -out wpa2_ca.pem

  2. generate rsa keys for client and server openssl genrsa -out wpa2_client.key 2048 openssl genrsa -out wpa2_server.key 2048

  3. generate certificate signing req for both client and server openssl req -new -key wpa2_client.key -out wpa2_client.csr openssl req -new -key wpa2_server.key -out wpa2_server.csr

  4. create certs (.crt) for client nd server openssl ca -batch -keyfile wpa2_ca.key -cert wpa2_ca.pem -in wpa2_client.csr -key (password) -out wpa2_client.crt -extensions xpserver_ext -extfile xpextensions openssl ca -batch -keyfile wpa2_ca.key -cert wpa2_ca.pem -in wpa2_server.csr -key (password) -out wpa2_server.crt -extensions xpserver_ext -extfile xpextensions

  5. export .p12 files openssl pkcs12 -export -out wpa2_client.p12 -inkey wpa2_client.key -in wpa2_client.crt openssl pkcs12 -export -out wpa2_server.p12 -inkey wpa2_server.key -in wpa2_server.crt

  6. create .pem files openssl pkcs12 -in wpa2_client.p12 -out wpa2_client.pem openssl pkcs12 -in wpa2_server.p12 -out wpa2_server.pem

Example output

Here is an example of wpa2 enterprise(PEAP method) console output.

I (1352) example: Setting WiFi configuration SSID wpa2_test...
I (1362) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable

I (1362) wifi: rx_ba=1 tx_ba=1

I (1372) wifi: mode : sta (24:0a:c4:03:b8:dc)
I (3002) wifi: n:11 0, o:1 0, ap:255 255, sta:11 0, prof:11
I (3642) wifi: state: init -> auth (b0)
I (3642) wifi: state: auth -> assoc (0)
I (3652) wifi: state: assoc -> run (10)
I (3652) wpa: wpa2_task prio:24, stack:6144

I (3972) wpa: >>>>>wpa2 FINISH

I (3982) wpa: wpa2 task delete

I (3992) wifi: connected with wpa2_test, channel 11
I (5372) example: ~~~~~~~~~~~
I (5372) example: IP:0.0.0.0
I (5372) example: MASK:0.0.0.0
I (5372) example: GW:0.0.0.0
I (5372) example: ~~~~~~~~~~~
I (6832) event: ip: 192.168.1.112, mask: 255.255.255.0, gw: 192.168.1.1
I (7372) example: ~~~~~~~~~~~
I (7372) example: IP:192.168.1.112
I (7372) example: MASK:255.255.255.0
I (7372) example: GW:192.168.1.1
I (7372) example: ~~~~~~~~~~~
I (9372) example: ~~~~~~~~~~~
I (9372) example: IP:192.168.1.112
I (9372) example: MASK:255.255.255.0
I (9372) example: GW:192.168.1.1
I (9372) example: ~~~~~~~~~~~