esp-idf/examples/wifi/wpa2_enterprise/README.md

121 wiersze
3.9 KiB
Markdown

# WPA2 Enterprise Example
This example shows how ESP32 connects to AP with wpa2 enterprise encryption. Example does the following steps:
1. Install CA certificate which is optional.
2. Install client certificate and client key which is required in TLS method and optional in PEAP and TTLS methods.
3. Set identity of phase 1 which is optional.
4. Set user name and password of phase 2 which is required in PEAP and TTLS methods.
5. Enable wpa2 enterprise.
6. Connect to AP.
*Note:* 1. The certificates currently are generated and are present in examples.wifi/wpa2_enterprise/main folder.
2. The expiration date of the certificates is 2027/06/05.
The steps to create new certificates are given below.
## The file wpa2_ca.pem, wpa2_ca.key, wpa2_server.pem, wpa2_server.crt and wpa2_server.key can be used to configure AP with wpa2 enterprise encryption.
## How to use Example
### Configuration
```
idf.py menuconfig
```
* Set SSID of Access Point to connect in Example Configuration.
* Select EAP method (TLS, TTLS or PEAP).
* Select Phase2 method (only for TTLS).
* Enter EAP-ID.
* Enter Username and Password (only for TTLS and PEAP).
* Enable or disable Validate Server option.
### Build and Flash the project.
```
idf.py -p PORT flash monitor
```
## Steps to create wpa2_ent openssl certs
1. make directry tree
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
sh -c "echo '01' > ./demoCA/serial"
touch ./demoCA/index.txt
touch xpextensions
add following lines in xpextensions file
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
2. ca.pem: root certificate, foundation of certificate verigy
openssl req -new -x509 -keyout wpa2_ca.key -out wpa2_ca.pem
3. generate rsa keys for client and server
openssl genrsa -out wpa2_client.key 2048
openssl genrsa -out wpa2_server.key 2048
4. generate certificate signing req for both client and server
openssl req -new -key wpa2_client.key -out wpa2_client.csr
openssl req -new -key wpa2_server.key -out wpa2_server.csr
5. create certs (.crt) for client nd server
openssl ca -batch -keyfile wpa2_ca.key -cert wpa2_ca.pem -in wpa2_client.csr -key (password) -out wpa2_client.crt -extensions xpserver_ext -extfile xpextensions
openssl ca -batch -keyfile wpa2_ca.key -cert wpa2_ca.pem -in wpa2_server.csr -key (password) -out wpa2_server.crt -extensions xpserver_ext -extfile xpextensions
6. export .p12 files
openssl pkcs12 -export -out wpa2_client.p12 -inkey wpa2_client.key -in wpa2_client.crt
openssl pkcs12 -export -out wpa2_server.p12 -inkey wpa2_server.key -in wpa2_server.crt
7. create .pem files
openssl pkcs12 -in wpa2_client.p12 -out wpa2_client.pem
openssl pkcs12 -in wpa2_server.p12 -out wpa2_server.pem
### Example output
Here is an example of wpa2 enterprise(PEAP method) console output.
```
I (1352) example: Setting WiFi configuration SSID wpa2_test...
I (1362) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable
I (1362) wifi: rx_ba=1 tx_ba=1
I (1372) wifi: mode : sta (24:0a:c4:03:b8:dc)
I (3002) wifi: n:11 0, o:1 0, ap:255 255, sta:11 0, prof:11
I (3642) wifi: state: init -> auth (b0)
I (3642) wifi: state: auth -> assoc (0)
I (3652) wifi: state: assoc -> run (10)
I (3652) wpa: wpa2_task prio:24, stack:6144
I (3972) wpa: >>>>>wpa2 FINISH
I (3982) wpa: wpa2 task delete
I (3992) wifi: connected with wpa2_test, channel 11
I (5372) example: ~~~~~~~~~~~
I (5372) example: IP:0.0.0.0
I (5372) example: MASK:0.0.0.0
I (5372) example: GW:0.0.0.0
I (5372) example: ~~~~~~~~~~~
I (6832) event: ip: 192.168.1.112, mask: 255.255.255.0, gw: 192.168.1.1
I (7372) example: ~~~~~~~~~~~
I (7372) example: IP:192.168.1.112
I (7372) example: MASK:255.255.255.0
I (7372) example: GW:192.168.1.1
I (7372) example: ~~~~~~~~~~~
I (9372) example: ~~~~~~~~~~~
I (9372) example: IP:192.168.1.112
I (9372) example: MASK:255.255.255.0
I (9372) example: GW:192.168.1.1
I (9372) example: ~~~~~~~~~~~
```