Issue #2778 · PR #17234
QUERY · ISSUE

esp8266: WPA2 Enterprise support?

open · by udupa-varun · opened 2017-01-09 · updated 2025-06-08
labels: enhancement, port-esp8266

The network security protocols that can be handled are listed as WEP, WPA-PSK and WPA2-PSK. Are there any plans to support WPA2-Enterprise PEAP in the near future? Would love to see that included.

CANDIDATE · PULL REQUEST

ports/esp32: added WPA-Enterprise (new)

open · by h-milz · opened 2025-05-01 · updated 2026-03-12
labels: port-esp32

Summary

This PR supersedes #16463, which is FUBAR.

This PR adds WPA2 Enterprise support to the ESP32 port. In particular, the patch supports EAP-PWD, EAP-PEAP, and EAP-TTLS (all supported ttls phase2 methods). Code for EAP-TLS is also included but UNTESTED and EXPERIMENTAL. The patch is a thin wrapper around the ESP-IDF functions and does not implement any further network or security relevant programming. Consequently, it is specific to the ESP32 port.

Testing

The patch was developed and tested in the Technical University of Munich eduroam network on an ESP32_GENERIC_S3 board, namely, a CrowPanel 5.0"-HMI ESP32 Display board with an ESP32-S3-WROOM-1-N4R8 module, as well as a generic ESP32-C6 board from DFRobot, on MPY v1.23.0 using ESP-IDF 5.22 and on MPY v1.25.0 using ESP-IDF 5.4.0.

Usage example:

```python
import network

wlan = network.WLAN(network.STA_IF)
wlan.active(True)

identity = "anonymous@eduroam.mwn.de"           # outer identity for EAP-PEAP and EAP-TTLS; set accordingly
username = "my_username@eduroam.mwn.de"         # set your username
password = "my_password"                        # set your password
certfile = "/T-TeleSec_GlobalRoot_Class_2.pem"  # CA certificate; needs to be uploaded first
ssid     = "eduroam"
method   = wlan.EAP_PEAP      # one of wlan.EAP_PWD, wlan.EAP_PEAP, wlan.EAP_TTLS (wlan.EAP_TLS is untested)
ttls_phase2_method = 1        # 0 = EAP, 1 = MSCHAPv2 (default), 2 = MSCHAP, 3 = PAP, 4 = CHAP

with open(certfile, "rb") as file:
    ca_cert = file.read()

try:
    if method == wlan.EAP_PWD:
        wlan.eap_connect(ssid=ssid, eap_method=method,
                         username=username, password=password)
    elif method == wlan.EAP_PEAP:
        wlan.eap_connect(ssid=ssid, eap_method=method,
                         username=username, password=password,
                         identity=identity, ca_cert=ca_cert)
    elif method == wlan.EAP_TTLS:
        wlan.eap_connect(ssid=ssid, eap_method=method,
                         username=username, password=password,
                         identity=identity, ca_cert=ca_cert,
                         ttls_phase2_method=ttls_phase2_method)
except Exception as e:
    print(f"error: {e}")
```

Trade-offs and Alternatives

If your board does not have a hardware RTC, odds are that the server certificate validation for EAP-PEAP, -TTLS and potentially -TLS will fail due to the system time being way off. As a workaround, you can set the system time to build time on system start like this:

```python
import sys
import machine

# sys.version ends in "... on YYYY-MM-DD"; use the build date as a lower bound for the clock
(year, month, day) = sys.version.split(" on ")[1].split("-")
rtc = machine.RTC()
date_time = (int(year), int(month), int(day), 0, 0, 0, 0, 0)
rtc.init(date_time)
```

and from then on, synchronize the internal RTC using NTP at regular intervals.

More documentation is contained in ports/esp32/README.md.
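Added example (not part of the PR or the MicroPython port): helpers that check the two things the description above says make or break server authentication, namely a CA certificate for the tunnelled methods and a clock that is not before the firmware build date. It assumes the `eap_connect()` keyword names and `EAP_*` constants as shown in the PR description and that those constants are reachable on the `network.WLAN` class; the off-device stand-in class and its constant values are constructed placeholders.

```python
import sys

# EAP-TTLS phase-2 codes as listed in the PR description (ttls_phase2_method).
TTLS_PHASE2 = {"EAP": 0, "MSCHAPV2": 1, "MSCHAP": 2, "PAP": 3, "CHAP": 4}

try:
    from network import WLAN      # ESP32 port; EAP_* assumed reachable on the class
except ImportError:
    class WLAN:                   # constructed stand-in so the helpers run off-device
        EAP_PWD, EAP_PEAP, EAP_TTLS, EAP_TLS = 0, 1, 2, 3


def build_date(version=None):
    """Build date from a MicroPython sys.version string such as
    '3.4.0; MicroPython v1.25.0 on 2025-04-15' -> (2025, 4, 15), else None."""
    text = sys.version if version is None else version
    try:
        y, m, d = text.split(" on ")[1].split()[0].split("-")
        return int(y), int(m), int(d)
    except (IndexError, ValueError):
        return None


def clock_is_plausible(now, version=None):
    """True if the RTC date `now` (year, month, day, ...) is not before the build
    date. A board without RTC boots at 2000-01-01, so every current CA cert
    looks not-yet-valid and PEAP/TTLS server validation fails."""
    built = build_date(version)
    return built is not None and tuple(now[:3]) >= built


def eap_connect_args(wlan, method, ssid, username, password,
                     identity=None, ca_cert=None, phase2="MSCHAPV2"):
    """Assemble keyword arguments for wlan.eap_connect() and refuse any
    combination that would leave the RADIUS server unauthenticated."""
    method = method.upper()
    if method not in ("PWD", "PEAP", "TTLS"):
        raise ValueError("untested or unsupported EAP method: " + method)
    args = {"ssid": ssid, "eap_method": getattr(wlan, "EAP_" + method),
            "username": username, "password": password}
    if method == "PWD":
        return args               # EAP-PWD has no TLS tunnel, hence no CA certificate
    if not ca_cert:
        raise ValueError("refusing EAP-" + method + " without a CA certificate")
    if identity is None:          # outer identity is sent in clear before the tunnel
        if "@" not in username:
            raise ValueError("identity required: username carries no realm")
        identity = "anonymous@" + username.split("@", 1)[1]
    args.update(identity=identity, ca_cert=ca_cert)
    if method == "TTLS":
        args["ttls_phase2_method"] = TTLS_PHASE2[phase2.upper()]
    return args
```

On the board, call `wlan.eap_connect(**eap_connect_args(wlan, "ttls", ...))` only after `clock_is_plausible(machine.RTC().datetime())` is true.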
