ESP32: WPA2-Enterprise support
Hello, I am making this issue to request support for WPA2 Enterprise networks that use EAP.
In late 2019 I posted some code on how to do so, which I used in a custom build of MicroPython, so that someone with more knowledge of how to properly add it could take a look.
https://forum.micropython.org/viewtopic.php?f=18&t=7219
It looks like no one ever did, which is why I am creating this issue to bring attention to it.
esp32: add WPA2 enterprise support
Summary
This PR adds WPA2 Enterprise support to the ESP32 port. In particular, the patch supports EAP-PWD, EAP-PEAP, and EAP-TTLS with MSCHAPv2 and PAP.
Testing
The patch was developed and tested in the Technical University of Munich eduroam network on an ESP32_GENERIC_S3 board, namely, a CrowPanel 5.0"-HMI ESP32 Display board with a ESP32-S3-WROOM-1-N4R8 module.
Usage example:
```python
import network

wlan = network.WLAN(network.STA_IF)
wlan.active(True)

identity = "anonymous@eduroam.mwn.de"  # outer (anonymous) identity for PEAP/TTLS
username = "my_username@eduroam.mwn.de"
password = "my_password"
certfile = "/T-TeleSec_GlobalRoot_Class_2.pem"  # needs to be uploaded first
ssid = "eduroam"
method = wlan.EAP_PEAP  # pick one of wlan.EAP_PWD, wlan.EAP_PEAP, wlan.EAP_TTLS
ttls_phase2_method = None  # for EAP_TTLS: set to the phase-2 method constant (MSCHAPv2 or PAP)

with open(certfile, "rb") as file:
    ca_cert = file.read()  # CA certificate used to validate the authentication server

try:
    if method == wlan.EAP_PWD:
        wlan.eap_connect(ssid=ssid, eap_method=method,
                         username=username, password=password)
    elif method == wlan.EAP_PEAP:
        wlan.eap_connect(ssid=ssid, eap_method=method,
                         username=username, password=password,
                         identity=identity, ca_cert=ca_cert)
    elif method == wlan.EAP_TTLS:
        wlan.eap_connect(ssid=ssid, eap_method=method,
                         username=username, password=password,
                         identity=identity, ca_cert=ca_cert,
                         ttls_phase2_method=ttls_phase2_method)
except Exception as e:
    print(f"error: {e}")
```
Trade-offs and Alternatives
If your board does not have a hardware RTC, odds are that the server certificate validation for EAP-PEAP, -TTLS and potentially -TLS will fail due to the system time being way off. As a workaround, you can set the system time to build time on system start like this:
```python
import sys
import machine

# sys.version ends with the firmware build date, e.g. "... on 2024-06-02"
(year, month, day) = sys.version.split(" on ")[1].split("-")
rtc = machine.RTC()
# ESP32 port tuple: (year, month, day, weekday, hours, minutes, seconds, subseconds)
date_time = (int(year), int(month), int(day), 0, 0, 0, 0, 0)
rtc.init(date_time)
```
EAP-TTLS with MSCHAP or CHAP could not be tested so far, nor could EAP-TLS, for lack of a corresponding network. User testing and feedback are highly appreciated!
Development and testing were done with ESP-IDF 5.2.2 and MPY 1.23.0 because later versions or master gave me too many runtime or compilation errors (in other places than this patch).
If requested, I can add more documentation for the README or the MPY documentation.
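As an added pre-flight check around the eap_connect call shown in the usage example (example code written for this page, not part of the PR), the helper below refuses the tunnelled methods without a CA certificate and catches the "clock way off" problem from the RTC note before the radio is touched. The names build_date, clock_is_plausible and preflight are hypothetical, and plain method strings stand in for the wlan.EAP_* constants, which only exist on the board.

```python
import sys
import time

# Hypothetical pre-flight helper (not part of the PR). Method names are plain
# strings because the PR's wlan.EAP_* constants are only available on the board.
TUNNELED = ("PEAP", "TTLS", "TLS")  # methods whose server certificate must validate


def build_date(version=None):
    """Return (year, month, day) from a MicroPython sys.version string such as
    '3.4.0; MicroPython v1.23.0 on 2024-06-02', or None if no build date is present."""
    version = sys.version if version is None else version
    if " on " not in version:
        return None
    parts = version.split(" on ")[1].strip().split("-")
    try:
        year, month, day = (int(p) for p in parts[:3])
    except ValueError:  # non-numeric parts or fewer than three of them
        return None
    return (year, month, day)


def clock_is_plausible(now, build):
    """A clock earlier than the firmware build date is certainly wrong (a board
    without an RTC boots at 2000-01-01) and makes certificate validation fail."""
    return tuple(now[:3]) >= tuple(build)


def preflight(method, username, password, identity=None, ca_cert=None,
              now=None, version=None):
    """Return keyword arguments for wlan.eap_connect, or raise ValueError explaining
    why the attempt would fail or would hand the password to an unauthenticated server."""
    if not username or not password:
        raise ValueError("username and password are required")
    kwargs = {"username": username, "password": password}
    if method not in TUNNELED:  # EAP-PWD: no server certificate involved
        return kwargs
    if not ca_cert or b"-----BEGIN CERTIFICATE-----" not in ca_cert:
        raise ValueError(method + " needs a PEM CA certificate to authenticate the server")
    build = build_date(version)
    now = time.localtime() if now is None else now
    if build and not clock_is_plausible(now, build):
        raise ValueError("clock %d-%02d-%02d predates firmware build %d-%02d-%02d; set the RTC first"
                         % (now[0], now[1], now[2], build[0], build[1], build[2]))
    # The outer identity is what the access point sees; fall back to the username
    # only when no anonymous identity is configured.
    kwargs.update(identity=identity or username, ca_cert=ca_cert)
    return kwargs
```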