#5705 · PR #17234
Likely Duplicate · high · value 1.145
QUERY · ISSUE

ESP32: WPA2-Enterprise support

open · by wgaylord · opened 2020-02-27 · updated 2026-03-02
port-esp32

Hello, I am making this issue to request support for WPA2 enterprise networks that use EAP.

In late 2019 I posted some code showing how to do so, which I used in a custom build of MicroPython, so that someone with more knowledge of how to properly add it could take a look.

https://forum.micropython.org/viewtopic.php?f=18&t=7219

Looks like no one ever did, which is why I am creating this issue to bring attention to this.

CANDIDATE · PULL REQUEST

ports/esp32: added WPA-Enterprise (new)

open · by h-milz · opened 2025-05-01 · updated 2026-03-12
port-esp32

Summary

This PR supersedes #16463 which is FUBAR.

This PR adds WPA2 Enterprise support to the ESP32 port. In particular, the patch supports EAP-PWD, EAP-PEAP, and EAP-TTLS (all supported ttls phase2 methods). Code for EAP-TLS is also included but UNTESTED and EXPERIMENTAL. The patch is a thin wrapper around the ESP-IDF functions and does not implement any further network or security relevant programming. Consequently, it is specific to the ESP32 port.

Testing

The patch was developed and tested in the Technical University of Munich eduroam network on an ESP32_GENERIC_S3 board, namely, a CrowPanel 5.0"-HMI ESP32 Display board with an ESP32-S3-WROOM-1-N4R8 module, as well as a generic ESP32-C6 board from DFRobot, on MPY v1.23.0 using ESP-IDF 5.22 and on MPY v1.25.0 using ESP-IDF 5.4.0.

Usage example:

```python
import network

wlan = network.WLAN(network.STA_IF)
wlan.active(True)

identity = "anonymous@eduroam.mwn.de"           # set accordingly for EAP-PEAP and EAP-TTLS
username = "my_username@eduroam.mwn.de"         # set your username
password = "my_password"                        # set your password
certfile = "/T-TeleSec_GlobalRoot_Class_2.pem"  # needs to be uploaded first
ssid     = "eduroam"
method   = wlan.EAP_PEAP      #   choose one of wlan.EAP_PWD, wlan.EAP_PEAP, wlan.EAP_TTLS
ttls_phase2_method = 1        #   0 = EAP, 1 = MSCHAPv2 (default), 2 = MSCHAP, 3 = PAP, 4 = CHAP

# CA certificate used to validate the server for EAP-PEAP and EAP-TTLS
with open(certfile, 'rb') as file:
    ca_cert = file.read()

try:
    if method == wlan.EAP_PWD:
        wlan.eap_connect(ssid=ssid, eap_method=method,
                        username=username, password=password)
    elif method == wlan.EAP_PEAP:
        wlan.eap_connect(ssid=ssid, eap_method=method,
                        username=username, password=password,
                        identity=identity, ca_cert=ca_cert)
    elif method == wlan.EAP_TTLS:
        wlan.eap_connect(ssid=ssid, eap_method=method,
                        username=username, password=password,
                        identity=identity, ca_cert=ca_cert,
                        ttls_phase2_method=ttls_phase2_method)
except Exception as e:
    print(f"error: {e}")
```

Trade-offs and Alternatives

If your board does not have a hardware RTC, odds are that the server certificate validation for EAP-PEAP, -TTLS and potentially -TLS will fail due to the system time being way off. As a workaround, you can set the system time to build time on system start like this:

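```python
import sys
import machine

# sys.version ends in "... on YYYY-MM-DD", the firmware build date
(year, month, day) = sys.version.split(" on ")[1].split("-")
rtc = machine.RTC()
# Set the RTC to midnight on the build date
date_time = (int(year), int(month), int(day), 0, 0, 0, 0, 0)
rtc.init(date_time)
```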

and from then on, synchronize the internal RTC using NTP in regular intervals.

More documentation is contained in ports/esp32/README.md.
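The following is an added example, not code from the PR or from MicroPython: pre-flight checks that raise the clock to the build date only when it is provably behind it, and refuse PEAP/TTLS without a PEM CA certificate and an outer identity. The helper names (`build_date`, `clock_floor`, `eap_kwargs`) and the string method labels are hypothetical; the keyword names are taken from the usage example above.

```python
PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def build_date(version):
    """Return (year, month, day) parsed from a MicroPython sys.version string, or None."""
    try:
        y, m, d = version.split(" on ")[1].split()[0].split("-")
        return int(y), int(m), int(d)
    except (IndexError, ValueError):
        return None


def clock_floor(now, version):
    """Return the 8-tuple to pass to rtc.init() if `now` predates the build, else None."""
    built = build_date(version)
    if built is None or tuple(now[:3]) >= built:
        return None  # clock is plausible (e.g. NTP time kept across a soft reset)
    return built + (0, 0, 0, 0, 0)


def eap_kwargs(kind, ssid, username, password, identity=None, ca_cert=None, phase2=1):
    """Build eap_connect() keyword arguments for kind in {"PWD", "PEAP", "TTLS"}."""
    args = {"ssid": ssid, "username": username, "password": password}
    if kind == "PWD":
        return args
    if kind not in ("PEAP", "TTLS"):
        raise ValueError("unsupported method: " + kind)
    # Tunnelled methods run the inner authentication with whichever server
    # terminates the TLS tunnel, so this helper insists on a CA to validate it.
    if not ca_cert or PEM_BEGIN not in ca_cert or PEM_END not in ca_cert:
        raise ValueError("ca_cert must be a PEM certificate for " + kind)
    if not identity:
        raise ValueError("outer identity required for " + kind)
    args.update(identity=identity, ca_cert=ca_cert)
    if kind == "TTLS":
        args["ttls_phase2_method"] = phase2
    return args

# On the board (assumed usage):
#   t = clock_floor(time.localtime(), sys.version)
#   if t: machine.RTC().init(t)
#   wlan.eap_connect(eap_method=wlan.EAP_PEAP, **eap_kwargs("PEAP", ...))
```
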
