Wi-Fi Management

Overview

The Wi-Fi management API is used to manage Wi-Fi networks. It supports below modes:

  • IEEE802.11 Station (STA)

  • IEEE802.11 Access Point (AP)

Only personal mode security is supported with below types:

  • Open

  • WPA2-PSK

  • WPA2-PSK-256

  • WPA3-SAE

The Wi-Fi management API is implemented in the wifi_mgmt module as a part of the networking L2 stack. Currently, two types of Wi-Fi drivers are supported:

  • Networking or socket offloaded drivers

  • Native L2 Ethernet drivers

Wi-Fi PSA crypto supported build

To enable PSA crypto API supported Wi-Fi build, the CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT and the CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA need to be set.

Wi-Fi Enterprise test: X.509 Certificate management

Wi-Fi enterprise security requires use of X.509 certificates, two methods of installing certificates are supported:

Compile time certificates

Test certificates in PEM format are committed to the repo at samples/net/wifi/test_certs and the during the build process the certificates are converted to a C header file that is included by the Wi-Fi shell module.

If you want to use your own certificates, you can replace the existing certificates with your own certificates in the same directory.

$ export WIFI_TEST_CERTS_DIR=samples/net/wifi/test_certs/rsa3k
$ cp client.pem $WIFI_TEST_CERTS_DIR
$ cp client-key.pem $WIFI_TEST_CERTS_DIR
$ cp ca.pem $WIFI_TEST_CERTS_DIR
$ cp client2.pem $WIFI_TEST_CERTS_DIR
$ cp client-key2.pem $WIFI_TEST_CERTS_DIR
$ cp ca2.pem $WIFI_TEST_CERTS_DIR
$ west build -p -b <board> samples/net/wifi -S wifi-enterprise

or alternatively copy rsa2k certificates by changing the WIFI_TEST_CERTS_DIR environment variable.

$ export WIFI_TEST_CERTS_DIR=samples/net/wifi/test_certs/rsa2k

or you can set the WIFI_TEST_CERTS_DIR environment variable to point to the directory containing your certificates.

$ west build -p -b <board> samples/net/wifi -S wifi-enterprise -- -DWIFI_TEST_CERTS_DIR=<path_to_your_certificates>

Run time certificates

The Wi-Fi shell module uses TLS credentials subsystem to store and manage the certificates. The certificates can be added at runtime using the shell commands, see TLS Credentials Shell for more details. The sample or application need to enable the CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES option to use this feature.

To facilitate installation of the certificates, a helper script is provided in the samples/net/wifi/test_certs directory. The script can be used to install the certificates at runtime.

$ ./scripts/utils/wifi_ent_cert_installer.py -p samples/net/wifi/test_certs/rsa2k

The script will install the certificates in the rsa2k directory to the TLS credentials store in the device over UART and using TLS credentials shell commands.

To initiate Wi-Fi connection, the following command can be used:

uart:~$ wifi connect -s <SSID> -c 149 -k 7 -w 2 -a client1 --key1-pwd whatever --key2-pwd whatever

Server certificate is also provided in the same directory for testing purposes. Any AAA server can be used for testing purposes, for example, FreeRADIUS or hostapd.

Note

The certificates are for testing purposes only and should not be used in production. They are generated using FreeRADIUS raddb scripts.

API Reference

Wi-Fi Management