WPA2 Enterprise Wi-Fi
WPA2 Enterprise Wi-Fi lets you connect your Alexa devices to WPA2 Extensible Authentication Protocol (EAP) Transport Layer Security (TLS) networks and lets Alexa Smart Properties manage issuing and rotating certificates for your devices. WPA2 EAP TLS is a standard, widely adopted enterprise authentication method that allows devices to meet the latest information security requirements. A device can connect to a WPA2 Enterprise Wi-Fi network only if it has a certificate issued by a trusted certificate authority, which provides an additional level of security on top of pre-shared key public networks. With WPA2 Enterprise Wi-Fi, you can create certificate authorities that generate certificates for your Alexa devices so that they connect to WPA2 Enterprise Wi-Fi networks.
Prerequisites
To use the WPA2 Enterprise Wi-Fi add-on, you must have the following items:
- A RADIUS authentication server to sign a Certificate Signing Request (CSR) and issue the signed CA certificate, which creates a trust chain between the authentication server and the ASP devices.
- An Alexa Smart Properties account with Pay By Invoice as the selected payment method.
- An Alexa Smart Properties supported device.
- A router that supports WPA2 Enterprise Wi-Fi.
Steps to set up WPA2 Enterprise Wi-Fi
For details about how to run the operations described in these steps, see Certificate Authority Management REST API Reference.
1. Visit the Alexa Smart Properties Console and request the WPA2 Enterprise Wi-Fi add-on package. An Alexa Smart Properties Solution Architect grants you access to the WPA2 Enterprise Wi-Fi feature after you confirm on-boarding and billing information.
2. Call Create certificate authority to create a new private certificate authority (CA). You use this CA to create certificates for your devices.
3. Call Get certificate authority details to obtain a CSR from the newly created certificate authority.
4. Sign the CSR on your RADIUS server and acquire a new CA certificate and certificate chain.
   Amazon recommends that you configure the CA certificate with a certificate validity period between three and six years.
   Important: When you provide the CSR, you must convert any new line characters (\n) from the JSON to actual new lines.
5. Store the CA certificate in your RADIUS server trust store so that the authentication server trusts your certificates.
6. Call Import certificate to activate the private CA by importing the CA certificate and certificate chain. Now, the CA can issue certificates to ASP devices.
   Important: When you provide the PEM-encoded certificate, you must convert any new lines to new line characters (\n) in the JSON payload.
7. Call Save Wi-Fi configurations to add the WPA2 Enterprise Wi-Fi network configuration to your credential locker. This action lets you associate the network to devices in Step 9.
8. Set up your devices on a pre-shared key network (standard username and password network) and associate the devices to units.
9. Call Set Wi-Fi configurations to associate the WPA2 Enterprise Wi-Fi network to your devices.
Your devices should now be able to connect to the WPA2 Enterprise Wi-Fi network. Credentials are automatically rotated by Alexa Smart Properties at the specified rotation period so that your devices are always connected to your WPA2 Enterprise Wi-Fi network.
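The two newline conversions called out as Important in the steps above are where hand-copied PEM most often breaks, so the following added example (not code from Amazon or the API reference) normalizes and validates PEM in both directions. The JSON field names csr, certificate and certificateChain are placeholders assumed for illustration, and the PEM bodies are constructed stand-ins rather than real CSRs or certificates.

```python
import base64
import json
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----", re.S)

def pem_blocks(value: str, label: str) -> list[str]:
    """Return every PEM block in value with real newlines; raise ValueError if malformed."""
    # Text copied out of raw JSON still holds the two characters '\' and 'n'.
    text = value.replace("\\r\\n", "\n").replace("\\n", "\n").replace("\r\n", "\n")
    matches = list(PEM_RE.finditer(text))
    if not matches or PEM_RE.sub("", text).strip():
        raise ValueError("input is not a clean sequence of PEM blocks")
    blocks = []
    for m in matches:
        if m.group(1) != label:
            raise ValueError(f"expected {label!r}, found {m.group(1)!r}")
        body = "".join(m.group(2).split())
        base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
        blocks.append(f"-----BEGIN {label}-----\n{m.group(2)}\n-----END {label}-----\n")
    return blocks

def import_payload(cert_pem: str, chain_pem: str) -> str:
    """Build the JSON body; json.dumps turns each real newline into \\n."""
    cert = "".join(pem_blocks(cert_pem, "CERTIFICATE"))
    chain = "".join(pem_blocks(chain_pem, "CERTIFICATE"))
    # Placeholder field names: take the real ones from the API reference.
    return json.dumps({"certificate": cert, "certificateChain": chain})

def _sample_pem(label: str, note: bytes) -> str:
    # Constructed stand-in body: valid base64, not a real CSR or certificate.
    return f"-----BEGIN {label}-----\n{base64.b64encode(note).decode()}\n-----END {label}-----\n"

SAMPLE_CSR = _sample_pem("CERTIFICATE REQUEST", b"constructed CSR body")
SAMPLE_CERT = _sample_pem("CERTIFICATE", b"constructed CA certificate body")
SAMPLE_CHAIN = SAMPLE_CERT + _sample_pem("CERTIFICATE", b"constructed root body")
# Constructed response; "csr" is a placeholder field name.
RAW_RESPONSE = json.dumps({"csr": SAMPLE_CSR})

if __name__ == "__main__":
    csr = pem_blocks(json.loads(RAW_RESPONSE)["csr"], "CERTIFICATE REQUEST")[0]
    print(csr, end="")  # what the signing CA should receive
    print(import_payload(SAMPLE_CERT, SAMPLE_CHAIN))
```

Parsing the response with a JSON library and building the request with one performs both conversions automatically; the explicit replacement in pem_blocks only matters when the value was copied out of raw JSON text by hand.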
Related topics
- Certificate Authority Management API
- Add-Ons for Alexa Smart Properties
- Endpoint Wi-Fi Management REST API Reference