WPA2 Enterprise Wi-Fi

---

WPA2 Enterprise Wi-Fi lets you connect your Alexa devices to WPA2 Extensible Authentication Protocol (EAP) Transport Layer Security (TLS) networks and let Alexa Smart Properties manage issuing and rotating certificates to your devices. WPA2 EAP TLS is a standard and widely-adopted enterprise authentication method that allows devices to meet the latest information security requirements. A device can connect to an WPA2 Enterprise Wi-Fi network only if it has a certificate issued by a trusted certificate authority, which provides an additional level of security on top of pre-shared key public networks. With WPA2 Enterprise Wi-Fi, you can create certificate authorities that generate certificates for your Alexa devices so that they connect to WPA2 Enterprise Wi-Fi networks.

Prerequisites

In order to use the WPA2 Enterprise Wi-Fi add-on, you must have the following:

• A RADIUS server that you use to sign a certificate signing request, and obtain certificates and a certificate chain.
• An Alexa Smart Properties account with Pay By Invoice as the selected payment method.
• An Alexa Smart Properties supported device.
• A router that supports WPA2 Enterprise Wi-Fi.

Steps to set up WPA2 Enterprise Wi-Fi

For details on how to run the operations described in these steps, see Certificate Authority Management API.

1. Visit the Alexa Smart Properties Console and request the WPA2 Enterprise Wi-Fi add-on package. An Alexa Smart Properties Solution Architect grants you access to the WPA2 Enterprise Wi-Fi feature after you confirm on-boarding and billing information.
2. Call POST /v1/enterprise/certificateAuthorities/ to create a new certificate authority. You use this certificate authority to create certificates for your devices. For details, see Create certificate authority.
3. Call GET /v1/enterprise/certificateAuthorities/{certificateAuthorityId}?expand=all to obtain a certificate signing request from the newly created certificate authority. For details, see Get certificate authority details.

4. Sign the certificate signing request on your RADIUS server and acquire a new certificate and certificate chain.

   Amazon recommends that you configure the imported certificate with a certificate validity period between three to six years.

   Important: When you provide the certificate signing request, you must convert any new line characters (\n) from the JSON to actual new lines
5. Store the certificate into your RADIUS servers trust store so that the authentication server trusts your certificates.

6. Call POST /v1/enterprise/certificateAuthorities/{certificateAuthorityId}/importCertificate to activate the Certificate Authority by importing the certificate and certificate chain. For details, see Import certificate.

   Important: when you provide the PEM-encoded certificate, you must convert any new lines to new line characters (\n) in the JSON payload.
7. Call POST /credentiallocker/v2/saveWifiConfigurations to add the WPA2 Enterprise Wi-Fi network to your credential locker. This action lets you associate the network to devices.
8. Set up your devices on a pre-shared key network (standard username and password network) and associate the devices to units.
9. Call POST /v2/endpoints/{endpointId}/features/connectivity/addOrUpdateWifiConfigurations to associate the WPA2 Enterprise Wi-Fi network to your devices.

Your devices should now be able to connect to the new WPA2 Enterprise Wi-Fi network. Credentials are automatically rotated by Alexa Smart Properties at the specified rotation period so your devices are always connected to your WPA2 Enterprise Wi-Fi network.

Related topics

• Certificate Authority Management API
• Add-Ons for Alexa Smart Properties

---

---

Last updated: frontmatter-missing