Setup shared devices managed by Alexa for Business on WPA2 Enterprise Wi-Fi

Alexa for Business now allows organizations to setup and connect select Echo devices managed by Alexa for Business to their corporate WPA2 enterprise Wi-Fi network. This new feature, which was available in Beta since October 2018 and is now generally available, uses AWS Certificate Manager Private Certificate Authority (ACM – PCA) to generate device certificates based on your corporate root certificate and then distributes them to Echo devices using the Alexa for Business Device Setup Tool during the device setup process. Though Echo devices don’t need direct access to services on enterprise networks, many organizations prefer to have all devices on their WPA2 enterprise protected network to simplify network and device management.

This post provides the steps required to use WPA2 Enterprise Wi-Fi with your compatible Echo devices. Compatible Echo device are:

• Echo (2nd Generation)
• Echo Dot (2nd and 3rd Generation)
• Echo Plus (1st and 2nd Generation)

Setup Amazon Certificate Manager (ACM) Private Certificate Authority (PCAS)

To set up devices on a WPA2 Enterprise Wi-Fi network, you must follow the following four steps to first create a Private Certificate Authority (PCA) in Amazon Certificate Manager (ACM) and chain it to your corporate root certificate.

1. Create a Private Certificate Authority
2. Get a Certificate Signing Request (CSR)
3. Sign Your Private CA Certificate
4. Import Your Private CA Certificate into ACM PCA

After the PCA is created, the ACM Private CA becomes a subordinate issuing CAs under the customer’s Public Key Infrastructure (PKI). Certificates for Echo devices can now be issued under the private PKI.

Configure the Authentication Server

To set up devices on WPA2 Enterprise Wi-Fi, check that your authentication (RADIUS) server has been properly configured. Currently, Cisco ISE and FreeRadius authentication servers are supported. The details on how to perform this configuration vary depending on your network infrastructure, but includes these steps:

• Enable EAP-TLS on the authentication server. This may already be done if you have other devices using EAP-TLS.
• Ensure that the CAs in your PCAS CA’s certificate chain are added to the server’s trust store. It is likely that your existing root and intermediate CAs are already present, However, you may need to import the PCA CA itself into the trust store.
• Disable Active Directory checks for Echo devices. The precise steps to accomplish this will differ depending on your network stack.
• (Optional) If you’ve enabled CRL distribution for your PCAS CA, you must open all S3 IP ranges in your firewall. This enables your authentication server to contact Amazon S3 to retrieve the CRL. To get an updated list of these ranges, see AWS IP Address Ranges.

Ensure that Echo Devices have Up-to-Date Software

Software support for WPA2 Enterprise Wi-Fi was recently released and must be installed on Echo devices before they can receive certificates. If you use devices that are already set up, either for Alexa for Business or for personal use, they automatically receive the software update. If you’re using a brand-new device, you must first set it up on a non-WPA2 Enterprise network for at least 24 hours so it can receive and install the latest software.

Set up Devices using the Device Setup Tool

After ACM-PCA is set up and the authorization server has been configured, open Alexa for Business to begin device setup on your WPA2 Enterprise Wi-fi network. The Device Setup Tool (DST) is located by choosing Setup Devices on the Shared Devices page in the Alexa for Business console. You can install Device Setup Tool on a Windows laptop. Make sure to uninstall any other versions of Device Setup Tool before installation. By using the Device Setup Tool, devices can be configured individually or in bulk.

This capability is currently available for the Echo (2nd Generation), Echo Plus (1st and 2nd Generation), and Echo Dot (2nd and 3rd Generation). Again, WPA2 Enterprise Wi-Fi authentication is available only for shared devices managed by Alexa for Business service.

To complete configuration before setup, you must first create an IAM user for the Device Setup Tool.

To create an IAM user for the Device Setup Tool

1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Choose Users, Create new users.
3. Enter a user name (for example, DeviceSetupTool), and choose Programmatic access, Next.
4. Choose Attach existing policy directly, AlexaforBusinessDeviceSetup from the list, and Next.
5. If you plan on using WPA2 Enterprise for the Network security type in the Beta version of the Device Setup Tool, attach the following custom policy for additional ACM PCA permissions:

{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: [
“acm-pca:ListCertificateAuthorities”
],
“Resource”: “*”
},
{
“Effect”: “Allow”,
“Action”: [
“acm-pca:IssueCertificate”,
“acm-pca:GetCertificate”
],
“Resource”: “arn:aws:acm-pca:region:account:certificate-authority/11111111-1111-1111-111111111111”
}
]
}
If you don’t want to be restricted to a specific Private Certificate Authority, attach the following policy:

{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: [
“acm-pca:ListCertificateAuthorities”,
“acm-pca:IssueCertificate”,
“acm-pca:GetCertificate”
],
“Resource”: “*”
}
]
}

1. Choose Create user.
2. Download and save the IAM access key and secret key. You need them later when you configure the Device Setup Tool.

To Configure Wireless settings in Device Setup Tool

1. Enter the IAM access key and secret access key that you created for the Device Setup Tool user

2. Set these Wi-Fi network settings for Alexa devices to use your WPA2-Enterprise network:

1. Input Network SSID
2. For Network security type, choose WPA2-Enterprise
3. For EAP method, choose TLS
4. For AWS certificate authority, choose the CA that you created earlier

3. Setup authentication server trust
Provide the root certificate of your authentication server (RADIUS). This should be obtained from the IT admin who manages the Radius server and must be in PEM format. This certificate will be installed on the Echo devices. It will be used to trust your authentication server during EAP negotiation.

You can now put your Echo devices in Setup Mode and begin provisioning and registering of your Echo devices in Alexa for Business on your WPA2 Enterprise Wi-FI using the Device Setup Tool.