doc: networking: Add doc for EAP methods

kapbh · kartben · commit 15cf0c518eac · 2025-06-27T10:58:22.000+02:00
Add commands to connect with EAP-TTLS and EAP-PEAP
security modes.

Signed-off-by: Kapil Bhatt &lt;kapil.bhatt@nordicsemi.no&gt;
diff --git a/doc/connectivity/networking/api/wifi.rst b/doc/connectivity/networking/api/wifi.rst
@@ -97,15 +97,43 @@ To facilitate installation of the certificates, a helper script is provided, see
 The script will install the certificates in the ``rsa2k`` directory to the TLS credentials store in the device over UART and using TLS credentials shell commands.
 
 
-To initiate Wi-Fi connection, the following command can be used:
+To initiate Wi-Fi connection using enterprise security, use one of the following commands depending on the EAP method:
+
+**EAP-TLS**
+
+.. code-block:: console
+
+    uart:~$ wifi connect -s <SSID> -c <channel> -k 7 -w 2 -a <Anonymous identity> --key1-pwd <Password EAP phase1> --key2-pwd <Password EAP phase2>
+
+**EAP-TTLS-MSCHAPV2**
+
+.. code-block:: console
+
+    uart:~$ wifi connect -s <SSID> -c <channel> -k 14 -K <Private key Password> --eap-id1 <Client Identity> --eap-pwd1 <Client Password> -a <Anonymous identity>
+
+**EAP-PEAP-MSCHAPV2**
 
 .. code-block:: console
 
-    uart:~$ wifi connect -s <SSID> -c 149 -k 7 -w 2 -a client1 --key1-pwd whatever --key2-pwd whatever
+    uart:~$ wifi connect -s <SSID> -c <channel> -k 12 -K <Private key Password> --eap-id1 <Client Identity> --eap-pwd1 <Client Password> -a <Anonymous identity>
 
 Server certificate is also provided in the same directory for testing purposes.
 Any AAA server can be used for testing purposes, for example, ``FreeRADIUS`` or ``hostapd``.
 
+Certificate requirements for EAP methods
+----------------------------------------
+
+Different EAP methods require different certificates on the client side:
+
+* **EAP-TLS**:
+  Requires both a client certificate (and private key) and the CA certificate on the client. The client authenticates itself to the server using its certificate.
+
+* **EAP-TTLS-MSCHAPV2**:
+  Requires only the CA certificate on the client. The client authenticates to the server using a username and password (MSCHAPV2) inside the TLS tunnel. No client certificate is needed.
+
+* **EAP-PEAP-MSCHAPV2**:
+  Requires only the CA certificate on the client. Like TTLS, the client uses a username and password (MSCHAPV2) inside the TLS tunnel and does not need a client certificate.
+
 .. note::
 
     The certificates are for testing purposes only and should not be used in production.
