Search

Are you looking for test card numbers?

Would you like to contact support?

Point-of-sale icon

Wi-Fi profiles

Manage the Wi-Fi configuration of your terminals from the Customer Area.

To connect to your wireless network, the payment terminal needs to know certain network properties, depending on your type of Wi-Fi network. For example, the terminal needs to know basic properties such as the channel, password, and name of the network as well as advanced properties such as certificates for server validation and client authentication.
The terminal obtains the network properties through a Wi-Fi profile, which you can set up and manage remotely in the Customer Area. The terminal receives and loads the remote Wi-Fi profile as part of the terminal configuration.

Wi-Fi network and profile types

Adyen payment terminals support the following Wi-Fi networks:

WPA type Authentication Cipher suite Encryption
WPA-Personal PSK TKIP RC4
WPA-Enterprise EAP-PEAP, EAP-TLS TKIP RC4
WPA2-Personal PSK CCMP/TKIP AES
WPA2-Enterprise EAP-PEAP, EAP-TLS CCMP/TKIP AES

The network properties are supplied to the terminal in an SSID profile, which we refer to as the Wi-Fi profile. This can be a local profile or a remote profile.

  • Local Wi-Fi profile:

    • Is managed locally on the terminal.
    • Supports WPA Personal and WPA2 Personal networks. However, we recommend using a remote Wi-Fi profile.
    • Doesn't support WPA Enterprise and WPA2 Enterprise networks.
  • Remote Wi-Fi profile:
    • Is managed centrally from the Customer Area. This allows you to:
      • Configure Wi-Fi settings in one place instead of on each individual terminal.
      • Implement changes in one place instead of on each individual terminal, for example when the PSK password or an EAP-PEAP certificate expires.
    • Is mandatory for WPA Enterprise and WPA2 Enterprise networks.
    • Also supports WPA Personal and WPA2 Personal networks.

Set up remote Wi-Fi profiles

You can set up the following remote Wi-Fi profiles:

  • Enterprise EAP-PEAP: A profile for WPA-Enterprise and WPA2-Enterprise networks using EAP-PEAP authentication. This type of authentication uses only server-side certificates.
  • Enterprise EAP-TLS: A profile for WPA-Enterprise and WPA2-Enterprise networks using EAP-TLS authentication. This type of authentication uses both server-side and client-side certificates. The authentication server of the Wi-Fi network validates the certificate of the Adyen terminal, and the terminal as Wi-Fi client validates the certificate of the authentication server. This makes it the most secure wireless network, but you need to manage more certificates.

    Because of the technical complexities, the option to create this type of profile is only available on demand. Contact your Adyen account manager.

  • Personal PSK: A profile for WPA-Personal and WPA2-Personal networks using PSK authentication.

The account level where you need to configure your remote Wi-Fi profile depends on the network infrastructure architecture and the account structure in the Customer Area. For example, if there is a store-specific Wi-Fi network and the account is structured with stores, configure the remote Wi-Fi profile at the store level.

Select a tab to see the instructions for the type of remote profile you want to set up.

Set up an Enterprise EAP-PEAP profile

  1. Make sure you have the following certificates converted to .pem format:

    • CA root certificate. This must be the root certificate from the CA that signed the certificate of the RADIUS server that is part of your wireless network.
    • EAP intermediate certificate. This is optional, depending on your network infrastructure.

  2. Log in to your Customer Area.

  3. Switch to the merchant account or store that you want to configure a Wi-Fi profile for.

  4. Go to Terminal settings > Connectivity.

  5. Under Wi-Fi profiles select the + (plus) sign.
    The Wi-Fi Profile dialog opens.

  6. Complete the authentication type and WI-FI PROFILE settings:

    • WiFi Security: Select wpa_eap for a WPA Enterprise network or wpa2_eap for a WPA2 Enterprise network.
    • Name: Name of the profile.
    • SSID: Name of the wireless network.
    • Default: Select this checkbox if this is your preferred wireless network. The terminal will try connecting to that network first.

  7. Complete the EAP SETTINGS:

    • EAP: Select peap. The applicable fields appear.
    • EAP Identity: EAP-PEAP username from your MS-CHAP account. Must match the configuration of your RADIUS server.
    • EAP Password: EAP-PEAP password from your MS-CHAP account. Must match the configuration of your RADIUS server.
    • EAP CA Cert: Upload the CA root certificate in .pem format. This must be the root certificate from the CA that signed the certificate of the RADIUS server that is part of your wireless network.
    • EAP Intermediate Cert: Upload the EAP intermediate certificate in .pem format.

  8. Complete the NETWORK SETTINGS, making sure they match your Wi-Fi infrastructure:

    • Channel: The recommended setting is auto.
    • BSS Type: The recommenced setting is infra.
    • Encryption: The recommended setting is ccmp.

  9. Select Save in the dialog.
    The profile is added.

  10. Select Save at the bottom of the terminal settings page.

Set up an Enterprise EAP-TLS profile

The TLS option is hidden by default. To make it available, contact your Adyen account manager.

  1. Make sure you have the following certificates/keys, either in a PFX bundle or as individual files:

    • CA root certificate. This must be the root certificate from the CA that signed the certificate of the RADIUS server that is part of your wireless network.
    • Client certificate for the terminals.
    • Client key.

  2. Log in to your Customer Area.

  3. Switch to the merchant account or store that you want to configure a Wi-Fi profile for.

  4. Go to Terminal settings > Connectivity.

  5. Under Wi-Fi profiles select the + (plus) sign.
    The Wi-Fi Profile dialog opens.

  6. Complete the authentication type and WI-FI PROFILE settings:

    • WiFi Security: Select wpa_eap for a WPA Enterprise network or wpa2_eap for a WPA2 Enterprise network.
    • Name: Name of the profile.
    • SSID: Name of the wireless network.
    • Default: Select this checkbox if this is your preferred wireless network. The terminal will try connecting to that network first.

  7. Under EAP SETTINGS complete these boxes:

    • EAP: Select tls. (Contact your account manager if you don't see the tls option.) The applicable fields appear.
    • EAP Identity: CommonName of the EAP client certificate.

  8. Complete the remaining EAP SETTINGS depending on how you will provide the certificates and key: As separate files or in a PFX bundle.

    • To provide the certificates and key as separate files, proceed as follows:

      • Use.pfx bundle: Don't select this checkbox.
      • EAP CA Cert: Upload the CA root certificate in .pem format. This must be the root certificate from the CA that signed the certificate of the RADIUS server that is part of your wireless network. If applicable include intermediate certificates in the certificate chain.
      • EAP Client Cert: Upload a file in .pem format containing the certificate chain for the terminals. All terminals in the same network will use the same EAP client certificate.
      • EAP Client Key: Upload a file in .key or .pem format containing the RSA private key for the client. Include the begin and end lines -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.
      • EAP Client Key Password: Optional. If applicable, type the password protecting the file containing the RSA key.

    • To provide the certificates and key bundled into a PFX file, proceed as follows:

      • Use.pfx bundle: Select this checkbox.
      • Certificate file: Upload a file in .pfx format containing the certificates and key.
      • Import password: Optional. If applicable, type the password protecting the PFX file.
      • EAP Client Key Password: Optional. If applicable, type the password protecting the file containing the RSA key.

  9. Complete the NETWORK SETTINGS, making sure they match your Wi-Fi infrastructure:

    • Channel: The recommended setting is auto.
    • BSS Type: The recommenced setting is infra.
    • Encryption: The recommended setting is ccmp.

  10. Select Save in the dialog.
    The profile is added.

  11. Select Save at the bottom of the terminal settings page.

Set up a Personal PSK profile

  1. Log in to your Customer Area.

  2. Switch to the merchant account or store that you want to configure a Wi-Fi profile for.

  3. Go to Terminal settings > Connectivity.

  4. Under Wi-Fi profiles select the + (plus) sign.
    The Wi-Fi Profile dialog opens.

  5. Complete the authentication type and WI-FI PROFILE settings:

    • WiFi Security: Select wpa_psk for a WPA Personal network or wpa2_psk for a WPA2 Personal network.
    • Name: Name of the profile.
    • SSID: Name of the wireless network.
    • PSK: The password to your wireless network.
    • Default: Select this checkbox if this is your preferred wireless network. The terminal will try connecting to that network first.

  6. Complete the NETWORK SETTINGS, making sure they match your Wi-Fi infrastructure:

    • Channel: The recommended setting is auto.
    • BSS Type: The recommenced setting is infra.
    • Encryption: The recommended setting is ccmp.

  7. Select Save in the dialog.
    The profile is added.

  8. Select Save at the bottom of the terminal settings page.

Load profiles on the terminal

First-time use

When you have set up a remote profile and are going to use the terminal for the first time, you need to set up a temporary internet connection on the terminal and then board the terminal. During boarding, the terminal retrieves its configuration including the Wi-Fi profile. The terminal then automatically reconnects to the internet using the network settings specified in the Wi-Fi profile.

To set up an initial temporary connection, you can use the alternative connectivity options of the terminal (if any) such as Ethernet or 3G/4G cellular, or connect to a (Personal) Wi-Fi network that doesn't require a remote profile.

Updates

An already-boarded terminal will receive a new Wi-Fi profile or changes to an existing Wi-Fi profile through the regular automatic maintenance call.

Because the Wi-Fi profile is part of the terminal configuration, you can also obtain it manually by downloading the latest configuration: On the terminal open the Admin menu and select Config > Update.

Manage changes with multiple-node Wi-Fi profiles

Over time, changes will occur in your wireless network:

  • Certificates are about to expire.
  • The EAP-PEAP username and password need to change.
  • The PSK needs to be reset.
  • You want to migrate to a different network, for example from a Personal network to an Enterprise network.

To manage such changes you can configure multiple Wi-Fi profiles or "profile nodes" for the same SSID. Each profile node for the SSID contains a different configuration. For example:

  • Profile node 1, which is the first profile you configured, contains the current certificates.
  • Profile node 2, which you configured next, contains the new certificates that will be needed when the current certificates expire.

The terminal tries to connect to the SSID using the available profile nodes one by one until it succeeds in establishing a connection. The next time the terminal tries to connect, as when rebooting or updating the software, it will start with the same profile node that it used for the previous successful connection.

If the terminal has established a connection, but the corresponding profile node fails, the terminal starts again trying to connect using the profile nodes one by one.

If a profile is outdated, you can remove it.

See also