ports/esp32: added WPA-Enterprise (new) #17234
Conversation
|
Thank you for updating. There are a few minor code formatting complaints. Mostly trailing spaces and wrong indentation. And a wrong formatted commit message. But that is easy to fix. |
No problem, I'll take care of it tomorrow. |
89f82e8 to
7c1623d
Compare
|
OK The checks now finish successfully and all should be clean. If I should add anything to the documentation just drop me a message. |
|
@h-milz
|
|
@Josverl I forgot to mention that since my first tests in December, my uni apparently implemented EAP-TTLS entirely, so the five methods are all tested and working fine. The only test missing is EAP-TLS which is not supported in our network according to our network admins. As far as FAST, Espressif does support it in ESP-IDF as documented in https://docs.espressif.com/projects/esp-idf/en/stable/esp32/api-reference/network/esp_wifi.html but as far as I'm aware, I have no way of testing it, so I omitted it for now. I think this is a call for other developers to jump in and provide the proper interface. But then, the whole WPA3 enterprise stuff is still missing as well. Basically, WPA3 is supported in eduroam but I don't know if my uni implements it. Let me check, and if yes, I may be able to provide some working code as well. |
|
Yes, please add a documentation. |
I understand. Thing is, I intended to be as little intrusive as possible. Integrating it in connect() would probably require adding another switch, or I can just use eap_method and branch accordingly. But we would have to pack the whole arg parsing into connect() ... |
Thanks - Updated the table accordingly
Perhaps that can be a follow-up PR, having this merged in would be a step forward. |
About integrating this, from a Python perspective I think this can be modelled as an overload MicroPython interface `WLAN.connect()`
class WLAN:
# not sure if these should be classvars as that takes some space , or just documented
AUTH_EAP_PWD = 0
AUTH_EAP_PEAP = 1
AUTH_EAP_TTLS = 2
AUTH_EAP_TLS = 3
TTLS_PWD = 0
TTLS_MSCHAPV2= 1
TTLS_MSCHAP = 2
TTLS_PAP = 3
TTLS_CHAP = 4
@overload
def connect(
self,
ssid: str | None = None,
password: str | None = None,
/,
*,
bssid: bytes | None = None,
) -> None:
"""
Connect to the specified wireless network,
...
"""
...
@overload
def connect(
self,
ssid: str | None = None,
/,
password: str | None = None,
*,
bssid: bytes | None = None,
eap_method : int = AUTH_EAP_PWD , # what is a sensible default
username: str | None = None,
identity: str | None = None,
ca_cert: bytes | None = None, # or server_cert ?
ttls_method: int = TTLS_MSCHAPV2,
client_cert: bytes | None = None,
private_key: bytes | None = None,
private_key_passphrase: str | None = None,
disable_time_check: bool = False,
) -> None:
"""
Connect to the specified wireless network using WPA2
"""
...( Actually it could be a Protocol as the same protocols can be used for wired network access as well. but I think that is of less concern now) |
|
So - what should we do? Leave it as-is and leave it to the user to use a wrapper on top, or go the whole nine yards and modify From a timeline perspective, I'd vote for leaving it as it is right now, as an intermediary step so to speak. Let people use the code, find potential issues and pitfalls, identify things to add like FAST and WPA3, and plan for a unified and extended solution for the next release. I must also say I have a pretty busy semester ahead of me, and potentially little spare time until early August. |
|
In the earlier conversation @dpgeorge commented:
And yes, it is port specific and will not help the STM32 or RP2 guys Right, so this is the main thing to discuss and get right first: how this API will generalise to other WLAN drivers. Should it be a new method like eap_connect(), or should the existing connect() method be reused and new security arguments/options added to it? The latter seems the more obvious path to me. |
|
|
Hi guys, I finally managed to find some time to merge wlan_connect() and eap_connect() as discussed, and I also enable WPA3. Sadly, after extending the eap_connect() function, I get an compiler error which leaves me wondering. I'm attaching the local diff against the last successfully compiling version and the new one, as well as the relevant part of the idf.py build log. ATM I'm stuck. Does it have to do with the number of args? I can't see how and where MP_DEFINE_CONST_OBJ_TYPE_NARGS_2 would be used in this case, and why it would complain. network_wlan.c.errs.txt Thanks for any insight. |
G'day! Take a look at this diff when you get a chance. I haven’t tested Wi-Fi. But it builds fine for ESP32-S3, flashed without issues, and all added attributes are in place. |
|
@mrcreatd thank you for the heads up but your diff lacks my latest changes, merging wifi_connect() and eap_connect() as well as a few wpa3 extensions. My earlier version compiles and works fine as well but my question is what in my latest diff causes the problem. Maybe I don't see the forest for the trees. @robert-hh @Josverl sorry to bother you but can you please look at the issue? Thank you ! |
|
I doubt that I can help. I have no access to a WPA-Enterprise net. |
|
OK, the reason was a missing closing brace m( I have everything up and running and thoroughly tested as listed in Jos' list above, and all the new stuff is merged into connect(). I'll do some cleanups by tomorrow EOB, and if there's any documentation to add just ping me. Other than that, I noticed that this extension dropped from the 1.26 merge list because the old PR was closed. Can you add this one then? |
@dpgeorge , @projectgus , can you please re-add this PR to the 1.26 milestone if that is still feasible . |
|
@h-milz I based it on the master branch and just tried to get the PR and your patch compiling. I'm happy to help with testing this PR going forward if needed. |
75a4a34 to
e79bff1
Compare
Signed-off-by: Harald Milz <[email protected]>
Signed-off-by: Harald Milz <[email protected]>
Signed-off-by: Harald Milz <[email protected]>
Signed-off-by: Harald Milz <[email protected]>
Signed-off-by: Harald Milz <[email protected]>
Signed-off-by: Harald Milz <[email protected]>
Signed-off-by: Harald Milz <[email protected]>
Signed-off-by: Harald Milz <[email protected]>
e79bff1 to
085a8ab
Compare
Signed-off-by: Harald Milz <[email protected]>
|
OK, that seems to work now. I had to reword some older commits that still had "ports/esp32" in the commit messages which made the old code pop up again. |
|
@Josverl, @dpgeorge, @projectgus is there anything missing to add this to the 1.26 merge list? |
Summary
This PR supersedes #16463 which is FUBAR.
This PR adds WPA2 Enterprise support to the ESP32 port. In particular, the patch supports EAP-PWD, EAP-PEAP, and EAP-TTLS (all supported ttls phase2 methods). Code for EAP-TLS is also included but UNTESTED and EXPERIMENTAL. The patch is a thin wrapper around the ESP-IDF functions and does not implement any further network or security relevant programming. Consequently, it is specific to the ESP32 port.
Testing
The patch was developed and tested in the Technical University of Munich
eduroamnetwork on an ESP32_GENERIC_S3 board, namely, a CrowPanel 5.0"-HMI ESP32 Display board with a ESP32-S3-WROOM-1-N4R8 module, as well as a generic ESP32-C6 board from DFRobot, on MPY v1.23.0 using ESP-IDF 5.22 and on MPY v1.25.0 using ESP-IDF 5.4.0.Usage example:
Trade-offs and Alternatives
If your board does not have a hardware RTC, odds are that the server certificate validation for EAP-PEAP, -TTLS and potentially -TLS will fail due to the system time being way off. As a workaround, you can set the system time to build time on system start like this:
and from then on, synchronize the internal RTC using NTP in regular intervals.
More documentation is contained in
ports/esp32/README.md.