WPA2 Enterprise for ESP32 (again!)

[h-milz]

Hi guys,

this topic seems to keep popping up every now and then, but so far there seems to be no apparent progress on this. I'd like to pick this up and provide a PR asap.

I made a small patch against ports/esp32/network_wlan.c and ports/esp32/esp32_common.cmake, essentially exposing the esp-idf esp_eap_client interface which is supposed to replace wpa2_ent which is deprecated. Connecting to the university network eduroam at Technical University of Munich in EAP-PWD mode works fine (as in "works for me"), but I am struggling with getting EAP-PEAP to work. (I hear that not all eduroam environments support EAP-PWD, which is why.) Maybe someone has an idea how to get this up and running.

ports/esp32/esp32_common.cmake adds only wpa_supplicant to the IDF_COMPONENTS.

The patch against ports/esp32/network_wlan.c is attached albeit still a bit raw.

network_wlan.diff.txt

The following Python snippet works nicely for EAP-PWD but gives me a consistent STAT_WRONG_PASSWORD for EAP-PEAP, and I don't understand why.

    identity = "[email protected]"
    username = "[email protected]"          
    password = "my_password"    
    certfile = "/T-TeleSec_GlobalRoot_Class_2.pem"
    ssid = "eduroam"
    
    wlan.active(True)
    # wlan.eap_init(ssid)
    wlan.connect(ssid, None)

    eap_peap = False
    try:
        with open (certfile) as file:
            ca_cert = file.read()
        eap_peap = True
        proto = "EAP-PEAP"
    except Exception as e:
        proto = "EAP-PWD"
        
    wlan.eap_set_username(username)
    wlan.eap_set_password(password)
    wlan.eap_set_new_password(password)    # is this needed at all? 
    if eap_peap:
        wlan.eap_set_identity(identity)
        wlan.eap_set_ca_cert(ca_cert)

    wlan.eap_enable()

# blablabla print connection status 

I also tried the esp-idf example for wifi_enterprise and it works out of the box after configuring the correct credentials and supplying the CA certificate mentioned above, so I can assume wpa_supplicant as such works fine.

Comparing the sequence of things, I noticed that in the example, network_wlan_connect() is not invoked. Instead, all it does after setting all the variables, it merely does

    ESP_ERROR_CHECK(esp_wifi_sta_enterprise_enable());
    ESP_ERROR_CHECK(esp_wifi_start());

which is why I created this little eap_init() routine doing some things similarly to the example and in the end I just do a wifi_sta_enterprise_enable and wifi_start.

I also suspected the certificate to be mangled somehow by the file.read() but comparing it to the binary translated version of this certificate that gets linked into the example it's byte by byte identical.

No difference if I supply the password to wlan.connect(). It's a different password variable internally anyway.

Any insight would be appreciated.

N.B.: I omitted the EAP-TTLS stuff so far because I have no way of testing this, but if anyone wants to I can add the few lines.