cpu/esp32/esp wifi: add WPA2 enterprise mode with IEEE 802.1x/EAP authentication #12024

Merged: 6 commits, Mar 22, 2020

Contributor

@gschorcht gschorcht commented Aug 16, 2019

Contribution description

This PR adds the WPA2 enterprise mode with IEEE 802.1X/EAP authentication to the WiFi netdev driver.

To use the WiFi netdev driver in WPA2 enterprise mode with IEEE 802.1X/EAP
authentication, module esp_wifi_enterprise has to be enabled. It supports the following EAP authentication methods:

  • PEAPv0
  • PEAPv1
  • TTLS

As inner (phase 2) EAP authentication method, only MSCHAPv2 is supported.

To use module esp_wifi_enterprise with these authentication methods, the
following configuration parameters have to be defined:

Parameter | Default | Description
:------------------|:----------|:------------
ESP_WIFI_SSID | "RIOT_AP" | SSID of the AP to be used.
ESP_WIFI_EAP_ID | none | Optional anonymous identity used in phase 1 (outer) EAP authentication. If it is not defined, the user name defined for phase 2 (inner) EAP authentication is used as identity in phase 1.
ESP_WIFI_EAP_USER | none | User name used in phase 2 (inner) EAP authentication.
ESP_WIFI_EAP_PASS | none | Password used in phase 2 (inner) EAP authentication.
ESP_WIFI_STACKSIZE | #THREAD_STACKSIZE_DEFAULT | Stack size used for the WiFi netdev driver thread.

[UPDATE] WPA2 enterprise mode only works for ESP32 at the moment. For ESP8266, it would need ESP8266_RTOS_SDK v3.3.

Testing procedure

Flash and test examples/gnrc_networking. Should work for example with eduroam:

USEMODULE='esp_wifi_enterprise' CFLAGS='-DESP_WIFI_SSID=\"ssid\" -DESP_WIFI_EAP_USER=\"user\" -DESP_WIFI_EAP_PASS=\"pass\"' make BOARD=esp32-wroom-32 -C examples/gnrc_networking flash term

[UPDATE] Now that lwIP in RIOT supports IPv4 with DHCP, it might be easier to test the PR with:

LWIP_IPV4=1 USEMODULE='esp_wifi_enterprise' CFLAGS='-DESP_WIFI_SSID=\"ssid\" -DESP_WIFI_EAP_USER=\"user\" -DESP_WIFI_EAP_PASS=\"pass\"' make BOARD=esp32-wroom-32 -C tests/lwip flash term

Issues/PRs references

Depends on #11947, #11994 and #11997
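
The build configuration described above, as an added example that is not part of the original PR or of RIOT: it assembles the same `make` invocation, sets ESP_WIFI_EAP_ID so that the phase 1 identity, which is sent before the TLS tunnel exists, does not carry the user name, and prompts for the password instead of typing it on the command line. The helper names, the `anonymous@<realm>` convention and the character allow-list are assumptions of this example.

```python
"""Added example: build the RIOT make invocation for esp_wifi_enterprise.

Assumptions (not from the PR): the helper names, the "anonymous@<realm>"
convention for the outer identity, and the conservative character allow-list.
"""
import getpass
import os
import re
import subprocess

# Values end up inside CFLAGS, which make hands to a shell; anything outside
# this allow-list is rejected instead of escaped.
_SAFE = re.compile(r"[A-Za-z0-9@._+-]+")


def _define(name, value):
    if not _SAFE.fullmatch(value):
        raise ValueError(f"{name}: unsupported character in value")
    # Same quoting as the PR's command line: -DNAME=\"value\"
    return f'-D{name}=\\"{value}\\"'


def outer_identity(user):
    """Phase 1 identity that keeps the realm for routing but hides the user."""
    _, sep, realm = user.partition("@")
    return f"anonymous@{realm}" if sep and realm else "anonymous"


def make_invocation(ssid, user, password, eap_id=None, lwip_ipv4=False,
                    board="esp32-wroom-32"):
    """Return (env_overrides, argv) for the build described in the PR."""
    eap_id = eap_id or outer_identity(user)
    cflags = " ".join([
        _define("ESP_WIFI_SSID", ssid),
        _define("ESP_WIFI_EAP_ID", eap_id),
        _define("ESP_WIFI_EAP_USER", user),
        _define("ESP_WIFI_EAP_PASS", password),
    ])
    env = {"USEMODULE": "esp_wifi_enterprise", "CFLAGS": cflags}
    app = "examples/gnrc_networking"
    if lwip_ipv4:
        env["LWIP_IPV4"] = "1"
        app = "tests/lwip"
    return env, ["make", f"BOARD={board}", "-C", app, "flash", "term"]


def main():
    user = input("EAP user (user@realm): ")
    # getpass keeps the password out of shell history and off the screen;
    # it is still compiled into the firmware as a string literal.
    password = getpass.getpass("EAP password: ")
    env, argv = make_invocation("eduroam", user, password, lwip_ipv4=True)
    subprocess.run(argv, env={**os.environ, **env}, check=True)


if __name__ == "__main__":
    main()
```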

@gschorcht gschorcht added the Area: cpu, Area: network, Platform: ESP and Type: new feature labels Aug 16, 2019
@gschorcht gschorcht added this to the Release 2019.10 milestone Sep 5, 2019
@gschorcht gschorcht added the CI: ready for build label Sep 5, 2019
@gschorcht gschorcht changed the title from "cpu/esp32/esp wifi: add WPA2 enterprise mode with IEEE 802.x/EAP authentication" to "cpu/esp32/esp wifi: add WPA2 enterprise mode with IEEE 802.1x/EAP authentication" Sep 19, 2019
@kb2ma kb2ma modified the milestones: Release 2019.10, Release 2020.01 Oct 1, 2019
@gschorcht gschorcht force-pushed the cpu/esp32/esp_wifi/wpa2_enterprise branch 2 times, most recently from 64120f2 to 0d1192c Compare December 11, 2019 17:14
@gschorcht
Contributor Author

@MrKevinWeiss @smlng @benpicco It would be great if someone could take a look at this PR. It makes it possible to use WPA2 Enterprise WiFi networks like eduroam. I think it is worth releasing it with 2020.01.

Even though the PR seems to be pretty complex, it is a very small change. Most of the code is simply original vendor code. The only real change is in file cpu/esp32/esp-wifi/esp_wifi_netdev.c.

@MrKevinWeiss MrKevinWeiss self-requested a review December 12, 2019 09:31
@MrKevinWeiss
Contributor

This looks pretty cool. I will try to find some time to dedicate to this but I can't make any promises until after Jan 15.

@aabadie
Contributor

aabadie commented Jan 15, 2020

> I can't make any promises until after Jan 15

Jan 15 has arrived :) Any chance that you could test this one @MrKevinWeiss ?

@gschorcht, this needs a rebase BTW.

@gschorcht
Contributor Author

gschorcht commented Jan 15, 2020

Rebased.

@gschorcht gschorcht force-pushed the cpu/esp32/esp_wifi/wpa2_enterprise branch from 0d1192c to 6dccb60 Compare January 15, 2020 08:15
@gschorcht
Contributor Author

@miri64 I have a short question. When esp_wifi_enterprise is used as netdev with tests/gnrc_networking, I get the warning

    Use GNRC_IPV6_NIB_CONF_SLAAC=1 to activate.

Would it make sense to set GNRC_IPV6_NIB_CONF_SLAAC=1 by default if module esp_wifi_enterprise or esp_wifi is used to get a link local address by SLAAC?

@miri64
Member

miri64 commented Jan 15, 2020

Yes and it should be as long as you don't pull in 6LN or 6LR support (or are you also having esp_now pulled in automatically? edit: This would activate the former)

@gschorcht
Contributor Author

> Yes and it should be as long as you don't pull in 6LN or 6LR support (or are you also having esp_now pulled in automatically? edit: This would activate the former)

esp_now is pulled in automatically as default netdev.

@miri64
Member

miri64 commented Jan 15, 2020

> > Yes and it should be as long as you don't pull in 6LN or 6LR support (or are you also having esp_now pulled in automatically? edit: This would activate the former)
>
> esp_now is pulled in automatically as default netdev.

Then I would either make it a dependency on esp_wifi and gnrc_ipv6_nib (but only if GNRC_IPV6_NIB_CONF_SLAAC is not configured by the application... The user might not want/need it e.g. when using DHCPv6 later on) or configure it in the application as we do currently when using gnrc_ipv6_default on a 6LN with a Linux-based border router.

@benpicco
Contributor

Would you prefer to have this in before or after #12955?
I already tried this PR on the 36C3 WiFi, but it didn't work (as expected) as it only implements MSCHAPv2.

I should be able to test this on eduroam soon 😉

@gschorcht
Contributor Author

> Would you prefer to have this in before or after #12955?

Not really sure. Both merges will produce conflicts since esp_wifi netdev will be moved to cpu/esp_common by PR #12955. Since the changes in cpu/esp32/esp_wifi/esp_wifi_netdev.c are small, it might be easier to merge #12955 first.

> I already tried this PR on the 36C3 WiFi, but it didn't work (as expected) as it only implements MSCHAPv2.

Yeah, unfortunately we depend on the wpa_supplicant port shipped with the ESP-IDF SDK since the binary libraries of the SDK link against some functions from this wpa_supplicant port. I would prefer to use the original one as a package.

`nvs_flash` functions have to be set to 0 if module `esp_idf_nvs_flash` is not enabled. Otherwise wpa_supplicant will crash in WPA2 Enterprise mode.
Add all files of wpa_supplicant from ESP32 SDK that are required for WPA2 Enterprise mode.
@gschorcht gschorcht force-pushed the cpu/esp32/esp_wifi/wpa2_enterprise branch from 6dccb60 to 365fc01 Compare February 23, 2020 12:27
@gschorcht
Contributor Author

gschorcht commented Mar 18, 2020

> Now I get the same error, is there some reason why I get xtensa-esp32-elf-gcc: error: /data/riotbuild/riotbase/examples/gnrc_networking/bin/esp32-wroom-32/esp_wifi_enterprise.a error?

Are you sure that you have the right source code version? Could you check that you have this change in your code?

Sorry for asking that, but the only reason for the error message

esp_wifi_enterprise.a: No such file or directory

can be that esp_wifi_enterprise.a isn't known as a pseudomodule. In that case it is looking for a module library.

@MrKevinWeiss
Contributor

probably would help if I was on this PR (I was on the esp power mode pr 😥 )

@MrKevinWeiss
Contributor

It seems like some success, it is no longer complaining that it cannot connect but I think there are some problems with trying to use this with eduroam (maybe my password is outdated or something)
I only get

2020-03-18 11:06:20,008 #  ifconfig
2020-03-18 11:06:20,012 # ET_00:  inet 0.0.0.0
2020-03-18 11:06:20,013 # 

This is with the lwip fw

@gschorcht
Contributor Author

gschorcht commented Mar 18, 2020

> I only get
>
> 2020-03-18 11:06:20,008 #  ifconfig
> 2020-03-18 11:06:20,012 # ET_00:  inet 0.0.0.0
> 2020-03-18 11:06:20,013 #
>
> This is with the lwip fw

Do you get repeating messages like WiFi disconnected from ssid eduroam, reason ...?

@MrKevinWeiss
Contributor

Nope it seems like it connected, do you think it is something to do with restrictions at HAW?

@benpicco
Contributor

I remember that there were issues with multiple connections from the same eduroam account, do you have other devices logged into the WiFi?

@gschorcht
Contributor Author

> Nope it seems like it connected, do you think it is something to do with restrictions at HAW?

That is, you get something like WiFi disconnected from ssid eduroam? If so, the association as well as the WiFi authentication using 802.1x/EAP should have been successful. Then it might be only that you don't get an IPv4 address via DHCP.

@MrKevinWeiss
Contributor

> I remember that there were issues with multiple connections from the same eduroam account, do you have other devices logged into the WiFi?

I don't know, this is the only ESP in the rack, but there are many other things in the server room so maybe.

@MrKevinWeiss
Contributor

gnrc networking has an interface, but some problems it seems

> 2020-03-18 12:18:36,551 #  WiFi disconnected from ssid eduroam, reason 204 (HANDSHAKE_TIMEOUT)
ifconfig
2020-03-18 12:18:43,990 # ifconfig
2020-03-18 12:18:44,003 # Iface  8  HWaddr: 30:AE:A4:D3:35:AC  Link: down 
2020-03-18 12:18:44,011 #           L2-PDU:1500 MTU:1500  HL:64  RTR  
2020-03-18 12:18:44,015 #           RTR_ADV  
2020-03-18 12:18:44,022 #           Source address length: 6
2020-03-18 12:18:44,027 #           Link type: wireless
2020-03-18 12:18:44,039 #           inet6 addr: fe80::32ae:a4ff:fed3:35ac  scope: link  VAL
2020-03-18 12:18:44,042 #           inet6 group: ff02::2
2020-03-18 12:18:44,045 #           inet6 group: ff02::1
2020-03-18 12:18:44,048 #           inet6 group: ff02::1:ffd3:35ac
2020-03-18 12:18:44,051 #           inet6 group: ff02::1a
2020-03-18 12:18:44,052 #           
2020-03-18 12:18:44,055 #           Statistics for Layer 2
2020-03-18 12:18:44,058 #             RX packets 0  bytes 0
2020-03-18 12:18:44,061 #             TX packets 3 (Multicast: 3)  bytes 0
2020-03-18 12:18:44,064 #             TX succeeded 0 errors 0
2020-03-18 12:18:44,067 #           Statistics for IPv6
2020-03-18 12:18:44,069 #             RX packets 0  bytes 0
2020-03-18 12:18:44,073 #             TX packets 3 (Multicast: 3)  bytes 192
2020-03-18 12:18:44,076 #             TX succeeded 3 errors 0
2020-03-18 12:18:44,077 # 
> 2020-03-18 12:19:09,411 #  WiFi disconnected from ssid eduroam, reason 204 (HANDSHAKE_TIMEOUT)
2020-03-18 12:19:12,255 # WiFi disconnected from ssid eduroam, reason 201 (NO_AP_FOUND)
ifcon2020-03-18 12:19:45,132 # WiFi disconnected from ssid eduroam, reason 5 (ASSOC_TOOMANY)
fig
2020-03-18 12:19:45,686 # ifconfig
2020-03-18 12:19:45,697 # Iface  8  HWaddr: 30:AE:A4:D3:35:AC  Link: down 
2020-03-18 12:19:45,705 #           L2-PDU:1500 MTU:1500  HL:64  RTR  
2020-03-18 12:19:45,709 #           RTR_ADV  
2020-03-18 12:19:45,716 #           Source address length: 6
2020-03-18 12:19:45,722 #           Link type: wireless
2020-03-18 12:19:45,733 #           inet6 addr: fe80::32ae:a4ff:fed3:35ac  scope: link  VAL
2020-03-18 12:19:45,739 #           inet6 group: ff02::2
2020-03-18 12:19:45,745 #           inet6 group: ff02::1
2020-03-18 12:19:45,752 #           inet6 group: ff02::1:ffd3:35ac
2020-03-18 12:19:45,758 #           inet6 group: ff02::1a
2020-03-18 12:19:45,761 #           
2020-03-18 12:19:45,767 #           Statistics for Layer 2
2020-03-18 12:19:45,774 #             RX packets 0  bytes 0
2020-03-18 12:19:45,780 #             TX packets 4 (Multicast: 4)  bytes 0
2020-03-18 12:19:45,782 #             TX succeeded 0 errors 0
2020-03-18 12:19:45,785 #           Statistics for IPv6
2020-03-18 12:19:45,788 #             RX packets 0  bytes 0
2020-03-18 12:19:45,792 #             TX packets 4 (Multicast: 4)  bytes 256
2020-03-18 12:19:45,795 #             TX succeeded 4 errors 0
2020-03-18 12:19:45,795 # 
> 2020-03-18 12:19:48,018 #  WiFi disconnected from ssid eduroam, reason 5 (ASSOC_TOOMANY)
2020-03-18 12:19:51,862 # WiFi disconnected from ssid eduroam, reason 2 (AUTH_EXPIRE)
2020-03-18 12:19:54,723 # WiFi disconnected from ssid eduroam, reason 5 (ASSOC_TOOMANY)

Contributor

@MrKevinWeiss MrKevinWeiss left a comment


Excluding the vendor files, which I did not look at in detail, things look pretty good from the code side.

Parameter | Default | Description
:------------------|:----------|:------------
ESP_WIFI_SSID | "RIOT_AP" | SSID of the AP to be used.
ESP_WIFI_EAP_ID | none | Optional anonymous identity used in phase 1 (outer) EAP authentication. If it is not defined, the user name defined for phase 2 (inner) EAP authentication is used as idendity in phase 1.
Contributor


idendity -> identity I guess code spell would have got that.

@benpicco
Contributor

> WiFi disconnected from ssid eduroam, reason 5 (ASSOC_TOOMANY)

Is your notebook or phone also connected to eduroam with the same account?

@miri64
Member

miri64 commented Mar 18, 2020

@benpicco IIRC this was a problem specific to the FU Berlin's eduroam back in the ye olden days which is solved nowadays (and would not be viable today when everyone has at least two devices they want to connect to the WiFi) ;-)

@MrKevinWeiss
Contributor

MrKevinWeiss commented Mar 18, 2020

> Is your notebook or phone also connected to eduroam with the same account?

I am at home just piping into the HIL rack in the server room. It would be much easier if I was on site I guess.

Short answer no.

@gschorcht
Contributor Author

> 2020-03-18 12:19:09,411 #  WiFi disconnected from ssid eduroam, reason 204 (HANDSHAKE_TIMEOUT)
> 2020-03-18 12:19:12,255 # WiFi disconnected from ssid eduroam, reason 201 (NO_AP_FOUND)
> ifcon2020-03-18 12:19:45,132 # WiFi disconnected from ssid eduroam, reason 5 (ASSOC_TOOMANY)
> ...
> 2020-03-18 12:19:48,018 #  WiFi disconnected from ssid eduroam, reason 5 (ASSOC_TOOMANY)
> 2020-03-18 12:19:51,862 # WiFi disconnected from ssid eduroam, reason 2 (AUTH_EXPIRE)
> 2020-03-18 12:19:54,723 # WiFi disconnected from ssid eduroam, reason 5 (ASSOC_TOOMANY)

This looks like unstable WiFi radio conditions. You get HANDSHAKE_TIMEOUT, NO_AP_FOUND and AUTH_EXPIRE. These all are indicators that the signal strength and/or quality of eduroam could be too bad at your location for working with the small PCB antenna of the ESP32 board. Probably, your next eduroam AP is too far away, that is a pity.
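
The triage reasoning in the comment above, as an added example that is not part of the original thread or of RIOT: it tallies the disconnect reasons in a terminal log, counts the ones the comment attributes to radio conditions, and records whether the 802.1X/EAP exchange ever completed. The function name, the summary fields and the sample log (constructed from line formats quoted in this thread) are assumptions of this example.

```python
"""Added example: triage 'WiFi disconnected' reasons in a RIOT terminal log.

The grouping of reason names into "radio" follows the comment above; the
function names and the summary format are assumptions of this example.
"""
import re
from collections import Counter

# Reasons the comment above attributes to poor signal strength or quality.
RADIO_REASONS = {"HANDSHAKE_TIMEOUT", "NO_AP_FOUND", "AUTH_EXPIRE"}

DISCONNECT = re.compile(
    r"WiFi disconnected from ssid (?P<ssid>\S+), "
    r"reason (?P<code>\d+) \((?P<name>[A-Z0-9_]+)\)")
CONNECTED = re.compile(r"WiFi connected to ssid (?P<ssid>\S+), channel (\d+)")
EAP_OK = "EAP-TLV: TLV Result - Success"

# Constructed sample, modelled on the log lines quoted in this thread.
SAMPLE = """\
2020-03-18 12:18:36,551 #  WiFi disconnected from ssid eduroam, reason 204 (HANDSHAKE_TIMEOUT)
2020-03-18 12:19:12,255 # WiFi disconnected from ssid eduroam, reason 201 (NO_AP_FOUND)
ifcon2020-03-18 12:19:45,132 # WiFi disconnected from ssid eduroam, reason 5 (ASSOC_TOOMANY)
fig
2020-03-18 12:19:51,862 # WiFi disconnected from ssid eduroam, reason 2 (AUTH_EXPIRE)
2020-03-18 12:20:32,008 # EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
2020-03-18 12:20:33,313 # WiFi connected to ssid eduroam, channel 11
"""


def triage(log_text):
    """Summarise disconnect reasons and whether 802.1X/EAP ever completed."""
    reasons = Counter()
    eap_success = connected = False
    for line in log_text.splitlines():
        # search() rather than match(): typed shell input can be interleaved
        # with the timestamp prefix, as in the "ifcon2020-..." line.
        m = DISCONNECT.search(line)
        if m:
            reasons[(int(m["code"]), m["name"])] += 1
            connected = False
        elif EAP_OK in line:
            eap_success = True
        elif CONNECTED.search(line):
            connected = True
    radio = sum(n for (_, name), n in reasons.items() if name in RADIO_REASONS)
    other = sum(reasons.values()) - radio
    return {"reasons": dict(reasons), "radio": radio, "other": other,
            "eap_success": eap_success, "connected_at_end": connected}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```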

@MrKevinWeiss
Contributor

Darn, I guess I will try to simulate, I think @leandrolanzieri wants this for the release.

@cgundogan
Member

@leandrolanzieri and me tried this PR at the HAW and we get the same HANDSHAKE_TIMEOUT and AUTH_EXPIRE as previously pointed out by @MrKevinWeiss .. the signal looks actually strong enough, then again I do not know how close this esp needs to be .. the range is the same as to our personal wpa2 wifi, which is able to connect.

@benpicco
Contributor

Works for me™

2020-03-21 16:00:22,410 - INFO # RIOT lwip test application
2020-03-21 16:00:29,190 - INFO # > ifconfig
2020-03-21 16:00:29,191 - INFO # 
2020-03-21 16:00:29,194 - INFO # ET_00:  inet 0.0.0.0
2020-03-21 16:00:29,195 - INFO # 
2020-03-21 16:00:29,902 - INFO # SSL: Need 4268 bytes more input data
2020-03-21 16:00:29,916 - INFO # SSL: Need 3274 bytes more input data
2020-03-21 16:00:29,928 - INFO # SSL: Need 2280 bytes more input data
2020-03-21 16:00:29,940 - INFO # SSL: Need 1286 bytes more input data
2020-03-21 16:00:29,952 - INFO # SSL: Need 292 bytes more input data
2020-03-21 16:00:32,008 - INFO # EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
2020-03-21 16:00:33,313 - INFO # WiFi connected to ssid eduroam, channel 11
2020-03-21 16:00:36,646 - INFO # > ifconfig
2020-03-21 16:00:36,647 - INFO # 
2020-03-21 16:00:36,651 - INFO # ET_00:  inet 141.23.210.154
2020-03-21 16:00:36,652 - INFO #

I had to walk around a bit to find a good spot.
The esp32 has trouble connecting when both my phone and notebook will connect just fine.
Is there a way to display the signal strength of the WiFi in RIOT?

@gschorcht
Contributor Author

> The esp32 has trouble connecting when both my phone and notebook will connect just fine.

Yeah, as I said, the PCB antenna can't be compared to the antennas used in smart phones or notebooks.

> Is there a way to display the signal strength of the WiFi in RIOT?

Let me take a look. If it is possible, we could provide it as a netopt. This would be a good extension for my PR #13676.

@gschorcht
Contributor Author

> > Is there a way to display the signal strength of the WiFi in RIOT?
>
> Let me take a look. If it is possible, we could provide it as a netopt. This would be a good extension for my PR #13676.

Hm, I was already looking for RSSI some time ago. Unfortunately, the WiFi interface offers only two functions where RSSI is available as information.

  • get a list of all available APs if ESP is working in Station mode and
  • get a list of associated stations if the ESP is working as SoftAP.

There should be a RIOT app which asks the WiFi interface for the list and the RSSI of available APs. At the moment we could implement it directly on top of esp_wifi_netdev. But once we have more WiFi interfaces it would make sense to define a gnrc_wifi_netif for WiFi netdevs. The RIOT app would then use the gnrc_wifi_netif and the WiFi drivers would implement that function.

@benpicco benpicco added the Reviewed: 3-testing label Mar 21, 2020
@benpicco
Contributor

A tool to view all available networks would be neat indeed! Even better if it provided the possibility to join them 😃

I think right now an esp-specific tool would be fine. It's always hard to design a general API if there is only one implementation, it's also good to have a proof of concept and not let perfect be the enemy of good.
It can be adopted to a general WiFi API in a second step.

As for this PR, I think it should be good. Just fix that one remaining typo 😉

@gschorcht gschorcht force-pushed the cpu/esp32/esp_wifi/wpa2_enterprise branch from 596de9f to c1e6e70 Compare March 22, 2020 14:47
@gschorcht
Contributor Author

> As for this PR, I think it should be good. Just fix that one remaining typo

Fixed and directly squashed. I'm a bit confused that it wasn't caught by codespell.

Contributor

@benpicco benpicco left a comment


This should be good, no regressions and eduroam confirmed working.

cpu/esp32/vendor/esp-idf/esp_funcs.c Outdated
@benpicco benpicco merged commit 921a6a6 into RIOT-OS:master Mar 22, 2020
@gschorcht
Contributor Author

@benpicco Thanks for all your effort with testing this PR. And of course, thanks for reviewing and merging.

@gschorcht gschorcht deleted the cpu/esp32/esp_wifi/wpa2_enterprise branch March 22, 2020 16:32
@gschorcht
Contributor Author

@MrKevinWeiss @leandrolanzieri Thanks for your support with this PR, even if you had no success. I will provide an application that will make it easier to observe the radio condition.

@MrKevinWeiss
Contributor

Thanks for your contribution!
