WPA2 Enterprise - Explicitly set TTLS Phase 2 (#6436)

Co-authored-by: Jesse Hills <3060199+jesserockz@users.noreply.github.com>

esphome/components/wifi/__init__.py

@@ -33,6 +33,7 @@ from esphome.const import (
     CONF_KEY,
     CONF_USERNAME,
     CONF_EAP,
+    CONF_TTLS_PHASE_2,
     CONF_ON_CONNECT,
     CONF_ON_DISCONNECT,
 )
@@ -98,6 +99,14 @@ STA_MANUAL_IP_SCHEMA = AP_MANUAL_IP_SCHEMA.extend(
     }
 )
 
+TTLS_PHASE_2 = {
+    "pap": cg.global_ns.ESP_EAP_TTLS_PHASE2_PAP,
+    "chap": cg.global_ns.ESP_EAP_TTLS_PHASE2_CHAP,
+    "mschap": cg.global_ns.ESP_EAP_TTLS_PHASE2_MSCHAP,
+    "mschapv2": cg.global_ns.ESP_EAP_TTLS_PHASE2_MSCHAPV2,
+    "eap": cg.global_ns.ESP_EAP_TTLS_PHASE2_EAP,
+}
+
 EAP_AUTH_SCHEMA = cv.All(
     cv.Schema(
         {
@@ -105,6 +114,9 @@ EAP_AUTH_SCHEMA = cv.All(
             cv.Optional(CONF_USERNAME): cv.string_strict,
             cv.Optional(CONF_PASSWORD): cv.string_strict,
             cv.Optional(CONF_CERTIFICATE_AUTHORITY): wpa2_eap.validate_certificate,
+            cv.Optional(CONF_TTLS_PHASE_2): cv.All(
+                cv.enum(TTLS_PHASE_2), cv.only_with_esp_idf
+            ),
             cv.Inclusive(
                 CONF_CERTIFICATE, "certificate_and_key"
             ): wpa2_eap.validate_certificate,
@@ -338,6 +350,7 @@ def eap_auth(config):
         ("ca_cert", ca_cert),
         ("client_cert", client_cert),
         ("client_key", key),
+        ("ttls_phase_2", config.get(CONF_TTLS_PHASE_2, TTLS_PHASE_2["mschapv2"])),
     )
 
 

esphome/components/wifi/wifi_component.cpp

@@ -1,5 +1,10 @@
 #include "wifi_component.h"
 #include <cinttypes>
+#include <map>
+
+#ifdef USE_ESP_IDF
+#include <esp_wpa2.h>
+#endif
 
 #if defined(USE_ESP32) || defined(USE_ESP_IDF)
 #include <esp_wifi.h>
@@ -318,6 +323,16 @@ void WiFiComponent::start_connecting(const WiFiAP &ap, bool two) {
     ESP_LOGV(TAG, "    Identity: " LOG_SECRET("'%s'"), eap_config.identity.c_str());
     ESP_LOGV(TAG, "    Username: " LOG_SECRET("'%s'"), eap_config.username.c_str());
     ESP_LOGV(TAG, "    Password: " LOG_SECRET("'%s'"), eap_config.password.c_str());
+#ifdef USE_ESP_IDF
+#if ESPHOME_LOG_LEVEL >= ESPHOME_LOG_LEVEL_VERBOSE
+    std::map<esp_eap_ttls_phase2_types, std::string> phase2types = {{ESP_EAP_TTLS_PHASE2_PAP, "pap"},
+                                                                    {ESP_EAP_TTLS_PHASE2_CHAP, "chap"},
+                                                                    {ESP_EAP_TTLS_PHASE2_MSCHAP, "mschap"},
+                                                                    {ESP_EAP_TTLS_PHASE2_MSCHAPV2, "mschapv2"},
+                                                                    {ESP_EAP_TTLS_PHASE2_EAP, "eap"}};
+    ESP_LOGV(TAG, "    TTLS Phase 2: " LOG_SECRET("'%s'"), phase2types[eap_config.ttls_phase_2].c_str());
+#endif
+#endif
     bool ca_cert_present = eap_config.ca_cert != nullptr && strlen(eap_config.ca_cert);
     bool client_cert_present = eap_config.client_cert != nullptr && strlen(eap_config.client_cert);
     bool client_key_present = eap_config.client_key != nullptr && strlen(eap_config.client_key);

esphome/components/wifi/wifi_component.h

@@ -19,6 +19,10 @@
 #include <WiFi.h>
 #endif
 
+#if defined(USE_ESP_IDF) && defined(USE_WIFI_WPA2_EAP)
+#include <esp_wpa2.h>
+#endif
+
 #ifdef USE_ESP8266
 #include <ESP8266WiFi.h>
 #include <ESP8266WiFiType.h>
@@ -102,6 +106,10 @@ struct EAPAuth {
   // used for EAP-TLS
   const char *client_cert;
   const char *client_key;
+// used for EAP-TTLS
+#ifdef USE_ESP_IDF
+  esp_eap_ttls_phase2_types ttls_phase_2;
+#endif
 };
 #endif  // USE_WIFI_WPA2_EAP
 

esphome/components/wifi/wifi_component_esp_idf.cpp

@@ -396,6 +396,11 @@ bool WiFiComponent::wifi_sta_connect_(const WiFiAP &ap) {
       if (err != ESP_OK) {
         ESP_LOGV(TAG, "esp_wifi_sta_wpa2_ent_set_password failed! %d", err);
       }
+      // set TTLS Phase 2, defaults to MSCHAPV2
+      err = esp_wifi_sta_wpa2_ent_set_ttls_phase2_method(eap.ttls_phase_2);
+      if (err != ESP_OK) {
+        ESP_LOGV(TAG, "esp_wifi_sta_wpa2_ent_set_ttls_phase2_method failed! %d", err);
+      }
     }
     err = esp_wifi_sta_wpa2_ent_enable();
     if (err != ESP_OK) {

esphome/const.py

@@ -856,6 +856,7 @@ CONF_TRANSFORM = "transform"
 CONF_TRANSITION_LENGTH = "transition_length"
 CONF_TRIGGER_ID = "trigger_id"
 CONF_TRIGGER_PIN = "trigger_pin"
+CONF_TTLS_PHASE_2 = "ttls_phase_2"
 CONF_TUNE_ANTENNA = "tune_antenna"
 CONF_TURN_OFF_ACTION = "turn_off_action"
 CONF_TURN_ON_ACTION = "turn_on_action"