wpa_supplicant: expose EAP state machine via D-Bus for UI error signalling

Stefan Winter stefan.winter at restena.lu
Fri Apr 25 08:00:16 EDT 2014 

Hello,

it occured to me that UIs based on wpa_supplicant only get very limited
insight in *why* an EAP authentication failed. There are quite a few
scenarios, most of which have nothing to do with the user's username
and/or password.

I have sketched six scenarios below where it would make sense to tell
the user why and what went wrong; e.g. to prevent him from panickally
trying to change a set of passwords when the failure in fact has nothing
to do with the password (e.g. RADIUS server unreachable).

I checked the debug log of wpa_supplicant and sketched at which points
of the ongoing conversation which signals would need to be emitted to
sufficiently inform UIs on what's going on.

The set of scenarios is below.

I don't code C myself, and have no idea about D-Bus except knowing that
it exists - so no patch, sorry.

What do folks think of the idea of adding verbosity to the
authentication flow? Any chance that such signalling can find its way
into wpa_supplicant?

Greetings,

Stefan Winter

====== SIX FAILURE SCENARIOS BELOW =======

The flow for informing users regarding the state is:

1)
CTRL-EVENT-EAP-STARTED EAP authentication started
(and no RADIUS message received until timeout)

-> "The authentication server could not be reached. This is an
infrastructure problem, and unrelated to your password. Please try again
later or contact your network administrator."

2)
CTRL-EVENT-EAP-STARTED EAP authentication started
RADIUS message received, it's a Reject

-> "You were not allowed to authenticate. Either the (outer, anonymous)
username you chose is wrong, or there is an infrastructure problem. In
either case, this is not a problem with your password. Please verify
your username, or try again later or contact your network administrator."

3)
CTRL-EVENT-EAP-STARTED EAP authentication started
RADIUS message received, it's a Challenge
CTRL-EVENT-EAP-PROPOSED-METHOD
RADIUS message received, it's a Reject

-> "It was not possible to negotiate an EAP method between your device
and the server. This is a configuration problem; please double-check the
EAP method you chose in your configuration. This is not a problem with
your username and password. It does not make sense to keep trying until
this configuration problem is solved. If you don't know how to configure
your device, please contact your network administrator."

4)
CTRL-EVENT-EAP-STARTED EAP authentication started
RADIUS message received, it's a Challenge
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
CTRL-EVENT-EAP-PEER-CERT ( >= 0 times)
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1

-> "The certification authority (CA) certificate which you configured as
trusted does NOT match the incoming server certificate. Either you have
an error in your configuration, or somebody is trying to attack you! If
you suspect a configuration error, please contact your network
administrator."

5)
CTRL-EVENT-EAP-STARTED EAP authentication started
RADIUS message received, it's a Challenge
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
CTRL-EVENT-EAP-PEER-CERT ( >= 1 time)
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=5

-> "The server name which you configured as trusted does NOT match the
incoming server certificate. Either you have an error in your
configuration, or somebody is trying to attack you! If you suspect a
configuration error, please contact your network administrator."

6)
CTRL-EVENT-EAP-STARTED EAP authentication started
RADIUS message received, it's a Challenge
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
CTRL-EVENT-EAP-PEER-CERT ( >= 1 time)
CTRL-EVENT-EAP-FAILURE EAP authentication failed

-> "Your username and password combination was rejected. Please verify
your access credentials."

==========================================
-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x8A39DC66.asc
Type: application/pgp-keys
Size: 3243 bytes
Desc: not available
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20140425/90647e2a/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20140425/90647e2a/attachment.pgp>

More information about the HostAP mailing list