wpa_supplicant: expose EAP state machine via D-Bus for UI error signalling

Stefan Winter stefan.winter at restena.lu
Fri Apr 25 08:10:56 EDT 2014


Well,

that's what you get when using eapol_test, which sees the RADIUS encap.

Replace RADIUS message with EAPoL payload below...

Stefan

On 25.04.2014 14:00, Stefan Winter wrote:
> Hello,
> 
> it occurred to me that UIs based on wpa_supplicant only get very limited
> insight in *why* an EAP authentication failed. There are quite a few
> scenarios, most of which have nothing to do with the user's username
> and/or password.
> 
> I have sketched six scenarios below where it would make sense to tell
> the user why and what went wrong; e.g. to prevent him from panicking and
> trying to change a set of passwords when the failure in fact has nothing
> to do with the password (e.g. RADIUS server unreachable).
> 
> I checked the debug log of wpa_supplicant and sketched at which points
> of the ongoing conversation which signals would need to be emitted to
> sufficiently inform UIs on what's going on.
> 
> The set of scenarios is below.
> 
> I don't code C myself, and have no idea about D-Bus except knowing that
> it exists - so no patch, sorry.
> 
> What do folks think of the idea of adding verbosity to the
> authentication flow? Any chance that such signalling can find its way
> into wpa_supplicant?
> 
> Greetings,
> 
> Stefan Winter
> 
> ====== SIX FAILURE SCENARIOS BELOW =======
> 
> The flow for informing users regarding the state is:
> 
> 1)
> CTRL-EVENT-EAP-STARTED EAP authentication started
> (and no RADIUS message received until timeout)
> 
> -> "The authentication server could not be reached. This is an
> infrastructure problem, and unrelated to your password. Please try again
> later or contact your network administrator."
> 
> 2)
> CTRL-EVENT-EAP-STARTED EAP authentication started
> RADIUS message received, it's a Reject
> 
> -> "You were not allowed to authenticate. Either the (outer, anonymous)
> username you chose is wrong, or there is an infrastructure problem. In
> either case, this is not a problem with your password. Please verify
> your username, or try again later or contact your network administrator."
> 
> 3)
> CTRL-EVENT-EAP-STARTED EAP authentication started
> RADIUS message received, it's a Challenge
> CTRL-EVENT-EAP-PROPOSED-METHOD
> RADIUS message received, it's a Reject
> 
> -> "It was not possible to negotiate an EAP method between your device
> and the server. This is a configuration problem; please double-check the
> EAP method you chose in your configuration. This is not a problem with
> your username and password. It does not make sense to keep trying until
> this configuration problem is solved. If you don't know how to configure
> your device, please contact your network administrator."
> 
> 4)
> CTRL-EVENT-EAP-STARTED EAP authentication started
> RADIUS message received, it's a Challenge
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> CTRL-EVENT-EAP-PEER-CERT ( >= 0 times)
> CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1
> 
> -> "The certification authority (CA) certificate which you configured as
> trusted does NOT match the incoming server certificate. Either you have
> an error in your configuration, or somebody is trying to attack you! If
> you suspect a configuration error, please contact your network
> administrator."
> 
> 5)
> CTRL-EVENT-EAP-STARTED EAP authentication started
> RADIUS message received, it's a Challenge
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> CTRL-EVENT-EAP-PEER-CERT ( >= 1 time)
> CTRL-EVENT-EAP-TLS-CERT-ERROR reason=5
> 
> -> "The server name which you configured as trusted does NOT match the
> incoming server certificate. Either you have an error in your
> configuration, or somebody is trying to attack you! If you suspect a
> configuration error, please contact your network administrator."
> 
> 6)
> CTRL-EVENT-EAP-STARTED EAP authentication started
> RADIUS message received, it's a Challenge
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> CTRL-EVENT-EAP-PEER-CERT ( >= 1 time)
> CTRL-EVENT-EAP-FAILURE EAP authentication failed
> 
> -> "Your username and password combination was rejected. Please verify
> your access credentials."
> 
> ==========================================
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
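The six event sequences in the quoted mail, turned into a classifier that a UI could run over the CTRL-EVENT lines it gets from wpa_supplicant. This is an added example, not code from the mail or from the hostap project; it assumes that the RADIUS Reject of scenarios 2 and 3 reaches the peer as CTRL-EVENT-EAP-FAILURE and that the timeout of scenario 1 shows up as no further event after CTRL-EVENT-EAP-STARTED (the "RADIUS message received" lines are eapol_test output and are simply ignored).

```python
import re
REASON_RE = re.compile(r"\breason=(\d+)")  # from CTRL-EVENT-EAP-TLS-CERT-ERROR lines

# Scenario number -> user-facing verdict, condensed from the mail's six texts.
VERDICTS = {
    1: "authentication server unreachable; infrastructure problem, not your password",
    2: "rejected before EAP method negotiation; check outer username or infrastructure",
    3: "EAP method negotiation failed; fix the configured EAP method",
    4: "server certificate not issued by the trusted CA; config error or attack",
    5: "server name does not match the certificate; config error or attack",
    6: "username/password combination rejected; verify your credentials",
}

def classify(events):
    # Map one EAP attempt's ordered wpa_supplicant event lines to the mail's
    # scenario number (1..6), or None when no scenario fits.
    # Assumed (mine, not stated in the mail): a RADIUS Reject reaches the peer
    # as CTRL-EVENT-EAP-FAILURE, and scenario 1's timeout shows up as no
    # further event after CTRL-EVENT-EAP-STARTED once the caller stops waiting.
    started = proposed = selected = failed = False
    peer_certs, cert_reason = 0, None
    for line in events:
        if "CTRL-EVENT-EAP-STARTED" in line:  # a new attempt resets everything
            started, proposed, selected, failed = True, False, False, False
            peer_certs, cert_reason = 0, None
        elif "CTRL-EVENT-EAP-PROPOSED-METHOD" in line:
            proposed = True
        elif "CTRL-EVENT-EAP-METHOD" in line:
            selected = True
        elif "CTRL-EVENT-EAP-PEER-CERT" in line:
            peer_certs += 1
        elif "CTRL-EVENT-EAP-TLS-CERT-ERROR" in line:
            m = REASON_RE.search(line)
            cert_reason = int(m.group(1)) if m else cert_reason
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            failed = True
    if not started:
        return None
    if cert_reason == 1:            # scenario 4: CA mismatch
        return 4
    if cert_reason == 5:            # scenario 5: server name mismatch
        return 5
    if failed and not proposed:     # scenario 2: Reject before any proposal
        return 2
    if failed and not selected:     # scenario 3: method never agreed on
        return 3
    if failed and peer_certs >= 1:  # scenario 6: TLS fine, inner credentials bad
        return 6
    if not (proposed or selected or failed or peer_certs):
        return 1                    # scenario 1: nothing at all after EAP start
    return None
```

A UI would feed it the events of one attempt and show VERDICTS[classify(events)], which for scenarios 4 and 5 is the place to say the configuration may be wrong or the connection under attack rather than asking for a new password.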

