<div dir="ltr">It's great you have interest in this. I also was interested in it and submitted a couple patches that got accepted:<div><br></div><div><a href="http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=dd7fec1f2969c377ac895246edd34c13986ebb08">http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=dd7fec1f2969c377ac895246edd34c13986ebb08</a><br>
</div><div><a href="http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=93c7e332c2ed28238628a52c259670da93ed663a">http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=93c7e332c2ed28238628a52c259670da93ed663a</a><br>
</div><div><br></div><div>Was this along the lines of what you were thinking? Those changes report quite a bit of information on the progress of the EAP negotiation process and send it via "EAP" D-Bus signals. </div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Apr 25, 2014 at 5:10 AM, Stefan Winter <span dir="ltr"><<a href="mailto:stefan.winter@restena.lu" target="_blank">stefan.winter@restena.lu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Well,<br>
<br>
that's what you get when using eapol_test, which sees the RADIUS encap.<br>
<br>
Replace RADIUS message with EAPoL payload below...<br>
<br>
Stefan<br>
<div><div class="h5"><br>
On 25.04.2014 14:00, Stefan Winter wrote:<br>
> Hello,<br>
><br>
> it occurred to me that UIs based on wpa_supplicant only get very limited<br>
> insight in *why* an EAP authentication failed. There are quite a few<br>
> scenarios, most of which have nothing to do with the user's username<br>
> and/or password.<br>
><br>
> I have sketched six scenarios below where it would make sense to tell<br>
> the user why and what went wrong; e.g. to prevent him from panickily<br>
> trying to change a set of passwords when the failure in fact has nothing<br>
> to do with the password (e.g. RADIUS server unreachable).<br>
><br>
> I checked the debug log of wpa_supplicant and sketched at which points<br>
> of the ongoing conversation which signals would need to be emitted to<br>
> sufficiently inform UIs on what's going on.<br>
><br>
> The set of scenarios is below.<br>
><br>
> I don't code C myself, and have no idea about D-Bus except knowing that<br>
> it exists - so no patch, sorry.<br>
><br>
> What do folks think of the idea of adding verbosity to the<br>
> authentication flow? Any chance that such signalling can find its way<br>
> into wpa_supplicant?<br>
><br>
> Greetings,<br>
><br>
> Stefan Winter<br>
><br>
> ====== SIX FAILURE SCENARIOS BELOW =======<br>
><br>
> The flow for informing users regarding the state is:<br>
><br>
> 1)<br>
> CTRL-EVENT-EAP-STARTED EAP authentication started<br>
> (and no RADIUS message received until timeout)<br>
><br>
> -> "The authentication server could not be reached. This is an<br>
> infrastructure problem, and unrelated to your password. Please try again<br>
> later or contact your network administrator."<br>
><br>
> 2)<br>
> CTRL-EVENT-EAP-STARTED EAP authentication started<br>
> RADIUS message received, it's a Reject<br>
><br>
> -> "You were not allowed to authenticate. Either the (outer, anonymous)<br>
> username you chose is wrong, or there is an infrastructure problem. In<br>
> either case, this is not a problem with your password. Please verify<br>
> your username, or try again later or contact your network administrator."<br>
><br>
> 3)<br>
> CTRL-EVENT-EAP-STARTED EAP authentication started<br>
> RADIUS message received, it's a Challenge<br>
> CTRL-EVENT-EAP-PROPOSED-METHOD<br>
> RADIUS message received, it's a Reject<br>
><br>
> -> "It was not possible to negotiate an EAP method between your device<br>
> and the server. This is a configuration problem; please double-check the<br>
> EAP method you chose in your configuration. This is not a problem with<br>
> your username and password. It does not make sense to keep trying until<br>
> this configuration problem is solved. If you don't know how to configure<br>
> your device, please contact your network administrator."<br>
><br>
> 4)<br>
> CTRL-EVENT-EAP-STARTED EAP authentication started<br>
> RADIUS message received, it's a Challenge<br>
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25<br>
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected<br>
> CTRL-EVENT-EAP-PEER-CERT ( >= 0 times)<br>
> CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1<br>
><br>
> -> "The certification authority (CA) certificate which you configured as<br>
> trusted does NOT match the incoming server certificate. Either you have<br>
> an error in your configuration, or somebody is trying to attack you! If<br>
> you suspect a configuration error, please contact your network<br>
> administrator."<br>
><br>
> 5)<br>
> CTRL-EVENT-EAP-STARTED EAP authentication started<br>
> RADIUS message received, it's a Challenge<br>
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25<br>
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected<br>
> CTRL-EVENT-EAP-PEER-CERT ( >= 1 time)<br>
> CTRL-EVENT-EAP-TLS-CERT-ERROR reason=5<br>
><br>
> -> "The server name which you configured as trusted does NOT match the<br>
> incoming server certificate. Either you have an error in your<br>
> configuration, or somebody is trying to attack you! If you suspect a<br>
> configuration error, please contact your network administrator."<br>
><br>
> 6)<br>
> CTRL-EVENT-EAP-STARTED EAP authentication started<br>
> RADIUS message received, it's a Challenge<br>
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25<br>
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected<br>
> CTRL-EVENT-EAP-PEER-CERT ( >= 1 time)<br>
> CTRL-EVENT-EAP-FAILURE EAP authentication failed<br>
><br>
> -> "Your username and password combination was rejected. Please verify<br>
> your access credentials."<br>
><br>
> ==========================================<br>
><br>
><br>
><br>
</div></div>> _______________________________________________<br>
> HostAP mailing list<br>
> <a href="mailto:HostAP@lists.shmoo.com">HostAP@lists.shmoo.com</a><br>
> <a href="http://lists.shmoo.com/mailman/listinfo/hostap" target="_blank">http://lists.shmoo.com/mailman/listinfo/hostap</a><br>
<div class="HOEnZb"><div class="h5">><br>
<br>
<br>
--<br>
Stefan WINTER<br>
Ingenieur de Recherche<br>
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et<br>
de la Recherche<br>
6, rue Richard Coudenhove-Kalergi<br>
L-1359 Luxembourg<br>
<br>
Tel: <a href="tel:%2B352%20424409%201" value="+3524244091">+352 424409 1</a><br>
Fax: <a href="tel:%2B352%20422473" value="+352422473">+352 422473</a><br>
<br>
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the<br>
recipient's key is known to me<br>
<br>
<a href="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66" target="_blank">http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66</a><br>
</div></div><br>
<br></blockquote></div><br></div>
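The six event sequences from the quoted mail, written as a classifier that a UI could run over wpa_supplicant control-interface events so that a certificate failure (scenarios 4 and 5) is never reported as a password problem. This is an added example, not part of the thread and not hostap code; it assumes that a Reject reaches the UI as CTRL-EVENT-EAP-FAILURE, and `classify`, `timed_out`, `SCENARIOS` and the sample lines are names and data constructed here.

```python
import re

# Scenario numbers follow the six cases in the quoted mail.
SCENARIOS = {1: "authentication server unreachable",
             2: "rejected before an EAP method was proposed",
             3: "no EAP method could be negotiated",
             4: "server certificate does not match the trusted CA",
             5: "server certificate does not match the trusted server name",
             6: "username and password rejected"}
_EVENT = re.compile(r"^(?:<\d+>)?(CTRL-EVENT-EAP-[A-Z-]+)\s*(.*)$")

# Constructed sample (not a captured log): the event sequence of scenario 5.
SAMPLE = ["<3>CTRL-EVENT-EAP-STARTED EAP authentication started",
          "<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25",
          "<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected",
          "<3>CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.example.org'",
          "<3>CTRL-EVENT-EAP-TLS-CERT-ERROR reason=5 depth=0"]

def classify(lines, timed_out=False):
    """Return the scenario number 1-6, 0 on success, None if undecided.

    Assumptions: a Reject reaches the UI as CTRL-EVENT-EAP-FAILURE, and the
    caller sets timed_out when its own timer expires with no terminal event.
    """
    seen = set()
    for line in lines:
        m = _EVENT.match(line.strip())
        if not m:
            continue                     # not an EAP control event
        name, rest = m.groups()
        if name == "CTRL-EVENT-EAP-STARTED":
            seen = {name}                # a new attempt resets the state
        elif name == "CTRL-EVENT-EAP-TLS-CERT-ERROR":
            reason = re.search(r"\breason=(\d+)", rest)
            # Only the two reason values discussed in the mail are mapped.
            return {"1": 4, "5": 5}.get(reason.group(1) if reason else None)
        elif name == "CTRL-EVENT-EAP-SUCCESS":
            return 0
        elif name == "CTRL-EVENT-EAP-FAILURE":
            if "CTRL-EVENT-EAP-METHOD" in seen:
                return 6                 # a method ran, then the server refused
            if "CTRL-EVENT-EAP-PROPOSED-METHOD" in seen:
                return 3                 # proposal made, nothing selected
            return 2                     # refused before any proposal
        else:
            seen.add(name)
    # Scenario 1: the attempt started and nothing else arrived before timeout.
    return 1 if timed_out and seen == {"CTRL-EVENT-EAP-STARTED"} else None
```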