wpa_supplicant: expose EAP state machine via D-Bus for UI error signalling

Fri Apr 25 09:26:39 PDT 2014

It's great you have interest in this.  I also was interested in it and
submitted a couple patches that got accepted:

http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=dd7fec1f2969c377ac895246edd34c13986ebb08
http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=93c7e332c2ed28238628a52c259670da93ed663a

Was this along the lines of what you were thinking?  Those changes report
quite a bit of information on the progress of the EAP negotiation process
and sends them via "EAP" D-Bus signals.

On Fri, Apr 25, 2014 at 5:10 AM, Stefan Winter <stefan.winter at restena.lu>wrote:

> Well,
>
> that's what you get when using eapol_test, which sees the RADIUS encap.
>
> Replace RADIUS message with EAPoL payload below...
>
> Stefan
>
> On 25.04.2014 14:00, Stefan Winter wrote:
> > Hello,
> >
> > it occured to me that UIs based on wpa_supplicant only get very limited
> > insight in *why* an EAP authentication failed. There are quite a few
> > scenarios, most of which have nothing to do with the user's username
> > and/or password.
> >
> > I have sketched six scenarios below where it would make sense to tell
> > the user why and what went wrong; e.g. to prevent him from panickally
> > trying to change a set of passwords when the failure in fact has nothing
> > to do with the password (e.g. RADIUS server unreachable).
> >
> > I checked the debug log of wpa_supplicant and sketched at which points
> > of the ongoing conversation which signals would need to be emitted to
> > sufficiently inform UIs on what's going on.
> >
> > The set of scenarios is below.
> >
> > I don't code C myself, and have no idea about D-Bus except knowing that
> > it exists - so no patch, sorry.
> >
> > What do folks think of the idea of adding verbosity to the
> > authentication flow? Any chance that such signalling can find its way
> > into wpa_supplicant?
> >
> > Greetings,
> >
> > Stefan Winter
> >
> > ====== SIX FAILURE SCENARIOS BELOW =======
> >
> > The flow for informing users regarding the state is:
> >
> > 1)
> > CTRL-EVENT-EAP-STARTED EAP authentication started
> > (and no RADIUS message received until timeout)
> >
> > -> "The authentication server could not be reached. This is an
> > infrastructure problem, and unrelated to your password. Please try again
> > later or contact your network administrator."
> >
> > 2)
> > CTRL-EVENT-EAP-STARTED EAP authentication started
> > RADIUS message received, it's a Reject
> >
> > -> "You were not allowed to authenticate. Either the (outer, anonymous)
> > username you chose is wrong, or there is an infrastructure problem. In
> > either case, this is not a problem with your password. Please verify
> > your username, or try again later or contact your network administrator."
> >
> > 3)
> > CTRL-EVENT-EAP-STARTED EAP authentication started
> > RADIUS message received, it's a Challenge
> > CTRL-EVENT-EAP-PROPOSED-METHOD
> > RADIUS message received, it's a Reject
> >
> > -> "It was not possible to negotiate an EAP method between your device
> > and the server. This is a configuration problem; please double-check the
> > EAP method you chose in your configuration. This is not a problem with
> > your username and password. It does not make sense to keep trying until
> > this configuration problem is solved. If you don't know how to configure
> > your device, please contact your network administrator."
> >
> > 4)
> > CTRL-EVENT-EAP-STARTED EAP authentication started
> > RADIUS message received, it's a Challenge
> > CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> > CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> > CTRL-EVENT-EAP-PEER-CERT ( >= 0 times)
> > CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1
> >
> > -> "The certification authority (CA) certificate which you configured as
> > trusted does NOT match the incoming server certificate. Either you have
> > an error in your configuration, or somebody is trying to attack you! If
> > you suspect a configuration error, please contact your network
> > administrator."
> >
> > 5)
> > CTRL-EVENT-EAP-STARTED EAP authentication started
> > RADIUS message received, it's a Challenge
> > CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> > CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> > CTRL-EVENT-EAP-PEER-CERT ( >= 1 time)
> > CTRL-EVENT-EAP-TLS-CERT-ERROR reason=5
> >
> > -> "The server name which you configured as trusted does NOT match the
> > incoming server certificate. Either you have an error in your
> > configuration, or somebody is trying to attack you! If you suspect a
> > configuration error, please contact your network administrator."
> >
> > 6)
> > CTRL-EVENT-EAP-STARTED EAP authentication started
> > RADIUS message received, it's a Challenge
> > CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> > CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> > CTRL-EVENT-EAP-PEER-CERT ( >= 1 time)
> > CTRL-EVENT-EAP-FAILURE EAP authentication failed
> >
> > -> "Your username and password combination was rejected. Please verify
> > your access credentials."
> >
> > ==========================================
> >
> >
> >
> > _______________________________________________
> > HostAP mailing list
> > HostAP at lists.shmoo.com
> > http://lists.shmoo.com/mailman/listinfo/hostap
> >
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - R?seau T?l?informatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20140425/7842f750/attachment.htm>