EAP authentication timeout
Matthew Wang
matthewmwang at chromium.org
Wed Jan 11 12:24:01 PST 2023
Thanks for the context, that makes sense - I'll give it some thought.
On Wed, Jan 11, 2023 at 10:18 AM Jouni Malinen <j at w1.fi> wrote:
>
> On Tue, Jan 10, 2023 at 09:30:04PM -0800, Matthew Wang wrote:
> > Does anyone have context on the 70 second timeout for EAP
> > authentication? Specifically, this snippet of code in
> > wpa_supplicant_rx_eapol:
> >
> >     if (wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt) ||
> >         wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X_NO_WPA ||
> >         wpa_s->key_mgmt == WPA_KEY_MGMT_WPS) {
> >         /* Use longer timeout for IEEE 802.1X/EAP */
> >         timeout = 70;
> >     }
>
> This is from adding 60 seconds of time for possible upper layer,
> including the user, interaction that could happen during EAP
> authentication. In other words, this would be things like username/password
> entry during authentication if someone does not want to store those in
> the configuration or various 2FA cases where a dynamic token value would
> need to be generated by something external and potentially
> copied/concatenated by the user to something.
>
> > This seems like an egregiously long timeout, and it looks to be
> > untouched since before 2008. Is this something that folks would be
> > interested in changing? Any thoughts for or against?
>
> This timeout is a hard limit on the full sequence of whatever is needed
> to complete the full connection. Sure, it is large for cases where no
> interaction with the user is needed, but under the current design, this
> has to cover the longest possible case.
>
> It should be fine to use a smaller timeout for some cases, e.g., if it
> can be determined this early that no interaction with the user is going
> to be needed. However, that is a bit inconvenient to do with EAP since
> even the EAP method itself, never mind other things like need for 2FA in
> some case, could be determined by the authentication server during the
> actual EAP exchange and as such, would not really be known here.
>
> In practice, making this smaller for some cases would likely require a
> more dynamic design where the initial timeout is set to something
> smaller like the 10 second default and that timeout is then increased at
> the point the parameters and needed operations become known during the
> EAP exchange.
>
> --
> Jouni Malinen PGP id EFC895FA
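The dynamic design Jouni outlines above, as an added example in C (not wpa_supplicant's own code): the authentication timer starts at the 10 second default and is raised toward the existing 70 second bound only when the EAP exchange signals that user interaction may be required. All identifiers and the event model are hypothetical.

```c
#include <stdbool.h>
/* Added example, not wpa_supplicant code: start with the 10 second default and
 * extend the deadline only once the EAP exchange shows user interaction may be
 * needed. Every identifier here is hypothetical. */
#define AUTH_TIMEOUT_DEFAULT    10 /* seconds, the non-EAP default */
#define AUTH_TIMEOUT_USER_SLACK 60 /* seconds allowed for user interaction */
#define AUTH_TIMEOUT_EAP_MAX    70 /* hard limit from the original snippet */
enum auth_event {
	AUTH_EV_EAP_METHOD_SELECTED, /* server proposed an EAP method */
	AUTH_EV_USER_INPUT_REQUIRED, /* method asked the upper layer for input */
	AUTH_EV_DONE                 /* EAP success or failure: stop the timer */
};
struct auth_timer {
	int started_at; /* absolute time (s) when authentication began */
	int deadline;   /* absolute time (s) after which we give up */
	bool running;
};
/* Begin with the short default regardless of key management. */
void auth_timer_start(struct auth_timer *t, int now)
{
	t->started_at = now;
	t->deadline = now + AUTH_TIMEOUT_DEFAULT;
	t->running = true;
}
/* Extend only on evidence that interaction may be needed, never shrink, and
 * never pass the 70 second bound measured from the start. Returns seconds
 * remaining, or -1 when the timer is not running. */
int auth_timer_event(struct auth_timer *t, enum auth_event ev, bool method_may_prompt, int now)
{
	if (!t->running)
		return -1;
	if (ev == AUTH_EV_DONE) {
		t->running = false;
		return -1;
	}
	if (ev == AUTH_EV_USER_INPUT_REQUIRED ||
	    (ev == AUTH_EV_EAP_METHOD_SELECTED && method_may_prompt)) {
		int cap = t->started_at + AUTH_TIMEOUT_EAP_MAX;
		int want = now + AUTH_TIMEOUT_USER_SLACK;
		int extended = want > cap ? cap : want;
		if (extended > t->deadline)
			t->deadline = extended;
	}
	return t->deadline - now;
}
/* True once the deadline has passed; the caller would then disconnect. */
bool auth_timer_expired(const struct auth_timer *t, int now)
{
	return t->running && now >= t->deadline;
}
```

A non-interactive EAP run that never reports a prompt therefore still times out after the 10 second default, while an interactive one is bounded by the same 70 seconds the current code uses unconditionally.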