Cannot connect to EAP (ieee8021x) without a .config file

Felipe Tonello eu at felipetonello.com
Thu Nov 22 12:37:56 PST 2012


Hi Patrik,

On Nov 22, 2012 3:48 AM, "Patrik Flykt" <patrik.flykt at linux.intel.com>
wrote:
>
>
>         Hi,
>
> On Wed, 2012-11-21 at 11:06 -0800, Felipe Ferreri Tonello wrote:
> > But in this case, since there is no need for a certificate, shouldn't
> > connman be able to try to connect without it? I'm just saying it
> > because when I try to connect to this network with an iPhone it
> > connects without any certificate (it just asks if you want to accept
> > a certificate) and with an Android it just connects without even
> > asking to accept a certificate.
>
> It is true that Android (and iPhone) asks you these questions when you
> click on an 802.1x EAP network. Unfortunately they have to ask the user
> up front before proceeding with the connection attempt, since the WiFi
> network information from the Access Point does not contain any
> information about the used EAP protocol. Thus they are as lost as
> ConnMan as to what the EAP method of connecting to the network actually
> is. Asking the user happens before anything starts connecting.
>

Android does that but not iPhone. iPhone just asks for the user/password,
tries to connect and shows a certificate that the user needs to accept. Can
you guess what they do?

The main problem is that, as we know, users don't care about these
certificates, EAP protocols and so on. And if on iOS they are not asked
for that information, they expect the same on other devices.

Btw, what is this certificate for, and why, with connman and Android,
doesn't the user need to accept it?

> > Since there is no certificate the user expects to connect directly.
> > IMO it's ugly for some Agent (or external program) to write a .config
> > file just so connman can recognize the service.
>
> Whether any certificates exist or not needs a user decision as much as
> the EAP method itself. Thus any UI trying to connect to an 802.1x EAP
> network must prompt the user, give the information to ConnMan and then
> connect. The current implementation in ConnMan is such that an EAP
> network needs to be described as a .config file. Maybe it's less
> implementation friendly to write a file with the needed information, but
> it shouldn't be too big an obstacle since the UI has already received all
> the needed (known) information from the user.

Sometimes the Agent will not have rights to write in /var/lib/connman or
wherever connman is reading those files.

But I agree that, knowing this information, it is not a problem to write a
.config file.

Another point is the fact that the Agent doesn't know when it should ask
the user for that information. Perhaps by checking whether the service's
security property is ieee8021x?

I remember that there was a discussion here and Marcel Holtmann said that
Agents shouldn't ask the user for this kind of information, that's why there
is no API for that. But as we are discussing now, we still need to ask that
in the case of EAP. So there is clearly an inconsistency here.

Regards,
Felipe
