Cannot connect to EAP (ieee8021x) without a .config file

Patrik Flykt patrik.flykt at linux.intel.com
Fri Nov 23 00:55:28 PST 2012


	Hi,

On Thu, 2012-11-22 at 12:37 -0800, Felipe Tonello wrote:
> Android does that but not iPhone. iPhone just asks for the user/password,
> tries to connect and shows a certificate that the user needs to accept.
> Do you guess what they do?
>
> The main problem is that, as we know, users don't care about these
> certificates, EAP protocols and so on. And if on iOS they are not asked
> for that information, they expect the same on other devices.
>
> Btw, what is this certificate for and why with connman and Android does
> the user not need to accept it?

I don't have an iPhone so I can't verify what it does. The user
certificate is very often optional and the server certificates may be
silently accepted in the background. If there is no possibility of
selecting a client certificate, some of the EAP PEAP/TLS/TTLS/etc. WiFi
networks will not be accessible.

> > > Since there is no certificate the user expects to connect directly.
> > > IMO it's ugly to some Agent (or external program) to write a .config
> > > file just so connman can recognize the service.
> >
> > Whether any certificates exist or not needs a user decision as much as
> > the EAP method itself. Thus any UI trying to connect to an 802.1x EAP
> > network must prompt the user, give the information to ConnMan and then
> > connect. The current implementation in ConnMan is such that an EAP
> > network needs to be described as a .config file. Maybe it's less
> > implementation friendly to write a file with the needed information,
> > but it shouldn't be a too big obstacle since the UI has already
> > received all the needed (known) information from the user.
>
> Sometimes the Agent will not have rights to write in /var/lib/connman
> or wherever connman is reading those files.
>
> But I agree that knowing this information is not a problem to write a
> .config file.
>
> Another point is the fact that the Agent doesn't know when it should
> ask the user for that information. Perhaps by checking that the
> service's security property is ieee8021x?

That's exactly the point here. The WiFi security property only specifies
EAP, not the authentication method used. The authentication method can
be TLS, TTLS, PEAP, plain MSCHAP, PEAP with MSCHAP, GTC, password, etc.
- not all of them implemented by ConnMan btw. The EAP method needs to be
chosen by the user, at least on Android phones even more method specific
options can or need to be filled in by the user depending on the WiFi
network. Already the first question about the EAP method used needs to
be asked from the user. iOS probably makes a shortcut here, tries by
default with something and only then asks some further information (or
not) if the initial guess failed.

> I remember that there was a discussion here and Marcel Holtmann said
> that Agents shouldn't ask this kind of information from the user,
> that's why there is no API for that. But as we are discussing now we
> still need to ask that in case of EAP. So there is clearly an
> inconsistency here.

Interactively asking all this becomes very complex very fast, which is a
reason why not to implement it via Agent API. As the user anyway needs
to be asked up front for the EAP security method, the user can fill in
the remaining bits and pieces at the same time, if there is such a UI
component.

Except that the user will have a really hard time answering any of the
EAP related questions correctly, especially the ones with subtle usage
of client certificates and other mysterious bits. Thus it's _much_ better
that the information comes provisioned as a .config file, especially
when said client certs are needed - they cannot be generated on the
fly. What we're talking about here really goes way beyond the
expectations of an Agent UI. All of this should belong to a provisioning
component with or without a UI of some kind.

Cheers,

	Patrik
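An added example, not taken from this thread or from the ConnMan project, of the kind of .config provisioning file the discussion above refers to; the key names are assumed to follow ConnMan's config file format, and the network names, identities, passwords and file paths are placeholders.

```ini
# Added example (not from the thread): a ConnMan provisioning file,
# e.g. /var/lib/connman/corp-wifi.config, describing two EAP networks so
# that no Agent prompt is needed. Key names are assumed to match ConnMan's
# config-format documentation; all values are placeholders.
# The file carries credentials, so it should be owned by root with mode
# 0600, which is also why an unprivileged Agent cannot write it.

# PEAP with MSCHAPv2 inside the tunnel: username/password only, no client
# certificate needed.
[service_corp_peap]
Type = wifi
Name = CorpWiFi
Security = ieee8021x
EAP = peap
Phase2 = MSCHAPV2
# Pin the CA that signed the RADIUS server certificate. Without
# CACertFile the server certificate is accepted without verification,
# so the inner credentials could be handed to any rogue access point.
CACertFile = /etc/ssl/certs/corp-radius-ca.pem
# Outer identity sent in the clear; the real username stays in the tunnel.
AnonymousIdentity = anonymous@example.org
Identity = jdoe@example.org
Passphrase = PLACEHOLDER-PASSWORD

# EAP-TLS: the client certificate and private key must be provisioned up
# front; they cannot be generated on the fly at connect time.
[service_corp_tls]
Type = wifi
Name = CorpWiFi-TLS
Security = ieee8021x
EAP = tls
CACertFile = /etc/ssl/certs/corp-radius-ca.pem
ClientCertFile = /etc/connman/certs/jdoe.crt
PrivateKeyFile = /etc/connman/certs/jdoe.key
PrivateKeyPassphrase = PLACEHOLDER-KEY-PASSPHRASE
Identity = jdoe@example.org
```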
