Cannot connect to EAP (ieee8021x) without a .config file

Felipe Ferreri Tonello eu at felipetonello.com
Mon Nov 26 17:35:09 PST 2012


Hello Marcel

Thank you for your answer.

On 11/23/2012 12:26 AM, Marcel Holtmann wrote:
> Hi Felipe,
>
>>>> But in this case, since there is no need of certificate, shouldn't
>>>> connman be able to try to connect without it? I'm just saying it
>>>> because
>>>> when I try to connect to this network with an iPhone it connects
>>>> without
>>>> any certificate (it just asks if you want to accept a certificate) and
>>>> with an Android it just connects without even asking to accept a
>>>> certificate.
>>>
>>> It is true that Android (and iPhone) asks you these questions when you
>>> click on an 802.1x EAP network. Unfortunately they have to ask the user
>>> up front before proceeding with the connection attempt, since the WiFi
>>> network information from the Access Point does not contain any
>>> information about the used EAP protocol. Thus they are as lost as
>>> ConnMan what the EAP method of connecting to the network actually is.
>>> Asking the user happens before anything starts connecting.
>>>
>>
>> Android does that but not iPhone. iPhone just asks for the user/password,
>> tries to connect and shows a certificate that the user needs to accept. Do
>> you guess what they do?
>>
>> The main problem is that, as we know, users don't care about these
>> certificates, EAP protocols and so on. And if on iOS they are not asked
>> for that information, they expect the same on other devices.
>>
>> Btw, what is this certificate for, and why with connman and Android does the
>> user not need to accept it?
>
> The last I have been told is that iOS on purpose does not check these
> certificates against the global trusted certificates. Simply because none
> of them are authorized for WiFi usage anyway.

So does connman always accept it? How is it handled?

>
> They only get trusted if you provide your own CA via device management.
>
> Also iOS is kinda stupid. They always show the username/password
> question for the 802.1x networks. Even if that would not work. There are
> networks that completely authorize by just using certificates.
>
>>>> Since there is no certificate the user expects to connect directly.
>>>> IMO
>>>> it's ugly for some Agent (or external program) to write a .config file
>>>> just so connman can recognize the service.
>>>
>>> Whether any certificates exist or not needs a user decision as much as
>>> the EAP method itself. Thus any UI trying to connect to an 802.1x EAP
>>> network must prompt the user, give the information to ConnMan and then
>>> connect. The current implementation in ConnMan is such that an EAP
>>> network needs to be described as a .config file. Maybe it's less
>>> implementation friendly to write a file with the needed information, but
>>> it shouldn't be a too big obstacle since the UI has already received all
>>> the needed (known) information from the user.
>>
>> Sometimes the Agent will not have rights to write in /var/lib/connman or
>> whatever where connman is reading those files.
>
> The agent should never have access to /var/lib/connman ever. If you do
> that, then your security model is broken.

Well, you need to write there somehow. I said an Agent just for the sake
of the argument, but it's an external tool anyway.

What about writing the user/password credentials there? Is there any way to
secure the password in the .config file?

>
>> But I agree that knowing this information is not a problem to write a
>> .config file.
>>
>> Another point is the fact that the Agent doesn't know when it should ask
>> the user for that information. Perhaps by checking whether the service's
>> security property is ieee8021x?
>>
>> I remember that there was a discussion here and Marcel Holtmann said that
>> Agents shouldn't ask the user for this kind of information, that's why there
>> is no API for that. But as we are discussing now we still need to ask that
>> in case of EAP. So there is clearly an inconsistency here.
>
> I am totally fine if we ask username and password for 802.1x from the
> user, but nothing more. To do that, we need to first know if username
> and password would actually work in that case.

Is there any way to know that? As you said, there are networks that work
fine with the certificate only.

Regards,

Felipe
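The two practical worries in this thread are where the .config file for an 802.1x service gets written and how the password inside it is protected. The script below is an added example, not code from this thread or from ConnMan: it writes a ConnMan service .config for an EAP network with owner-only permissions and then lints it for the two things a defender cares about, that the file holding the Passphrase is not readable by other local users, and that CACertFile is set so the supplicant can verify the authentication server before it sends any credentials (the certificate check iOS is said above to skip). The service name, SSID, identity, passphrase, CA path and the PEAP/MSCHAPv2 choice are assumptions; the key names follow ConnMan's service config file format.

```shell
#!/bin/sh
# Added example, not code from the thread or from ConnMan itself.
# Writes a ConnMan service .config for an 802.1x (EAP) network and checks
# that the Passphrase is owner-readable only and that CACertFile is set.
# Assumed: service name, SSID, identity, passphrase, CA path and the
# PEAP/MSCHAPv2 choice; key names follow ConnMan's service config format.
set -eu

# write_eap_config DIR NAME SSID IDENTITY PASSPHRASE CACERT
# Creates DIR/NAME.config; umask 077 makes the new file mode 0600, so the
# passphrase is not exposed to other users even if DIR itself is readable.
write_eap_config() {
    (
        umask 077
        cat > "$1/$2.config" <<EOF
[service_$2]
Type = wifi
Name = $3
Security = ieee8021x
EAP = peap
Phase2 = MSCHAPV2
CACertFile = $6
Identity = $4
Passphrase = $5
EOF
    )
}

# check_config_perms FILE: succeeds only when group and other have no
# access bits at all (columns 5-10 of ls -l are "------").
check_config_perms() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# config_has_key FILE KEY: succeeds when KEY is set to a non-empty value.
config_has_key() {
    grep -q "^$2 *= *[^ ]" "$1"
}

# lint_eap_config FILE: reports and fails if the config would be deployed
# with readable credentials or without server certificate validation.
lint_eap_config() {
    ok=0
    check_config_perms "$1" || { echo "$1: readable by group/other" >&2; ok=1; }
    config_has_key "$1" CACertFile || { echo "$1: no CACertFile, server not verified" >&2; ok=1; }
    return $ok
}

# Usage (constructed sample; real files are read from /var/lib/connman):
# tmp=$(mktemp -d)
# write_eap_config "$tmp" corpnet CorpWiFi alice 'example-passphrase' /etc/ssl/certs/corp-ca.pem
# lint_eap_config "$tmp/corpnet.config" && echo "config ok"
```

The writer is meant to run as the privileged helper that owns the storage directory, not as the user-facing agent, which matches the point made above that the agent itself should never have access to /var/lib/connman. Without CACertFile the supplicant has no way to tell the real RADIUS server from an impostor, so a config that omits it should be rejected before it is installed rather than silently accepted.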


