Discussion:
Cannot connect to EAP (ieee8021x) without a .config file
Felipe Ferreri Tonello
2012-11-19 19:21:49 UTC
Permalink
Hi all,

I've read over and over all the discussion about this support to PEAP
over the service api and so on.

Ok, the thing is: I'm trying to connect to a EAP (ieee8021x) network
without the .config file, but it doesn't
work(net.connman.Error.InvalidArguments: Invalid arguments).

When I add this[1] .config file, the agent receives a request to a
Identity and a Passphrase, as expected.

[1]
[service_engineering]
Type = wifi
Name = engineering
EAP = peap
Phase2 = MSCHAPV2

If there is no certificate, shouldn't be possible to connect without the
provisioning file? Since it's how it works on iOS and Android.

PS: Is there anything that needs to be implemented in this matter? If
so, let me know.

Thank you in advance,
Felipe
Zheng, Jeff
2012-11-20 00:51:59 UTC
Permalink
Post by Felipe Ferreri Tonello
Hi all,
I've read over and over all the discussion about this support to PEAP over the
service api and so on.
Ok, the thing is: I'm trying to connect to a EAP (ieee8021x) network without
the .config file, but it doesn't
work(net.connman.Error.InvalidArguments: Invalid arguments).
When I add this[1] .config file, the agent receives a request to a Identity and a
Passphrase, as expected.
[1]
[service_engineering]
Type = wifi
Name = engineering
EAP = peap
Phase2 = MSCHAPV2
If there is no certificate, shouldn't be possible to connect without the
provisioning file? Since it's how it works on iOS and Android.
Submitted as a bug: https://bugs.meego.com/show_bug.cgi?id=25868

Bests
Jeff
Felipe Ferreri Tonello
2012-11-20 23:42:38 UTC
Permalink
Post by Zheng, Jeff
Post by Felipe Ferreri Tonello
Hi all,
I've read over and over all the discussion about this support to PEAP over the
service api and so on.
Ok, the thing is: I'm trying to connect to a EAP (ieee8021x) network without
the .config file, but it doesn't
work(net.connman.Error.InvalidArguments: Invalid arguments).
When I add this[1] .config file, the agent receives a request to a Identity and a
Passphrase, as expected.
[1]
[service_engineering]
Type = wifi
Name = engineering
EAP = peap
Phase2 = MSCHAPV2
If there is no certificate, shouldn't be possible to connect without the
provisioning file? Since it's how it works on iOS and Android.
Submitted as a bug: https://bugs.meego.com/show_bug.cgi?id=25868
Thank you Jeff,

Please, if someone could explain a little bit about this issue I can
take a look on that.

Regards,
Felipe
Patrik Flykt
2012-11-21 11:28:57 UTC
Permalink
Hi,
Post by Felipe Ferreri Tonello
Post by Felipe Ferreri Tonello
When I add this[1] .config file, the agent receives a request to a
Identity
Post by Felipe Ferreri Tonello
and a
Passphrase, as expected.
[1]
[service_engineering]
Type = wifi
Name = engineering
EAP = peap
Phase2 = MSCHAPV2
If there is no certificate, shouldn't be possible to connect
without the
Post by Felipe Ferreri Tonello
provisioning file? Since it's how it works on iOS and Android.
Currently it is not possible to connect to an EAP network without
a .config file. Explicitely specifying a .config file without a
certificate tells ConnMan that this is the intention. Blindly trying to
connect without a certificate would mysteriously work for some of the
networks while others wouldn't. It'd look confusinly inconsistent and
historically a .config file was always needed.
Post by Felipe Ferreri Tonello
Please, if someone could explain a little bit about this issue I can
take a look on that.
The above was probably an explanation but not really any decision either
way :-).

Cheers,

Patrik
Felipe Ferreri Tonello
2012-11-21 19:06:41 UTC
Permalink
Post by Patrik Flykt
Hi,
Post by Felipe Ferreri Tonello
Post by Felipe Ferreri Tonello
When I add this[1] .config file, the agent receives a request to a
Identity
Post by Felipe Ferreri Tonello
and a
Passphrase, as expected.
[1]
[service_engineering]
Type = wifi
Name = engineering
EAP = peap
Phase2 = MSCHAPV2
If there is no certificate, shouldn't be possible to connect
without the
Post by Felipe Ferreri Tonello
provisioning file? Since it's how it works on iOS and Android.
Currently it is not possible to connect to an EAP network without
a .config file. Explicitely specifying a .config file without a
certificate tells ConnMan that this is the intention. Blindly trying to
connect without a certificate would mysteriously work for some of the
networks while others wouldn't. It'd look confusinly inconsistent and
historically a .config file was always needed.
But in this case, since there is no need of certificate, shouldn't
connman be able to try to connect without it? I'm just saying it because
when I try to connect to this network with an iPhone it connects without
any certificate (it just ask if you want to accept a certificate) and
with an Android it just connect without even asking to accept a certificate.

Since there is no certificate the user expects to connect directly. IMO
it's ugly to some Agent (or external program) to write a .config file
just so connman can recognize the service.

Is there any work to be done here or it's by design this behavior?

Regards,
Felipe
Patrik Flykt
2012-11-22 11:47:37 UTC
Permalink
Hi,
Post by Felipe Ferreri Tonello
But in this case, since there is no need of certificate, shouldn't
connman be able to try to connect without it? I'm just saying it because
when I try to connect to this network with an iPhone it connects without
any certificate (it just ask if you want to accept a certificate) and
with an Android it just connect without even asking to accept a certificate.
It is true that Android (and iPhone) asks you these questions when you
click on an 802.1x EAP network. Unfortunately they have to ask the use
up front before proceeding with the connection attempt, since the WiFi
network information from the Access Point does not contain any
information about the used EAP protocol. Thus they are as lost as
ConnMan what the EAP method of connecting to the network actually is.
Asking the user happens before anything starts connecting.
Post by Felipe Ferreri Tonello
Since there is no certificate the user expects to connect directly. IMO
it's ugly to some Agent (or external program) to write a .config file
just so connman can recognize the service.
Whether any certificates exist or not needs a user decision as much as
the EAP method itself. Thus any UI trying to connect to an 802.1x EAP
network must prompt the user, give the information to ConnMan and then
connect. The current implementation in ConnMan is such that an EAP
network needs to be described as a .config file. Maybe it's less
implementation friendly to write a file with the needed information, but
it shouldn't be a too big obstacle since the UI has already received all
the needed (known) information from the user.

Cheers,

Patrik
Felipe Tonello
2012-11-22 20:37:56 UTC
Permalink
Hi Patrick,
Post by Patrik Flykt
Hi,
Post by Felipe Ferreri Tonello
But in this case, since there is no need of certificate, shouldn't
connman be able to try to connect without it? I'm just saying it because
when I try to connect to this network with an iPhone it connects without
any certificate (it just ask if you want to accept a certificate) and
with an Android it just connect without even asking to accept a certificate.
It is true that Android (and iPhone) asks you these questions when you
click on an 802.1x EAP network. Unfortunately they have to ask the use
up front before proceeding with the connection attempt, since the WiFi
network information from the Access Point does not contain any
information about the used EAP protocol. Thus they are as lost as
ConnMan what the EAP method of connecting to the network actually is.
Asking the user happens before anything starts connecting.
Android does that but not iPhone. iPhone just asks for the user/password,
tries to connect and shows a certificate that the user needs to accept. Do
you guess what they do?

The main problem is that, as we know, users doesn't care about this
certificates, eap protocols and so on. And if on iOS they are not asked
those informations, they expect the same in other devices.

Btw, what is this certificate for and why with connman and Android the user
don't need to accept it?
Post by Patrik Flykt
Post by Felipe Ferreri Tonello
Since there is no certificate the user expects to connect directly. IMO
it's ugly to some Agent (or external program) to write a .config file
just so connman can recognize the service.
Whether any certificates exist or not needs a user decision as much as
the EAP method itself. Thus any UI trying to connect to an 802.1x EAP
network must prompt the user, give the information to ConnMan and then
connect. The current implementation in ConnMan is such that an EAP
network needs to be described as a .config file. Maybe it's less
implementation friendly to write a file with the needed information, but
it shouldn't be a too big obstacle since the UI has already received all
the needed (known) information from the user.
Some times the Agent will not have rights to write in /var/lib/connman or
whatever where connman is reading those files.

But I agree that knowing this information is not a problem to write a
.config file.

Another point is the fact that the Agent doesn't know when it should ask
those informations to the user. Perhaps by checking the service's security
property is ieee8021x?

I remember that there was a discussion here and Marcel Holtmann said that
Agents shouldn't ask this kind of information to the user, that's why there
is no API for that. But as we are discussing now we still need to ask that
in case of EAP. So there is clearly an inconsistency here.

Regards,
Felipe
Marcel Holtmann
2012-11-23 08:26:49 UTC
Permalink
Hi Filipe,
Post by Felipe Tonello
Post by Patrik Flykt
Post by Felipe Ferreri Tonello
But in this case, since there is no need of certificate, shouldn't
connman be able to try to connect without it? I'm just saying it because
when I try to connect to this network with an iPhone it connects without
any certificate (it just ask if you want to accept a certificate) and
with an Android it just connect without even asking to accept a certificate.
It is true that Android (and iPhone) asks you these questions when you
click on an 802.1x EAP network. Unfortunately they have to ask the use
up front before proceeding with the connection attempt, since the WiFi
network information from the Access Point does not contain any
information about the used EAP protocol. Thus they are as lost as
ConnMan what the EAP method of connecting to the network actually is.
Asking the user happens before anything starts connecting.
Android does that but not iPhone. iPhone just asks for the user/password,
tries to connect and shows a certificate that the user needs to accept. Do
you guess what they do?
The main problem is that, as we know, users doesn't care about this
certificates, eap protocols and so on. And if on iOS they are not asked
those informations, they expect the same in other devices.
Btw, what is this certificate for and why with connman and Android the user
don't need to accept it?
that last I have been told is that iOS on purpose does not check these
certificates against the global trusted certificates. Simple because non
of them are authorized for WiFi usage anyway.

The only get trusted if you provide your own CA via device management.

Also iOS is kinda stupid. They always show the username/password
question for the 802.1x networks. Even if that would not work. There are
networks that completely authorize by just using certificates.
Post by Felipe Tonello
Post by Patrik Flykt
Post by Felipe Ferreri Tonello
Since there is no certificate the user expects to connect directly. IMO
it's ugly to some Agent (or external program) to write a .config file
just so connman can recognize the service.
Whether any certificates exist or not needs a user decision as much as
the EAP method itself. Thus any UI trying to connect to an 802.1x EAP
network must prompt the user, give the information to ConnMan and then
connect. The current implementation in ConnMan is such that an EAP
network needs to be described as a .config file. Maybe it's less
implementation friendly to write a file with the needed information, but
it shouldn't be a too big obstacle since the UI has already received all
the needed (known) information from the user.
Some times the Agent will not have rights to write in /var/lib/connman or
whatever where connman is reading those files.
The agent should never have access to /var/lib/connman ever. If you do
that, then your security model is broken.
Post by Felipe Tonello
But I agree that knowing this information is not a problem to write a
.config file.
Another point is the fact that the Agent doesn't know when it should ask
those informations to the user. Perhaps by checking the service's security
property is ieee8021x?
I remember that there was a discussion here and Marcel Holtmann said that
Agents shouldn't ask this kind of information to the user, that's why there
is no API for that. But as we are discussing now we still need to ask that
in case of EAP. So there is clearly an inconsistency here.
I am totally fine if we ask username and password for 802.1x from the
user, but nothing more. To do that, we need to first know if username
and password would actually work in that case.

Regards

Marcel
Felipe Ferreri Tonello
2012-11-27 01:35:09 UTC
Permalink
Hello Marcel

Thank you for your answer.
Post by Marcel Holtmann
Hi Filipe,
Post by Felipe Tonello
Post by Patrik Flykt
Post by Felipe Ferreri Tonello
But in this case, since there is no need of certificate, shouldn't
connman be able to try to connect without it? I'm just saying it because
when I try to connect to this network with an iPhone it connects without
any certificate (it just ask if you want to accept a certificate) and
with an Android it just connect without even asking to accept a certificate.
It is true that Android (and iPhone) asks you these questions when you
click on an 802.1x EAP network. Unfortunately they have to ask the use
up front before proceeding with the connection attempt, since the WiFi
network information from the Access Point does not contain any
information about the used EAP protocol. Thus they are as lost as
ConnMan what the EAP method of connecting to the network actually is.
Asking the user happens before anything starts connecting.
Android does that but not iPhone. iPhone just asks for the user/password,
tries to connect and shows a certificate that the user needs to accept. Do
you guess what they do?
The main problem is that, as we know, users doesn't care about this
certificates, eap protocols and so on. And if on iOS they are not asked
those informations, they expect the same in other devices.
Btw, what is this certificate for and why with connman and Android the user
don't need to accept it?
that last I have been told is that iOS on purpose does not check these
certificates against the global trusted certificates. Simple because non
of them are authorized for WiFi usage anyway.
So does connman always accept it? How is it handled?
Post by Marcel Holtmann
The only get trusted if you provide your own CA via device management.
Also iOS is kinda stupid. They always show the username/password
question for the 802.1x networks. Even if that would not work. There are
networks that completely authorize by just using certificates.
Post by Felipe Tonello
Post by Patrik Flykt
Post by Felipe Ferreri Tonello
Since there is no certificate the user expects to connect directly. IMO
it's ugly to some Agent (or external program) to write a .config file
just so connman can recognize the service.
Whether any certificates exist or not needs a user decision as much as
the EAP method itself. Thus any UI trying to connect to an 802.1x EAP
network must prompt the user, give the information to ConnMan and then
connect. The current implementation in ConnMan is such that an EAP
network needs to be described as a .config file. Maybe it's less
implementation friendly to write a file with the needed information, but
it shouldn't be a too big obstacle since the UI has already received all
the needed (known) information from the user.
Some times the Agent will not have rights to write in /var/lib/connman or
whatever where connman is reading those files.
The agent should never have access to /var/lib/connman ever. If you do
that, then your security model is broken.
Well, you need to write there somehow. I said an Agent just for the sake
of the argument, but it's a external tool anyway.

What about writing there user/password credentials? Is there anyway to
secure the password in the .config file?
Post by Marcel Holtmann
Post by Felipe Tonello
But I agree that knowing this information is not a problem to write a
.config file.
Another point is the fact that the Agent doesn't know when it should ask
those informations to the user. Perhaps by checking the service's security
property is ieee8021x?
I remember that there was a discussion here and Marcel Holtmann said that
Agents shouldn't ask this kind of information to the user, that's why there
is no API for that. But as we are discussing now we still need to ask that
in case of EAP. So there is clearly an inconsistency here.
I am totally fine if we ask username and password for 802.1x from the
user, but nothing more. To do that, we need to first know if username
and password would actually work in that case.
Is there anyway to know that? As you said, there are networks that works
fine with the certificate only.

Regards,

Felipe

Patrik Flykt
2012-11-23 08:55:28 UTC
Permalink
Hi,
Post by Felipe Tonello
Android does that but not iPhone. iPhone just asks for the
user/password,
tries to connect and shows a certificate that the user needs to accept. Do
you guess what they do?
The main problem is that, as we know, users doesn't care about this
certificates, eap protocols and so on. And if on iOS they are not asked
those informations, they expect the same in other devices.
Btw, what is this certificate for and why with connman and Android the user
don't need to accept it?
I don't have an iPhone so I can't verify what it does. The user
certificate is very often optional and the server certificates may be
silently accepted in the background. If there is no possibility of
selecting a client certificate, some of the EAP PEAP/TLS/TTLS/etc. WiFi
networks will not be accessible.
Post by Felipe Tonello
Post by Patrik Flykt
Post by Felipe Ferreri Tonello
Since there is no certificate the user expects to connect
directly.
Post by Patrik Flykt
Post by Felipe Ferreri Tonello
IMO
it's ugly to some Agent (or external program) to write a .config
file
Post by Patrik Flykt
Post by Felipe Ferreri Tonello
just so connman can recognize the service.
Whether any certificates exist or not needs a user decision as much
as
Post by Patrik Flykt
the EAP method itself. Thus any UI trying to connect to an 802.1x
EAP
Post by Patrik Flykt
network must prompt the user, give the information to ConnMan and
then
Post by Patrik Flykt
connect. The current implementation in ConnMan is such that an EAP
network needs to be described as a .config file. Maybe it's less
implementation friendly to write a file with the needed information,
but
Post by Patrik Flykt
it shouldn't be a too big obstacle since the UI has already received
all
Post by Patrik Flykt
the needed (known) information from the user.
Some times the Agent will not have rights to write in /var/lib/connman or
whatever where connman is reading those files.
But I agree that knowing this information is not a problem to write a
.config file.
Another point is the fact that the Agent doesn't know when it should ask
those informations to the user. Perhaps by checking the service's security
property is ieee8021x?
That's exactly the point here. The WiFi security property only specifies
EAP, not the authentication method used. The authentication method can
be TLS, TTLS, PEAP, plain MSCHAP, PEAP with MSCHAP, GTC, password, etc.
- not all of them implemented by ConnMan btw. The EAP method needs to be
chosen by the user, at least on Android phones even more method specific
options can or need to be filled in by the user depending on the WiFi
network. Already the first question about the EAP method used needs to
be asked from the user. iOS probably makes a shortcut here, tries by
default with something and only then asks some further information (or
not) if the initial guess failed.
Post by Felipe Tonello
I remember that there was a discussion here and Marcel Holtmann said that
Agents shouldn't ask this kind of information to the user, that's why there
is no API for that. But as we are discussing now we still need to ask that
in case of EAP. So there is clearly an inconsistency here.
Interactively asking all this becomes very complex very fast, which is a
reason why not to implement it via Agent API. As the user anyway needs
to be asked up front for the EAP security method, the user can fill in
the remaining bits an pieces at the same time, if there is such a UI
component.

Except that the user will have a really hard time answering any of the
EAP related questions correctly, especially the ones with subtle usage
of client certificates and other mysterious bits. Thus its _much_ better
that the information comes provisioned as a .config file, especially
when said client certs are needed - they can not be generated on the
fly. What we're talking about here really goes way beyond the
expectations of an Agent UI. All of this should belong to a provisioning
component with or without a UI of some kind.

Cheers,

Patrik
Loading...