Hi,
Post by Felipe Tonello
Android does that but not iPhone. iPhone just asks for the user/password,
tries to connect and shows a certificate that the user needs to accept. Do
you guess what they do?
The main problem is that, as we know, users don't care about these
certificates, EAP protocols and so on. And if on iOS they are not asked
for that information, they expect the same on other devices.
Btw, what is this certificate for and why with connman and Android the user
doesn't need to accept it?

I don't have an iPhone so I can't verify what it does. The user
certificate is very often optional and the server certificates may be
silently accepted in the background. If there is no possibility of
selecting a client certificate, some of the EAP PEAP/TLS/TTLS/etc. WiFi
networks will not be accessible.

Post by Felipe Tonello
Post by Patrik Flykt
Post by Felipe Ferreri Tonello
Since there is no certificate the user expects to connect directly. IMO
it's ugly for some Agent (or external program) to write a .config file
just so connman can recognize the service.
Post by Patrik Flykt
Whether any certificates exist or not needs a user decision as much as
the EAP method itself. Thus any UI trying to connect to an 802.1x EAP
network must prompt the user, give the information to ConnMan and then
connect. The current implementation in ConnMan is such that an EAP
network needs to be described as a .config file. Maybe it's less
implementation friendly to write a file with the needed information, but
it shouldn't be too big an obstacle since the UI has already received all
the needed (known) information from the user.
Post by Felipe Tonello
Sometimes the Agent will not have rights to write in /var/lib/connman or
wherever connman is reading those files.
But I agree that knowing this information is not a problem to write a
.config file.
Another point is the fact that the Agent doesn't know when it should ask
the user for that information. Perhaps by checking whether the service's
security property is ieee8021x?

That's exactly the point here. The WiFi security property only specifies
EAP, not the authentication method used. The authentication method can
be TLS, TTLS, PEAP, plain MSCHAP, PEAP with MSCHAP, GTC, password, etc.
- not all of them implemented by ConnMan btw. The EAP method needs to be
chosen by the user, at least on Android phones even more method specific
options can or need to be filled in by the user depending on the WiFi
network. Already the first question about the EAP method used needs to
be asked from the user. iOS probably makes a shortcut here, tries by
default with something and only then asks some further information (or
not) if the initial guess failed.

Post by Felipe Tonello
I remember that there was a discussion here and Marcel Holtmann said that
Agents shouldn't ask the user for this kind of information, that's why there
is no API for that. But as we are discussing now we still need to ask that
in case of EAP. So there is clearly an inconsistency here.

Interactively asking all this becomes very complex very fast, which is a
reason why not to implement it via Agent API. As the user anyway needs
to be asked up front for the EAP security method, the user can fill in
the remaining bits and pieces at the same time, if there is such a UI
component.
Except that the user will have a really hard time answering any of the
EAP related questions correctly, especially the ones with subtle usage
of client certificates and other mysterious bits. Thus it's _much_ better
that the information comes provisioned as a .config file, especially
when said client certs are needed - they can not be generated on the
fly. What we're talking about here really goes way beyond the
expectations of an Agent UI. All of this should belong to a provisioning
component with or without a UI of some kind.
Cheers,
Patrik
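
A provisioning component of the kind the thread describes could generate the .config file as follows. This is an added sketch, not code from the thread or from ConnMan: the function names, the policy of always requiring CACertFile (so the server certificate is never accepted unchecked), and all sample values are assumptions of the example; the key names are those of ConnMan's provisioning file format.

```python
import os
import tempfile

# Fields this sketch demands per EAP method. Requiring CACertFile is this
# example's policy so the server certificate is never accepted unchecked.
REQUIRED = {
    "peap": ("Identity", "Passphrase", "CACertFile"),
    "ttls": ("Identity", "Passphrase", "CACertFile"),
    "tls": ("Identity", "CACertFile", "ClientCertFile", "PrivateKeyFile"),
}
OPTIONAL = ("Phase2", "PrivateKeyPassphrase")

def render_config(tag, ssid, eap, fields):
    """Return the text of a provisioning file for one EAP WiFi network."""
    eap = eap.lower()
    if eap not in REQUIRED:
        raise ValueError(f"unsupported EAP method: {eap!r}")
    if not tag.isalnum():
        raise ValueError("section tag must be alphanumeric")
    allowed = REQUIRED[eap] + OPTIONAL
    unknown = sorted(set(fields) - set(allowed))
    missing = [k for k in REQUIRED[eap] if not fields.get(k)]
    if unknown or missing:
        raise ValueError(f"unknown={unknown} missing={missing}")
    # UI-supplied text must not smuggle extra "Key = value" lines into the file.
    for value in (ssid, *fields.values()):
        if not value.isprintable():
            raise ValueError("control character in value")
    lines = [f"[service_{tag}]", "Type = wifi", f"Name = {ssid}", f"EAP = {eap}"]
    lines += [f"{k} = {fields[k]}" for k in allowed if k in fields]
    return "\n".join(lines) + "\n"

def write_config(directory, tag, text):
    """Write <tag>.config with mode 0600 and move it into place atomically."""
    if not tag.isalnum():
        raise ValueError("section tag must be alphanumeric")
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")  # created 0600
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    path = os.path.join(directory, f"{tag}.config")
    os.replace(tmp, path)
    return path

if __name__ == "__main__":
    sample = {"Identity": "alice", "Passphrase": "constructed-secret",  # constructed
              "CACertFile": "/etc/ssl/certs/example-ca.pem", "Phase2": "MSCHAPV2"}
    print(render_config("example", "ExampleCorp", "peap", sample))
```

Because the file holds the passphrase in clear text, it is created with owner-only permissions and renamed into place so that a reader of the directory never sees a partially written file.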