Hi Kalle,

> >> There are WPA Enterprise networks just with a list of settings and
> >> possible screenshots of settings dialogs from different devices. Here
> >> are a few examples I quickly googled:
> >> 
> >> http://oregonstate.edu/helpdocs/wireless/getting-connected/OSU-secure
> >> http://www.oit.umd.edu/nts/noc/wireless/connect.html
> >> http://www.inf.aber.ac.uk/advisory/faq/253/
> >
> > as I said before, for the ones that just require a username and
> > password we can ask the user via the agent (once that got implemented)
> > to provide such information. For the ones that require certificates it
> > will not work.
> 
> Like someone else already said, for EAP-PEAP and EAP-TTLS it's crucial
> that the correct CA certificate is used, otherwise man-in-the-middle
> attacks are possible. So no matter what EAP method is used, we will have
> to deal with certificates one way or the other.

Verifying valid certificates in the background without user interaction
is a different story than asking the user to put in a CA and its client
certificate. They need to be provided by the admin anyway, so the admin
can also just provide some XML configuration file.

> >> In this case forcing the user to create an XML file won't work. In my
> >> opinion there needs to be a proper UI for EAP settings, and especially
> >> proper interfaces provided by connman, to set up all this. And the
> >> settings need to be editable so that the user can correct the mistakes he
> >> made earlier.
> >
> > That can be done via some nice admin tool UI that creates these XML
> > files for you. However the normal users can only answer simple
> > questions. For example "What is your passphrase?" If you ask them if it
> > is WEP40 or WPA, if your key is ASCII or hex, they don't even know. And
> > even the access point owner most times doesn't know. Hence we are not
> > asking this question.
> 
> I fully agree with you here. We need to make it as easy as possible for
> the users.
> 
> > Same for WPA-Enterprise. Please provide the CA Cert for this access?
> > That is not an appropriate question for the end users.
> 
> It's not appropriate because they are difficult, yes that's true. But
> that's currently the only way to set up a WPA Enterprise connection, a
> fact of life we can't change in the near future.

I am not signing up for confusing the end user. If it is more than
username and password, it will not be exposed by the UI.

They can have done that in the past this way as much as they want, now
it is time to change this. If this means an extra setup tool for
creating WPA Enterprise configuration, so be it.

> > As mentioned above, I give you the case for username/password authentication
> > and that we should present these to the users. If it involves a client
> > certificate or anything else, then this is up to the admin to get this
> > right.
> 
> If the network administrator is forced to create such an XML file,
> currently only very few of them will do that just for connman. So most
> of the connman users would just not be able to access the network. In
> some cases the most advanced users would create the XML file themselves
> and provide it to others, but I would not rely on that happening
> everywhere.

This happened before and will happen again ;)

> > And there will be as many instructions on how to create this XML files
> > for MeeGo as there will be screenshots for Windows and MacOS.
> 
> This is to be seen. It may happen, or may not. But what do users do
> before MeeGo is so successful that all the network administrators have
> created the XML file for the MeeGo users?
> 
> I think that your WPA Enterprise settings in an XML file is a great
> idea, and it would be even better if you can convince Wi-Fi Alliance to
> support it and to increase its adoption.
> 
> *But* we need a solution which works now, with the current networks and
> instructions available. I'm really worried how we can do that just by
> having a connman interface importing XML files. In my opinion we need to
> have EAP settings as properties in the service API so that it's easy for
> the user to add EAP networks, edit the EAP settings and remove them as
> necessary. Including all the necessary certificates and so on.

As I said, no. If you need to ask the user for a certificate then
your whole trust behind this is bogus anyway. Use WEP for all that
matters. Admins with proper handling of the trust chains have to be
involved.

> >> I assume you refer to EAP-TLS here. From my point of view it's not that
> >> widely used and I don't care about it.[1] So I'm not going complain
> >> about that one, at least not yet :)
> >
> > That is what the real Enterprise world cares about and uses. All the
> > other ones are just nasty hacks. Mainly since you can't tie them to a
> > specific machine. With EAP-TLS you can issue as many certificates
> > per person as you want and force them to use a different one for every
> > laptop, phone etc.
> 
> And all the trouble of certificate handling (creating and revoking them
> etc). No thanks, I'll let you corporate guys play with those :)

My point exactly. The admin of the network should provide the
configuration for you.

Regards

Marcel


_______________________________________________
connman mailing list
connman@connman.net
http://lists.connman.net/listinfo/connman