RE: Cannot connect to EAP (ieee8021x) without a .config file

> Hi all,
>
> I've read over and over all the discussion about this support to PEAP over the service api and so on.
>
> Ok, the thing is: I'm trying to connect to an EAP (ieee8021x) network without the .config file, but it doesn't work (net.connman.Error.InvalidArguments: Invalid arguments).
>
> When I add this[1] .config file, the agent receives a request for an Identity and a Passphrase, as expected.
>
> [1]
> [service_engineering]
> Type = wifi
> Name = engineering
> EAP = peap
> Phase2 = MSCHAPV2
>
> If there is no certificate, shouldn't it be possible to connect without the provisioning file? Since it's how it works on iOS and Android.

Submitted as a bug: https://bugs.meego.com/show_bug.cgi?id=25868

Bests
Jeff
___
connman mailing list
connman@connman.net
http://lists.connman.net/listinfo/connman
Re: Cannot connect to EAP (ieee8021x) without a .config file

On 11/19/2012 04:51 PM, Zheng, Jeff wrote:
> Hi all,
>
> I've read over and over all the discussion about this support to PEAP over the service api and so on.
>
> Ok, the thing is: I'm trying to connect to an EAP (ieee8021x) network without the .config file, but it doesn't work (net.connman.Error.InvalidArguments: Invalid arguments).
>
> When I add this[1] .config file, the agent receives a request for an Identity and a Passphrase, as expected.
>
> [1]
> [service_engineering]
> Type = wifi
> Name = engineering
> EAP = peap
> Phase2 = MSCHAPV2
>
> If there is no certificate, shouldn't it be possible to connect without the provisioning file? Since it's how it works on iOS and Android.
>
> Submitted as a bug: https://bugs.meego.com/show_bug.cgi?id=25868

Thank you Jeff,

Please, if someone could explain a little bit about this issue I can take a look at that.

Regards,
Felipe
Re: Cannot connect to EAP (ieee8021x) without a .config file

Hi,

On Tue, 2012-11-20 at 15:42 -0800, Felipe Ferreri Tonello wrote:
> >> When I add this[1] .config file, the agent receives a request for an Identity and a Passphrase, as expected.
> >>
> >> [1]
> >> [service_engineering]
> >> Type = wifi
> >> Name = engineering
> >> EAP = peap
> >> Phase2 = MSCHAPV2
> >>
> >> If there is no certificate, shouldn't it be possible to connect without the provisioning file? Since it's how it works on iOS and Android.

Currently it is not possible to connect to an EAP network without a .config file. Explicitly specifying a .config file without a certificate tells ConnMan that this is the intention. Blindly trying to connect without a certificate would mysteriously work for some of the networks while others wouldn't. It'd look confusingly inconsistent and historically a .config file was always needed.

> Please, if someone could explain a little bit about this issue I can take a look at that.

The above was probably an explanation but not really any decision either way :-).

Cheers,

	Patrik
Re: Cannot connect to EAP (ieee8021x) without a .config file

On 11/21/2012 03:28 AM, Patrik Flykt wrote:
> Hi,
>
> On Tue, 2012-11-20 at 15:42 -0800, Felipe Ferreri Tonello wrote:
> > >> When I add this[1] .config file, the agent receives a request for an Identity and a Passphrase, as expected.
> > >>
> > >> [1]
> > >> [service_engineering]
> > >> Type = wifi
> > >> Name = engineering
> > >> EAP = peap
> > >> Phase2 = MSCHAPV2
> > >>
> > >> If there is no certificate, shouldn't it be possible to connect without the provisioning file? Since it's how it works on iOS and Android.
>
> Currently it is not possible to connect to an EAP network without a .config file. Explicitly specifying a .config file without a certificate tells ConnMan that this is the intention. Blindly trying to connect without a certificate would mysteriously work for some of the networks while others wouldn't. It'd look confusingly inconsistent and historically a .config file was always needed.

But in this case, since there is no need of a certificate, shouldn't connman be able to try to connect without it? I'm just saying it because when I try to connect to this network with an iPhone it connects without any certificate (it just asks if you want to accept a certificate) and with an Android it just connects without even asking to accept a certificate.

Since there is no certificate the user expects to connect directly. IMO it's ugly for some Agent (or external program) to write a .config file just so connman can recognize the service.

Is there any work to be done here or is this behavior by design?

Regards,
Felipe
Re: Cannot connect to EAP (ieee8021x) without a .config file

Hi,

On Wed, 2012-11-21 at 11:06 -0800, Felipe Ferreri Tonello wrote:
> But in this case, since there is no need of a certificate, shouldn't connman be able to try to connect without it? I'm just saying it because when I try to connect to this network with an iPhone it connects without any certificate (it just asks if you want to accept a certificate) and with an Android it just connects without even asking to accept a certificate.

It is true that Android (and iPhone) asks you these questions when you click on an 802.1x EAP network. Unfortunately they have to ask the user up front before proceeding with the connection attempt, since the WiFi network information from the Access Point does not contain any information about the used EAP protocol. Thus they are as lost as ConnMan as to what the EAP method of connecting to the network actually is. Asking the user happens before anything starts connecting.

> Since there is no certificate the user expects to connect directly. IMO it's ugly for some Agent (or external program) to write a .config file just so connman can recognize the service.

Whether any certificates exist or not needs a user decision as much as the EAP method itself. Thus any UI trying to connect to an 802.1x EAP network must prompt the user, give the information to ConnMan and then connect. The current implementation in ConnMan is such that an EAP network needs to be described as a .config file. Maybe it's less implementation friendly to write a file with the needed information, but it shouldn't be too big an obstacle since the UI has already received all the needed (known) information from the user.

Cheers,

	Patrik
Re: Cannot connect to EAP (ieee8021x) without a .config file

Hi Patrik,

On Nov 22, 2012 3:48 AM, "Patrik Flykt" wrote:
>
> Hi,
>
> On Wed, 2012-11-21 at 11:06 -0800, Felipe Ferreri Tonello wrote:
> > But in this case, since there is no need of a certificate, shouldn't connman be able to try to connect without it? I'm just saying it because when I try to connect to this network with an iPhone it connects without any certificate (it just asks if you want to accept a certificate) and with an Android it just connects without even asking to accept a certificate.
>
> It is true that Android (and iPhone) asks you these questions when you click on an 802.1x EAP network. Unfortunately they have to ask the user up front before proceeding with the connection attempt, since the WiFi network information from the Access Point does not contain any information about the used EAP protocol. Thus they are as lost as ConnMan as to what the EAP method of connecting to the network actually is. Asking the user happens before anything starts connecting.
>

Android does that but not iPhone. iPhone just asks for the user/password, tries to connect and shows a certificate that the user needs to accept. Do you guess what they do?

The main problem is that, as we know, users don't care about these certificates, EAP protocols and so on. And if on iOS they are not asked for that information, they expect the same on other devices.

Btw, what is this certificate for and why with connman and Android does the user not need to accept it?

> > Since there is no certificate the user expects to connect directly. IMO it's ugly for some Agent (or external program) to write a .config file just so connman can recognize the service.
>
> Whether any certificates exist or not needs a user decision as much as the EAP method itself. Thus any UI trying to connect to an 802.1x EAP network must prompt the user, give the information to ConnMan and then connect. The current implementation in ConnMan is such that an EAP network needs to be described as a .config file. Maybe it's less implementation friendly to write a file with the needed information, but it shouldn't be too big an obstacle since the UI has already received all the needed (known) information from the user.

Sometimes the Agent will not have rights to write in /var/lib/connman or wherever connman is reading those files. But I agree that knowing this information is not a problem to write a .config file.

Another point is the fact that the Agent doesn't know when it should ask the user for that information. Perhaps by checking whether the service's security property is ieee8021x?

I remember that there was a discussion here and Marcel Holtmann said that Agents shouldn't ask this kind of information from the user, that's why there is no API for that. But as we are discussing now we still need to ask that in case of EAP. So there is clearly an inconsistency here.

Regards,
Felipe
Re: Cannot connect to EAP (ieee8021x) without a .config file

Hi Felipe,

> > > But in this case, since there is no need of a certificate, shouldn't connman be able to try to connect without it? I'm just saying it because when I try to connect to this network with an iPhone it connects without any certificate (it just asks if you want to accept a certificate) and with an Android it just connects without even asking to accept a certificate.
> >
> > It is true that Android (and iPhone) asks you these questions when you click on an 802.1x EAP network. Unfortunately they have to ask the user up front before proceeding with the connection attempt, since the WiFi network information from the Access Point does not contain any information about the used EAP protocol. Thus they are as lost as ConnMan as to what the EAP method of connecting to the network actually is. Asking the user happens before anything starts connecting.
> >
>
> Android does that but not iPhone. iPhone just asks for the user/password, tries to connect and shows a certificate that the user needs to accept. Do you guess what they do?
>
> The main problem is that, as we know, users don't care about these certificates, EAP protocols and so on. And if on iOS they are not asked for that information, they expect the same on other devices.
>
> Btw, what is this certificate for and why with connman and Android does the user not need to accept it?

the last I have been told is that iOS on purpose does not check these certificates against the global trusted certificates. Simply because none of them are authorized for WiFi usage anyway. They only get trusted if you provide your own CA via device management.

Also iOS is kinda stupid. They always show the username/password question for the 802.1x networks. Even if that would not work. There are networks that completely authorize by just using certificates.

> > > Since there is no certificate the user expects to connect directly. IMO it's ugly for some Agent (or external program) to write a .config file just so connman can recognize the service.
> >
> > Whether any certificates exist or not needs a user decision as much as the EAP method itself. Thus any UI trying to connect to an 802.1x EAP network must prompt the user, give the information to ConnMan and then connect. The current implementation in ConnMan is such that an EAP network needs to be described as a .config file. Maybe it's less implementation friendly to write a file with the needed information, but it shouldn't be too big an obstacle since the UI has already received all the needed (known) information from the user.
>
> Sometimes the Agent will not have rights to write in /var/lib/connman or wherever connman is reading those files.

The agent should never have access to /var/lib/connman ever. If you do that, then your security model is broken.

> But I agree that knowing this information is not a problem to write a .config file.
>
> Another point is the fact that the Agent doesn't know when it should ask the user for that information. Perhaps by checking whether the service's security property is ieee8021x?
>
> I remember that there was a discussion here and Marcel Holtmann said that Agents shouldn't ask this kind of information from the user, that's why there is no API for that. But as we are discussing now we still need to ask that in case of EAP. So there is clearly an inconsistency here.

I am totally fine if we ask username and password for 802.1x from the user, but nothing more. To do that, we need to first know if username and password would actually work in that case.

Regards

Marcel
Re: Cannot connect to EAP (ieee8021x) without a .config file

Hi,

On Thu, 2012-11-22 at 12:37 -0800, Felipe Tonello wrote:
> Android does that but not iPhone. iPhone just asks for the user/password, tries to connect and shows a certificate that the user needs to accept. Do you guess what they do?
>
> The main problem is that, as we know, users don't care about these certificates, EAP protocols and so on. And if on iOS they are not asked for that information, they expect the same on other devices.
>
> Btw, what is this certificate for and why with connman and Android does the user not need to accept it?

I don't have an iPhone so I can't verify what it does. The user certificate is very often optional and the server certificates may be silently accepted in the background. If there is no possibility of selecting a client certificate, some of the EAP PEAP/TLS/TTLS/etc. WiFi networks will not be accessible.

> > > Since there is no certificate the user expects to connect directly. IMO it's ugly for some Agent (or external program) to write a .config file just so connman can recognize the service.
> >
> > Whether any certificates exist or not needs a user decision as much as the EAP method itself. Thus any UI trying to connect to an 802.1x EAP network must prompt the user, give the information to ConnMan and then connect. The current implementation in ConnMan is such that an EAP network needs to be described as a .config file. Maybe it's less implementation friendly to write a file with the needed information, but it shouldn't be too big an obstacle since the UI has already received all the needed (known) information from the user.
>
> Sometimes the Agent will not have rights to write in /var/lib/connman or wherever connman is reading those files.
>
> But I agree that knowing this information is not a problem to write a .config file.
>
> Another point is the fact that the Agent doesn't know when it should ask the user for that information. Perhaps by checking whether the service's security property is ieee8021x?

That's exactly the point here. The WiFi security property only specifies EAP, not the authentication method used. The authentication method can be TLS, TTLS, PEAP, plain MSCHAP, PEAP with MSCHAP, GTC, password, etc. - not all of them implemented by ConnMan btw. The EAP method needs to be chosen by the user; at least on Android phones even more method specific options can or need to be filled in by the user depending on the WiFi network. Already the first question about the EAP method used needs to be asked from the user. iOS probably makes a shortcut here, tries by default with something and only then asks for some further information (or not) if the initial guess failed.

> I remember that there was a discussion here and Marcel Holtmann said that Agents shouldn't ask this kind of information from the user, that's why there is no API for that. But as we are discussing now we still need to ask that in case of EAP. So there is clearly an inconsistency here.

Interactively asking all this becomes very complex very fast, which is a reason why not to implement it via Agent API. As the user anyway needs to be asked up front for the EAP security method, the user can fill in the remaining bits and pieces at the same time, if there is such a UI component. Except that the user will have a really hard time answering any of the EAP related questions correctly, especially the ones with subtle usage of client certificates and other mysterious bits. Thus it's _much_ better that the information comes provisioned as a .config file, especially when said client certs are needed - they can not be generated on the fly.

What we're talking about here really goes way beyond the expectations of an Agent UI. All of this should belong to a provisioning component with or without a UI of some kind.

Cheers,

	Patrik
Re: Cannot connect to EAP (ieee8021x) without a .config file

Hello Marcel

Thank you for your answer.

On 11/23/2012 12:26 AM, Marcel Holtmann wrote:
> Hi Felipe,
>
> > > > But in this case, since there is no need of a certificate, shouldn't connman be able to try to connect without it? I'm just saying it because when I try to connect to this network with an iPhone it connects without any certificate (it just asks if you want to accept a certificate) and with an Android it just connects without even asking to accept a certificate.
> > >
> > > It is true that Android (and iPhone) asks you these questions when you click on an 802.1x EAP network. Unfortunately they have to ask the user up front before proceeding with the connection attempt, since the WiFi network information from the Access Point does not contain any information about the used EAP protocol. Thus they are as lost as ConnMan as to what the EAP method of connecting to the network actually is. Asking the user happens before anything starts connecting.
> >
> > Android does that but not iPhone. iPhone just asks for the user/password, tries to connect and shows a certificate that the user needs to accept. Do you guess what they do?
> >
> > The main problem is that, as we know, users don't care about these certificates, EAP protocols and so on. And if on iOS they are not asked for that information, they expect the same on other devices.
> >
> > Btw, what is this certificate for and why with connman and Android does the user not need to accept it?
>
> the last I have been told is that iOS on purpose does not check these certificates against the global trusted certificates. Simply because none of them are authorized for WiFi usage anyway.

So does connman always accept it? How is it handled?

> They only get trusted if you provide your own CA via device management.
>
> Also iOS is kinda stupid. They always show the username/password question for the 802.1x networks. Even if that would not work. There are networks that completely authorize by just using certificates.
>
> > > > Since there is no certificate the user expects to connect directly. IMO it's ugly for some Agent (or external program) to write a .config file just so connman can recognize the service.
> > >
> > > Whether any certificates exist or not needs a user decision as much as the EAP method itself. Thus any UI trying to connect to an 802.1x EAP network must prompt the user, give the information to ConnMan and then connect. The current implementation in ConnMan is such that an EAP network needs to be described as a .config file. Maybe it's less implementation friendly to write a file with the needed information, but it shouldn't be too big an obstacle since the UI has already received all the needed (known) information from the user.
> >
> > Sometimes the Agent will not have rights to write in /var/lib/connman or wherever connman is reading those files.
>
> The agent should never have access to /var/lib/connman ever. If you do that, then your security model is broken.

Well, you need to write there somehow. I said an Agent just for the sake of the argument, but it's an external tool anyway. What about writing user/password credentials there? Is there any way to secure the password in the .config file?

> > But I agree that knowing this information is not a problem to write a .config file.
> >
> > Another point is the fact that the Agent doesn't know when it should ask the user for that information. Perhaps by checking whether the service's security property is ieee8021x?
> >
> > I remember that there was a discussion here and Marcel Holtmann said that Agents shouldn't ask this kind of information from the user, that's why there is no API for that. But as we are discussing now we still need to ask that in case of EAP. So there is clearly an inconsistency here.
>
> I am totally fine if we ask username and password for 802.1x from the user, but nothing more. To do that, we need to first know if username and password would actually work in that case.

Is there any way to know that? As you said, there are networks that work fine with the certificate only.

Regards,
Felipe
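The provisioning step the thread converges on (a privileged component rather than the Agent writes the EAP service description into ConnMan's config directory, and the passphrase in it has to be protected on disk), as an added example that is not ConnMan's own code: it renders a section shaped like the one Jeff quoted, rejects values that could smuggle extra keys into the file, and writes the result atomically with owner-only permissions. Only the section name, Type, Name, EAP and Phase2 come from the thread; Identity and Passphrase as file keys, the allow lists, the temporary-file prefix and the function names are assumptions made here.

```python
import os
import re
import tempfile
from pathlib import Path

# Illustrative allow lists constructed for this example; which methods ConnMan
# really supports is decided by its wpa_supplicant backend, not by this helper.
ALLOWED_EAP = {"peap", "ttls", "tls"}
TUNNELLED_EAP = {"peap", "ttls"}        # methods that carry a Phase2 inner method
ALLOWED_PHASE2 = {"MSCHAPV2", "GTC"}

# A value may not contain control characters, '=' or brackets: that is what stops
# a hostile SSID or username handed over by the UI from injecting a second
# "Key = value" line (or a whole new section) into the privileged writer's output.
_SAFE_VALUE = re.compile(r"[^\x00-\x1f\x7f\[\]=]+")


def check_value(key, value):
    """Return `value` if it can safely follow `key = ` on one line, else raise."""
    if not _SAFE_VALUE.fullmatch(value):
        raise ValueError(f"{key}: value cannot be placed on a single .config line")
    return value


def render_config(name, eap, phase2=None, identity=None, passphrase=None):
    """Render a service section shaped like the one quoted in the thread."""
    eap = eap.lower()
    if eap not in ALLOWED_EAP:
        raise ValueError(f"unsupported EAP method {eap!r}")
    if eap in TUNNELLED_EAP and phase2 not in ALLOWED_PHASE2:
        raise ValueError(f"{eap} needs a Phase2 inner method from {sorted(ALLOWED_PHASE2)}")
    if eap not in TUNNELLED_EAP and phase2 is not None:
        raise ValueError(f"{eap} takes no Phase2 inner method")
    section = "service_" + re.sub(r"[^A-Za-z0-9_]", "_", name)
    lines = [f"[{section}]", "Type = wifi", f"Name = {check_value('Name', name)}", f"EAP = {eap}"]
    if phase2:
        lines.append(f"Phase2 = {phase2}")
    if identity is not None:        # assumed key name (not in the quoted file)
        lines.append(f"Identity = {check_value('Identity', identity)}")
    if passphrase is not None:      # assumed key name; stored in clear, hence 0600 below
        lines.append(f"Passphrase = {check_value('Passphrase', passphrase)}")
    return "\n".join(lines) + "\n"


def write_config(directory, basename, text):
    """Atomically write `text` as <basename>.config, readable by its owner only."""
    directory = Path(directory)
    if "/" in basename or basename in ("", ".", ".."):
        raise ValueError("basename must be a plain file name inside the config directory")
    final = directory / (basename + ".config")
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".provision-")
    try:
        with os.fdopen(fd, "w") as fh:
            os.fchmod(fd, 0o600)        # restrict before the passphrase reaches disk
            fh.write(text)
        os.replace(tmp, final)          # readers never observe a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final
```

The writer is meant to run with the privileges that own the config directory, which is exactly what the thread says an Agent should not have.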