From 7f7bfba919a76bb03a7f762eab0ac00d4f5c3184 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 1 Feb 2015 19:22:54 +0200
Subject: [PATCH] Add an option allow canned EAP-Success for wired IEEE 802.1X
For wired IEEE 802.1X authentication, phase1="allow_canned_success=1" can now be used to configure a mode that allows EAP-Success (and EAP-Failure) without going through authentication step. Some switches use such sequence when forcing the port to be authorized/unauthorized or as a fallback option if the authentication server is unreachable. By default, wpa_supplicant discards such frames to protect against potential attacks by rogue devices, but this option can be used to disable that protection for cases where the server/authenticator does not need to be authenticated. When enabled, this mode allows EAP-Success/EAP-Failure as an immediate response to EAPOL-Start (or even without EAPOL-Start) and EAP-Success is also allowed immediately after EAP-Identity exchange (fallback case for authenticator not being able to connect to authentication server).
Signed-off-by: Jouni Malinen
---
 src/eap_peer/eap.c | 20 ++++++++++++++++++++
 src/eap_peer/eap_config.h | 10 ++++++++++
 wpa_supplicant/wpa_supplicant.conf | 10 ++++++++++
 3 files changed, 40 insertions(+)
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 62cd4a18c..35433f3bd 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -934,6 +934,15 @@ static int eap_peer_req_is_duplicate(struct eap_sm *sm)
 }
+static int eap_peer_sm_allow_canned(struct eap_sm *sm)
+{
+ struct eap_peer_config *config = eap_get_config(sm);
+
+ return config && config->phase1 &&
+ os_strstr(config->phase1, "allow_canned_success=1");
+}
+
+
 static void eap_peer_sm_step_received(struct eap_sm *sm)
 {
 int duplicate = eap_peer_req_is_duplicate(sm);
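Review bot: eap_peer_sm_allow_canned carries no comment although it is the single gate that switches off the peer's discard of EAP-Success/EAP-Failure frames that were not preceded by an authenticated method exchange, so a reader of the branches in eap_peer_sm_step_received has to come here to learn what is being relaxed. Suggested header comment above the definition: `/* Return 1 if phase1 contains "allow_canned_success=1", i.e., the caller may accept EAP-Success/EAP-Failure without a completed EAP method; this drops the default protection against spoofed results and is intended for wired IEEE 802.1X only. */`. Note also that os_strstr() is a substring match, so the token is accepted anywhere inside the phase1 string; if the other phase1 options are parsed the same way elsewhere in this file that is consistent, but for a flag that disables a protection an exact field match would be the more conservative choice.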
@@ -947,6 +956,17 @@ static void eap_peer_sm_step_received(struct eap_sm *sm)
 (sm->reqId == sm->lastId || eap_success_workaround(sm, sm->reqId, sm->lastId)))
 SM_ENTER(EAP, SUCCESS);
+ else if (sm->workaround && sm->lastId == -1 && sm->rxSuccess &&
+ !sm->rxFailure && !sm->rxReq && eap_peer_sm_allow_canned(sm))
+ SM_ENTER(EAP, SUCCESS); /* EAP-Success prior any EAP method */
+ else if (sm->workaround && sm->lastId == -1 && sm->rxFailure &&
+ !sm->rxReq && sm->methodState != METHOD_CONT &&
+ eap_peer_sm_allow_canned(sm))
+ SM_ENTER(EAP, FAILURE); /* EAP-Failure prior any EAP method */
+ else if (sm->workaround && sm->rxSuccess && !sm->rxFailure &&
+ !sm->rxReq && sm->methodState != METHOD_CONT &&
+ eap_peer_sm_allow_canned(sm))
+ SM_ENTER(EAP, SUCCESS); /* EAP-Success after Identity */
 else if (sm->methodState != METHOD_CONT && ((sm->rxFailure && sm->decision != DECISION_UNCOND_SUCC) ||
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 73d020688..2b1a1d5e4 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -418,6 +418,16 @@ struct eap_peer_config {
 * * EAP-WSC (WPS) uses following options: pin=Device_Password and * uuid=Device_UUID
+ *
+ * For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
+ * used to configure a mode that allows EAP-Success (and EAP-Failure)
+ * without going through authentication step. Some switches use such
+ * sequence when forcing the port to be authorized/unauthorized or as a
+ * fallback option if the authentication server is unreachable. By
+ * default, wpa_supplicant discards such frames to protect against
+ * potential attacks by rogue devices, but this option can be used to
+ * disable that protection for cases where the server/authenticator does
+ * not need to be authenticated.
 */
 char *phase1;
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index a8c30e1b8..8964b3f72 100644
--- a/wpa_supplicant/wpa_supplicant.conf
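Review bot: The third added branch is wider than its comment `/* EAP-Success after Identity */` says: its only state condition is `sm->methodState != METHOD_CONT`, so with the option enabled an EAP-Success is also turned into SUCCESS after a method has already finished, ahead of the unchanged branch below it (whose tail lies outside this hunk) that, if I read it right, handles rxSuccess with a failed `sm->decision`, and without the `reqId == lastId` identifier check the pre-existing success branch keeps. If the intent is only the post-Identity fallback described in the commit message, the branch should additionally require that no EAP method has been selected yet (the peer state machine tracks this in `sm->selectedMethod`, not visible in this hunk — worth confirming the value it holds after the Identity exchange), or at least `sm->decision != DECISION_FAIL`. Either way the comment should state the condition actually implemented, e.g. `/* EAP-Success while no method is in progress (allow_canned_success=1) */`. eap_peer_sm_step_received begins before and continues past this hunk.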
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -940,6 +940,16 @@ fast_reauth=1
 # * 2 = require cryptobinding
 # EAP-WSC (WPS) uses following options: pin= or
 # pbc=1.
+#
+# For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
+# used to configure a mode that allows EAP-Success (and EAP-Failure)
+# without going through authentication step. Some switches use such
+# sequence when forcing the port to be authorized/unauthorized or as a
+# fallback option if the authentication server is unreachable. By default,
+# wpa_supplicant discards such frames to protect against potential attacks
+# by rogue devices, but this option can be used to disable that protection
+# for cases where the server/authenticator does not need to be
+# authenticated.
 # phase2: Phase2 (inner authentication with TLS tunnel) parameters
 # (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
 # "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be