Add an option allow canned EAP-Success for wired IEEE 802.1X
For wired IEEE 802.1X authentication, phase1="allow_canned_success=1" can now be used to configure a mode that allows EAP-Success (and EAP-Failure) without going through authentication step. Some switches use such sequence when forcing the port to be authorized/unauthorized or as a fallback option if the authentication server is unreachable. By default, wpa_supplicant discards such frames to protect against potential attacks by rogue devices, but this option can be used to disable that protection for cases where the server/authenticator does not need to be authenticated. When enabled, this mode allows EAP-Success/EAP-Failure as an immediate response to EAPOL-Start (or even without EAPOL-Start) and EAP-Success is also allowed immediately after EAP-Identity exchange (fallback case for authenticator not being able to connect to authentication server). Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
49fcc32e91
commit
7f7bfba919
3 changed files with 40 additions and 0 deletions
|
@ -934,6 +934,15 @@ static int eap_peer_req_is_duplicate(struct eap_sm *sm)
|
|||
}
|
||||
|
||||
|
||||
static int eap_peer_sm_allow_canned(struct eap_sm *sm)
|
||||
{
|
||||
struct eap_peer_config *config = eap_get_config(sm);
|
||||
|
||||
return config && config->phase1 &&
|
||||
os_strstr(config->phase1, "allow_canned_success=1");
|
||||
}
|
||||
|
||||
|
||||
static void eap_peer_sm_step_received(struct eap_sm *sm)
|
||||
{
|
||||
int duplicate = eap_peer_req_is_duplicate(sm);
|
||||
|
@ -947,6 +956,17 @@ static void eap_peer_sm_step_received(struct eap_sm *sm)
|
|||
(sm->reqId == sm->lastId ||
|
||||
eap_success_workaround(sm, sm->reqId, sm->lastId)))
|
||||
SM_ENTER(EAP, SUCCESS);
|
||||
else if (sm->workaround && sm->lastId == -1 && sm->rxSuccess &&
|
||||
!sm->rxFailure && !sm->rxReq && eap_peer_sm_allow_canned(sm))
|
||||
SM_ENTER(EAP, SUCCESS); /* EAP-Success prior any EAP method */
|
||||
else if (sm->workaround && sm->lastId == -1 && sm->rxFailure &&
|
||||
!sm->rxReq && sm->methodState != METHOD_CONT &&
|
||||
eap_peer_sm_allow_canned(sm))
|
||||
SM_ENTER(EAP, FAILURE); /* EAP-Failure prior any EAP method */
|
||||
else if (sm->workaround && sm->rxSuccess && !sm->rxFailure &&
|
||||
!sm->rxReq && sm->methodState != METHOD_CONT &&
|
||||
eap_peer_sm_allow_canned(sm))
|
||||
SM_ENTER(EAP, SUCCESS); /* EAP-Success after Identity */
|
||||
else if (sm->methodState != METHOD_CONT &&
|
||||
((sm->rxFailure &&
|
||||
sm->decision != DECISION_UNCOND_SUCC) ||
|
||||
|
|
|
@ -418,6 +418,16 @@ struct eap_peer_config {
|
|||
*
|
||||
* EAP-WSC (WPS) uses following options: pin=Device_Password and
|
||||
* uuid=Device_UUID
|
||||
*
|
||||
* For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
|
||||
* used to configure a mode that allows EAP-Success (and EAP-Failure)
|
||||
* without going through authentication step. Some switches use such
|
||||
* sequence when forcing the port to be authorized/unauthorized or as a
|
||||
* fallback option if the authentication server is unreachable. By
|
||||
* default, wpa_supplicant discards such frames to protect against
|
||||
* potential attacks by rogue devices, but this option can be used to
|
||||
* disable that protection for cases where the server/authenticator does
|
||||
* not need to be authenticated.
|
||||
*/
|
||||
char *phase1;
|
||||
|
||||
|
|
|
@ -940,6 +940,16 @@ fast_reauth=1
|
|||
# * 2 = require cryptobinding
|
||||
# EAP-WSC (WPS) uses following options: pin=<Device Password> or
|
||||
# pbc=1.
|
||||
#
|
||||
# For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
|
||||
# used to configure a mode that allows EAP-Success (and EAP-Failure)
|
||||
# without going through authentication step. Some switches use such
|
||||
# sequence when forcing the port to be authorized/unauthorized or as a
|
||||
# fallback option if the authentication server is unreachable. By default,
|
||||
# wpa_supplicant discards such frames to protect against potential attacks
|
||||
# by rogue devices, but this option can be used to disable that protection
|
||||
# for cases where the server/authenticator does not need to be
|
||||
# authenticated.
|
||||
# phase2: Phase2 (inner authentication with TLS tunnel) parameters
|
||||
# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
|
||||
# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be
|
||||
|
|
Loading…
Reference in a new issue