Add an option allow canned EAP-Success for wired IEEE 802.1X

For wired IEEE 802.1X authentication, phase1="allow_canned_success=1"
can now be used to configure a mode that allows EAP-Success (and
EAP-Failure) without going through authentication step. Some switches
use such sequence when forcing the port to be authorized/unauthorized or
as a fallback option if the authentication server is unreachable. By
default, wpa_supplicant discards such frames to protect against
potential attacks by rogue devices, but this option can be used to
disable that protection for cases where the server/authenticator does
not need to be authenticated.

When enabled, this mode allows EAP-Success/EAP-Failure as an immediate
response to EAPOL-Start (or even without EAPOL-Start) and EAP-Success is
also allowed immediately after EAP-Identity exchange (fallback case for
authenticator not being able to connect to authentication server).

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-02-01 19:22:54 +02:00
parent 49fcc32e91
commit 7f7bfba919
3 changed files with 40 additions and 0 deletions

View file

@ -934,6 +934,15 @@ static int eap_peer_req_is_duplicate(struct eap_sm *sm)
}
static int eap_peer_sm_allow_canned(struct eap_sm *sm)
{
struct eap_peer_config *config = eap_get_config(sm);
return config && config->phase1 &&
os_strstr(config->phase1, "allow_canned_success=1");
}
static void eap_peer_sm_step_received(struct eap_sm *sm)
{
int duplicate = eap_peer_req_is_duplicate(sm);
@ -947,6 +956,17 @@ static void eap_peer_sm_step_received(struct eap_sm *sm)
(sm->reqId == sm->lastId ||
eap_success_workaround(sm, sm->reqId, sm->lastId)))
SM_ENTER(EAP, SUCCESS);
else if (sm->workaround && sm->lastId == -1 && sm->rxSuccess &&
!sm->rxFailure && !sm->rxReq && eap_peer_sm_allow_canned(sm))
SM_ENTER(EAP, SUCCESS); /* EAP-Success prior any EAP method */
else if (sm->workaround && sm->lastId == -1 && sm->rxFailure &&
!sm->rxReq && sm->methodState != METHOD_CONT &&
eap_peer_sm_allow_canned(sm))
SM_ENTER(EAP, FAILURE); /* EAP-Failure prior any EAP method */
else if (sm->workaround && sm->rxSuccess && !sm->rxFailure &&
!sm->rxReq && sm->methodState != METHOD_CONT &&
eap_peer_sm_allow_canned(sm))
SM_ENTER(EAP, SUCCESS); /* EAP-Success after Identity */
else if (sm->methodState != METHOD_CONT &&
((sm->rxFailure &&
sm->decision != DECISION_UNCOND_SUCC) ||

View file

@ -418,6 +418,16 @@ struct eap_peer_config {
*
* EAP-WSC (WPS) uses following options: pin=Device_Password and
* uuid=Device_UUID
*
* For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
* used to configure a mode that allows EAP-Success (and EAP-Failure)
* without going through authentication step. Some switches use such
* sequence when forcing the port to be authorized/unauthorized or as a
* fallback option if the authentication server is unreachable. By
* default, wpa_supplicant discards such frames to protect against
* potential attacks by rogue devices, but this option can be used to
* disable that protection for cases where the server/authenticator does
* not need to be authenticated.
*/
char *phase1;

View file

@ -940,6 +940,16 @@ fast_reauth=1
# * 2 = require cryptobinding
# EAP-WSC (WPS) uses following options: pin=<Device Password> or
# pbc=1.
#
# For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
# used to configure a mode that allows EAP-Success (and EAP-Failure)
# without going through authentication step. Some switches use such
# sequence when forcing the port to be authorized/unauthorized or as a
# fallback option if the authentication server is unreachable. By default,
# wpa_supplicant discards such frames to protect against potential attacks
# by rogue devices, but this option can be used to disable that protection
# for cases where the server/authenticator does not need to be
# authenticated.
# phase2: Phase2 (inner authentication with TLS tunnel) parameters
# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be