Hi Felix,
I started working on fixing the WPA-EAP client support and while
reviewing your suggestions and the reading the scripts and hostap
sources, I had some realizations and suggest to do things in yet
another way:
On Sun, Jan 03, 2016 at 10:13:17PM +0100, Felix Fietkau wrote:
> On 2016-01-03 22:06, Daniel Golle wrote:
> > Hi Felix,
> >
> > On Sun, Jan 03, 2016 at 09:33:13PM +0100, Felix Fietkau wrote:
> >> > - append network_data
> >> > "phase2=\"$auth\"" "$N$T"
> >> > + append network_data
> >> > "phase2=\"auth=$auth\"" "$N$T"
> >> This might break existing configurations that already include the auth=
> >> part, so when reworking this part you should detect and fix this.
> >> Also, for EAP-TLS, phase2 needs to be autheap=TLS, which is not
> >> supported with this change.
The change I suggested is inside a case-section
case "$eap_type" in
...
peap|ttls)
...
so it will only affect PEAP and TTLS and leave anything belonging to
TLS unchanged.
> >
> > Right... Probably this should be changed in LuCI then, because
> > currently $auth is set to values like 'PAP', 'MSCHAPV2', ... see
> > https://github.com/openwrt/luci/blob/master/modules/luci-mod-admin-full/luasrc/model/cbi/admin_network/wifi.lua#L897
> > which still matches the pre-netifd behaviour as defined in
> > https://dev.openwrt.org/browser/trunk/package/network/services/hostapd/files/wpa_supplicant.sh#L107
> > which is what I wanted to restore.
> > Having a complex value stored in UCI and leaving it to the user/view
> > to set it seems a bit odd to me (but might still be the best thing to
> > do), maybe we should rather store eap_type in UCI as well and then
> > generate the phase2 string in netifd.sh according to that...?
> >
> > Let me know what you think and I'll suggest a follow-up patch.
> How about this:
>
> If $auth is set, add it with auth=$auth (strip existing auth= from the
> variable if present).
>
> Then add an eap_auth config option (should be a list), add autheap=<val>
> for every entry (I think there can be multiple ones).
>
> That way you can configure everything and avoid complex UI-hostile types.
Reading up the wpa_supplicant source and test-cases, I found out that
EAP-TTLS/EAP-MSCHAPv2 and EAP-TTLS/MSCHAPv2 are different methods.
This is probably for historic reasons as MSCHAPV2 and PAP are stone-age
protocols originally intended for PPP and thus precede the introduction
of EAP. Other, more modern protocols, build upon EAP and thus cannot be
used stand-alone, e.g. EAP-TTLS/EAP-GTC. It thus depends on the vendors
whether they use MSCHAPV2 as a stand-alone phase2 or wrap it in EAP...
Have a look at
https://hostap.epitest.fi/cgit/hostap/diff/tests/hwsim/test_ap_eap.py
where both methods, EAP-TTLS/MSCHAPV2 and EAP-TTLS/EAP-MSCHAPV2 got
their corresponding test-cases and are simply being treated as
different methods.
To remain compatible with existing configurations, I suggest to:
Check if $auth starts with string "auth", if so, just set it as phase2
without changes. This will allow existing configurations which relied
on the previous behaviour to keep working.
If $auth starts with "EAP-", strip those four characters and pass
phase2="autheap=$auth", e.g. if auth is set to "EAP-MSCHAPV2" set
phase2="autheap=MSCHAPV2".
This will allow to simply add new options for auth to the list in LuCI:
EAP-GTC, EAP-MD5, EAP-MSCHAPV2, EAP-PAP.
Cheers
Daniel
Patch follows:
---
Signed-off-by: Daniel Golle <dan...@makrotopia.org>
---
package/network/services/hostapd/files/netifd.sh | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/package/network/services/hostapd/files/netifd.sh
b/package/network/services/hostapd/files/netifd.sh
index 8056080..8903f3e 100644
--- a/package/network/services/hostapd/files/netifd.sh
+++ b/package/network/services/hostapd/files/netifd.sh
@@ -636,7 +636,17 @@ wpa_supplicant_add_network() {
peap|ttls)
json_get_vars auth password
set_default auth MSCHAPV2
- append network_data "phase2=\"$auth\""
"$N$T"
+ phase2proto="auth="
+ case "$auth" in
+ "auth"*)
+ phase2proto=""
+ ;;
+ "EAP-"*)
+ phase2proto="autheap="
+ auth="$(echo "$auth" |
cut -b5-)"
+ ;;
+ esac
+ append network_data
"phase2=\"$phase2proto$auth\"" "$N$T"
append network_data
"password=\"$password\"" "$N$T"
;;
esac
--
2.7.0
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
