Add an option allow canned EAP-Success for wired IEEE 802.1X

[mech_eap.git] / src / eap_peer / eap_config.h

diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 73d0206..2b1a1d5 100644 (file)
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -418,6 +418,16 @@ struct eap_peer_config {
         *
         * EAP-WSC (WPS) uses following options: pin=Device_Password and
         * uuid=Device_UUID
+        *
+        * For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
+        * used to configure a mode that allows EAP-Success (and EAP-Failure)
+        * without going through authentication step. Some switches use such
+        * sequence when forcing the port to be authorized/unauthorized or as a
+        * fallback option if the authentication server is unreachable. By
+        * default, wpa_supplicant discards such frames to protect against
+        * potential attacks by rogue devices, but this option can be used to
+        * disable that protection for cases where the server/authenticator does
+        * not need to be authenticated.
         */
        char *phase1;