Add an option allow canned EAP-Success for wired IEEE 802.1X

For wired IEEE 802.1X authentication, phase1="allow_canned_success=1"
can now be used to configure a mode that allows EAP-Success (and
EAP-Failure) without going through authentication step. Some switches
use such sequence when forcing the port to be authorized/unauthorized or
as a fallback option if the authentication server is unreachable. By
default, wpa_supplicant discards such frames to protect against
potential attacks by rogue devices, but this option can be used to
disable that protection for cases where the server/authenticator does
not need to be authenticated.

When enabled, this mode allows EAP-Success/EAP-Failure as an immediate
response to EAPOL-Start (or even without EAPOL-Start) and EAP-Success is
also allowed immediately after EAP-Identity exchange (fallback case for
authenticator not being able to connect to authentication server).

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 62cd4a1..35433f3 100644 (file)
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -934,6 +934,15 @@ static int eap_peer_req_is_duplicate(struct eap_sm *sm)
 }
 
 
+static int eap_peer_sm_allow_canned(struct eap_sm *sm)
+{
+       struct eap_peer_config *config = eap_get_config(sm);
+
+       return config && config->phase1 &&
+               os_strstr(config->phase1, "allow_canned_success=1");
+}
+
+
 static void eap_peer_sm_step_received(struct eap_sm *sm)
 {
        int duplicate = eap_peer_req_is_duplicate(sm);
@@ -947,6 +956,17 @@ static void eap_peer_sm_step_received(struct eap_sm *sm)
            (sm->reqId == sm->lastId ||
             eap_success_workaround(sm, sm->reqId, sm->lastId)))
                SM_ENTER(EAP, SUCCESS);
+       else if (sm->workaround && sm->lastId == -1 && sm->rxSuccess &&
+                !sm->rxFailure && !sm->rxReq && eap_peer_sm_allow_canned(sm))
+               SM_ENTER(EAP, SUCCESS); /* EAP-Success prior any EAP method */
+       else if (sm->workaround && sm->lastId == -1 && sm->rxFailure &&
+                !sm->rxReq && sm->methodState != METHOD_CONT &&
+                eap_peer_sm_allow_canned(sm))
+               SM_ENTER(EAP, FAILURE); /* EAP-Failure prior any EAP method */
+       else if (sm->workaround && sm->rxSuccess && !sm->rxFailure &&
+                !sm->rxReq && sm->methodState != METHOD_CONT &&
+                eap_peer_sm_allow_canned(sm))
+               SM_ENTER(EAP, SUCCESS); /* EAP-Success after Identity */
        else if (sm->methodState != METHOD_CONT &&
                 ((sm->rxFailure &&
                   sm->decision != DECISION_UNCOND_SUCC) ||

diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 73d0206..2b1a1d5 100644 (file)
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -418,6 +418,16 @@ struct eap_peer_config {
         *
         * EAP-WSC (WPS) uses following options: pin=Device_Password and
         * uuid=Device_UUID
+        *
+        * For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
+        * used to configure a mode that allows EAP-Success (and EAP-Failure)
+        * without going through authentication step. Some switches use such
+        * sequence when forcing the port to be authorized/unauthorized or as a
+        * fallback option if the authentication server is unreachable. By
+        * default, wpa_supplicant discards such frames to protect against
+        * potential attacks by rogue devices, but this option can be used to
+        * disable that protection for cases where the server/authenticator does
+        * not need to be authenticated.
         */
        char *phase1;
 

diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index a8c30e1..8964b3f 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -940,6 +940,16 @@ fast_reauth=1
 #       * 2 = require cryptobinding
 #      EAP-WSC (WPS) uses following options: pin=<Device Password> or
 #      pbc=1.
+#
+#      For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
+#      used to configure a mode that allows EAP-Success (and EAP-Failure)
+#      without going through authentication step. Some switches use such
+#      sequence when forcing the port to be authorized/unauthorized or as a
+#      fallback option if the authentication server is unreachable. By default,
+#      wpa_supplicant discards such frames to protect against potential attacks
+#      by rogue devices, but this option can be used to disable that protection
+#      for cases where the server/authenticator does not need to be
+#      authenticated.
 # phase2: Phase2 (inner authentication with TLS tunnel) parameters
 #      (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
 #      "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be