aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant/wpa_supplicant.conf
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2015-02-01 17:22:54 (GMT)
committerJouni Malinen <j@w1.fi>2015-02-01 17:22:54 (GMT)
commit7f7bfba919a76bb03a7f762eab0ac00d4f5c3184 (patch)
tree6359ad7255d2c1be42d94105ea6b16290dceaa9b /wpa_supplicant/wpa_supplicant.conf
parent49fcc32e91ddf38259765a0218a4519977411a19 (diff)
downloadhostap-7f7bfba919a76bb03a7f762eab0ac00d4f5c3184.zip
hostap-7f7bfba919a76bb03a7f762eab0ac00d4f5c3184.tar.gz
hostap-7f7bfba919a76bb03a7f762eab0ac00d4f5c3184.tar.bz2
Add an option allow canned EAP-Success for wired IEEE 802.1X
For wired IEEE 802.1X authentication, phase1="allow_canned_success=1" can now be used to configure a mode that allows EAP-Success (and EAP-Failure) without going through authentication step. Some switches use such sequence when forcing the port to be authorized/unauthorized or as a fallback option if the authentication server is unreachable. By default, wpa_supplicant discards such frames to protect against potential attacks by rogue devices, but this option can be used to disable that protection for cases where the server/authenticator does not need to be authenticated. When enabled, this mode allows EAP-Success/EAP-Failure as an immediate response to EAPOL-Start (or even without EAPOL-Start) and EAP-Success is also allowed immediately after EAP-Identity exchange (fallback case for authenticator not being able to connect to authentication server). Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/wpa_supplicant.conf')
-rw-r--r--wpa_supplicant/wpa_supplicant.conf10
1 files changed, 10 insertions, 0 deletions
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index a8c30e1..8964b3f 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -940,6 +940,16 @@ fast_reauth=1
# * 2 = require cryptobinding
# EAP-WSC (WPS) uses following options: pin=<Device Password> or
# pbc=1.
+#
+# For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
+# used to configure a mode that allows EAP-Success (and EAP-Failure)
+# without going through authentication step. Some switches use such
+# sequence when forcing the port to be authorized/unauthorized or as a
+# fallback option if the authentication server is unreachable. By default,
+# wpa_supplicant discards such frames to protect against potential attacks
+# by rogue devices, but this option can be used to disable that protection
+# for cases where the server/authenticator does not need to be
+# authenticated.
# phase2: Phase2 (inner authentication with TLS tunnel) parameters
# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be