
Commit 2aea73d

authored
Improved 802.1x documentation
1 parent 9659eb3 commit 2aea73d

9 files changed

Lines changed: 51 additions & 20 deletions


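--- a/docker/modules/Dockerfile.faux1
+++ b/docker/modules/Dockerfile.faux1
@@ -85,5 +85,6 @@ RUN mv /usr/sbin/tcpdump /usr/bin/tcpdump
 RUN $AG update && $AG install wpasupplicant vim iproute2
 
 COPY docker/include/etc/wpasupplicant/ /etc/wpasupplicant/
+COPY resources/802.1x/ /etc/wpasupplicant/
 
 ENTRYPOINT ["bin/start_faux"]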

docs/device_report.md

Lines changed: 16 additions & 4 deletions
@@ -83,7 +83,7 @@ Syntax: Pass / Fail / Skip
8383
|pass|communication.network.min_send|Communication|Required Pass|ARP packets received. Data packets were sent at a frequency of less than 5 minutes|
8484
|pass|communication.network.type|Communication|Required Pass|Broadcast packets received. Unicast packets received.|
8585
|pass|connection.base.target_ping|Connection|Required Pass|target reached|
86-
|pass|connection.dot1x.authentication|Connection|Required Pass|Authentication for 9a:02:57:1e:8f:01 succeeded.|
86+
|pass|connection.dot1x.authentication|Connection|Required Pass|Authentication succeeded.|
8787
|gone|connection.ipaddr.dhcp_disconnect|Connection|Required Pass||
8888
|gone|connection.ipaddr.disconnect_ip_change|Connection|Required Pass||
8989
|gone|connection.ipaddr.ip_change|Connection|Required Pass||
@@ -780,9 +780,21 @@ connection.dot1x.authentication
780780
--------------------
781781
Verifies general support for 802.1x authentication.
782782
--------------------
783-
n/a
784-
--------------------
785-
RESULT pass connection.dot1x.authentication Authentication for 9a:02:57:1e:8f:01 succeeded.
783+
784+
785+
786+
787+
788+
789+
790+
791+
792+
793+
794+
795+
796+
--------------------
797+
RESULT pass connection.dot1x.authentication Authentication succeeded.
786798
787799
```
788800

File renamed without changes.
File renamed without changes.

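--- a/subset/dot1x/authenticator/authenticator.py
+++ b/subset/dot1x/authenticator/authenticator.py
@@ -32,6 +32,7 @@ def __init__(self, src_mac, auth_mac, idle_time, retry_count,
 self.identity = None
 self.authentication_mac = auth_mac
 self.radius_state = None
+self.radius_access_reject = None
 self._idle_time = idle_time
 self._max_retry_count = retry_count
 self._current_timeout = None
@@ -77,6 +78,7 @@ def received_radius_response(self, payload, radius_state, packet_type):
 """Received RADIUS access channel"""
 self.radius_state = radius_state
 if packet_type == 'RadiusAccessReject':
+self.radius_access_reject = True
 self._state_transition(self.FAIL, self.RADIUS)
 eap_message = FailureMessage(self.src_mac, 255)
 self.auth_callback(self.src_mac, False)
@@ -141,6 +143,7 @@ class Authenticator:
 def __init__(self, config_file):
 self.state_machines = {}
 self.results = {}
+self.radius_access_reject = {}
 self.eap_module = None
 self.radius_module = None
 self.logger = utils.get_logger('Authenticator')
@@ -280,6 +283,8 @@ def process_test_result(self, src_mac, is_success):
 self.logger.info('Authentication failed. Received no EAPOL packets.')
 if src_mac:
 self.results[src_mac] = is_success
+if self.state_machines[src_mac].radius_access_reject:
+self.radius_access_reject[src_mac] = True
 self.state_machines.pop(src_mac)
 # TODO: We currently finalize results as soon as we get a result for a src_mac.
 # Needs to be changed if we support multiple devices.
@@ -290,17 +295,23 @@ def run_authentication_test(self):
 result_str = ""
 test_result = ""
 if not self.results:
-result_str = "Authentication failed. No EAPOL messages received."
+result_str = "Authentication failed. No EAPOL messages received." \
+" Check 802.1x is enabled"
 test_result = "skip"
 else:
 test_result = "pass"
 for src_mac, is_success in self.results.items():
+additional = ''
 if is_success:
 result = 'succeeded'
 else:
 result = 'failed'
 test_result = "fail"
-result_str += "Authentication for %s %s." % (src_mac, result)
+if src_mac in self.radius_access_reject:
+additional = ' Incorrect credentials provided.'
+else:
+additional = ' Error encountered.'
+result_str += "Authentication %s.%s" % (result, additional)
 return result_str, test_result
 
 def handle_sm_timeout(self):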
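Review bot: In the run_authentication_test hunk, every failure that followed a 'RadiusAccessReject' is reported as ' Incorrect credentials provided.', but an Access-Reject only says the RADIUS server refused the request; a rejected certificate, an unknown identity or an unsupported EAP method can end in the same packet type. A wording that does not overstate the cause would be `additional = ' Rejected by RADIUS server (Access-Reject); check credentials and EAP method.'`, with the expected line in testing/test_aux.out updated to match. Result entries are also concatenated without a separator and no longer carry the MAC, which is harmless while only one device is supported (per the TODO in process_test_result) but deserves a comment such as `# one result expected; entries are neither separated nor labelled`. Indentation is not preserved on this page, so the nesting of the new if/else under the failure branch is assumed from the expected output.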

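--- a/subset/dot1x/readme.md
+++ b/subset/dot1x/readme.md
@@ -22,25 +22,30 @@ can authenticate using 802.1x with one of the following supported protocols:
 - PEAP/MSChapv2
 - MD5
 
+The test is run by configuring the device to use one of the provided
+credentials included in this test module.
+
 #### Supported Protocols/Supplicant Credentials
-The module includes a set of credential, from which one should used to configure
-the device/supplicant. These are located
-[here](../../docker/include/etc/wpasupplicant). Different suppliants may use
-different names for the below fields or may not provide the ability to modify
-all these fields.
+The module includes a set of credential which should be used to configure the device.
+
+Certificates are located in the
+[resources/802.1x/cert](../../resources/802.1x/cert) directory.
+
+Different suppliants may use different names for the below fields or may not
+provide the ability to modify all these fields.
 - **TTLS**
 - Username: `user`
 - Password: `microphone`
-- CA Certificate: [ca.pem](../../docker/include/etc/wpasupplicant/cert/ca.pem)
+- CA Certificate: [ca.pem](../../resources/802.1x/cert/ca.pem)
 - Inner (Phase 2) Authentication: MSCHAPV2
 - **TLS**
 - Identity: `user@example.org`
-- CA Certificate: [ca.pem](../../docker/include/etc/wpasupplicant/cert/ca.pem)
-- Client Certificate: [user@example.org.pem](../../docker/include/etc/wpasupplicant/cert/user@example.org.pem)
-- Private Key: [user@example.org.pem](../../docker/include/etc/wpasupplicant/cert/user@example.org.pem)
+- CA Certificate: [ca.pem](../../resources/802.1x/cert/ca.pem)
+- Client Certificate: [user@example.org.pem](../../resources/802.1x/cert/user@example.org.pem)
+- Private Key: [user@example.org.pem](../../resources/802.1x/cert/user@example.org.pem)
 - Private Key Password: `whatever`
 - **Protected EAP (PEAP)**
-- CA Certificate: [ca.pem](../../docker/include/etc/wpasupplicant/cert/ca.pem)
+- CA Certificate: [ca.pem](../../resources/802.1x/cert/ca.pem)
 - Outer (Phase 1) Authentication: PEAP Version 1
 - Inner (Phase 2) Authentication: MSCHAPV2
 - Username: `user`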

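--- a/subset/dot1x/test_dot1x
+++ b/subset/dot1x/test_dot1x
@@ -15,6 +15,7 @@ echo 'Dot1x Authentication tests'
 python3 authenticator/test_dot1x.py /tmp/dot1x_result.txt $1
 
 RESULT_AND_SUMMARY=$(cat /tmp/dot1x_result.txt)
+TEST_LOG=$(sed -e 's/^/%% /' /tmp/dot1x_debug_log)
 
 write_out_result $REPORT "$TEST_NAME" "$TEST_DESCRIPTION" \
-"n/a" "$RESULT_AND_SUMMARY"
+"$TEST_LOG" "$RESULT_AND_SUMMARY"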
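Review bot: The whole authenticator debug log is now embedded in the device report through `TEST_LOG`, and nothing in this hunk limits what it carries. What the logger writes to /tmp/dot1x_debug_log is not visible here, so it should be confirmed that identities, RADIUS state and EAP payloads are not logged at the level in use, since device reports are presumably passed on to others. If the log file is missing (for example because the Python step exited early), sed fails and the report section is silently empty; `TEST_LOG=$(sed -e 's/^/%% /' /tmp/dot1x_debug_log 2>/dev/null || echo 'n/a')` keeps the previous placeholder. A comment above the line, `# Debug log is embedded in the report; keep secrets out of it`, would record the constraint.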

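--- a/testing/test_aux.out
+++ b/testing/test_aux.out
@@ -71,9 +71,9 @@ RESULT skip ntp.network.ntp_update Not enough NTP packets received.
 RESULT pass connection.network.mac_oui Manufacturer: Google found for address 3c:5a:b4:1e:8f:0a
 RESULT pass connection.network.mac_address Device MAC address is 3c:5a:b4:1e:8f:0a
 RESULT pass dns.network.hostname_resolution Device sends DNS requests and resolves host names
-RESULT pass connection.dot1x.authentication Authentication for 9a:02:57:1e:8f:01 succeeded.
-RESULT fail connection.dot1x.authentication Authentication for 3c:5a:b4:1e:8f:0b failed.
-RESULT skip connection.dot1x.authentication Authentication failed. No EAPOL messages received.
+RESULT pass connection.dot1x.authentication Authentication succeeded.
+RESULT fail connection.dot1x.authentication Authentication failed. Incorrect credentials provided.
+RESULT skip connection.dot1x.authentication Authentication failed. No EAPOL messages received. Check 802.1x is enabled
 dhcp requests 1 1 1 1
 3c5ab41e8f0a: []
 3c5ab41e8f0b: ['3c5ab41e8f0b:ping:TimeoutError']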

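--- a/testing/test_preamble.sh
+++ b/testing/test_preamble.sh
@@ -73,6 +73,7 @@ function redact {
 -e 's/[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2} [A-Z]{3}/XXX/' \
 -e 's/[a-zA-Z]{3} [a-zA-Z]{3}\s+[0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2} [0-9]{4}/XXX/' \
 -e 's/[A-Za-z]{3} [0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}/XXX/' \
+-e 's/[0-9]{4}-(0|1)[0-9]-(0|1|2|3)[0-9] [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}/XXX/' \
 -e 's/[0-9]{4}-(0|1)[0-9]-(0|1|2|3)[0-9] [0-9]{2}:[0-9]{2}:[0-9]{2}(\+00:00)?/XXX/g' \
 -e 's/[0-9]+\.[0-9]{2} seconds/XXX/' \
 -e 's/-?0\.[0-9]+s latency/XXX/' \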
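Review bot: The added expression for the comma-millisecond timestamp has no `g` flag, while the general timestamp rule on the following line does. On a line holding two such timestamps only the first is replaced whole; the second is then matched by the next rule only up to the seconds and leaves its `,NNN` behind, so the redacted output would differ from run to run. Ending the new expression with `/XXX/g' \` avoids that. The redact function begins and ends outside this hunk.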
