Issue 747999

Starred by 2 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug



Make "Identity" a required field for EAP-TLS in Wifi config dialog

Project Member Reported by pmarko@chromium.org, Jul 24 2017

Issue description

The wifi config dialog only regards client cert as a required field for EAP-TLS [1] and lets the user press Connect if Identity is empty.

However, shill regards networks without the Identity field as "not connectable" [2] and refuses to attempt to connect to the wifi network.

When trying to connect to a network without "Identity" filled in, nothing happens when "Connect" is pressed, which confused customers.

The TODO here is:
Investigate if the "Identity" string is actually required for EAP-TLS according to the RFC[3] / wpa_supplicant docs[4] and:
- if yes, make wifi config dialog require the field
- if not, make shill attempt to connect even if the field is empty.

[1] See WifiConfigView::CanLogin() in chrome/browser/chromeos/options/wifi_config_view.cc.
[2] See EapCredentials::IsConnectable() in aosp/system/connectivity/shill/eap_credentials.cc
[3] https://tools.ietf.org/html/rfc5216
[4] https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf ?

 

Comment 1 by pmarko@chromium.org, Jul 24 2017

Description: Show this description
I think there might be a good reason for this. Please make sure cernekee@ and pstew@ take a look at this before it lands. In particular, if servers can be configured to ignore the identity field, we cannot make it required on the client.

We have to be careful here as we could inadvertently break someone who depends on having this field empty. The real fix to today's problem is better error handling.

Comment 3 by pmarko@chromium.org, Jul 24 2017

Happy to let them chime in - Agree that Identity may be optional.

But we have a TODO either way - currently shill regards it as required but chrome as optional. Either we make shill regard it as optional too, or chrome as required.

Comment 4 by pmarko@chromium.org, Jul 24 2017

Cc: cernekee@chromium.org pstew@chromium.org
+cernekee, +pstew

Would you know if "Identity" is a required field for EAP/TLS wifi authentication?
(E.g. are there authentication servers which would accept the client even with "Identity" being empty)?

Thanks!
> Would you know if "Identity" is a required field for EAP/TLS wifi authentication?

Not sure, need to investigate.

> if servers can be configured to ignore the identity field, we cannot make it required on the client.

My experience is consistent with the behavior reported in the OP.  i.e. it is *already* required by Chromebook clients, but the UX is confusing.
Labels: pmarko-backlog
Components: UI>Shell>StartScreen
Cc: dsunk...@chromium.org harpreet@chromium.org aashuto...@chromium.org
Some observations on EAP-TLS auth:
1) EAP-TLS authentication with empty username/Identity: throws "error configuring network"
2) EAP-TLS authentication with correct username/Identity: connection successful
3) EAP-TLS authentication with INCORRECT username/Identity: connection successful.

Can anyone confirm if this is expected? 
Components: -UI>Shell>StartScreen UI>Shell>Networking
