Re: EAP authentication timeout

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Jan 10, 2023 at 09:30:04PM -0800, Matthew Wang wrote:
> Does anyone have context on the 70 second timeout for EAP
> authentication? Specifically, this snippet of code in
> wpa_supplicant_rx_eapol:
> 
> if (wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt) ||
>     wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X_NO_WPA ||
>     wpa_s->key_mgmt == WPA_KEY_MGMT_WPS) {
>   /* Use longer timeout for IEEE 802.1X/EAP */
>   timeout = 70;
> }

This is from adding 60 seconds of time for possible upper layer,
including the user, interaction that could happen during EAP
authentication. In other word, this would things like username/password
entry during authentication if someone does not want to store those in
the configuration or various 2FA cases where a dynamic token value would
need to be generated by something external and potentially
copied/concatenated by the user to something.

> This seems like an egregiously long timeout, and it looks to be
> untouched since before 2008. Is this something that folks would be
> interested in changing? Any thoughts for or against?

This timeout is a hard limit on the full sequence of whatever is needed
to complete the full connection. Sure, it is large for cases where no
interaction with the user is needed, but under the current design, this
has to cover the longest possible case.

It should be fine to use a smaller timeout for some cases, e.g., if it
can be determined this early that no interaction with the user is going
to be needed. However, that is a bit inconvenient to do with EAP since
even the EAP method itself, never mind other things like need for 2FA in
some case, could be determined by the authentication server during the
actual EAP exchange and as such, would not really been known here.

In practice, making this smaller for some cases would likely require a
more dynamic design where the initial timeout is set to something
smaller like the 10 second default and that timeout is then increased at
the point the parameters and needed operations become known during the
EAP exchange.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux