Thanks for the context, that makes sense - I'll give it some thought.

On Wed, Jan 11, 2023 at 10:18 AM Jouni Malinen <j@xxxxx> wrote:
>
> On Tue, Jan 10, 2023 at 09:30:04PM -0800, Matthew Wang wrote:
> > Does anyone have context on the 70 second timeout for EAP
> > authentication? Specifically, this snippet of code in
> > wpa_supplicant_rx_eapol:
> >
> > if (wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt) ||
> >     wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X_NO_WPA ||
> >     wpa_s->key_mgmt == WPA_KEY_MGMT_WPS) {
> >         /* Use longer timeout for IEEE 802.1X/EAP */
> >         timeout = 70;
> > }
>
> This is from adding 60 seconds of time for possible upper layer,
> including the user, interaction that could happen during EAP
> authentication. In other words, this would be things like username/password
> entry during authentication if someone does not want to store those in
> the configuration or various 2FA cases where a dynamic token value would
> need to be generated by something external and potentially
> copied/concatenated by the user to something.
>
> > This seems like an egregiously long timeout, and it looks to be
> > untouched since before 2008. Is this something that folks would be
> > interested in changing? Any thoughts for or against?
>
> This timeout is a hard limit on the full sequence of whatever is needed
> to complete the full connection. Sure, it is large for cases where no
> interaction with the user is needed, but under the current design, this
> has to cover the longest possible case.
>
> It should be fine to use a smaller timeout for some cases, e.g., if it
> can be determined this early that no interaction with the user is going
> to be needed. However, that is a bit inconvenient to do with EAP since
> even the EAP method itself, never mind other things like need for 2FA in
> some case, could be determined by the authentication server during the
> actual EAP exchange and as such, would not really be known here.
>
> In practice, making this smaller for some cases would likely require a
> more dynamic design where the initial timeout is set to something
> smaller like the 10 second default and that timeout is then increased at
> the point the parameters and needed operations become known during the
> EAP exchange.
>
> --
> Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
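The two policies discussed in the thread, as an added stand-alone example that is not hostap code and not part of the original messages: static_auth_timeout() reproduces the up-front 10 s / 70 s choice of the quoted wpa_supplicant_rx_eapol() snippet, and the auth_timer_*() functions sketch the dynamic design Jouni describes, starting at the 10 s default and extending only once an EAP-Request reveals that user interaction may be needed, never beyond the 70 s the static policy already allows. The key_mgmt enum names, the have_stored_password flag, the eap_request_may_need_user() heuristic and the integer-second clock are assumptions made for this illustration; the EAP type numbers are the IANA method types.

```c
/*
 * Added example, not hostap code: static vs. dynamic EAPOL/EAP
 * authentication timeout policy. Times are plain integer seconds.
 */
#include <stdbool.h>
#include <stdio.h>

/* Illustrative key_mgmt selections (names are assumptions, not hostap's). */
enum key_mgmt { KM_WPA_PSK, KM_WPA_IEEE8021X, KM_IEEE8021X_NO_WPA, KM_WPS };

/* Values taken from the thread: 10 s default, 70 s for 802.1X/EAP/WPS. */
#define AUTH_TIMEOUT_DEFAULT   10
#define AUTH_TIMEOUT_EAP_MAX   70
#define USER_INTERACTION_GRACE (AUTH_TIMEOUT_EAP_MAX - AUTH_TIMEOUT_DEFAULT) /* 60 s */

/* IANA EAP method type numbers used below. */
#define EAP_TYPE_IDENTITY 1
#define EAP_TYPE_MD5      4
#define EAP_TYPE_OTP      5
#define EAP_TYPE_GTC      6
#define EAP_TYPE_TLS      13
#define EAP_TYPE_TTLS     21
#define EAP_TYPE_PEAP     25
#define EAP_TYPE_MSCHAPV2 26

/* Current policy: decided once, from key_mgmt alone, before any EAP round trip. */
int static_auth_timeout(enum key_mgmt km)
{
    if (km == KM_WPA_IEEE8021X || km == KM_IEEE8021X_NO_WPA || km == KM_WPS)
        return AUTH_TIMEOUT_EAP_MAX;   /* "Use longer timeout for IEEE 802.1X/EAP" */
    return AUTH_TIMEOUT_DEFAULT;
}

/*
 * Assumed heuristic: can answering this EAP-Request require something
 * external (a typed password, an OTP/2FA token)? Tunnelled methods
 * (TTLS/PEAP) answer "no" here because the inner method that may need
 * input is only revealed later, inside the tunnel; the caller feeds that
 * inner EAP-Request to the timer when it arrives.
 */
bool eap_request_may_need_user(int eap_type, bool have_stored_password)
{
    switch (eap_type) {
    case EAP_TYPE_OTP:
    case EAP_TYPE_GTC:
        return true;                    /* dynamic token generated externally */
    case EAP_TYPE_MD5:
    case EAP_TYPE_MSCHAPV2:
        return !have_stored_password;   /* only if the password is not in config */
    default:
        return false;                   /* Identity, TLS (cert-based), tunnel setup */
    }
}

struct auth_timer {
    int started_at;   /* time the EAPOL exchange started */
    int deadline;     /* absolute time at which the attempt is abandoned */
    bool extended;    /* grace already granted; it is granted at most once */
};

/* Dynamic policy: every attempt starts with the 10 s default. */
void auth_timer_start(struct auth_timer *t, int now)
{
    t->started_at = now;
    t->deadline = now + AUTH_TIMEOUT_DEFAULT;
    t->extended = false;
}

/*
 * Feed each EAP-Request to the timer as it is received. Returns the
 * (possibly extended) deadline. The extension is measured from the
 * start of the attempt, so the total never exceeds the 70 s the static
 * policy would have granted up front.
 */
int auth_timer_on_eap_request(struct auth_timer *t, int eap_type,
                              bool have_stored_password)
{
    if (t->extended || !eap_request_may_need_user(eap_type, have_stored_password))
        return t->deadline;
    t->deadline = t->started_at + AUTH_TIMEOUT_DEFAULT + USER_INTERACTION_GRACE;
    t->extended = true;
    return t->deadline;
}

bool auth_timer_expired(const struct auth_timer *t, int now)
{
    return now >= t->deadline;
}

int main(void)
{
    struct auth_timer t;

    /* EAP-TLS with a stored client certificate: no interaction, keeps 10 s. */
    auth_timer_start(&t, 100);
    auth_timer_on_eap_request(&t, EAP_TYPE_IDENTITY, true);
    auth_timer_on_eap_request(&t, EAP_TYPE_TLS, true);
    printf("EAP-TLS:  deadline %d, expired at t=111: %d\n",
           t.deadline, auth_timer_expired(&t, 111));

    /* PEAP with inner GTC (token prompt): extended to 70 s once GTC appears. */
    auth_timer_start(&t, 100);
    auth_timer_on_eap_request(&t, EAP_TYPE_IDENTITY, false);
    auth_timer_on_eap_request(&t, EAP_TYPE_PEAP, false);
    auth_timer_on_eap_request(&t, EAP_TYPE_GTC, false);
    printf("PEAP/GTC: deadline %d, expired at t=111: %d\n",
           t.deadline, auth_timer_expired(&t, 111));
    return 0;
}
```

The single-extension rule and the cap at started_at + 70 are design choices made here so that the dynamic policy can only shorten what the supplicant waits for relative to today's behaviour, never lengthen it; a real implementation would also need to decide how to treat tunnelled inner methods and supplicant-side prompts (for example a smartcard PIN for EAP-TLS) that this heuristic does not model.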