Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(nm): Backend implementation to support EAP-TLS + Minor WebUI fixes #4872

Merged
merged 33 commits into from
Oct 12, 2023
Merged

feat(nm): Backend implementation to support EAP-TLS + Minor WebUI fixes #4872

merged 33 commits into from
Oct 12, 2023

Conversation

GregoryIvo
Copy link
Contributor

@GregoryIvo GregoryIvo commented Sep 28, 2023
edited
Loading

This PR adds some basic support for TLS.

add your certs to the KeystoreManager,

point the keystone, and cert names to the NM service

certs are decoded passed to NM, and a config is established.

Note: there may be a possible race condition with NM and the keystore service, which needs to be investigated.

Note: We are using the Conventional Commits convention for our pull request titles. Please take a look at the PR title format document for the supported types and scopes.

Brief description of the PR. [e.g. Added null check on object to avoid NullPointerException]

Related Issue: This PR fixes/closes {issue number}

Description of the solution adopted: A more detailed description of the changes made to solve/close one or more issues. If the PR is simple and easy to understand this section can be skipped

Screenshots: If applicable, add screenshots to help explain your solution

Manual Tests: Optional description of the tests performed to check correct functioning of changes, useful for an efficient review

Any side note on the changes made: Description of any other change that has been made, which is not directly linked to the issue resolution [e.g. Code clean up/Sonar issue resolution]

@GregoryIvo GregoryIvo mentioned this pull request Sep 28, 2023
Closed
@GregoryIvo
Copy link
Contributor Author

The snapshot I used to test this PR:

wifi-ee-snapshot.json.zip

mattdibi
mattdibi requested changes Sep 29, 2023
View reviewed changes
Copy link
Contributor

@mattdibi mattdibi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comments.

Furthermore there are test failures. You'll probably need to update some unit tests to take into account the newly introduced dependency on the KeystoreService and actually test the newly introduced functionality.

...org.eclipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMSettingsConverter.java Outdated Show resolved Hide resolved
...org.eclipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMSettingsConverter.java Outdated Show resolved Hide resolved
...org.eclipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMSettingsConverter.java Outdated Show resolved Hide resolved
...org.eclipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMSettingsConverter.java Outdated Show resolved Hide resolved
@GregoryIvo GregoryIvo marked this pull request as draft September 29, 2023 13:00
@GregoryIvo GregoryIvo marked this pull request as ready for review October 1, 2023 20:45
@GregoryIvo
Copy link
Contributor Author

How I set up EAP-TLS for testing:

  1. pull https://github.com/sxiii/fralp
  2. Generate certs with docker run -it -v pki:/easyrsa/pki easyrsa build-client-full toshiba
  3. build the container and mount pki folder as instructed in the git repo
  4. set PC IP as radius server on the AP
  5. use open SSL to decrypt the Private key you generated before
  6. in kura create a new wifiKeystore
  7. add certificate and add CA.cert created above
  8. add private key (use the cert, and the decrypted key)
  9. update the snapshot to include the name of the keystore.pid, ca.cert name, client-cert-name (private key name), and private-key-name (private-key-name)
  10. configure wifi settings in the snapshot
  11. apply snapshot

@mattdibi mattdibi self-requested a review October 2, 2023 15:46
@GregoryIvo GregoryIvo force-pushed the wpa-enterprise-certificate-support-backend branch from b2d9382 to b66808f Compare October 3, 2023 14:39
@GregoryIvo
Copy link
Contributor Author

what a working config looks like:

nmcli> print
===============================================================================
              Connection profile details (kura-wlan0-connection)
===============================================================================
connection.id:                          kura-wlan0-connection
connection.uuid:                        1d60629e-c907-40e0-8e7e-1bdf01db27a9
connection.stable-id:                   --
connection.type:                        802-11-wireless
connection.interface-name:              wlan0
connection.autoconnect:                 yes
connection.autoconnect-priority:        0
connection.autoconnect-retries:         1
connection.multi-connect:               0 (default)
connection.auth-retries:                -1
connection.timestamp:                   1696362353
connection.read-only:                   no
connection.permissions:                 --
connection.zone:                        --
connection.master:                      --
connection.slave-type:                  --
connection.autoconnect-slaves:          -1 (default)
connection.secondaries:                 --
connection.gateway-ping-timeout:        0
connection.metered:                     unknown
connection.lldp:                        default
connection.mdns:                        -1 (default)
connection.llmnr:                       -1 (default)
connection.wait-device-timeout:         -1
-------------------------------------------------------------------------------
802-1x.optional:                        no
802-1x.eap:                             tls
802-1x.identity:                        pc
802-1x.anonymous-identity:              --
802-1x.pac-file:                        --
802-1x.ca-cert:                         --
802-1x.ca-cert-password:                <hidden>
802-1x.ca-cert-password-flags:          0 (none)
802-1x.ca-path:                         --
802-1x.subject-match:                   --
802-1x.altsubject-matches:              --
802-1x.domain-suffix-match:             --
802-1x.domain-match:                    --
802-1x.client-cert:                     /etc/NetworkManager/system-connections/1d60629e-c907-40e0-8e7e-1bdf01db27a9-client-cert.der
802-1x.client-cert-password:            <hidden>
802-1x.client-cert-password-flags:      0 (none)
802-1x.phase1-peapver:                  --
802-1x.phase1-peaplabel:                --
802-1x.phase1-fast-provisioning:        --
802-1x.phase1-auth-flags:               0x0 (none)
802-1x.phase2-auth:                     --
802-1x.phase2-autheap:                  --
802-1x.phase2-ca-cert:                  --
802-1x.phase2-ca-cert-password:         <hidden>
802-1x.phase2-ca-cert-password-flags:   0 (none)
802-1x.phase2-ca-path:                  --
802-1x.phase2-subject-match:            --
802-1x.phase2-altsubject-matches:       --
802-1x.phase2-domain-suffix-match:      --
802-1x.phase2-domain-match:             --
802-1x.phase2-client-cert:              --
802-1x.phase2-client-cert-password:     <hidden>
802-1x.phase2-client-cert-password-flags:0 (none)
802-1x.password:                        <hidden>
802-1x.password-flags:                  0 (none)
802-1x.password-raw:                    <hidden>
802-1x.password-raw-flags:              0 (none)
802-1x.private-key:                     /etc/NetworkManager/system-connections/1d60629e-c907-40e0-8e7e-1bdf01db27a9-private-key.pem
802-1x.private-key-password:            <hidden>
802-1x.private-key-password-flags:      4 (not required)
802-1x.phase2-private-key:              --
802-1x.phase2-private-key-password:     <hidden>
802-1x.phase2-private-key-password-flags:0 (none)
802-1x.pin:                             <hidden>
802-1x.pin-flags:                       0 (none)
802-1x.system-ca-certs:                 no
802-1x.auth-timeout:                    0
-------------------------------------------------------------------------------
802-11-wireless.ssid:                   greg-enterprise-external
802-11-wireless.mode:                   infrastructure
802-11-wireless.band:                   --
802-11-wireless.channel:                0
802-11-wireless.bssid:                  --
802-11-wireless.rate:                   0
802-11-wireless.tx-power:               0
802-11-wireless.mac-address:            --
802-11-wireless.cloned-mac-address:     --
802-11-wireless.generate-mac-address-mask:--
802-11-wireless.mac-address-blacklist:  --
802-11-wireless.mac-address-randomization:default
802-11-wireless.mtu:                    auto
802-11-wireless.seen-bssids:            62:22:32:98:12:54,62:22:32:A8:12:54,DC:A6:32:A6:E0:C2
802-11-wireless.hidden:                 no
802-11-wireless.powersave:              0 (default)
802-11-wireless.wake-on-wlan:           0x1 (default)
802-11-wireless.ap-isolation:           -1 (default)
-------------------------------------------------------------------------------
802-11-wireless-security.key-mgmt:      wpa-eap
802-11-wireless-security.wep-tx-keyidx: 0
802-11-wireless-security.auth-alg:      --
802-11-wireless-security.proto:         --
802-11-wireless-security.pairwise:      --
802-11-wireless-security.group:         --
802-11-wireless-security.pmf:           0 (default)
802-11-wireless-security.leap-username: --
802-11-wireless-security.wep-key0:      <hidden>
802-11-wireless-security.wep-key1:      <hidden>
802-11-wireless-security.wep-key2:      <hidden>
802-11-wireless-security.wep-key3:      <hidden>
802-11-wireless-security.wep-key-flags: 0 (none)
802-11-wireless-security.wep-key-type:  unknown
802-11-wireless-security.psk:           <hidden>
802-11-wireless-security.psk-flags:     0 (none)
802-11-wireless-security.leap-password: <hidden>
802-11-wireless-security.leap-password-flags:0 (none)
802-11-wireless-security.wps-method:    0x0 (default)
802-11-wireless-security.fils:          0 (default)
-------------------------------------------------------------------------------
ipv4.method:                            auto
ipv4.dns:                               --
ipv4.dns-search:                        --
ipv4.dns-options:                       --
ipv4.dns-priority:                      0
ipv4.addresses:                         --
ipv4.gateway:                           --
ipv4.routes:                            --
ipv4.route-metric:                      -1
ipv4.route-table:                       0 (unspec)
ipv4.routing-rules:                     --
ipv4.ignore-auto-routes:                no
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    --
ipv4.dhcp-iaid:                         --
ipv4.dhcp-timeout:                      0 (default)
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     --
ipv4.dhcp-fqdn:                         --
ipv4.dhcp-hostname-flags:               0x0 (none)
ipv4.never-default:                     no
ipv4.may-fail:                          yes
ipv4.dad-timeout:                       -1 (default)
ipv4.dhcp-vendor-class-identifier:      --
ipv4.dhcp-reject-servers:               --
-------------------------------------------------------------------------------
ipv6.method:                            disabled
ipv6.dns:                               --
ipv6.dns-search:                        --
ipv6.dns-options:                       --
ipv6.dns-priority:                      0
ipv6.addresses:                         --
ipv6.gateway:                           --
ipv6.routes:                            --
ipv6.route-metric:                      -1
ipv6.route-table:                       0 (unspec)
ipv6.routing-rules:                     --
ipv6.ignore-auto-routes:                no
ipv6.ignore-auto-dns:                   no
ipv6.never-default:                     no
ipv6.may-fail:                          yes
ipv6.ip6-privacy:                       -1 (unknown)
ipv6.addr-gen-mode:                     stable-privacy
ipv6.ra-timeout:                        0 (default)
ipv6.dhcp-duid:                         --
ipv6.dhcp-iaid:                         --
ipv6.dhcp-timeout:                      0 (default)
ipv6.dhcp-send-hostname:                yes
ipv6.dhcp-hostname:                     --
ipv6.dhcp-hostname-flags:               0x0 (none)
ipv6.token:                             --
-------------------------------------------------------------------------------
proxy.method:                           none
proxy.browser-only:                     no
proxy.pac-url:                          --
proxy.pac-script:                       --
-------------------------------------------------------------------------------

mattdibi
mattdibi requested changes Oct 4, 2023
View reviewed changes
Copy link
Contributor

@mattdibi mattdibi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In addition to the comments I provided I need some clarification about the scope of this PR: the title says "initial implementation of tls enterprise backend" but I see changes also in the frontend. Is this complete at this point?

...ipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMConfigurationServiceImpl.java Outdated Show resolved Hide resolved
...ipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMConfigurationServiceImpl.java Outdated Show resolved Hide resolved
...ipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMConfigurationServiceImpl.java Outdated Show resolved Hide resolved
...ipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMConfigurationServiceImpl.java Outdated Show resolved Hide resolved
...ipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMConfigurationServiceImpl.java Outdated Show resolved Hide resolved
...ipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMConfigurationServiceImpl.java Outdated Show resolved Hide resolved
...org.eclipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMSettingsConverter.java Outdated Show resolved Hide resolved
...org.eclipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMSettingsConverter.java Outdated Show resolved Hide resolved
...org.eclipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMSettingsConverter.java Outdated Show resolved Hide resolved
...se.kura.nm.test/src/test/java/org/eclipse/kura/nm/configuration/NMSettingsConverterTest.java Outdated Show resolved Hide resolved
@GregoryIvo
Copy link
Contributor Author

these changes also seem to fix the clear text password bug:
image

@GregoryIvo GregoryIvo changed the title feat: initial implementation of tls enterprise backend feat(nm): Backend implementation to support EAP-TLS + Minor WebUI fixes Oct 6, 2023
mattdibi
mattdibi requested changes Oct 9, 2023
View reviewed changes
Copy link
Contributor

@mattdibi mattdibi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's still some minor issues... we're almost there!

...ipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMConfigurationServiceImpl.java Outdated Show resolved Hide resolved
...ipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMConfigurationServiceImpl.java Outdated Show resolved Hide resolved
...ipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMConfigurationServiceImpl.java Outdated Show resolved Hide resolved
...ipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMConfigurationServiceImpl.java Outdated Show resolved Hide resolved
...org.eclipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMSettingsConverter.java Show resolved Hide resolved
@MMaiero MMaiero force-pushed the wpa-enterprise-certificate-support-backend branch from 6668ef1 to 4465939 Compare October 10, 2023 07:39
GregoryIvo and others added 2 commits October 10, 2023 10:00
@GregoryIvo @mattdibi
refactor: add extra safety checks in getTrustedCertificateFromKeystor…
5150b1e 
…eMethod

Co-authored-by: Mattia Dal Ben <mattdibi@users.noreply.github.com>
@GregoryIvo
lint: fix whitespace issues
820d627
@GregoryIvo GregoryIvo force-pushed the wpa-enterprise-certificate-support-backend branch from c815b62 to 820d627 Compare October 10, 2023 14:00
@GregoryIvo GregoryIvo mentioned this pull request Oct 11, 2023
Closed
@mattdibi
Copy link
Contributor

mattdibi commented Oct 11, 2023
edited
Loading

@GregoryIvo there's a couple of issues reported by Sonar that require fixing. The code smells are all easy and quick, the coverage needs some more work though. Let me know if you need help with that.

mattdibi
mattdibi reviewed Oct 12, 2023
View reviewed changes
...va/org/eclipse/kura/web/server/net2/configuration/NetworkConfigurationServiceProperties.java Outdated
Copy link
Contributor

@mattdibi mattdibi Oct 12, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whenever possible I would avoid committing formatting changes to files you didn't actually change. It adds to the noise and make reviews more difficult.

Obviously, since the formatting changes are correct, leave it as-is but take this into account for the future.

mattdibi
mattdibi reviewed Oct 12, 2023
View reviewed changes
kura/org.eclipse.kura.web2/src/main/java/org/eclipse/kura/web/client/ui/network/TabIp4Ui.java Outdated
Copy link
Contributor

@mattdibi mattdibi Oct 12, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whenever possible I would avoid committing formatting changes to files you didn't actually change. It adds to the noise and make reviews more difficult.

Obviously, since the formatting changes are correct, leave it as-is but take this into account for the future.

mattdibi
mattdibi reviewed Oct 12, 2023
View reviewed changes
...ipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMConfigurationServiceImpl.java
Comment on lines +322 to +332
if (modifiedProps.containsKey(key)) {

Object prop = modifiedProps.get(key);

if (prop instanceof String) {
String keystorePid = (String) prop;

findAndDecodeCertificatesForInterface(interfaceName, modifiedProps,
this.keystoreServices.get(keystorePid));
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can leave the code as-is but consider using Early Returns in the future. I think the code is much easier to read:

Suggested change
if (modifiedProps.containsKey(key)) {
Object prop = modifiedProps.get(key);
if (prop instanceof String) {
String keystorePid = (String) prop;
findAndDecodeCertificatesForInterface(interfaceName, modifiedProps,
this.keystoreServices.get(keystorePid));
}
}
if (!modifiedProps.containsKey(key)) {
return; // we cannot "continue" since we're inside a lambda
}
Object keystorePid = modifiedProps.get(key);
if (!keystorePid instanceof String) {
return;
}
findAndDecodeCertificatesForInterface(interfaceName, modifiedProps,
this.keystoreServices.get((String) keystorePid));

@mattdibi
Copy link
Contributor

@GregoryIvo I think the code is OK.

I suggested a small change to avoid magic numbers in the code and have a couple of questions ([1], [2] and [3]). Everything else I mentioned is optional and is not required for merging.

I will now move on with testing.

mattdibi
mattdibi reviewed Oct 12, 2023
View reviewed changes
...ipse.kura.nm/src/main/java/org/eclipse/kura/nm/configuration/NMConfigurationServiceImpl.java
@@ -295,6 +315,86 @@ private void decryptAndConvertPasswordProperties(Map<String, Object> modifiedPro
}
}

private void decryptAndConvertCertificatesProperties(Map<String, Object> modifiedProps, Set<String> interfaces) {
Copy link
Contributor

@mattdibi mattdibi Oct 12, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One final thought: this is a Side Effect Method.

A side effect method is a method which modifies some state variable value/arguments passed having a consequence beyond its scope, that is to say it has an observable effect besides returning a value (the main effect) to the invoker of the operation.

which is a known anti-pattern/bad practice (see Uncle Bob Martin's "Clean Code", there's a dedicated section for that).

The correct way to handle this would be to return a modified version of the passed argument, but we already had the decryptAndConvertPasswordProperties that behaved the same way and therefore we're doing the same for consistency.

Again: leave it as-is but be aware of the fact that this is not the best implementation.

Also notice that you've hidden the actual modification of the map down a couple of layer of abstractions (you actually change the values inside findAndDecodeCertificatesForInterface), so you've hidden the Side Effect even more than what was done in decryptAndConvertPasswordProperties.

Regarding why this is considered a bad practice... you experienced it first hand while chasing that bug caused by the modified map 😆

@mattdibi
Copy link
Contributor

mattdibi commented Oct 12, 2023
edited
Loading

@GregoryIvo tested on my setup. It works! 🥳

I used the UI in #4881 and the instruction here and here and was able to connect to my WPA Enterprise hotspot.

Here's some screenshots of the setup

image

image

image

image

image

The resulting NM configuration:

Expand 
connection.id:                          kura-wlan0-connection
connection.uuid:                        10852979-9610-42ec-bcfc-eb609c0860de
connection.stable-id:                   --
connection.type:                        802-11-wireless
connection.interface-name:              wlan0
connection.autoconnect:                 yes
connection.autoconnect-priority:        0
connection.autoconnect-retries:         1
connection.multi-connect:               0 (default)
connection.auth-retries:                -1
connection.timestamp:                   1697105080
connection.read-only:                   no
connection.permissions:                 --
connection.zone:                        --
connection.master:                      --
connection.slave-type:                  --
connection.autoconnect-slaves:          -1 (default)
connection.secondaries:                 --
connection.gateway-ping-timeout:        0
connection.metered:                     unknown
connection.lldp:                        default
connection.mdns:                        -1 (default)
connection.llmnr:                       -1 (default)
connection.dns-over-tls:                -1 (default)
connection.mptcp-flags:                 0x0 (default)
connection.wait-device-timeout:         -1
connection.wait-activation-delay:       -1
802-1x.optional:                        no
802-1x.eap:                             tls
802-1x.identity:                        password
802-1x.anonymous-identity:              --
802-1x.pac-file:                        --
802-1x.ca-cert:                         /etc/NetworkManager/system-connections/10852979-9610-42ec-bcfc-eb609c0860de-ca-cert.der
802-1x.ca-cert-password:                <hidden>
802-1x.ca-cert-password-flags:          0 (none)
802-1x.ca-path:                         --
802-1x.subject-match:                   --
802-1x.altsubject-matches:              --
802-1x.domain-suffix-match:             --
802-1x.domain-match:                    --
802-1x.client-cert:                     /etc/NetworkManager/system-connections/10852979-9610-42ec-bcfc-eb609c0860de-client-cert.der
802-1x.client-cert-password:            <hidden>
802-1x.client-cert-password-flags:      0 (none)
802-1x.phase1-peapver:                  --
802-1x.phase1-peaplabel:                --
802-1x.phase1-fast-provisioning:        --
802-1x.phase1-auth-flags:               0x0 (none)
802-1x.phase2-auth:                     --
802-1x.phase2-autheap:                  --
802-1x.phase2-ca-cert:                  --
802-1x.phase2-ca-cert-password:         <hidden>
802-1x.phase2-ca-cert-password-flags:   0 (none)
802-1x.phase2-ca-path:                  --
802-1x.phase2-subject-match:            --
802-1x.phase2-altsubject-matches:       --
802-1x.phase2-domain-suffix-match:      --
802-1x.phase2-domain-match:             --
802-1x.phase2-client-cert:              --
802-1x.phase2-client-cert-password:     <hidden>
802-1x.phase2-client-cert-password-flags:0 (none)
802-1x.password:                        <hidden>
802-1x.password-flags:                  0 (none)
802-1x.password-raw:                    <hidden>
802-1x.password-raw-flags:              0 (none)
802-1x.private-key:                     /etc/NetworkManager/system-connections/10852979-9610-42ec-bcfc-eb609c0860de-private-key.pem
802-1x.private-key-password:            <hidden>
802-1x.private-key-password-flags:      4 (not required)
802-1x.phase2-private-key:              --
802-1x.phase2-private-key-password:     <hidden>
802-1x.phase2-private-key-password-flags:0 (none)
802-1x.pin:                             <hidden>
802-1x.pin-flags:                       0 (none)
802-1x.system-ca-certs:                 no
802-1x.auth-timeout:                    0
802-11-wireless.ssid:                   GREG_TEST
802-11-wireless.mode:                   infrastructure
802-11-wireless.band:                   a
802-11-wireless.channel:                48
802-11-wireless.bssid:                  --
802-11-wireless.rate:                   0
802-11-wireless.tx-power:               0
802-11-wireless.mac-address:            --
802-11-wireless.cloned-mac-address:     --
802-11-wireless.generate-mac-address-mask:--
802-11-wireless.mac-address-blacklist:  --
802-11-wireless.mac-address-randomization:default
802-11-wireless.mtu:                    auto
802-11-wireless.seen-bssids:            7A:A7:41:8D:5B:1D,DC:A6:32:E0:54:F1
802-11-wireless.hidden:                 no
802-11-wireless.powersave:              0 (default)
802-11-wireless.wake-on-wlan:           0x1 (default)
802-11-wireless.ap-isolation:           -1 (default)
802-11-wireless-security.key-mgmt:      wpa-eap
802-11-wireless-security.wep-tx-keyidx: 0
802-11-wireless-security.auth-alg:      --
802-11-wireless-security.proto:         --
802-11-wireless-security.pairwise:      --
802-11-wireless-security.group:         --
802-11-wireless-security.pmf:           0 (default)
802-11-wireless-security.leap-username: --
802-11-wireless-security.wep-key0:      <hidden>
802-11-wireless-security.wep-key1:      <hidden>
802-11-wireless-security.wep-key2:      <hidden>
802-11-wireless-security.wep-key3:      <hidden>
802-11-wireless-security.wep-key-flags: 0 (none)
802-11-wireless-security.wep-key-type:  unknown
802-11-wireless-security.psk:           <hidden>
802-11-wireless-security.psk-flags:     0 (none)
802-11-wireless-security.leap-password: <hidden>
802-11-wireless-security.leap-password-flags:0 (none)
802-11-wireless-security.wps-method:    0x0 (default)
802-11-wireless-security.fils:          0 (default)
ipv4.method:                            auto
ipv4.dns:                               --
ipv4.dns-search:                        --
ipv4.dns-options:                       --
ipv4.dns-priority:                      0
ipv4.addresses:                         --
ipv4.gateway:                           --
ipv4.routes:                            --
ipv4.route-metric:                      -1
ipv4.route-table:                       0 (unspec)
ipv4.routing-rules:                     --
ipv4.replace-local-rule:                -1 (default)
ipv4.ignore-auto-routes:                no
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    --
ipv4.dhcp-iaid:                         --
ipv4.dhcp-timeout:                      0 (default)
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     --
ipv4.dhcp-fqdn:                         --
ipv4.dhcp-hostname-flags:               0x0 (none)
ipv4.never-default:                     no
ipv4.may-fail:                          yes
ipv4.required-timeout:                  -1 (default)
ipv4.dad-timeout:                       -1 (default)
ipv4.dhcp-vendor-class-identifier:      --
ipv4.link-local:                        0 (default)
ipv4.dhcp-reject-servers:               --
ipv4.auto-route-ext-gw:                 -1 (default)
ipv6.method:                            disabled
ipv6.dns:                               --
ipv6.dns-search:                        --
ipv6.dns-options:                       --
ipv6.dns-priority:                      0
ipv6.addresses:                         --
ipv6.gateway:                           --
ipv6.routes:                            --
ipv6.route-metric:                      -1
ipv6.route-table:                       0 (unspec)
ipv6.routing-rules:                     --
ipv6.replace-local-rule:                -1 (default)
ipv6.ignore-auto-routes:                no
ipv6.ignore-auto-dns:                   no
ipv6.never-default:                     no
ipv6.may-fail:                          yes
ipv6.required-timeout:                  -1 (default)
ipv6.ip6-privacy:                       -1 (unknown)
ipv6.addr-gen-mode:                     default
ipv6.ra-timeout:                        0 (default)
ipv6.mtu:                               auto
ipv6.dhcp-duid:                         --
ipv6.dhcp-iaid:                         --
ipv6.dhcp-timeout:                      0 (default)
ipv6.dhcp-send-hostname:                yes
ipv6.dhcp-hostname:                     --
ipv6.dhcp-hostname-flags:               0x0 (none)
ipv6.auto-route-ext-gw:                 -1 (default)
ipv6.token:                             --
proxy.method:                           none
proxy.browser-only:                     no
proxy.pac-url:                          --
proxy.pac-script:                       --
GENERAL.NAME:                           kura-wlan0-connection
GENERAL.UUID:                           10852979-9610-42ec-bcfc-eb609c0860de
GENERAL.DEVICES:                        wlan0
GENERAL.IP-IFACE:                       wlan0
GENERAL.STATE:                          activated
GENERAL.DEFAULT:                        no
GENERAL.DEFAULT6:                       no
GENERAL.SPEC-OBJECT:                    /org/freedesktop/NetworkManager/AccessPoint/45
GENERAL.VPN:                            no
GENERAL.DBUS-PATH:                      /org/freedesktop/NetworkManager/ActiveConnection/26
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/Settings/2
GENERAL.ZONE:                           --
GENERAL.MASTER-PATH:                    --
IP4.ADDRESS[1]:                         192.168.1.112/24
IP4.GATEWAY:                            192.168.1.1
IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = 192.168.1.1, mt = 20600
IP4.ROUTE[2]:                           dst = 192.168.1.0/24, nh = 0.0.0.0, mt = 600
IP4.DNS[1]:                             192.168.1.10
IP4.DOMAIN[1]:                          localdomain
IP4.SEARCHES[1]:                        localdomain
DHCP4.OPTION[1]:                        broadcast_address = 192.168.1.255
DHCP4.OPTION[2]:                        dad_wait_time = 0
DHCP4.OPTION[3]:                        dhcp_lease_time = 86400
DHCP4.OPTION[4]:                        dhcp_message_type = 5
DHCP4.OPTION[5]:                        dhcp_server_identifier = 192.168.1.1
DHCP4.OPTION[6]:                        domain_name = localdomain
DHCP4.OPTION[7]:                        domain_name_servers = 192.168.1.10
DHCP4.OPTION[8]:                        domain_search = localdomain.
DHCP4.OPTION[9]:                        expiry = 1697191513
DHCP4.OPTION[10]:                       ip_address = 192.168.1.112
DHCP4.OPTION[11]:                       network_number = 192.168.1.0
DHCP4.OPTION[12]:                       next_server = 0.0.0.0
DHCP4.OPTION[13]:                       ntp_servers = 162.159.200.1 185.19.184.35
DHCP4.OPTION[14]:                       requested_broadcast_address = 1
DHCP4.OPTION[15]:                       requested_domain_name = 1
DHCP4.OPTION[16]:                       requested_domain_name_servers = 1
DHCP4.OPTION[17]:                       requested_domain_search = 1
DHCP4.OPTION[18]:                       requested_host_name = 1
DHCP4.OPTION[19]:                       requested_interface_mtu = 1
DHCP4.OPTION[20]:                       requested_ms_classless_static_routes = 1
DHCP4.OPTION[21]:                       requested_netbios_name_servers = 1
DHCP4.OPTION[22]:                       requested_netbios_scope = 1
DHCP4.OPTION[23]:                       requested_ntp_servers = 1
DHCP4.OPTION[24]:                       requested_rfc3442_classless_static_routes = 1
DHCP4.OPTION[25]:                       requested_root_path = 1
DHCP4.OPTION[26]:                       requested_routers = 1
DHCP4.OPTION[27]:                       requested_static_routes = 1
DHCP4.OPTION[28]:                       requested_subnet_mask = 1
DHCP4.OPTION[29]:                       requested_time_offset = 1
DHCP4.OPTION[30]:                       requested_wpad = 1
DHCP4.OPTION[31]:                       routers = 192.168.1.1
DHCP4.OPTION[32]:                       subnet_mask = 255.255.255.0
IP6.GATEWAY:                            --

Additional notes:

  1. For decrypting the private key I used openssl rsa -in toshiba.key -out toshiba
  2. For running the RADIUS server I had to use the following:
docker run -it -p 1812:1812/udp --restart=always -v $(pwd)/pki:/etc/raddb/certs:ro -e CLIENT_ADDRESS=172.17.0.1 -e CLIENT_SECRET=secret -e PRIVATE_KEY_PASSWORD=password fralp:latest

Where:

  • CLIENT_SECRET: Is what Unifi calls "Shared Secret" in the RADIUS profile
  • PRIVATE_KEY_PASSWORD: is the password required for decrypting the toshiba.key used by the client
  • CLIENT_ADDRESS: is the address of the client forwarding authentication requests. In my case the router. Issue is, since the RADIUS server is running as a docker container, it was not seeing the correct IP address but the inner Docker representation hence the 172.16.0.1 in my case.
  1. I had some trouble in generating and extracting the keys from the easyrsa container. In the end I ran the container in interactive mode overriding the entrypoint using:
docker run -it --entrypoint /bin/sh easyrsa

ran the commands container in the entrypoint.sh, and then issued the command for generating the keys. Once done copied the pki folder from the container using:

 docker cp <container_id>:/easyrsa/pki ./pki

@mattdibi mattdibi merged commit f82c490 into eclipse-kura:develop Oct 12, 2023
3 checks passed
pierantoniomerlino pushed a commit that referenced this pull request Oct 13, 2023
@GregoryIvo @mattdibi @pierantoniomerlino
feat(nm): Backend implementation to support EAP-TLS + Minor WebUI fix…
dea99cd 
…es (#4872)

* feat: initial implimentation of tls backend

* fix: weird formatter oddity

* fix: removed loggers

* refactor: ifPresent if's changed to lamdas

* tests: update for new tls changes

* fix: revert un-needed change

* feat: added support for multiple keystores

* tests: removed not needed logging

* fix: improved backend stability, and fixed regex

* refactor: changed the way the keystore var is passed

* feat: added more type security in webUI

* refactor: fix comments enable -> unable

* refactor: removed to string

* refactor: certificate replacement method

* refactor: removed not needed Exception

* refactor: decryptAndConvertCertificates method

* refactor: removed extra newline

Co-authored-by: Mattia Dal Ben <mattdibi@users.noreply.github.com>

* refactor: error message

* refactor: added more if checks to improve reliability when applying from webUI

* refactor: created a hard copy of the modifiedMap so it is not passed to the configuration service and applied

* refactor: removed extra 802-1x in String

Co-authored-by: Mattia Dal Ben <mattdibi@users.noreply.github.com>

* refactor: add specificity to to isCertificate method

Co-authored-by: Mattia Dal Ben <mattdibi@users.noreply.github.com>

* refactor: updated String for better readability

Co-authored-by: Mattia Dal Ben <mattdibi@users.noreply.github.com>

* refactor: add extra safety checks in getTrustedCertificateFromKeystoreMethod

Co-authored-by: Mattia Dal Ben <mattdibi@users.noreply.github.com>

* lint: fix whitespace issues

* fix: changed 802-1x -> 802.1x

* refactor: removed unnecessary cast to String

* refactor: removed extra curly braces in lamdas

* refactor: removed type in <>

* tests: added basic enterprise test coverage

* test: added method for mocking keystore

* fix: added static variable for NM_SECRET_FLAGS_NOT_REQUIRED

* fix: removed generic exception logging, and changed exceptions

---------

Co-authored-by: Mattia Dal Ben <mattdibi@users.noreply.github.com>
pierantoniomerlino pushed a commit that referenced this pull request Oct 20, 2023
@GregoryIvo @mattdibi @pierantoniomerlino
feat(nm): Backend implementation to support EAP-TLS + Minor WebUI fix…
8fbf6f9 
…es (#4872)

* feat: initial implimentation of tls backend

* fix: weird formatter oddity

* fix: removed loggers

* refactor: ifPresent if's changed to lamdas

* tests: update for new tls changes

* fix: revert un-needed change

* feat: added support for multiple keystores

* tests: removed not needed logging

* fix: improved backend stability, and fixed regex

* refactor: changed the way the keystore var is passed

* feat: added more type security in webUI

* refactor: fix comments enable -> unable

* refactor: removed to string

* refactor: certificate replacement method

* refactor: removed not needed Exception

* refactor: decryptAndConvertCertificates method

* refactor: removed extra newline

Co-authored-by: Mattia Dal Ben <mattdibi@users.noreply.github.com>

* refactor: error message

* refactor: added more if checks to improve reliability when applying from webUI

* refactor: created a hard copy of the modifiedMap so it is not passed to the configuration service and applied

* refactor: removed extra 802-1x in String

Co-authored-by: Mattia Dal Ben <mattdibi@users.noreply.github.com>

* refactor: add specificity to to isCertificate method

Co-authored-by: Mattia Dal Ben <mattdibi@users.noreply.github.com>

* refactor: updated String for better readability

Co-authored-by: Mattia Dal Ben <mattdibi@users.noreply.github.com>

* refactor: add extra safety checks in getTrustedCertificateFromKeystoreMethod

Co-authored-by: Mattia Dal Ben <mattdibi@users.noreply.github.com>

* lint: fix whitespace issues

* fix: changed 802-1x -> 802.1x

* refactor: removed unnecessary cast to String

* refactor: removed extra curly braces in lamdas

* refactor: removed type in <>

* tests: added basic enterprise test coverage

* test: added method for mocking keystore

* fix: added static variable for NM_SECRET_FLAGS_NOT_REQUIRED

* fix: removed generic exception logging, and changed exceptions

---------

Co-authored-by: Mattia Dal Ben <mattdibi@users.noreply.github.com>
This was referenced Nov 23, 2023
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattdibi mattdibi mattdibi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@GregoryIvo @mattdibi