Make 802.1x test easier to use

docker/modules/Dockerfile.faux1

@@ -85,5 +85,6 @@ RUN mv /usr/sbin/tcpdump /usr/bin/tcpdump
 RUN $AG update && $AG install wpasupplicant vim iproute2
 
 COPY docker/include/etc/wpasupplicant/ /etc/wpasupplicant/
+COPY resources/802.1x/ /etc/wpasupplicant/
 
 ENTRYPOINT ["bin/start_faux"]

docs/device_report.md

@@ -83,7 +83,7 @@ Syntax: Pass / Fail / Skip
 |pass|communication.network.min_send|Communication|Required Pass|ARP packets received. Data packets were sent at a frequency of less than 5 minutes|
 |pass|communication.network.type|Communication|Required Pass|Broadcast packets received. Unicast packets received.|
 |pass|connection.base.target_ping|Connection|Required Pass|target reached|
-|pass|connection.dot1x.authentication|Connection|Required Pass|Authentication for 9a:02:57:1e:8f:01 succeeded.|
+|pass|connection.dot1x.authentication|Connection|Required Pass|Authentication succeeded.|
 |gone|connection.ipaddr.dhcp_disconnect|Connection|Required Pass||
 |gone|connection.ipaddr.disconnect_ip_change|Connection|Required Pass||
 |gone|connection.ipaddr.ip_change|Connection|Required Pass||
@@ -688,9 +688,21 @@ connection.dot1x.authentication
 --------------------
 Verifies general support for 802.1x authentication.
 --------------------
-n/a
---------------------
-RESULT pass connection.dot1x.authentication Authentication for 9a:02:57:1e:8f:01 succeeded.
+
+
+
+
+
+
+
+
+
+
+
+
+
+--------------------
+RESULT pass connection.dot1x.authentication Authentication succeeded.
 
 ```
 

subset/dot1x/authenticator/authenticator.py

@@ -32,6 +32,7 @@ def __init__(self, src_mac, auth_mac, idle_time, retry_count,
         self.identity = None
         self.authentication_mac = auth_mac
         self.radius_state = None
+        self.radius_access_reject = None
         self._idle_time = idle_time
         self._max_retry_count = retry_count
         self._current_timeout = None
@@ -77,6 +78,7 @@ def received_radius_response(self, payload, radius_state, packet_type):
         """Received RADIUS access channel"""
         self.radius_state = radius_state
         if packet_type == 'RadiusAccessReject':
+            self.radius_access_reject = True
             self._state_transition(self.FAIL, self.RADIUS)
             eap_message = FailureMessage(self.src_mac, 255)
             self.auth_callback(self.src_mac, False)
@@ -141,6 +143,7 @@ class Authenticator:
     def __init__(self, config_file):
         self.state_machines = {}
         self.results = {}
+        self.radius_access_reject = {}
         self.eap_module = None
         self.radius_module = None
         self.logger = utils.get_logger('Authenticator')
@@ -280,6 +283,8 @@ def process_test_result(self, src_mac, is_success):
                 self.logger.info('Authentication failed. Received no EAPOL packets.')
         if src_mac:
             self.results[src_mac] = is_success
+            if self.state_machines[src_mac].radius_access_reject:
+                self.radius_access_reject[src_mac] = True
             self.state_machines.pop(src_mac)
         # TODO: We currently finalize results as soon as we get a result for a src_mac.
         # Needs to be changed if we support multiple devices.
@@ -290,17 +295,23 @@ def run_authentication_test(self):
         result_str = ""
         test_result = ""
         if not self.results:
-            result_str = "Authentication failed. No EAPOL messages received."
+            result_str = "Authentication failed. No EAPOL messages received." \
+                         " Check 802.1x is enabled"
             test_result = "skip"
         else:
             test_result = "pass"
             for src_mac, is_success in self.results.items():
+                additional = ''
                 if is_success:
                     result = 'succeeded'
                 else:
                     result = 'failed'
                     test_result = "fail"
-                result_str += "Authentication for %s %s." % (src_mac, result)
+                    if src_mac in self.radius_access_reject:
+                        additional = ' Incorrect credentials provided.'
+                    else:
+                        additional = ' Error encountered.'
+                result_str += "Authentication %s.%s" % (result, additional)
         return result_str, test_result
 
     def handle_sm_timeout(self):

subset/dot1x/readme.md

@@ -22,25 +22,30 @@ can authenticate using 802.1x with one of the following supported protocols:
 - PEAP/MSChapv2
 - MD5
 
+The test is run by configuring the device to use one of the provided 
+credentials included in this test module. 
+
 #### Supported Protocols/Supplicant Credentials
-The module includes a set of credential, from which one should used to configure
-the device/supplicant. These are located
-[here](../../docker/include/etc/wpasupplicant). Different suppliants may use
-different names for the below fields or may not provide the ability to modify
-all these fields. 
+The module includes a set of credential which should be used to configure the device.
+
+Certificates are located in the 
+[resources/802.1x/cert](../../resources/802.1x/cert) directory. 
+
+Different suppliants may use different names for the below fields or may not
+provide the ability to modify all these fields. 
 - **TTLS**
    - Username: `user`
    - Password: `microphone`
-   - CA Certificate: [ca.pem](../../docker/include/etc/wpasupplicant/cert/ca.pem)
+   - CA Certificate: [ca.pem](../../resources/802.1x/cert/ca.pem)
    - Inner (Phase 2) Authentication: MSCHAPV2
 - **TLS**
    - Identity: `user@example.org`
-   - CA Certificate: [ca.pem](../../docker/include/etc/wpasupplicant/cert/ca.pem)
-   - Client Certificate: [user@example.org.pem](../../docker/include/etc/wpasupplicant/cert/user@example.org.pem)
-   - Private Key: [user@example.org.pem](../../docker/include/etc/wpasupplicant/cert/user@example.org.pem)
+   - CA Certificate: [ca.pem](../../resources/802.1x/cert/ca.pem)
+   - Client Certificate: [user@example.org.pem](../../resources/802.1x/cert/user@example.org.pem)
+   - Private Key: [user@example.org.pem](../../resources/802.1x/cert/user@example.org.pem)
    - Private Key Password: `whatever`
 - **Protected EAP (PEAP)**
-   - CA Certificate: [ca.pem](../../docker/include/etc/wpasupplicant/cert/ca.pem)
+   - CA Certificate: [ca.pem](../../resources/802.1x/cert/ca.pem)
    - Outer (Phase 1) Authentication: PEAP Version 1
    - Inner (Phase 2) Authentication: MSCHAPV2
    - Username: `user`

subset/dot1x/test_dot1x

@@ -15,6 +15,7 @@ echo 'Dot1x Authentication tests'
 python3 authenticator/test_dot1x.py /tmp/dot1x_result.txt $1
 
 RESULT_AND_SUMMARY=$(cat /tmp/dot1x_result.txt)
+TEST_LOG=$(sed -e 's/^/%% /' /tmp/dot1x_debug_log)
 
 write_out_result $REPORT "$TEST_NAME" "$TEST_DESCRIPTION" \
-                     "n/a" "$RESULT_AND_SUMMARY"
+                     "$TEST_LOG" "$RESULT_AND_SUMMARY"

testing/test_aux.out

@@ -71,9 +71,9 @@ RESULT skip ntp.network.ntp_update Not enough NTP packets received.
 RESULT pass connection.network.mac_oui Manufacturer: Google found for address 3c:5a:b4:1e:8f:0a
 RESULT pass connection.network.mac_address Device MAC address is 3c:5a:b4:1e:8f:0a
 RESULT pass dns.network.hostname_resolution Device sends DNS requests and resolves host names
-RESULT pass connection.dot1x.authentication Authentication for 9a:02:57:1e:8f:01 succeeded.
-RESULT fail connection.dot1x.authentication Authentication for 3c:5a:b4:1e:8f:0b failed.
-RESULT skip connection.dot1x.authentication Authentication failed. No EAPOL messages received.
+RESULT pass connection.dot1x.authentication Authentication succeeded.
+RESULT fail connection.dot1x.authentication Authentication failed. Incorrect credentials provided.
+RESULT skip connection.dot1x.authentication Authentication failed. No EAPOL messages received. Check 802.1x is enabled
 dhcp requests 1 1 1 1
 3c5ab41e8f0a: []
 3c5ab41e8f0b: ['3c5ab41e8f0b:ping:TimeoutError']

testing/test_preamble.sh

@@ -73,6 +73,7 @@ function redact {
         -e 's/[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2} [A-Z]{3}/XXX/' \
         -e 's/[a-zA-Z]{3} [a-zA-Z]{3}\s+[0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2} [0-9]{4}/XXX/' \
         -e 's/[A-Za-z]{3} [0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}/XXX/' \
+        -e 's/[0-9]{4}-(0|1)[0-9]-(0|1|2|3)[0-9] [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}/XXX/' \
         -e 's/[0-9]{4}-(0|1)[0-9]-(0|1|2|3)[0-9] [0-9]{2}:[0-9]{2}:[0-9]{2}(\+00:00)?/XXX/g' \
         -e 's/[0-9]+\.[0-9]{2} seconds/XXX/' \
         -e 's/-?0\.[0-9]+s latency/XXX/' \