Empty EAP-FAST exchange after Phase 1 authentication
Jouni Malinen
Tue Jun 26 20:08:18 PDT 2007
On Tue, Jun 26, 2007 at 04:59:07PM -0400, Eric Fung wrote:
> I noticed that hostapd expects an empty EAP-FAST Request/Response exchange
> after Phase 1 Authentication (using a valid PAC-Opaque) completes successfully
> before proceeding to Phase 2. RFC 4851 does not show this exchange, but shows
> TLVs being sent inside the tunnel immediately in the next message.

Thanks for testing and reporting this! The EAP-FAST server side
implementation is still quite experimental and it hasn't yet received
much testing. It is based on the EAP-PEAP implementation that did not
support session resumption or abbreviated TLS handshake. Consequently,
it did not really expect Phase 1 to be completed with a message from the
peer.

I fixed this now by allowing the server to bypass the extra state that
is needed in the non-abbreviated TLS case and move directly into sending
Phase 2 data as a response to the received TLS ClientFinished message.
--
Jouni Malinen PGP id EFC895FA
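
The state handling described in this message, modelled as an added example (not hostapd code and not part of the original post). The state names, the `hs` events and both traces are constructed assumptions; the initial EAP-FAST Start request is not counted.

```c
#include <stdbool.h>
#include <stdio.h>

/* What the TLS layer reports for one peer response (constructed model). */
enum hs { HS_CONTINUE, HS_DONE_SERVER_LAST, HS_DONE_PEER_LAST };
/* Hypothetical server states and request contents; not hostapd identifiers. */
enum state { PHASE1, PHASE1_ACK, PHASE2 };
enum req { REQ_TLS, REQ_EMPTY, REQ_PHASE2_TLVS };
struct result { int requests; int empty_requests; };

/* Constructed traces: full handshake vs. abbreviated (PAC-Opaque) handshake. */
static const enum hs FULL[] = { HS_CONTINUE, HS_DONE_SERVER_LAST };
static const enum hs RESUMED[] = { HS_CONTINUE, HS_DONE_PEER_LAST };

/* One server step: consume a peer response, pick the next request. */
static enum req step(enum state *st, enum hs ev, bool fixed)
{
    if (*st != PHASE1) {           /* ack received, or already in Phase 2 */
        *st = PHASE2;
        return REQ_PHASE2_TLVS;
    }
    if (ev == HS_CONTINUE)
        return REQ_TLS;            /* more handshake data to send */
    if (ev == HS_DONE_PEER_LAST && fixed) {
        *st = PHASE2;              /* ClientFinished received: skip extra state */
        return REQ_PHASE2_TLVS;
    }
    *st = PHASE1_ACK;              /* extra state: wait for one more response */
    /* Full handshake: our Finished goes out. Old resumed path: nothing to send. */
    return ev == HS_DONE_SERVER_LAST ? REQ_TLS : REQ_EMPTY;
}

/* Count server requests up to the first one carrying Phase 2 TLVs. */
struct result run(const enum hs *trace, size_t n, bool fixed)
{
    struct result r = { 0, 0 };
    enum state st = PHASE1;
    for (size_t i = 0; i < n + 1; i++) {
        /* After the trace ends the peer sends an empty response. */
        enum req q = step(&st, i < n ? trace[i] : HS_CONTINUE, fixed);
        r.requests++;
        r.empty_requests += (q == REQ_EMPTY);
        if (q == REQ_PHASE2_TLVS)
            return r;
    }
    r.requests = -1;               /* trace never completed the handshake */
    return r;
}

int main(void)
{
    printf("full: %d requests\n", run(FULL, 2, true).requests);
    printf("resumed: old=%d fixed=%d\n", run(RESUMED, 2, false).requests,
           run(RESUMED, 2, true).requests);
    return 0;
}
```

In this model the full handshake is unchanged by the fix, while the resumed session loses the empty request that the original report observed.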