fast re-auth configuration issues

[Jouni Malinen]

On Thu, Apr 03, 2008 at 11:27:26AM +0200, jan terje t?nnessen wrote:

> When setting up EAP-SIM is works with the initial setup (full authentication)
> When the WLAN-device tries to re-authenticate it uses the fast reauth-id and it fails due to "User-Name not found"
> 
> In hostapd.eap_user I have only one line
> "DUT at lab.org"      SIM
> 
> re-auth works when changing the entry in hostapd.eap_user to
> * SIM 
> 
> Is this how it should be ?

Yes, you will need to have an entry in the EAP user list for whatever
identity will be used during authentication. As far as EAP-SIM is
concerned, you can use following wildcards to limit just to the standard
identity prefixes, if desired:
"1"*	SIM
"3"*	SIM
"5"*	SIM

(that includes full authentication, identity protection with pseudonym,
and fast re-authentication; I would expect the "DUT at lab.org" style
identity to be 1 | IMSI at realm in most cases, but if not, you will need
to make sure there is a match for whatever style permanent id)

> Is it possible for hostapd to require full-auth even if the WLAN-device attempts to use the fast-id ?

Yes, if hostapd does not recognize the provided fast reauth id, it will
try to fall back to full-auth.

> Is it possible to configure hostapd to not generate/send fast-id to the WLAN-device ?

Not without changing source code.. If you are fine with hardcoding this
to be disabled, you can modify eap_sim_build_encr() not to add the next
re-authentication id or alternatively change
eap_sim_db_get_next_reauth_id() to return NULL. Similarly, it would be
possible to remove the use of pseudonyms, if needed.

-- 
Jouni Malinen                                            PGP id EFC895FA