Why does username is considered as part of the identity ?
TianHong Zhao
tzhao
Thu Mar 5 13:51:23 PST 2009
Regarding the identity issue, your solution about using
"anonymous_identity" is exactly what I want.
Thanks a lot.
Tianhong
On Thu, 2009-03-05 at 12:00 -0500, hostap-request at lists.shmoo.com wrote:
> Today's Topics:
>
> 1. Why does username is considered as part of the identity ?
> (TianHong Zhao)
> 2. PEAPv1(EAP-GTC) config with Cisco ACS (Ben Carbery)
> 3. Re: Why does username is considered as part of the identity ?
> (Jouni Malinen)
> 4. Re: Why does username is considered as part of the identity ?
> (Alan DeKok)
> 5. Re: PEAPv1(EAP-GTC) config with Cisco ACS (Jouni Malinen)
> 6. Re: wpa_supplicant for ad-hoc mode (Dan Williams)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 04 Mar 2009 17:15:43 -0500
> From: TianHong Zhao <tzhao at wavesat.com>
> Subject: Why does username is considered as part of the identity ?
> To: hostap at lists.shmoo.com
> Message-ID: <1236204943.7146.14.camel at WT0340>
> Content-Type: text/plain
>
> Hi,
>
> In EAP_TTLS/MSCHAPV2, the username is taken from identity (excluding the
> realm part), but why ?
>
> In the project I'm working on, when using EAP_TTLS/MSCHAPV2, "identity"
> in phase1 is MAC address, "identity" in phase2 is the username,
> is there any easy way to make eap_ttls code choose the right one ?
>
> Tianhong
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 5 Mar 2009 09:49:59 +1100
> From: Ben Carbery <ben.carbery at gmail.com>
> Subject: PEAPv1(EAP-GTC) config with Cisco ACS
> To: hostap at lists.shmoo.com
> Message-ID:
> <ab82fd6c0903041449l7fe8e00dged88a06db0a742bb at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I am trying to get wpa_supplicant going with this setup:
>
> Linux Laptop (Thinkpad with iwl4965agn) -> Aruba AP -> Aruba Wireless
> Controller -> Cisco ACS RADIUS server (terminates EAP)
>
> It's PEAPv1 as the passwords need to be in clear text, not MSCHAP. I have
> this setup successfully working with Windows and Mac, so just trying to get
> the wpa_supplicant config right. The best I can get is partial success, but
> it's not clear why it's failing. I think I *may* be hitting this problem
> fixed in v0.6.6:
>
> 2008-11-23 - v0.6.6
> * fixed canceling of PMKSA caching when using drivers that generate
> RSN IE and refuse to drop PMKIDs that wpa_supplicant does not know
> about
> i.e. "RSN: no matching PMKID found" error
>
> But my distro is still on 0.6.4. Can anyone confirm this is the
> problem I am hitting? Also is my config correct for this setup?
>
> Ben
>
>
> ---------------------------------------------------------------------------------------------------
>
> # config
>
> network={
> priority=4
> disabled=0
> ssid="WLAN-Secure"
> scan_ssid=1
> proto=WPA2
> key_mgmt=WPA-EAP
> ca_cert="/etc/ssl/certs/Thawte_Premium_Server_CA.pem"
>
> pairwise=CCMP
> group=CCMP
> eap=PEAP
> identity="u4399999"
> password="password"
> # guessing about the following..
> phase1="peap_outer_success=0 peaplabel=1"
>
> phase2="auth=GTC"
> }
>
> ---------------------------------------------------------------------------------------------------
>
> # wpa_cli status - cycles between the following several times
>
> wintermute ~ # wpa_cli status
> Selected interface 'wlan0'
> bssid=00:1a:1e:11:e5:42
> ssid=WLAN-Secure
> id=0
> pairwise_cipher=CCMP
>
> group_cipher=CCMP
> key_mgmt=WPA2/IEEE 802.1X/EAP
> wpa_state=4WAY_HANDSHAKE
> Supplicant PAE state=CONNECTING
> suppPortStatus=Unauthorized
> EAP state=IDLE
>
> wintermute ~ # wpa_cli status
> Selected interface 'wlan0'
>
> bssid=00:1a:1e:97:02:71
> ssid=WLAN-Secure
> id=0
> pairwise_cipher=CCMP
> group_cipher=CCMP
> key_mgmt=WPA2/IEEE 802.1X/EAP
> wpa_state=4WAY_HANDSHAKE
> Supplicant PAE state=AUTHENTICATING
> suppPortStatus=Unauthorized
>
> EAP state=IDLE
> selectedMethod=25 (EAP-PEAP)
> EAP TLS cipher=
> EAP-PEAPv1 Phase2 method=GTC
>
> # Before the controller bars the client for number of attempts and settles on:
>
> Selected interface 'wlan0'
>
>
> wpa_state=DISCONNECTED
> Supplicant PAE state=DISCONNECTED
> suppPortStatus=Unauthorized
> EAP state=DISABLED
> selectedMethod=25 (EAP-PEAP)
> EAP TLS cipher=
> EAP-PEAPv1 Phase2 method=GTC
>
> ---------------------------------------------------------------------------------------------------
>
> # connection logs
>
> I had to remove these logs as my post got lost in moderator-land for
> being too big, will update in next post if my config is correct.
>
>
> B
>
> ------------------------------
>
> Message: 3
> Date: Thu, 5 Mar 2009 09:06:47 +0200
> From: Jouni Malinen <j at w1.fi>
> Subject: Re: Why does username is considered as part of the identity ?
> To: hostap at lists.shmoo.com
> Message-ID: <20090305070647.GA10972 at jm.kir.nu>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, Mar 04, 2009 at 05:15:43PM -0500, TianHong Zhao wrote:
>
> > In EAP_TTLS/MSCHAPV2, the username is taken from identity (excluding the
> > realm part), but why ?
> >
> > In the project I'm working on, when using EAP_TTLS/MSCHAPV2, "identity"
> > in phase1 is MAC address, "identity" in phase2 is the username,
> > is there any easy way to make eap_ttls code choose the right one ?
>
> I'm not sure I'm fully following your description, but if all you want
> to do is to use a different identity in phase 1 and 2, please take a look
> at the anonymous_identity parameter: (anonymous_identity="<MAC addr>",
> identity="real username").
>
> --
> Jouni Malinen PGP id EFC895FA
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 05 Mar 2009 08:07:43 +0100
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Why does username is considered as part of the identity ?
> To: TianHong Zhao <tzhao at wavesat.com>
> Cc: hostap at lists.shmoo.com
> Message-ID: <49AF7A3F.5070401 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> TianHong Zhao wrote:
> > In EAP_TTLS/MSCHAPV2, the username is taken from identity (excluding the
> > realm part), but why ?
>
> Because that's what everyone does.
>
> > In the project I'm working on, when using EAP_TTLS/MSCHAPV2, "identity"
> > in phase1 is MAC address, "identity" in phase2 is the username,
> > is there any easy way to make eap_ttls code choose the right one ?
>
> You can set the identities independently to whatever you want.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 5 Mar 2009 09:09:17 +0200
> From: Jouni Malinen <j at w1.fi>
> Subject: Re: PEAPv1(EAP-GTC) config with Cisco ACS
> To: hostap at lists.shmoo.com
> Message-ID: <20090305070917.GB10972 at jm.kir.nu>
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, Mar 05, 2009 at 09:49:59AM +1100, Ben Carbery wrote:
>
> > I am trying to get wpa_supplicant going with this setup:
> >
> > Linux Laptop (Thinkpad with iwl4965agn) -> Aruba AP -> Aruba Wireless
> > Controller -> Cisco ACS RADIUS server (terminates EAP)
> >
> > It's PEAPv1 as the passwords need to be in clear text, not MSCHAP.
>
> > # guessing about the following..
> > phase1="peap_outer_success=0 peaplabel=1"
>
> That's incorrect; just remove the phase1 parameter and authentication
> should work fine with ACS. Forcing peaplabel=1 will break key derivation
> with most authentication servers, including ACS.
>
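The two corrections in the digest above, as an added example that is not from the thread or from wpa_supplicant itself: a minimal parser for network={} blocks (assumed to contain no nested braces and only full-line comments), the phase 1 / phase 2 identity split Jouni describes for anonymous_identity, with the phase 2 username taken as identity minus any "@realm" suffix as the original question states, and a check for the peaplabel=1 phase1 setting he says to remove. The sample configuration is constructed for the example.

```python
import re
# Constructed sample wpa_supplicant.conf (not from the thread): an EAP-TTLS
# network using anonymous_identity, and a PEAP network with the bad phase1.
SAMPLE_CONF = """
network={
    ssid="corp-ttls"
    eap=TTLS
    # phase 1 identity: sent in the clear in EAP-Response/Identity
    anonymous_identity="00:11:22:33:44:55"
    # phase 2 identity: sent only inside the TLS tunnel
    identity="alice@example.org"
    password="secret"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="WLAN-Secure"
    eap=PEAP
    identity="u4399999"
    password="password"
    phase1="peap_outer_success=0 peaplabel=1"
    phase2="auth=GTC"
}
"""

def parse_networks(text):
    """One dict per network={...} block; comments and quotes stripped."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, val = line.split("=", 1)
                net[key.strip()] = val.strip().strip('"')
        nets.append(net)
    return nets

def eap_identities(net):
    """(phase 1 identity, phase 2 username) as the thread describes them:
    anonymous_identity replaces identity in phase 1 when set; the phase 2
    username is identity without any '@realm' suffix (thread's description,
    not wpa_supplicant source)."""
    identity = net.get("identity", "")
    outer = net.get("anonymous_identity", identity)
    return outer, identity.split("@", 1)[0]

def check_phase1(net):
    """Flag the PEAP phase1 setting Jouni says breaks key derivation."""
    if net.get("eap") == "PEAP" and "peaplabel=1" in net.get("phase1", "").split():
        return ["phase1 forces peaplabel=1: remove phase1 (breaks key derivation with ACS)"]
    return []
```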