Hostapd EAP-FAST PAC-Info lacks I-ID attribute

Lundberg, Justin justin.lundberg
Tue Aug 17 12:28:39 PDT 2010

Does anyone know why the EAP-FAST server in hostapd-0.6.6 does not
the I-ID attribute as part of the PAC-Info during provisioning?

The PAC-Opaque is currently explicitly bound to the user it was issued
in hostapd-0.6.6 but my reading of RFC5422 Section 4.2.4 is that if the
PAC is not usable by multiple users (a "global" PAC in some of the
documentation I have seen) that the I-ID must be included with the
PAC-Info TLV. While I will not claim that all of the text describing the
I-ID seems particularly clear; in practice Cisco ACS is just sending the
user name (which in the case I have observed is just ASCII or UTF-8)
in the I-ID attribute. However, the following excerpt from RFC5422 4.2.4
seems to unambiguously state that hostapd should be including the I-ID
given that the hostapd issued PAC-Opaque is bound to a single user.

	If the I-ID is missing from the PAC-Info, it is assumed that the
	Tunnel PAC can be used for multiple users and the peer will not
	enforce the unique-Tunnel-PAC-per-user policy.

Given that the Wi-Fi Alliance is already doing interoperability testing
with hostapd-0.6.6 I plan to extend the client code to treat the hostapd
PAC as if the PAC-Info included the I-ID attribute.

After reading through RFC5422 I suspect that hostapd could just include
the I-ID attribute and be fully compliant. Has anyone else encountered


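The peer-side consequence of the RFC 5422 Section 4.2.4 text quoted above, as an added example (not code from the post or from hostapd): it walks the attributes nested in a PAC-Info value and enforces the per-user binding only when an I-ID is present. The function names and sample bytes are constructed, and comparing the I-ID to the user name byte for byte is an assumption based on the Cisco ACS behaviour the post describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PAC attribute type numbers from RFC 5422 Section 4.2 */
#define PAC_TYPE_A_ID 4
#define PAC_TYPE_I_ID 5

enum pac_scope { PAC_MALFORMED = -1, PAC_MULTI_USER = 0, PAC_SINGLE_USER = 1 };

/* Walk the attributes inside a PAC-Info value (2-byte type, 2-byte length,
 * big endian) and report whether an I-ID attribute is present. */
enum pac_scope pac_info_scope(const uint8_t *p, size_t len,
                              const uint8_t **i_id, size_t *i_id_len)
{
    enum pac_scope scope = PAC_MULTI_USER;
    *i_id = NULL;
    *i_id_len = 0;
    while (len > 0) {
        if (len < 4) return PAC_MALFORMED;      /* truncated header */
        unsigned type = (unsigned)p[0] << 8 | p[1];
        size_t alen = (size_t)p[2] << 8 | p[3];
        p += 4; len -= 4;
        if (alen > len) return PAC_MALFORMED;   /* value overruns buffer */
        if (type == PAC_TYPE_I_ID) {
            *i_id = p; *i_id_len = alen; scope = PAC_SINGLE_USER;
        }
        p += alen; len -= alen;
    }
    return scope;
}

/* Hypothetical peer check: may this Tunnel PAC be used for `user`? */
int pac_usable_for(const uint8_t *info, size_t len, const char *user)
{
    const uint8_t *id; size_t id_len;
    switch (pac_info_scope(info, len, &id, &id_len)) {
    case PAC_MULTI_USER:  return 1;  /* no I-ID: per-user policy not enforced */
    case PAC_SINGLE_USER: return id_len == strlen(user) && !memcmp(id, user, id_len);
    default:              return 0;  /* malformed PAC-Info: reject */
    }
}

/* Constructed PAC-Info values: A-ID only, then A-ID plus I-ID "alice" */
static const uint8_t info_no_iid[] = { 0,4, 0,3, 'a','i','d' };
static const uint8_t info_with_iid[] = { 0,4, 0,3, 'a','i','d',
                                         0,5, 0,5, 'a','l','i','c','e' };

int main(void) { return !pac_usable_for(info_with_iid, sizeof(info_with_iid), "alice"); }
```

With the I-ID absent, as in the hostapd-0.6.6 PAC-Info the post describes, the check accepts the PAC for any user name even though the server has bound the PAC-Opaque to one user.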