Hostapd EAP-FAST PAC-Info lacks I-ID attribute

Jouni Malinen
Thu Aug 19 11:25:41 PDT 2010


On Tue, Aug 17, 2010 at 02:28:39PM -0500, Lundberg, Justin wrote:
> Does anyone know why the EAP-FAST server in hostapd-0.6.6 does not
> include the I-ID attribute as part of the PAC-Info during provisioning?

That probably got missed when the identity was added to the PAC-Opaque
and then started to be required to match the identity used during
authentication.

> The PAC-Opaque is currently explicitly bound to the user it was issued
> to in hostapd-0.6.6, but my reading of RFC5422 Section 4.2.4 is that if
> the PAC is not usable by multiple users (a "global" PAC in some of the
> documentation I have seen), the I-ID must be included with the
> PAC-Info TLV. While I will not claim that all of the text describing the
> I-ID seems particularly clear, in practice Cisco ACS is just sending the
> user name (which in the case I have observed is just ASCII or UTF-8
> text) in the I-ID attribute. However, the following excerpt from RFC5422
> 4.2.4 seems to unambiguously state that hostapd should be including the
> I-ID given that the hostapd-issued PAC-Opaque is bound to a single user.

It sounds reasonable to add I-ID into the PAC-Info and I did that in the
development branch. I'm not sure how various clients change their
behavior based on this attribute, but if it has been used by Cisco ACS,
it sounds likely that adding it is unlikely to cause interop issues.

I've never even considered using a shared PAC in the client side
implementation, so I haven't found use for this in the PAC-Info. Anyway,
if some implementations do want to try to use a shared PAC for multiple
users and only request new per-user PACs if the I-ID is included, it can
be useful to make sure this gets added.

-- 
Jouni Malinen                                            PGP id EFC895FA
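As an added illustration (not hostapd code and not part of this thread), the following Python encodes a PAC-Info attribute list with and without I-ID and checks it against the RFC 5422 Section 4.2.4 rule discussed above: a PAC whose PAC-Opaque is bound to one user must carry I-ID. The attribute type codes are those of RFC 5422 Section 4.2.3; the helper names, the sample A-ID and the user name are constructed here.

```python
import struct

# PAC attribute type codes from RFC 5422 section 4.2.3
PAC_TYPE_CRED_LIFETIME = 3
PAC_TYPE_A_ID = 4
PAC_TYPE_I_ID = 5
PAC_TYPE_A_ID_INFO = 7
PAC_TYPE_PAC_INFO = 9
PAC_TYPE_PAC_TYPE = 10
PAC_TYPE_TUNNEL_PAC = 1  # PAC-Type value for a Tunnel PAC

def pac_attr(attr_type, value):
    """Encode one PAC attribute: 16-bit type, 16-bit length, value."""
    return struct.pack("!HH", attr_type, len(value)) + value

def parse_pac_attrs(data):
    """Decode a type/length/value attribute list into {type: value}."""
    attrs, pos = {}, 0
    while pos + 4 <= len(data):
        attr_type, length = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if pos + length > len(data):
            raise ValueError("truncated PAC attribute")
        attrs[attr_type] = data[pos:pos + length]
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes after PAC attribute list")
    return attrs

def build_pac_info(a_id, a_id_info, lifetime, i_id=None):
    """Build a PAC-Info attribute; i_id=None reproduces the reported omission."""
    body = pac_attr(PAC_TYPE_CRED_LIFETIME, struct.pack("!I", lifetime))
    body += pac_attr(PAC_TYPE_A_ID, a_id)
    if i_id is not None:
        body += pac_attr(PAC_TYPE_I_ID, i_id)
    body += pac_attr(PAC_TYPE_A_ID_INFO, a_id_info)
    body += pac_attr(PAC_TYPE_PAC_TYPE, struct.pack("!H", PAC_TYPE_TUNNEL_PAC))
    return pac_attr(PAC_TYPE_PAC_INFO, body)

def check_pac_info(pac_info, user_bound=True):
    """List problems in a PAC-Info attribute. Per RFC 5422 section 4.2.4 a PAC
    whose PAC-Opaque is bound to a single user must carry I-ID."""
    attrs = parse_pac_attrs(parse_pac_attrs(pac_info)[PAC_TYPE_PAC_INFO])
    required = (PAC_TYPE_CRED_LIFETIME, PAC_TYPE_A_ID)
    problems = [f"missing attribute type {t}" for t in required if t not in attrs]
    if user_bound and PAC_TYPE_I_ID not in attrs:
        problems.append("user-bound PAC but PAC-Info lacks I-ID")
    return problems

# Constructed sample values, not taken from any real deployment
SAMPLE_A_ID = bytes(range(16))
SAMPLE_USER = b"justin@example.org"
```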