Check for identifier in EAP-PEAP phase-2

Jouni Malinen j
Fri Sep 24 23:13:35 PDT 2010


On Sat, Sep 25, 2010 at 12:19:01AM +0530, paul peterson wrote:

> I'm trying to perform EAP-PEAPv1 authentication using Juniper SBR. I have
> EAP-GTC disabled in wpa_supplicant, so in phase-2 when wpa_supp receives
> EAP-GTC proposal, it sends legacy NAK with method MSCHAPv2. In response SBR
> sends a new proposal for MSCHAPv2 but with same identifier value as in the
> last EAP frame. I see wpa_supplicant does not have any check to see if the
> identifier value matches with the one in the last frame received during the
> EAP-PEAP second stage. Is this correct to skip the check ?

which Identifier field are you referring to? The one in the outer header
or the one in the inner (tunneled) one? I would assume that both values
are actually supposed to change in this particular case. However,
wpa_supplicant has a workaround for this enabled by default to
interoperate with deployed authentication servers. Unless disabled
(eap_workaround=0), the EAP message with the same Identifier value is
accepted if it differs from the previous message in any part of the
payload.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list