[PATCH 4/4] EAP-SIM/EAP-AKA peer: Support realms according to 3GPP TS 23.003

Simon Baatz gmbnomis
Mon Jan 23 13:25:10 PST 2012

On 23.01.2012 21:23, Jouni Malinen wrote:
> On Mon, Jan 23, 2012 at 08:48:32PM +0100, Simon Baatz wrote:
>> Great, thanks! You did not apply patches 1/4 and 2/4 (use the realm of
>> the permanent identity for the pseudonym as well). This is needed to
>> make pseudonyms work in environments that need a realm. Is there a
>> specific reason for not applying the patches, or is this just an oversight?
> They are still in the queue since I did not have time to test them yet.
> You can see the status of pending patches at
> http://patchwork.ozlabs.org/project/hostap/list/

I see. Sorry to be so impatient...

> Talking of those patches, I would assume something similar would be
> needed for fast reauthentication case, too. Or was that already covered
> in those patches?

For the fast reauthentication IDs the server may choose a different
realm. This makes sense if one has multiple EAP servers. If the realm
used for fast reauth points to a specific server, the fast reauth
context may be only local to this specific server. There is no need to
synchronize the state across servers or to store it persistently.
That's why AT_NEXT_REAUTH_ID must already contain both a username and a
realm if the realm is needed. (see section 5.3 of RFC 4186/4187)

- Simon
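
The identity handling discussed in this thread, as an added example that is not part of the original message and is not wpa_supplicant code: a pseudonym borrows the realm of the permanent identity, while a fast reauthentication ID is sent exactly as the server supplied it. The function name `select_identity`, the preference order and all sample identities are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: writes the identity the peer would send into out[]
 * and returns its length, or -1 if nothing is available or it does not fit. */
int select_identity(const char *permanent, const char *pseudonym,
                    const char *reauth_id, char *out, size_t out_len)
{
    const char *realm;
    int n;

    if (reauth_id && *reauth_id) {
        /* Fast reauth ID: used as received. If a realm is needed, the
         * server already put it into AT_NEXT_REAUTH_ID, and it may point
         * at one specific EAP server, so nothing is appended here. */
        n = snprintf(out, out_len, "%s", reauth_id);
    } else if (pseudonym && *pseudonym) {
        /* Pseudonym: reuse the realm ("@..." suffix) of the permanent
         * identity. The check for an existing '@' is a defensive
         * assumption to avoid producing a double realm. */
        realm = permanent ? strchr(permanent, '@') : NULL;
        if (realm && !strchr(pseudonym, '@'))
            n = snprintf(out, out_len, "%s%s", pseudonym, realm);
        else
            n = snprintf(out, out_len, "%s", pseudonym);
    } else if (permanent && *permanent) {
        n = snprintf(out, out_len, "%s", permanent);
    } else {
        return -1;
    }
    /* Reject truncation instead of sending a cut-off identity. */
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    const char *perm = "1232010000000000@wlan.mnc001.mcc232.3gppnetwork.org";
    char buf[128];

    if (select_identity(perm, "pseu1", NULL, buf, sizeof(buf)) > 0)
        printf("pseudonym:   %s\n", buf);
    if (select_identity(perm, "pseu1", "reauth7@eap2.example.org",
                        buf, sizeof(buf)) > 0)
        printf("fast reauth: %s\n", buf);
    return 0;
}
```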
