[RFC] supplicant/interworking: Allow EAP-TLS without user specified.

Jouni Malinen j
Mon Sep 23 10:53:33 PDT 2013

On Mon, Sep 23, 2013 at 08:58:21AM -0700, Ben Greear wrote:
> In eap_sm_buildIdentity, there is a check for null identity.  From what I
> can tell by reading code, it would seem that eap_sm_get_scard_identity
> could populate this automatically and let the EAP response be built properly,
> even when the user does not specify a username in the config file.
> I don't actually have any system that supports the pcsc/IMSI logic yet,
> so I can't test it.

That is for EAP-SIM/AKA/AKA', not for EAP-TLS.

> And, would it be worth just using a hard-coded "default-user" string
> for ID in cases where we cannot otherwise determine the ID?

No, EAP-TLS should probably extract the EAP identity from the client
certificate (subjectName or subjectAltName) if no identity is set in the

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list