[RFC] supplicant/interworking: Allow EAP-TLS without user specified.

Ben Greear greearb
Mon Sep 23 10:58:37 PDT 2013

On 09/23/2013 10:53 AM, Jouni Malinen wrote:
> On Mon, Sep 23, 2013 at 08:58:21AM -0700, Ben Greear wrote:
>> In eap_sm_buildIdentity, there is a check for null identity.  From what I
>> can tell by reading code, it would seem that eap_sm_get_scard_identity
>> could populate this automatically and let the EAP response be built properly,
>> even when the user does not specify a username in the config file.
>> I don't actually have any system that supports the pcsc/IMSI logic yet,
>> so I can't test it.
> That is for EAP-SIM/AKA/AKA', not for EAP-TLS.
>> And, would it be worth just using a hard-coded "default-user" string
>> for ID in cases where we cannot otherwise determine the ID?
> No, EAP-TLS should probably extract the EAP identity from the client
> certificate (subjectName or subjectAltName) if no identity is set in the
> configuration.

Ok, I'll add that to my wishlist and will just make sure I configure
a user-name in the meantime.


Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
