More questions on hs20/OSU keys and configuration.

Ben Greear greearb
Thu Mar 26 09:44:54 PDT 2015

On 03/26/2015 06:16 AM, Jouni Malinen wrote:
> On Wed, Mar 25, 2015 at 04:34:00PM -0700, Ben Greear wrote:
>> But, it seems that supplicant is using anonymous@, and so the radius server
>> does not find the user in the eap_user.db file and supplicant cannot connect.
> Hotspot 2.0 mandates use of identity protection for EAP-TTLS, i.e., the
> unencrypted EAP-Identity/Response has to use anonymous@<realm> form
> while the real identity is used only within the encrypted tunnel. You
> will need to configure the authentication server to allow EAP-TTLS to be
> used with such an anonymous identity.

At least part of my problem is that I did not have SQLITE support enabled.

Should we change this config to fail to load if user requests sqlite but
does not have support compiled in?

static int hostapd_config_read_eap_user(const char *fname,
					struct hostapd_bss_config *conf)
	FILE *f;
	char buf[512], *pos, *start, *pos2;
	int line = 0, ret = 0, num_methods;
	struct hostapd_eap_user *user = NULL, *tail = NULL, *new_user = NULL;

	if (!fname)
		return 0;

	if (os_strncmp(fname, "sqlite:", 7) == 0) {
		conf->eap_user_sqlite = os_strdup(fname + 7);
		return 0;


Ben Greear <greearb at>
Candela Technologies Inc

More information about the Hostap mailing list