Sending EAP Identity Encrypted
Alan DeKok
aland at deployingradius.com
Thu Sep 22 09:14:34 PDT 2016
On Sep 22, 2016, at 12:06 PM, alan furlong <alan250985 at gmail.com> wrote:
> Is it possible to configure wpa_supplicant to send EAP Identity
> encrypted for privacy reasons?
>
> This makes an assumption that the RADIUS on the other end is able to
> decrypt it. Both the EAP peer and the authentication server could either use
> the same shared secret, or the client can encrypt using the public key of the
> authentication server, with the server decrypting it using the private key.
My $0.02 (as a RADIUS guy) is that this is a terrible idea. Don't do it.
Instead, use anonymous outer identities (@example.com), and use the real identity in the inner tunnel.
For further explanation, see my RFC:
https://tools.ietf.org/html/rfc7542
Alan DeKok.
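
The recommendation above (anonymous outer identity, real identity in the inner tunnel) maps to wpa_supplicant's `anonymous_identity` and `identity` network fields. The following is an added example, not part of the original post: a Python check over a constructed configuration that flags tunneled-EAP networks whose outer identity would reveal the user. The SSIDs, the user name, and the choice to accept an empty or `anonymous` user part are assumptions of this example.

```python
import re

# Constructed sample wpa_supplicant.conf, trimmed to the EAP identity fields.
SAMPLE_CONF = '''
network={
    ssid="corp-leaky"
    eap=PEAP
    identity="alice@example.com"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-private"
    eap=TTLS
    anonymous_identity="@example.com"
    identity="alice@example.com"
    phase2="auth=PAP"
}
'''

TUNNELED = {"PEAP", "TTLS", "FAST"}  # EAP methods that carry an inner tunnel

def parse_networks(conf):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def outer_identity_findings(conf):
    """List (ssid, problem) for networks whose outer identity reveals the user."""
    findings = []
    for net in parse_networks(conf):
        if not TUNNELED & set(net.get("eap", "").upper().split()):
            continue
        outer = net.get("anonymous_identity")
        if outer is None:  # without it, `identity` is sent unencrypted
            findings.append((net.get("ssid"), "no anonymous_identity set"))
        elif outer.split("@")[0] not in ("", "anonymous"):  # assumed allow-list
            findings.append((net.get("ssid"), "outer identity has a user part: " + outer))
    return findings

if __name__ == "__main__":
    for ssid, problem in outer_identity_findings(SAMPLE_CONF):
        print(ssid, "->", problem)
```
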