Sending EAP Identity Encrypted

alan furlong alan250985 at
Thu Sep 22 13:35:55 PDT 2016

Thanks Jouni.

On Thu, Sep 22, 2016 at 1:02 PM, Jouni Malinen <j at> wrote:
> On Thu, Sep 22, 2016 at 09:47:27AM -0700, alan furlong wrote:
>> Just to add more info to this. I'm only looking for encryption of
>> username part of NAI, and there is no outer tunnel possibility to
>> protect the identity in the scenario I'm dealing with.
> Why would you need to that instead of using anonymous username and
> exchange the real identity in protected manner within the actual EAP
> authentication method?
Few reasons could be -
1. The inner EAP method supports mutual authentication.
2. TLS based outer tunnel could be expensive in terms of crypto and
does not offer much except privacy protection. Also pinning server
certificate may add overheads.
3. The EAP method will have to support crypto binding (PEAPv2, FAST, TEAP ?)

Which EAP method(s) are you thinking of using?

>> On Thu, Sep 22, 2016 at 9:06 AM, alan furlong <alan250985 at> wrote:
>> > Is it possible to configure wpa_supplicant to send EAP Identity
>> > encrypted for privacy reasons?
> It is not really a question of configuration option on the client side.
> There is no specification of a protocol for doing this nor support on
> the authentication servers for doing something like this. Nor need for
> this if the EAP authentication method supports protected exchange of
> identities.


> --
> Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list