[PATCH] EAP-SIM: Don't use anonymous identity in phase2
Jouni Malinen
j at w1.fi
Fri Feb 10 10:12:26 PST 2017
On Wed, Feb 08, 2017 at 05:47:57PM -0800, Paul Stewart wrote:
> The "anonymous_identity" configuration field has more than one
> semantic meaning. For tunneled EAP methods, this refers to the
> outer EAP identity. For EAP-SIM, this refers to the pseudonym
> identity. Also, interestingly, EAP-SIM can overwrite the
> "anonymous_identity" field if one is provided to it by the
> authenticator.
>
> When EAP-SIM is tunneled within an outer method, it makes sense
> to only use this value for the outer method, since it's unlikely
> that this will also be valid as an identity for the inner EAP-SIM
> method. Also, presumably since the outer method protects the
> EAP-SIM transaction, there is no need for a pseudonym in this
> usage.
>
> Similarly, if EAP-SIM is being used as an inner method, it must
> not push the pseudonym identity using eap_set_anon_id() since it
> could overwrite the identity for the outer EAP method.
Thanks, applied. I did the same changes for EAP-AKA as well and also
extended the EAP-TTLS/PEAP reauthentication cases to cover this
properly. With those changes, EAP-SIM and EAP-AKA worked fine with hwsim
test cases within an EAP-TTLS/PEAP/FAST tunnel, including the EAP
reauthentication sequence.
--
Jouni Malinen PGP id EFC895FA
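As an added illustration of the identity handling discussed in this thread (a constructed model written for this page, not wpa_supplicant's own eap_sim.c or eap.c code): the block below models the two meanings of anonymous_identity, the identity EAP-SIM picks when it runs as the outer method versus inside a TTLS/PEAP/FAST tunnel, and what happens to the outer identity when the server assigns a new pseudonym. The `fixed` flag contrasts the behaviour described in the patch with the earlier behaviour in which the pseudonym was used and stored regardless of phase. NetworkConfig, the function names and all identity strings are assumptions made for this example.

```python
"""Model of anonymous_identity semantics for EAP-SIM inside and outside a tunnel.

Constructed example, not wpa_supplicant code. It captures the rule from the
thread: anonymous_identity is the outer identity for tunneled methods and the
EAP-SIM pseudonym otherwise, so an inner EAP-SIM run must neither use it as
its own identity nor overwrite it with a server-assigned pseudonym.
"""
from dataclasses import dataclass, replace
from typing import Optional

TUNNELED_METHODS = ("TTLS", "PEAP", "FAST")


@dataclass(frozen=True)
class NetworkConfig:
    """Subset of a wpa_supplicant network block (assumed field meanings)."""
    identity: str                       # permanent identity of the EAP peer
    anonymous_identity: Optional[str]   # outer identity or EAP-SIM pseudonym
    eap: str                            # outer EAP method, e.g. "SIM" or "TTLS"
    phase2: Optional[str] = None        # inner method, e.g. "autheap=SIM"


def outer_identity(cfg: NetworkConfig) -> str:
    """Identity sent in the cleartext EAP-Response/Identity.

    Model of the generic EAP state machine: when anonymous_identity is set it
    is what goes on the wire in the clear, whatever the EAP method is.
    """
    return cfg.anonymous_identity or cfg.identity


def eap_sim_identity(cfg: NetworkConfig, in_phase2: bool, fixed: bool = True) -> str:
    """Identity EAP-SIM answers with to a full-authentication identity request.

    Unfixed: the pseudonym stored in anonymous_identity is used whenever set,
             even when EAP-SIM is the inner method and the value is really the
             outer identity of the tunnel.
    Fixed:   the pseudonym is used only when EAP-SIM is the outer method; in
             phase2 the tunnel already protects the exchange, so the permanent
             identity is sent inside it.
    """
    use_pseudonym = cfg.anonymous_identity is not None and not (fixed and in_phase2)
    return cfg.anonymous_identity if use_pseudonym else cfg.identity


def store_pseudonym(cfg: NetworkConfig, in_phase2: bool, pseudonym: str,
                    fixed: bool = True) -> NetworkConfig:
    """Handling of a pseudonym the server assigns during EAP-SIM.

    Unfixed: always pushed into anonymous_identity (the eap_set_anon_id() path
             the patch description mentions), clobbering the outer identity.
    Fixed:   skipped in phase2, so the tunnel's outer identity is preserved.
    """
    if fixed and in_phase2:
        return cfg
    return replace(cfg, anonymous_identity=pseudonym)


def next_outer_identity(cfg: NetworkConfig, server_pseudonym: str,
                        fixed: bool = True) -> str:
    """Outer identity used on the next authentication after an EAP-SIM run in
    which the server assigned server_pseudonym."""
    in_phase2 = cfg.eap in TUNNELED_METHODS
    updated = store_pseudonym(cfg, in_phase2, server_pseudonym, fixed)
    return outer_identity(updated)


# Constructed sample configurations (identities are made up for this example).
TTLS_SIM = NetworkConfig(identity="1234560123456789@example.com",
                         anonymous_identity="anonymous@example.com",
                         eap="TTLS", phase2="autheap=SIM")
PLAIN_SIM = NetworkConfig(identity="1234560123456789@example.com",
                          anonymous_identity=None, eap="SIM")


if __name__ == "__main__":
    # Tunneled case: the inner EAP-SIM must not reuse the outer identity, and a
    # server pseudonym must not overwrite it.
    print("TTLS outer identity:", outer_identity(TTLS_SIM))
    print("inner EAP-SIM identity (fixed):", eap_sim_identity(TTLS_SIM, True))
    print("inner EAP-SIM identity (unfixed):", eap_sim_identity(TTLS_SIM, True, fixed=False))
    print("outer identity after pseudonym (fixed):",
          next_outer_identity(TTLS_SIM, "3abcdef@example.com"))
    print("outer identity after pseudonym (unfixed):",
          next_outer_identity(TTLS_SIM, "3abcdef@example.com", fixed=False))
    # Standalone case: the pseudonym is exactly what should be stored and sent.
    print("plain EAP-SIM outer identity after pseudonym:",
          next_outer_identity(PLAIN_SIM, "3abcdef@example.com"))
```

The standalone path is unchanged by the fix: when EAP-SIM is the outer method, storing the server's pseudonym in anonymous_identity is the intended behaviour, because that is the value the next cleartext EAP-Response/Identity should carry.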
More information about the Hostap mailing list