Does RADIUS server support ERP?

James Prestwood james.prestwood at
Wed Apr 3 10:47:56 PDT 2019

On Tue, 2019-04-02 at 12:09 -0700, James Prestwood wrote:
> Hi,
> I am trying to get FILS working and it appears a RADIUS server is
> required for this? I am using EAP-PWD as the method for full EAP
> authentication, then trying to use FILS to authenticate using the
> cached ERP keys. I have played around with the configuration trying
> to
> eliminate the RADIUS server, but regardless of what I do the FILS
> authentication will always try to use RADIUS. The full EAP auth works
> fine, and I even see hostapd caching my ERP keys:
> EAP: Stored ERP keys 3d340950a519007f at
> After this I disconnect, and reconnect using FILS. Unfortunately FILS
> tries to use RADIUS rather than the internal EAP/ERP server, and
> since
> the previous run never cached the ERP keys in the RADIUS server it
> only
> finds the full user identity, not the derived identity (above).
> Further
> I see in the hostapd RADIUS server implementation there is no use of
> the erp_add_key/erp_set_key functions. This makes me think the
> hostapd
> RADIUS server does not support ERP?
> If the hostapd RADIUS server does not support ERP is there a way to
> get
> FILS to use the internal EAP/ERP server? I have tried removing all
> the
> radius server options, but FILS still attempts to get a response from
> RADIUS regardless.
> Thanks,
> James

Ok, so I was able to hack hostapd to do what I expect (still possible
this is incorrect, but seems right to me). This is what is happening:

After a successful full EAP authentication I disconnect and reconnect
using FILS. I send my authenticate frame and hostapd parses out the
FILS Wrapped data (the ERP packet). This ERP data contains the keyName-
NAI which is what hostapd has previously cached. Before hostapd
forwards this to the RADIUS server it needs to build up a RADIUS
message with the ERP data encapsulated.

ieee802_1x_encapsulate_radius calls ieee802_1x_learn_identity which
parses the ERP data to find the "identity" (which is the keyName-NAI,
NOT the radius user/identity). After this it sets what it thinks is the
identity to the eapol state machines identity. This identity is then
used as the User-Name part of the RADIUS request.

RADIUS receives this tries to lookup the User-Name, which it will never
find because the User-Name sent was actually the keyName-NAI.

If I hack ieee802_1x_learn_identity to not use the keyName-NAI, I see
RADIUS successfully creating a session, and looking up the ERP keys and
hostapd continues onto association.

Rather than using the keyName-NAI as the RADIUS user name, the actual
identity needs to be looked up and used. Does ERP retain the full
identity? or just the keyName-NAI? Or is there another way to obtain
the User-Name not via the ERP cache.


> _______________________________________________
> Hostap mailing list
> Hostap at

More information about the Hostap mailing list