Does RADIUS server support ERP?

Jouni Malinen j at w1.fi
Sat Apr 6 06:51:29 PDT 2019


On Tue, Apr 02, 2019 at 12:09:14PM -0700, James Prestwood wrote:
> I am trying to get FILS working and it appears a RADIUS server is
> required for this? I am using EAP-PWD as the method for full EAP
> authentication, then trying to use FILS to authenticate using the
> cached ERP keys. I have played around with the configuration trying to
> eliminate the RADIUS server, but regardless of what I do the FILS
> authentication will always try to use RADIUS. The full EAP auth works
> fine, and I even see hostapd caching my ERP keys:
> 
> EAP: Stored ERP keys 3d340950a519007f at example.com

You can use either the internal EAP authentication server or an external
RADIUS server for FILS shared key authentication.

> After this I disconnect, and reconnect using FILS. Unfortunately FILS
> tries to use RADIUS rather than the internal EAP/ERP server, and since
> the previous run never cached the ERP keys in the RADIUS server it only
> finds the full user identity, not the derived identity (above). Further
> I see in the hostapd RADIUS server implementation there is no use of
> the erp_add_key/erp_set_key functions. This makes me think the hostapd
> RADIUS server does not support ERP?

Which version of hostapd are you using on the RADIUS server?
erp_add_key() callback was added in 2014 to radius_server.c. There is no
erp_set_key, so I guess that was a typo for erp_get_key() which was also
added in 2014.

> If the hostapd RADIUS server does not support ERP is there a way to get
> FILS to use the internal EAP/ERP server? I have tried removing all the
> radius server options, but FILS still attempts to get a response from
> RADIUS regardless.

I'm not sure what you are describing here, but all the ERP and FILS test
cases in tests/hwsim/test_{erp,fils}.py work fine for me. Those have
examples of various different ways of using FILS shared key
authentication with internal or external EAP server and with and without
PMKSA caching.

If some combinations do not work for you, please provide configuration
files from the hostapd(s) and debug logs from them as well.

-- 
Jouni Malinen                                            PGP id EFC895FA
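For readers checking their own setup against the internal-EAP-server path Jouni mentions, here is a minimal hostapd configuration for FILS shared key authentication with the built-in EAP server and ERP. It is an added illustration, not a configuration from the thread or from the hostapd test suite; the interface name, SSID, realm, user file path, and cache ID are placeholder values.

```ini
# hostapd.conf (added example, placeholder values)
interface=wlan0
ssid=fils-example
hw_mode=g
channel=6

# WPA2-Enterprise plus FILS shared key; FILS requires PMF (ieee80211w=2).
wpa=2
wpa_key_mgmt=WPA-EAP FILS-SHA256
rsn_pairwise=CCMP
ieee80211w=2

# Use the internal EAP server instead of an external RADIUS server.
# With eap_server=1 and no auth_server_addr, no RADIUS round-trip occurs.
eap_server=1
eap_user_file=/etc/hostapd.eap_user

# Enable ERP on the internal EAP server so the full EAP run stores
# rIK/rMSK material under the given domain (the "Stored ERP keys" log).
eap_server_erp=1
erp_domain=example.com

# FILS realm must match the ERP domain so a reconnecting station's
# keyName-NAI (e.g. ...@example.com) resolves to the cached ERP keys.
fils_realm=example.com

# Optional: 16-bit FILS Cache Identifier (hex) advertised to stations.
fils_cache_id=0001
```

The referenced /etc/hostapd.eap_user would carry an EAP-pwd entry such as `"user@example.com" PWD "secret"`; the identity's realm should likewise be example.com so that the derived ERP identity lands in the advertised FILS realm.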
