Does RADIUS server support ERP?

Jouni Malinen j at
Mon Apr 8 14:18:10 PDT 2019

On Mon, Apr 08, 2019 at 10:41:04AM -0700, James Prestwood wrote:
> Ah yeah, there is no erp_set_key, I meant erp_add_key. I was able to
> figure out what is happening, explained in my reply to this post, but
> for a short(ish) version:
> ieee802_1x_learn_identity is being called to parse out the keyName-NAI
> from the ERP packet, which is then set as 'identity' on the eapol state
> machine. This identity is used in ieee802_1x_encapsulate_radius as the
> RADIUS_ATTR_USER_NAME attribute for the radius packet.
> The issue here is RADIUS expects the full user name (e.g.
> user at in order to look up/create a session. But the ERP
> packet contains the keyName-NAI (e.g. 99cf9651efb22254 at
> Hence the lookup fails. If I hack ieee802_1x_learn_identity to instead
> set my expected user name, RADIUS is happy, creates a session, grabs
> the ERP keys and sends back EAP-Finish (encapsulated in FILS Wrapped
> data).

I was trying to understand this part from the earlier messages without
success since what you described here for User-Name selection is the way
this is supposed to work.. That's why I asked for debug logs and
configuration files. Anyway, I think I figured out what you mean here
and why that "fixes" the issue (while breaking the contents of the
RADIUS Access-Request).

> So with my little hack it all works as I would expect. I haven't ever
> had much luck running the hostapd hwsim tests in the past, but if you
> say they work as expected then maybe its worth my time to figure it
> out. If the logic I am describing does not happen with the hwsim tests
> then I may be doing something incorrect. But looking at the logic in
> _learn_identity, I don't really see how setting the keyName-NAI as the
> RADIUS user name would ever work (unless RADIUS actually looks up the
> ERP key to get the proper user name, which it doesn't AFAIK).

That thing mentioned in the parenthetical is indeed what should be
happening here.. I did not notice this since I was always testing with
EAP user database that included a wildcard entry that matches with the
ERP keyName-NAI. Anything like "* TLS" in the eap_user.conf would make
this matching work..

I'll modify the User-Name matching code fro RADIUS server to have a
separate check for stored keyName-NAI values for ERP to remove need for
that wildcard entry.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list