Does RADIUS server support ERP?

James Prestwood james.prestwood at linux.intel.com
Mon Apr 8 14:22:34 PDT 2019


On Tue, 2019-04-09 at 00:18 +0300, Jouni Malinen wrote:
> On Mon, Apr 08, 2019 at 10:41:04AM -0700, James Prestwood wrote:
> > Ah yeah, there is no erp_set_key, I meant erp_add_key. I was able to
> > figure out what is happening, explained in my reply to this post, but
> > for a short(ish) version:
> > 
> > ieee802_1x_learn_identity is being called to parse out the keyName-NAI
> > from the ERP packet, which is then set as 'identity' on the eapol state
> > machine. This identity is used in ieee802_1x_encapsulate_radius as the
> > RADIUS_ATTR_USER_NAME attribute for the radius packet.
> > 
> > The issue here is RADIUS expects the full user name (e.g.
> > user@example.com) in order to look up/create a session. But the ERP
> > packet contains the keyName-NAI (e.g. 99cf9651efb22254@example.com).
> > Hence the lookup fails. If I hack ieee802_1x_learn_identity to instead
> > set my expected user name, RADIUS is happy, creates a session, grabs
> > the ERP keys and sends back EAP-Finish (encapsulated in FILS Wrapped
> > data).
> 
> I was trying to understand this part from the earlier messages without
> success since what you described here for User-Name selection is the way
> this is supposed to work.. That's why I asked for debug logs and
> configuration files. Anyway, I think I figured out what you mean here
> and why that "fixes" the issue (while breaking the contents of the
> RADIUS Access-Request).
> 
> > So with my little hack it all works as I would expect. I haven't ever
> > had much luck running the hostapd hwsim tests in the past, but if you
> > say they work as expected then maybe it's worth my time to figure it
> > out. If the logic I am describing does not happen with the hwsim tests
> > then I may be doing something incorrect. But looking at the logic in
> > _learn_identity, I don't really see how setting the keyName-NAI as the
> > RADIUS user name would ever work (unless RADIUS actually looks up the
> > ERP key to get the proper user name, which it doesn't AFAIK).
> 
> That thing mentioned in the parenthetical is indeed what should be
> happening here.. I did not notice this since I was always testing with
> EAP user database that included a wildcard entry that matches with the
> ERP keyName-NAI. Anything like "* TLS" in the eap_user.conf would make
> this matching work..
> 
> I'll modify the User-Name matching code for RADIUS server to have a
> separate check for stored keyName-NAI values for ERP to remove need for
> that wildcard entry.

Awesome! Thanks. Yeah I see the wildcard entries now and it all makes
sense why the hwsim tests would work. Thanks for taking a look at this.

- James

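The User-Name resolution discussed above, written out as an added illustration (this is not code from hostapd or from either poster). It assumes simplified struct types, the hypothetical functions is_keyname_nai and resolve_user_name, and constructed sample entries that mirror the values quoted in the thread: an ERP key stored under the keyName-NAI 99cf9651efb22254@example.com for the identity user@example.com, a strict user database with only that identity, and a second database carrying a "* TLS" wildcard entry.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Illustrative types only, not hostapd's own. A stored ERP key remembers the
 * keyName-NAI the peer will send in EAP-Initiate/Re-auth and the identity
 * from the full EAP authentication that derived the EMSK. */
struct erp_key {
	const char *keyname_nai; /* e.g. "99cf9651efb22254@example.com" */
	const char *identity;    /* e.g. "user@example.com" */
};

/* One eap_user.conf style entry; "*" is the wildcard identity. */
struct eap_user {
	const char *identity;
	const char *methods;
};

enum user_match {
	MATCH_NONE = 0,
	MATCH_ERP_KEYNAME, /* User-Name matched a stored ERP keyName-NAI */
	MATCH_EXACT,       /* User-Name matched a configured identity */
	MATCH_WILDCARD     /* only a "*" entry matched */
};

/* RFC 6696 keyName-NAI shape: EMSKname (64 bits as 16 hex digits), '@', a
 * non-empty realm. This is a format check only; nothing is looked up. */
bool is_keyname_nai(const char *s)
{
	size_t i;

	if (s == NULL)
		return false;
	for (i = 0; i < 16; i++)
		if (!isxdigit((unsigned char) s[i]))
			return false; /* also rejects a too-short string */
	return s[16] == '@' && s[17] != '\0';
}

/* Resolve a RADIUS User-Name: consult the ERP key store first, then the EAP
 * user database (exact match before wildcard). *identity_out receives the
 * identity to use for the session, or NULL when nothing matched. */
enum user_match resolve_user_name(const char *user_name,
				  const struct erp_key *keys, size_t nkeys,
				  const struct eap_user *users, size_t nusers,
				  const char **identity_out)
{
	size_t i;
	bool have_wildcard = false;

	*identity_out = NULL;
	if (user_name == NULL)
		return MATCH_NONE;

	if (is_keyname_nai(user_name)) {
		for (i = 0; i < nkeys; i++) {
			if (strcmp(keys[i].keyname_nai, user_name) == 0) {
				*identity_out = keys[i].identity;
				return MATCH_ERP_KEYNAME;
			}
		}
	}

	for (i = 0; i < nusers; i++) {
		if (strcmp(users[i].identity, "*") == 0) {
			have_wildcard = true;
			continue;
		}
		if (strcmp(users[i].identity, user_name) == 0) {
			*identity_out = users[i].identity;
			return MATCH_EXACT;
		}
	}

	if (have_wildcard) {
		*identity_out = user_name;
		return MATCH_WILDCARD;
	}
	return MATCH_NONE;
}

/* Constructed sample data mirroring the values quoted in the thread. */
static const struct erp_key sample_keys[] = {
	{ "99cf9651efb22254@example.com", "user@example.com" },
};
static const struct eap_user strict_users[] = {
	{ "user@example.com", "TLS" },
};
static const struct eap_user wildcard_users[] = {
	{ "user@example.com", "TLS" },
	{ "*", "TLS" },
};
```

Calling resolve_user_name with the keyName-NAI, an empty key store and strict_users returns MATCH_NONE, which is the failed session lookup James hit; the same call against wildcard_users returns MATCH_WILDCARD, which is why a "* TLS" entry made the hwsim tests pass. Passing sample_keys makes the strict database sufficient: the keyName-NAI is found in the key store first and the session is tied back to user@example.com without any wildcard. The real hostapd matching does more than this sketch (realm handling, key lifetimes), so treat it as the shape of the check, not its implementation.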