[PATCH] EAP-TEAP peer: keep inner EAP method when processing Identity method

Jouni Malinen j at w1.fi
Thu Dec 1 08:45:12 PST 2022


On Wed, Nov 30, 2022 at 08:05:44PM +0200, Jouni Malinen wrote:
> On Wed, Nov 30, 2022 at 03:53:15PM +0000, Alexander Clouter wrote:
> > There are two instances of EAP-Identity in the tunnel.
> > 
> > 1. server->peer: Identity-Type-TLV + EAP-Payload-TLV[EAP-Identity]
> > 2. peer<->server: EAP-Payload-TLV[do EAP-<anything>]
> > 3. server->peer: {Intermediate-Success,Cryptobinding}-TLV + Identity-Type-TLV + EAP-Payload-TLV[EAP-Identity]
> > 4. server<-peer: {Intermediate-Success,Cryptobinding}-TLV + Identity-Type-TLV + EAP-Payload-TLV[EAP-Identity]
..

> While I have not yet managed to force hostapd to send the Crypto-Binding
> TLV after the second EAP-Request/Identity, I'm pretty sure that is the
> difference here between what you see with FreeRADIUS and I see with
> hostapd as the TEAP server.

I was able to reproduce this now. I had not used the optimized sequence
within the tunnel by combining the start of the next EAP method with the
cryptobinding of the previous one. I implemented that in hostapd and saw
the same issue in wpa_supplicant. This is now fixed in hostap.git using
the changes I described here. This will hopefully work with FreeRADIUS
as well.

-- 
Jouni Malinen                                            PGP id EFC895FA
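The optimized sequence discussed above (Crypto-Binding of the finished inner method carried in the same tunnel message as the next EAP-Request/Identity), as an added model that is not hostap or FreeRADIUS code. It assumes, for illustration only, that the pre-fix peer reset its inner method state on the Identity method before checking the Crypto-Binding TLV; the TLV names and key value are constructed.

```python
# Added model of the thread's inner-tunnel exchange; not hostap code. TLV type
# names are labels for this model, not RFC 7170 numeric values.
import hashlib, hmac

INTERMEDIATE_SUCCESS, CRYPTO_BINDING, IDENTITY_TYPE, EAP_PAYLOAD = range(4)

def crypto_binding(inner_key: bytes) -> bytes:
    # Stand-in for the Crypto-Binding MAC derived from the finished inner method
    return hmac.new(inner_key, b"teap-crypto-binding", hashlib.sha256).digest()

class TeapPeer:
    def __init__(self, reset_on_identity_first: bool):
        self.buggy = reset_on_identity_first  # True models the assumed pre-fix peer
        self.inner_method = None  # inner EAP method whose key material is kept
        self.inner_key = None
        self.bindings_verified = 0

    def _start_identity(self):
        # A new inner EAP-Identity round begins; previous method state is dropped
        self.inner_method, self.inner_key = b"Identity", None

    def _verify_binding(self, mac: bytes):
        if self.inner_key is None:
            raise ValueError("Crypto-Binding TLV but inner method key is gone")
        if not hmac.compare_digest(crypto_binding(self.inner_key), mac):
            raise ValueError("Crypto-Binding TLV MAC mismatch")
        self.bindings_verified += 1

    def process(self, tlvs):
        # Handle one server->peer tunnel message (step 3 in the thread)
        by_type = dict(tlvs)
        if self.buggy and by_type.get(EAP_PAYLOAD) == b"Identity":
            self._start_identity()  # pre-fix: Identity handled before binding
        if CRYPTO_BINDING in by_type:
            self._verify_binding(by_type[CRYPTO_BINDING])
        if not self.buggy and by_type.get(EAP_PAYLOAD) == b"Identity":
            self._start_identity()  # fixed: binding checked, then new method

def run_optimized_sequence(buggy: bool) -> bool:
    # True if the peer verified the combined Crypto-Binding + Identity message
    peer = TeapPeer(reset_on_identity_first=buggy)
    peer.inner_method, peer.inner_key = b"EAP-inner", b"\x11" * 32  # step 2 done
    message = [(INTERMEDIATE_SUCCESS, b""), (CRYPTO_BINDING, crypto_binding(peer.inner_key)),
               (IDENTITY_TYPE, b"user"), (EAP_PAYLOAD, b"Identity")]  # step 3
    try:
        peer.process(message)
    except ValueError:
        return False
    return peer.bindings_verified == 1 and peer.inner_method == b"Identity"
```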