Cannot lookup EAP user on reauthentication (PEAP/TTLS)
Alan DeKok
aland at deployingradius.com
Fri May 27 06:54:59 PDT 2022
On May 26, 2022, at 6:21 PM, James Prestwood <prestwoj at gmail.com> wrote:
> For tunneled methods like PEAP/TTLS, on a reauthentication request,
> hostapd uses the phase2 identity stored in the sm but hard codes the
> phase to 0. This happens in eap_sm_Policy_getDecision().
The outer identity should be the same for both the initial authentication, and any resumption. For details, see:
https://datatracker.ietf.org/doc/html/rfc9190#section-2.1.3
When NAI reuse can be done without privacy implications, it is RECOMMENDED to use the same NAI in the resumption as was used in the original full handshake [RFC7542].
Changing outer identities for resumption seems wrong.
Alan DeKok.