Cannot lookup EAP user on reauthentication (PEAP/TTLS)

Alan DeKok aland at deployingradius.com
Fri May 27 06:54:59 PDT 2022


On May 26, 2022, at 6:21 PM, James Prestwood <prestwoj at gmail.com> wrote:
> For tunneled methods like PEAP/TTLS, on a reauthentication request,
> hostapd uses the phase2 identity stored in the sm but hard codes the
> phase to 0. This happens in eap_sm_Policy_getDecision().

  The outer identity should be the same for both the initial authentication, and any resumption.  For details, see:

https://datatracker.ietf.org/doc/html/rfc9190#section-2.1.3

   When NAI reuse can be
   done without privacy implications, it is RECOMMENDED to use the same
   NAI in the resumption as was used in the original full handshake
   [RFC7542]
  
  Changing outer identities for resumption seems wrong.

  Alan DeKok.




More information about the Hostap mailing list