Cannot lookup EAP user on reauthentication (PEAP/TTLS)

Alan DeKok aland at
Fri May 27 06:54:59 PDT 2022

On May 26, 2022, at 6:21 PM, James Prestwood <prestwoj at> wrote:
> For tunneled methods like PEAP/TTLS, on a reauthentication request,
> hostapd uses the phase2 identity stored in the sm but hard codes the
> phase to 0. This happens in eap_sm_Policy_getDecision().

  The outer identity should be the same for both the initial authentication, and any resumption.  For details, see:

   When NAI reuse can be
   done without privacy implications, it is RECOMMENDED to use the same
   NAI in the resumption as was used in the original full handshake

  Changing outer identities for resumption seems wrong.

  Alan DeKok.
