Cannot lookup EAP user on reauthentication (PEAP/TTLS)
prestwoj at gmail.com
Fri May 27 10:06:33 PDT 2022
On Fri, 2022-05-27 at 12:35 -0400, Alan DeKok wrote:
> On May 27, 2022, at 12:22 PM, James Prestwood <prestwoj at gmail.com>
> > On Fri, 2022-05-27 at 09:54 -0400, Alan DeKok wrote:
> > >
> > > Changing outer identities for resumption seems wrong.
> > I'm not sure I follow, EAP-TLS doesn't suffer this issue since it
> > doesn't have two phases.
> I referenced the EAP-TLS document because the updated PEAP / TTLS /
> PEAP RFC will have similar requirements. Unfortunately, it's not
> done yet, so there's only a draft document available.
> > TTLS/PEAP use an anonymous/outer identity and
> > the real identity for phase2 which is encrypted. Using the same
> > identities for both phases removes any privacy from the real
> > identity.
> I didn't say anything about using the same identity for both
> I said that the same identity should be used for the initial
> authentication, and for resumption.
Yes, I misinterpreted what you said. But from what I can tell, the
supplicant isn't even involved at the point when hostapd fails to look
up the user (the supplicant hasn't even received an identity request).
In my test I issue the EAPOL_REAUTH command to hostapd, which triggers
the lookup based on the eap_sm's saved identity. This identity is
phase2 since TTLS/PEAP overwrite sm->identity during the initial

I could care less what identity hostapd wants to use to look up the
session, but since sm->identity is used for both phases there needs to
be some logic to determine which phase the identity goes with. Hard-coding
to phase1 in all cases is wrong if sm->identity is for phase2.
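To illustrate the lookup problem described in this thread, here is a constructed Python model (added here, not hostapd code and not the poster's): a state machine with a single identity slot that phase 2 overwrites, so a reauth lookup hard-coded to the outer identity fails, beside a variant that keeps the outer and inner identities apart. The user tables and identities are made-up sample data.

```python
from dataclasses import dataclass

# Constructed sample data: outer (anonymous) identities are what the server
# sees in phase 1; inner identities carry the real phase-2 credentials.
OUTER_USERS = {"anonymous@example.org": {"method": "TTLS"}}
INNER_USERS = {"alice@example.org": {"password": "placeholder"}}


@dataclass
class EapSession:
    """Stand-in for an EAP server state machine with one identity slot."""
    identity: str = ""

    def phase2_auth(self, inner_identity: str) -> bool:
        # Phase 2 replaces the single slot, as the thread describes for sm->identity.
        self.identity = inner_identity
        return inner_identity in INNER_USERS


def lookup_on_reauth_single_slot(sm: EapSession):
    """Reauth lookup hard-coded to the phase-1 (outer) table."""
    return OUTER_USERS.get(sm.identity)


@dataclass
class EapSessionSeparated:
    """Keeps outer and inner identities apart so reauth can use the outer one."""
    outer_identity: str = ""
    inner_identity: str = ""

    def phase2_auth(self, inner_identity: str) -> bool:
        self.inner_identity = inner_identity  # outer_identity is untouched
        return inner_identity in INNER_USERS


def lookup_on_reauth_separated(sm: EapSessionSeparated):
    return OUTER_USERS.get(sm.outer_identity)


def demo():
    """Returns (single-slot lookup result, separated lookup result)."""
    sm = EapSession(identity="anonymous@example.org")
    sm.phase2_auth("alice@example.org")
    broken = lookup_on_reauth_single_slot(sm)  # None: slot now holds the inner identity
    sm2 = EapSessionSeparated(outer_identity="anonymous@example.org")
    sm2.phase2_auth("alice@example.org")
    fixed = lookup_on_reauth_separated(sm2)
    return broken, fixed
```

Keeping the inner identity out of the outer table also preserves the privacy property the thread mentions: the real identity never has to appear where only the outer one is expected.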