[PATCH] EAP-SIM: Don't use anonymous identity in phase2

Jouni Malinen j at w1.fi
Fri Feb 10 10:12:26 PST 2017

On Wed, Feb 08, 2017 at 05:47:57PM -0800, Paul Stewart wrote:
> The "anonymous_identity" configuration field has more than one
> semantic meaning.  For tunneled EAP methods, this refers to the
> outer EAP identity.  For EAP-SIM, this refers to the pseudonym
> identity.  Also, interestingly, EAP-SIM can overwrite the
> "anonymous_identity" field if one is provided to it by the
> authenticator.
> When EAP-SIM is tunneled within an outer method, it makes sense
> to only use this value for the outer method, since it's unlikely
> that this will also be valid as an identity for the inner EAP-SIM
> method.  Also, presumably since the outer method protects the
> EAP-SIM transaction, there is no need for a pseudonym in this
> usage.
> Similarly, if EAP-SIM is being used as an inner method, it must
> not push the pseudonym identity using eap_set_anon_id() since it
> could overwrite the identity for the outer EAP method.

Thanks, applied. I did same changes for EAP-AKA as well and also
extended the EAP-TTLS/PEAP reauthentication cases to cover this
properly. With those changes, EAP-SIM and EAP-AKA worked fine with hwsim
test cases within EAP-TTLS/PEAP/FAST tunnel; including the EAP
reauthentication sequence.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list