Cannot lookup EAP user on reauthentication (PEAP/TTLS)
aland at deployingradius.com
Fri May 27 06:54:59 PDT 2022
On May 26, 2022, at 6:21 PM, James Prestwood <prestwoj at gmail.com> wrote:
> For tunneled methods like PEAP/TTLS, on a reauthentication request,
> hostapd uses the phase2 identity stored in the sm but hard codes the
> phase to 0. This happens in eap_sm_Policy_getDecision().
The outer identity should be the same for both the initial authentication and any resumption. For details, see:
When NAI reuse can be
done without privacy implications, it is RECOMMENDED to use the same
NAI in the resumption as was used in the original full handshake
Changing outer identities for resumption seems wrong.