On Wed, Feb 08, 2017 at 05:47:57PM -0800, Paul Stewart wrote:
> The "anonymous_identity" configuration field has more than one
> semantic meaning. For tunneled EAP methods, this refers to the
> outer EAP identity. For EAP-SIM, this refers to the pseudonym
> identity. Also, interestingly, EAP-SIM can overwrite the
> "anonymous_identity" field if one is provided to it by the
> authenticator.
>
> When EAP-SIM is tunneled within an outer method, it makes sense
> to only use this value for the outer method, since it's unlikely
> that this will also be valid as an identity for the inner EAP-SIM
> method. Also, presumably since the outer method protects the
> EAP-SIM transaction, there is no need for a pseudonym in this
> usage.
>
> Similarly, if EAP-SIM is being used as an inner method, it must
> not push the pseudonym identity using eap_set_anon_id() since it
> could overwrite the identity for the outer EAP method.

Thanks, applied. I did the same changes for EAP-AKA as well and also
extended the EAP-TTLS/PEAP reauthentication cases to cover this
properly. With those changes, EAP-SIM and EAP-AKA worked fine with hwsim
test cases within an EAP-TTLS/PEAP/FAST tunnel, including the EAP
reauthentication sequence.

-- 
Jouni Malinen                                            PGP id EFC895FA
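
The rule described in the quoted commit message, as an added example that is not code from hostap or from this thread: a simplified model in which an inner EAP-SIM method neither reads nor overwrites "anonymous_identity". All struct and function names (peer_config, sim_state, sim_init, sim_identity, sim_store_pseudonym) and the identity strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model for illustration; not wpa_supplicant's real structures. */
struct peer_config {
    char identity[64];           /* permanent identity */
    char anonymous_identity[64]; /* outer identity OR EAP-SIM pseudonym */
};

struct sim_state { int use_pseudonym; };

/* Decide once at method init: a tunneled (inner) EAP-SIM never uses a pseudonym. */
void sim_init(struct sim_state *s, int is_inner)
{
    s->use_pseudonym = !is_inner;
}

/* Identity that EAP-SIM itself presents to the server. */
const char *sim_identity(const struct sim_state *s, const struct peer_config *c)
{
    if (s->use_pseudonym && c->anonymous_identity[0])
        return c->anonymous_identity;
    return c->identity;
}

/* Server supplied a new pseudonym; returns 1 if it was stored, 0 if ignored. */
int sim_store_pseudonym(const struct sim_state *s, struct peer_config *c,
                        const char *next)
{
    if (!s->use_pseudonym)
        return 0; /* inner method: leave the outer method's identity alone */
    snprintf(c->anonymous_identity, sizeof(c->anonymous_identity), "%s", next);
    return 1;
}

int main(void)
{
    /* Constructed sample values. */
    struct peer_config c = { "1232010000000000@example.org",
                             "anonymous@example.org" };
    struct sim_state s;

    sim_init(&s, 1); /* EAP-SIM inside a TTLS/PEAP/FAST tunnel */
    int stored = sim_store_pseudonym(&s, &c, "pseudonym-abc");
    printf("inner=%s stored=%d outer=%s\n", sim_identity(&s, &c), stored,
           c.anonymous_identity);
    return 0;
}
```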