Re: [PATCH] EAP-SIM: Don't use anonymous identity in phase2

On Wed, Feb 08, 2017 at 05:47:57PM -0800, Paul Stewart wrote:
> The "anonymous_identity" configuration field has more than one
> semantic meaning.  For tunneled EAP methods, this refers to the
> outer EAP identity.  For EAP-SIM, this refers to the pseudonym
> identity.  Also, interestingly, EAP-SIM can overwrite the
> "anonymous_identity" field if one is provided to it by the
> authenticator.
> 
> When EAP-SIM is tunneled within an outer method, it makes sense
> to only use this value for the outer method, since it's unlikely
> that this will also be valid as an identity for the inner EAP-SIM
> method.  Also, presumably since the outer method protects the
> EAP-SIM transaction, there is no need for a pseudonym in this
> usage.
> 
> Similarly, if EAP-SIM is being used as an inner method, it must
> not push the pseudonym identity using eap_set_anon_id() since it
> could overwrite the identity for the outer EAP method.

Thanks, applied. I did the same changes for EAP-AKA as well and also
extended the EAP-TTLS/PEAP reauthentication cases to cover this
properly. With those changes, EAP-SIM and EAP-AKA worked fine with hwsim
test cases within the EAP-TTLS/PEAP/FAST tunnel, including the EAP
reauthentication sequence.

-- 
Jouni Malinen                                            PGP id EFC895FA
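The two rules from the quoted commit message, as an added illustration that is not wpa_supplicant code: a small Python model in which the `NetworkConfig` fields, the `phase2` flag, the function names and the IMSI-style identity are all assumptions, showing how an inner EAP-SIM pseudonym could clobber the outer identity before the change and why it is left alone in phase2 afterwards.

```python
# Added example, not from wpa_supplicant. Models the anonymous_identity
# handling described in the patch; all names and sample values are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class NetworkConfig:
    identity: str                              # permanent identity (IMSI-based for EAP-SIM)
    anonymous_identity: Optional[str] = None   # outer identity, or EAP-SIM pseudonym

def sim_initial_identity(cfg: NetworkConfig, phase2: bool) -> str:
    """Identity EAP-SIM presents. Standalone, a stored pseudonym in
    anonymous_identity is preferred; inside a tunnel (phase2) that field
    belongs to the outer method, so the permanent identity is used."""
    if not phase2 and cfg.anonymous_identity:
        return cfg.anonymous_identity
    return cfg.identity

def sim_store_pseudonym(cfg: NetworkConfig, phase2: bool, pseudonym: str) -> bool:
    """Authenticator handed EAP-SIM a new pseudonym. Returns True if stored.
    In phase2 the store is skipped so the outer identity is not overwritten
    (the equivalent of not calling eap_set_anon_id())."""
    if phase2:
        return False
    cfg.anonymous_identity = pseudonym
    return True

def sim_store_pseudonym_unfixed(cfg: NetworkConfig, pseudonym: str) -> None:
    """Pre-change behaviour: the pseudonym is always written back."""
    cfg.anonymous_identity = pseudonym

def demo() -> dict:
    """Run inner EAP-SIM (phase2=True) under an outer tunnel in both modes and
    report what the outer identity looks like afterwards."""
    outer = "anonymous@example.com"                      # constructed outer identity
    perm = "1232010000000000@example.com"                # constructed IMSI-style identity
    new_pseudonym = "3ab12cd@example.com"                # constructed pseudonym from server
    unfixed = NetworkConfig(identity=perm, anonymous_identity=outer)
    sim_store_pseudonym_unfixed(unfixed, new_pseudonym)  # outer identity is lost here
    fixed = NetworkConfig(identity=perm, anonymous_identity=outer)
    sim_store_pseudonym(fixed, phase2=True, pseudonym=new_pseudonym)
    return {
        "inner_identity_used": sim_initial_identity(fixed, phase2=True),
        "unfixed_outer_identity_after": unfixed.anonymous_identity,
        "fixed_outer_identity_after": fixed.anonymous_identity,
    }

if __name__ == "__main__":
    print(demo())
```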

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap