On Tue, 2019-04-02 at 12:09 -0700, James Prestwood wrote:
> Hi,
>
> I am trying to get FILS working and it appears a RADIUS server is
> required for this? I am using EAP-PWD as the method for full EAP
> authentication, then trying to use FILS to authenticate using the
> cached ERP keys. I have played around with the configuration trying to
> eliminate the RADIUS server, but regardless of what I do the FILS
> authentication will always try to use RADIUS. The full EAP auth works
> fine, and I even see hostapd caching my ERP keys:
>
> EAP: Stored ERP keys 3d340950a519007f@xxxxxxxxxxx
>
> After this I disconnect, and reconnect using FILS. Unfortunately FILS
> tries to use RADIUS rather than the internal EAP/ERP server, and since
> the previous run never cached the ERP keys in the RADIUS server it only
> finds the full user identity, not the derived identity (above). Further
> I see in the hostapd RADIUS server implementation there is no use of
> the erp_add_key/erp_set_key functions. This makes me think the hostapd
> RADIUS server does not support ERP?
>
> If the hostapd RADIUS server does not support ERP is there a way to get
> FILS to use the internal EAP/ERP server? I have tried removing all the
> radius server options, but FILS still attempts to get a response from
> RADIUS regardless.
>
> Thanks,
> James

Ok, so I was able to hack hostapd to do what I expect (still possible
this is incorrect, but seems right to me). This is what is happening:

After a successful full EAP authentication I disconnect and reconnect
using FILS. I send my authenticate frame and hostapd parses out the FILS
Wrapped data (the ERP packet). This ERP data contains the keyName-NAI
which is what hostapd has previously cached. Before hostapd forwards
this to the RADIUS server it needs to build up a RADIUS message with the
ERP data encapsulated.

ieee802_1x_encapsulate_radius calls ieee802_1x_learn_identity which
parses the ERP data to find the "identity" (which is the keyName-NAI,
NOT the RADIUS user/identity). After this it sets what it thinks is the
identity as the EAPOL state machine's identity. This identity is then
used as the User-Name part of the RADIUS request. RADIUS receives this
and tries to look up the User-Name, which it will never find because the
User-Name sent was actually the keyName-NAI.

If I hack ieee802_1x_learn_identity to not use the keyName-NAI, I see
RADIUS successfully creating a session and looking up the ERP keys, and
hostapd continues on to association.

Rather than using the keyName-NAI as the RADIUS user name, the actual
identity needs to be looked up and used. Does ERP retain the full
identity? Or just the keyName-NAI? Or is there another way to obtain the
User-Name not via the ERP cache.

Thanks,
James

> _______________________________________________
> Hostap mailing list
> Hostap@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/hostap
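The User-Name mismatch described in the thread, as an added C example that is not hostapd's code: it pulls the keyName-NAI TLV out of an EAP-Initiate/Re-auth packet (RFC 6696 layout) and then resolves the RADIUS User-Name through an ERP cache instead of sending the keyName-NAI itself. The cache shape, the names `erp_cache`, `erp_keyname_nai`, `radius_user_name_for_erp` and `build_sample_reauth`, and the sample packet and cache entry are all constructed for this example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed ERP cache (hypothetical shape, not hostapd's): keyName-NAI -> identity */
struct erp_entry { const char *keyname_nai; const char *identity; };
static const struct erp_entry erp_cache[] = {
    { "3d340950a519007f@example.com", "user@example.com" },   /* constructed */
};
/* Extract the keyName-NAI TLV (type 1, RFC 6696) from an EAP-Initiate/Re-auth:
 * Code=5, Id, Length(2), Type=2, Flags, SEQ(2), TLVs... Returns NAI length or -1. */
int erp_keyname_nai(const uint8_t *pkt, size_t len, char *out, size_t outsz)
{
    if (len < 8 || pkt[0] != 5 || pkt[4] != 2) return -1;
    size_t eap_len = ((size_t)pkt[2] << 8) | pkt[3], pos = 8;
    if (eap_len > len) return -1;
    while (pos + 2 <= eap_len) {              /* stops at the first type-1 TLV */
        uint8_t type = pkt[pos], tlen = pkt[pos + 1];
        if (pos + 2 + tlen > eap_len || (type == 1 && tlen + 1 > outsz)) return -1;
        if (type == 1) {
            memcpy(out, pkt + pos + 2, tlen); out[tlen] = '\0';
            return tlen;
        }
        pos += 2 + tlen;
    }
    return -1;                                /* no keyName-NAI TLV present */
}

/* RADIUS User-Name for a FILS/ERP re-auth: resolve the keyName-NAI through the
 * ERP cache rather than sending the keyName-NAI itself as User-Name. */
const char *radius_user_name_for_erp(const uint8_t *pkt, size_t len)
{
    char nai[256];
    if (erp_keyname_nai(pkt, len, nai, sizeof nai) < 0) return NULL;
    for (size_t i = 0; i < sizeof erp_cache / sizeof erp_cache[0]; i++)
        if (strcmp(erp_cache[i].keyname_nai, nai) == 0)
            return erp_cache[i].identity;
    return NULL;                  /* unknown NAI: caller falls back to full EAP */
}

/* Constructed EAP-Initiate/Re-auth carrying the cached keyName-NAI; the
 * cryptosuite byte and 16-byte authentication tag are zero placeholders. */
size_t build_sample_reauth(uint8_t *buf)
{
    static const char nai[] = "3d340950a519007f@example.com";
    size_t n = strlen(nai), total = 8 + 2 + n + 1 + 16;
    uint8_t hdr[8] = { 5, 1, (uint8_t)(total >> 8), (uint8_t)total, 2, 0, 0, 1 };
    memcpy(buf, hdr, 8);
    buf[8] = 1; buf[9] = (uint8_t)n;          /* TLV type 1, length */
    memcpy(buf + 10, nai, n); memset(buf + 10 + n, 0, 17);
    return total;
}
```

A re-auth whose keyName-NAI is not in the cache resolves to NULL, which is the point at which an authenticator would have to fall back to full EAP rather than send the NAI as User-Name.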