On Mon, Apr 08, 2019 at 10:41:04AM -0700, James Prestwood wrote:
> Ah yeah, there is no erp_set_key, I meant erp_add_key. I was able to
> figure out what is happening, explained in my reply to this post, but
> for a short(ish) version:
>
> ieee802_1x_learn_identity is being called to parse out the keyName-NAI
> from the ERP packet, which is then set as 'identity' on the eapol state
> machine. This identity is used in ieee802_1x_encapsulate_radius as the
> RADIUS_ATTR_USER_NAME attribute for the radius packet.
>
> The issue here is RADIUS expects the full user name (e.g.
> user@xxxxxxxxxxx) in order to look up/create a session. But the ERP
> packet contains the keyName-NAI (e.g. 99cf9651efb22254@xxxxxxxxxxx).
> Hence the lookup fails. If I hack ieee802_1x_learn_identity to instead
> set my expected user name, RADIUS is happy, creates a session, grabs
> the ERP keys and sends back EAP-Finish (encapsulated in FILS Wrapped
> data).

I was trying to understand this part from the earlier messages without
success since what you described here for User-Name selection is the way
this is supposed to work.. That's why I asked for debug logs and
configuration files. Anyway, I think I figured out what you mean here
and why that "fixes" the issue (while breaking the contents of the
RADIUS Access-Request).

> So with my little hack it all works as I would expect. I haven't ever
> had much luck running the hostapd hwsim tests in the past, but if you
> say they work as expected then maybe it's worth my time to figure it
> out. If the logic I am describing does not happen with the hwsim tests
> then I may be doing something incorrect. But looking at the logic in
> _learn_identity, I don't really see how setting the keyName-NAI as the
> RADIUS user name would ever work (unless RADIUS actually looks up the
> ERP key to get the proper user name, which it doesn't AFAIK).

That thing mentioned in the parenthetical is indeed what should be
happening here.. I did not notice this since I was always testing with an
EAP user database that included a wildcard entry that matches with the
ERP keyName-NAI. Anything like "* TLS" in the eap_user.conf would make
this matching work.. I'll modify the User-Name matching code for the
RADIUS server to have a separate check for stored keyName-NAI values for
ERP to remove the need for that wildcard entry.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
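The thread above describes three lookup behaviours on the RADIUS server side: the ERP keyName-NAI arriving as User-Name and failing against an exact-match EAP user database, a wildcard `eap_user.conf` entry such as `* TLS` silently making that lookup succeed, and the proposed fix of checking stored ERP keyName-NAI values before consulting the user database. The following is an added toy model of that lookup order, written for this discussion and not code from hostapd; the class names, the realm `example.org`, the keyName-NAI `0123456789abcdef@example.org` and the rRK bytes are all constructed for illustration.

```python
# Added illustration (not hostapd code): model the RADIUS server's
# User-Name lookup for an initial EAP authentication versus an ERP
# re-authentication, and show why a wildcard eap_user entry masks the
# missing keyName-NAI check that the thread proposes to add.
import fnmatch
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EapUserDb:
    """Toy stand-in for eap_user.conf: list of (identity pattern, EAP method)."""
    entries: list = field(default_factory=list)

    def lookup(self, user_name: str) -> Optional[str]:
        # Exact identity match takes priority; wildcard ("*") entries are
        # consulted only afterwards. This mirrors the idea of a catch-all
        # "* TLS" line matching any User-Name, including a keyName-NAI.
        for pattern, method in self.entries:
            if pattern == user_name:
                return method
        for pattern, method in self.entries:
            if "*" in pattern and fnmatch.fnmatchcase(user_name, pattern):
                return method
        return None


@dataclass
class ErpKeyStore:
    """Toy store of ERP keys: keyName-NAI -> (full user NAI, rRK)."""
    keys: dict = field(default_factory=dict)

    def add(self, keyname_nai: str, user_nai: str, rrk: bytes) -> None:
        # Constructed: the server remembers which subscriber a keyName-NAI
        # belongs to when the ERP key is derived after a full EAP exchange.
        self.keys[keyname_nai] = (user_nai, rrk)


def resolve_user(user_name: str, db: EapUserDb, erp: ErpKeyStore,
                 erp_aware: bool) -> Optional[str]:
    """Return the subscriber identity the server will bind the session to,
    or None when the User-Name matches nothing (the failure in the thread).

    erp_aware=False models the behaviour before the proposed change: the
    User-Name is only matched against the EAP user database.
    erp_aware=True adds the separate check for stored keyName-NAI values.
    """
    if erp_aware and user_name in erp.keys:
        # keyName-NAI recognised: recover the real user identity from the
        # stored ERP key instead of treating the keyName-NAI as a user.
        return erp.keys[user_name][0]
    if db.lookup(user_name) is not None:
        return user_name
    return None


# Constructed sample data for a stand-alone run.
USER_NAI = "user@example.org"
KEYNAME_NAI = "0123456789abcdef@example.org"
ERP_STORE = ErpKeyStore()
ERP_STORE.add(KEYNAME_NAI, USER_NAI, rrk=b"\x11" * 32)
STRICT_DB = EapUserDb([(USER_NAI, "TLS")])
WILDCARD_DB = EapUserDb([(USER_NAI, "TLS"), ("*", "TLS")])


def scenarios() -> dict:
    """Run the three cases discussed in the thread and return the outcomes."""
    return {
        # Initial authentication with the full NAI: works in every setup.
        "initial_auth": resolve_user(USER_NAI, STRICT_DB, ERP_STORE, False),
        # ERP re-auth, no wildcard, no keyName-NAI check: lookup fails.
        "erp_strict_db": resolve_user(KEYNAME_NAI, STRICT_DB, ERP_STORE, False),
        # ERP re-auth with "* TLS": succeeds, but only by matching the
        # keyName-NAI itself, which is what hid the problem in testing.
        "erp_wildcard_db": resolve_user(KEYNAME_NAI, WILDCARD_DB, ERP_STORE, False),
        # ERP re-auth with the separate keyName-NAI check: real user found
        # without any wildcard entry.
        "erp_keyname_check": resolve_user(KEYNAME_NAI, STRICT_DB, ERP_STORE, True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The `erp_wildcard_db` case is the one worth noticing when reading test results: it reports success, yet the session is bound to the keyName-NAI string rather than to the subscriber, so a passing hwsim run with a catch-all user entry does not demonstrate that keyName-NAI handling is correct.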