On Tue, 2019-04-09 at 00:18 +0300, Jouni Malinen wrote:
> On Mon, Apr 08, 2019 at 10:41:04AM -0700, James Prestwood wrote:
> > Ah yeah, there is no erp_set_key, I meant erp_add_key. I was able to
> > figure out what is happening, explained in my reply to this post, but
> > for a short(ish) version:
> >
> > ieee802_1x_learn_identity is being called to parse out the keyName-NAI
> > from the ERP packet, which is then set as 'identity' on the eapol state
> > machine. This identity is used in ieee802_1x_encapsulate_radius as the
> > RADIUS_ATTR_USER_NAME attribute for the radius packet.
> >
> > The issue here is RADIUS expects the full user name (e.g.
> > user@xxxxxxxxxxx) in order to look up/create a session. But the ERP
> > packet contains the keyName-NAI (e.g. 99cf9651efb22254@xxxxxxxxxxx).
> > Hence the lookup fails. If I hack ieee802_1x_learn_identity to instead
> > set my expected user name, RADIUS is happy, creates a session, grabs
> > the ERP keys and sends back EAP-Finish (encapsulated in FILS Wrapped
> > data).
>
> I was trying to understand this part from the earlier messages without
> success since what you described here for User-Name selection is the way
> this is supposed to work.. That's why I asked for debug logs and
> configuration files. Anyway, I think I figured out what you mean here
> and why that "fixes" the issue (while breaking the contents of the
> RADIUS Access-Request).
>
> > So with my little hack it all works as I would expect. I haven't ever
> > had much luck running the hostapd hwsim tests in the past, but if you
> > say they work as expected then maybe it's worth my time to figure it
> > out. If the logic I am describing does not happen with the hwsim tests
> > then I may be doing something incorrect. But looking at the logic in
> > _learn_identity, I don't really see how setting the keyName-NAI as the
> > RADIUS user name would ever work (unless RADIUS actually looks up the
> > ERP key to get the proper user name, which it doesn't AFAIK).
>
> That thing mentioned in the parenthetical is indeed what should be
> happening here.. I did not notice this since I was always testing with
> EAP user database that included a wildcard entry that matches with the
> ERP keyName-NAI. Anything like "* TLS" in the eap_user.conf would make
> this matching work..
>
> I'll modify the User-Name matching code for RADIUS server to have a
> separate check for stored keyName-NAI values for ERP to remove need for
> that wildcard entry.

Awesome! Thanks. Yeah I see the wildcard entries now and it all makes
sense why the hwsim tests would work. Thanks for taking a look at this.

- James

> _______________________________________________
> Hostap mailing list
> Hostap@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/hostap
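As an added illustration (not hostapd code, and not from either author), a Python model of the lookup the thread describes: the keyName-NAI learned from the ERP packet becomes the RADIUS User-Name, which fails against a plain user database, only matches via a `"* TLS"`-style wildcard entry, and succeeds without one once stored ERP keyName-NAI values get their own check. The eap_user.conf semantics here (a bare `*` entry matches anything, a wildcard entry matches by prefix) are simplifying assumptions, and every identity and key name is constructed.

```python
# Model of the ERP User-Name lookup problem from the thread; not hostapd code.
# Simplified eap_user.conf semantics assumed; all identities are constructed.
from dataclasses import dataclass, field


@dataclass
class EapUser:
    identity: str           # identity string from eap_user.conf
    methods: str            # EAP method list for the entry, e.g. "TLS"
    wildcard: bool = False  # True for a "*"-style entry (prefix match)


@dataclass
class EapServer:
    users: list                                 # eap_user.conf entries
    erp_keys: set = field(default_factory=set)  # keyName-NAI values stored at full auth

    def lookup_user(self, identity):
        """Lookup as James observed it: User-Name is matched only against the
        user database, so a keyName-NAI finds nothing unless a wildcard exists."""
        for user in self.users:
            if user.wildcard:
                if identity.startswith(user.identity):
                    return user.methods
            elif user.identity == identity:
                return user.methods
        return None

    def lookup_user_with_erp(self, identity):
        """The change Jouni proposes: a separate check of stored ERP keyName-NAI
        values, so re-authentication needs no wildcard entry."""
        if identity in self.erp_keys:
            return "ERP"
        return self.lookup_user(identity)


def demo():
    plain = EapServer(users=[EapUser("user@example.com", "TLS")])
    wild = EapServer(users=[EapUser("user@example.com", "TLS"),
                            EapUser("", "TLS", wildcard=True)])
    key_name_nai = "99cf9651efb22254@example.com"  # constructed keyName-NAI
    for srv in (plain, wild):
        srv.erp_keys.add(key_name_nai)  # key derived during the full EAP auth
    return {
        "full_auth": plain.lookup_user("user@example.com"),        # "TLS"
        "reauth_no_wildcard": plain.lookup_user(key_name_nai),     # None
        "reauth_with_wildcard": wild.lookup_user(key_name_nai),    # "TLS"
        "reauth_fixed": plain.lookup_user_with_erp(key_name_nai),  # "ERP"
    }
```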