On Fri, 2022-05-27 at 12:35 -0400, Alan DeKok wrote:
> > On May 27, 2022, at 12:22 PM, James Prestwood <prestwoj@xxxxxxxxx> wrote:
> > On Fri, 2022-05-27 at 09:54 -0400, Alan DeKok wrote:
> > >
> > > Changing outer identities for resumption seems wrong.
> >
> > I'm not sure I follow; EAP-TLS doesn't suffer this issue since it doesn't have two phases.
>
> I referenced the EAP-TLS document because the updated PEAP / TTLS / PEAP RFC will have similar requirements. Unfortunately, it's not done yet, so there's only a draft document available.
>
> > TTLS/PEAP use an anonymous/outer identity and the real identity for phase2, which is encrypted. Using the same identities for both phases removes any privacy from the real identity.
>
> I didn't say anything about using the same identity for both phases. I said that the same identity should be used for the initial authentication, and for resumption.

Yes, I misinterpreted what you said. But from what I can tell, the supplicant isn't even involved at the point when hostapd fails to look up the user (the supplicant hasn't even received an identity request). In my test I issue the EAPOL_REAUTH command to hostapd, which triggers the lookup based on the eap_sm's saved identity. This identity is phase2, since TTLS/PEAP overwrite sm->identity during the initial authentication.

I could care less what identity hostapd wants to use to look up the session, but since sm->identity is used for both phases, there needs to be some logic to determine what phase the identity goes with. Hard-coding to phase1 in all cases is wrong if sm->identity is for phase2.

Thanks,
James

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap