Re: [PATCH] EAP-TEAP peer: keep inner EAP method when processing Identity method

On Wed, Nov 30, 2022 at 08:05:44PM +0200, Jouni Malinen wrote:
> On Wed, Nov 30, 2022 at 03:53:15PM +0000, Alexander Clouter wrote:
> > There are two instances of EAP-Identity in the tunnel.
> > 
> > 1. server->peer: Identity-Type-TLV + EAP-Payload-TLV[EAP-Identity]
> > 2. peer<->server: EAP-Payload-TLV[do EAP-<anything>]
> > 3. server->peer: {Intermediate-Success,Cryptobinding}-TLV + Identity-Type-TLV + EAP-Payload-TLV[EAP-Identity]
> > 4. server<-peer: {Intermediate-Success,Cryptobinding}-TLV + Identity-Type-TLV + EAP-Payload-TLV[EAP-Identity]
..

> While I have not yet managed to force hostapd to send the Crypto-Binding
> TLV after the second EAP-Request/Identity, I'm pretty sure that is the
> difference here between what you see with FreeRADIUS and I see with
> hostapd as the TEAP server.

I was able to reproduce this now. I had not used the optimized sequence
within the tunnel by combining the start of the next EAP method with the
cryptobinding of the previous one. I implemented that in hostapd and saw
the same issue in wpa_supplicant. This is now fixed in hostap.git using
the changes I described here. This will hopefully work with FreeRADIUS
as well.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
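
The combined message from step 3 of the quoted sequence, as an added example that is not code from hostap.git or from anyone in this thread: a small parser for decrypted TEAP Phase 2 TLVs that reports when one server message both closes the previous inner method and starts the next EAP-Identity round. The TLV type numbers and the 76-byte Crypto-Binding length are taken from RFC 7170; the function names and the sample bytes are constructed for illustration, and the thread's "Intermediate-Success" is assumed to mean the Intermediate-Result TLV with status Success.

```python
import struct

# TEAP TLV type numbers (RFC 7170 section 4.2); names here are illustrative.
TLV_NAMES = {2: "Identity-Type", 9: "EAP-Payload",
             10: "Intermediate-Result", 12: "Crypto-Binding"}
EAP_REQUEST, EAP_TYPE_IDENTITY = 1, 1

def tlv(tlv_type, value, mandatory=True):
    """Encode one TEAP TLV: M bit, R bit, 14-bit type, 16-bit length."""
    first = (0x8000 if mandatory else 0) | (tlv_type & 0x3FFF)
    return struct.pack("!HH", first, len(value)) + value

def parse_tlvs(buf):
    """Return [(type, mandatory, value)], rejecting truncated input."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TLV header")
        first, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise ValueError("TLV length exceeds remaining data")
        out.append((first & 0x3FFF, bool(first & 0x8000), buf[off:off + length]))
        off += length
    return out

def classify(buf):
    """Summarise a decrypted TEAP Phase 2 message sent by the server."""
    tlvs = parse_tlvs(buf)
    types = {t for t, _, _ in tlvs}
    starts_identity = False
    for t, _, v in tlvs:
        # EAP-Payload starts with an EAP packet: code, id, length(2), type
        if t == 9 and len(v) >= 5 and v[0] == EAP_REQUEST and v[4] == EAP_TYPE_IDENTITY:
            starts_identity = True
    return {
        "tlvs": [TLV_NAMES.get(t, str(t)) for t, _, _ in tlvs],
        "closes_previous_method": {10, 12} <= types,
        "starts_identity_round": starts_identity,
    }

# Constructed sample of step 3; the Crypto-Binding body is zero-filled, not a valid MAC.
eap_identity_req = struct.pack("!BBHB", EAP_REQUEST, 7, 5, EAP_TYPE_IDENTITY)
STEP3 = (tlv(10, struct.pack("!H", 1)) + tlv(12, bytes(76))
         + tlv(2, struct.pack("!H", 2), mandatory=False) + tlv(9, eap_identity_req))
```

When `classify(STEP3)` reports both flags as true, the message has the shape this thread is about: the cryptobinding for the method that just finished and the identity request that begins the next round arrive together.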


