Empty EAP-FAST exchange after Phase 1 authentication

Jouni Malinen j at w1.fi
Tue Jun 26 23:08:18 EDT 2007


On Tue, Jun 26, 2007 at 04:59:07PM -0400, Eric Fung wrote:

> I noticed that hostapd expects an empty EAP-FAST Request/Response exchange 
> after Phase 1 Authentication (using a valid PAC-Opaque) completes successfully 
> before proceeding to Phase 2. RFC 4851 does not show this exchange, but shows 
> TLVs being sent inside the tunnel immediately in the next message.

Thanks for testing and reporting this! The EAP-FAST server side
implementation is still quite experimental and it hasn't yet received
much testing. It is based on the EAP-PEAP implementation that did not
support session resumption or abbreviated TLS handshake. Consequently,
it did not really expect Phase 1 to be completed with a message from the
peer.

I fixed this now by allowing the server to bypass the extra state that
is needed in the non-abbreviated TLS case and move directly into sending
Phase 2 data as a response to the received TLS ClientFinished message.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list