fast re-auth configuration issues

Jouni Malinen j at w1.fi
Thu Apr 3 09:14:43 EDT 2008


On Thu, Apr 03, 2008 at 11:27:26AM +0200, jan terje tønnessen wrote:

> When setting up EAP-SIM it works with the initial setup (full authentication).
> When the WLAN-device tries to re-authenticate, it uses the fast reauth-id and it fails due to "User-Name not found".
> 
> In hostapd.eap_user I have only one line
> "DUT at lab.org"      SIM
> 
> re-auth works when changing the entry in hostapd.eap_user to
> * SIM 
> 
> Is this how it should be?

Yes, you will need to have an entry in the EAP user list for whatever
identity will be used during authentication. As far as EAP-SIM is
concerned, you can use the following wildcards to limit just to the standard
identity prefixes, if desired:
"1"*	SIM
"3"*	SIM
"5"*	SIM

(that includes full authentication, identity protection with pseudonym,
and fast re-authentication; I would expect the "DUT at lab.org" style
identity to be 1 | IMSI at realm in most cases, but if not, you will need
to make sure there is a match for whatever style permanent id)

> Is it possible for hostapd to require full-auth even if the WLAN-device attempts to use the fast-id?

Yes, if hostapd does not recognize the provided fast reauth id, it will
try to fall back to full-auth.

> Is it possible to configure hostapd to not generate/send fast-id to the WLAN-device?

Not without changing source code. If you are fine with hardcoding this
to be disabled, you can modify eap_sim_build_encr() not to add the next
re-authentication id or alternatively change
eap_sim_db_get_next_reauth_id() to return NULL. Similarly, it would be
possible to remove the use of pseudonyms, if needed.

-- 
Jouni Malinen                                            PGP id EFC895FA
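
An added example, not part of the original message and not hostapd's own code: a simplified model of identity lookup in hostapd.eap_user, run against constructed identities, showing which of the three entry styles from this thread cover the permanent, pseudonym and fast re-auth identities. It assumes the archive's "DUT at lab.org" stands for DUT@lab.org and that the first matching entry wins; the function names and sample identities are hypothetical.

```python
import re

# One entry: "identity" METHODS, "prefix"* METHODS, or * METHODS.
LINE = re.compile(
    r'^\s*(?:"(?P<ident>[^"]*)"(?P<star>\*)?|(?P<any>\*))\s+(?P<methods>\S+)')

def parse_eap_user(text):
    """Return [(kind, identity, methods)] in file order."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = LINE.match(raw)
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        kind = "any" if m["any"] else ("prefix" if m["star"] else "exact")
        entries.append((kind, m["ident"] or "", m["methods"].split(",")))
    return entries

def lookup(entries, identity):
    """Assumption: first match wins. None models "User-Name not found"."""
    for kind, ident, methods in entries:
        if (kind == "any"
                or (kind == "prefix" and identity.startswith(ident))
                or (kind == "exact" and identity == ident)):
            return methods
    return None

def coverage(eap_user_text, identities):
    """Map each identity to the methods it would be offered, or None."""
    entries = parse_eap_user(eap_user_text)
    return {i: lookup(entries, i) for i in identities}

# Constructed sample identities (not taken from the thread's traffic).
PERMANENT = "1232010000000001@lab.org"   # 1 | IMSI @ realm
PSEUDONYM = "3c0ffee1d2a4b6e8"           # pseudonym, prefix 3
REAUTH = "5a9d3e7712bc40f1"              # fast re-auth id, prefix 5
OTHER = "guest@lab.org"                  # identity without a SIM prefix
IDENTITIES = ["DUT@lab.org", PERMANENT, PSEUDONYM, REAUTH, OTHER]

EXACT_ONLY = '"DUT@lab.org"\tSIM\n'            # original single entry
PREFIXES = '"1"*\tSIM\n"3"*\tSIM\n"5"*\tSIM\n'  # suggested wildcards
CATCH_ALL = '*\tSIM\n'                         # entry that made re-auth work

if __name__ == "__main__":
    for name, cfg in (("exact", EXACT_ONLY), ("prefixes", PREFIXES),
                      ("catch-all", CATCH_ALL)):
        print(name, coverage(cfg, IDENTITIES))
```

The catch-all entry accepts every identity for SIM, including ones without a standard prefix, while the three prefix entries accept only identities starting with 1, 3 or 5.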

