Why does username is considered as part of the identity ?

TianHong Zhao tzhao at wavesat.com
Thu Mar 5 16:51:23 EST 2009


Regarding to the identity issue, your solution about using
"anonymous_identity" is exactly what I want.

Thanks a lot.

Tianhong

On Thu, 2009-03-05 at 12:00 -0500, hostap-request at lists.shmoo.com wrote:
> Send HostAP mailing list submissions to
> 	hostap at lists.shmoo.com
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.shmoo.com/mailman/listinfo/hostap
> or, via email, send a message with subject or body 'help' to
> 	hostap-request at lists.shmoo.com
> 
> You can reach the person managing the list at
> 	hostap-owner at lists.shmoo.com
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of HostAP digest..."
> 
> 
> Today's Topics:
> 
>    1. Why does username is considered as part of the identity ?
>       (TianHong Zhao)
>    2. PEAPv1(EAP-GTC) config with Cisco ACS (Ben Carbery)
>    3. Re: Why does username is considered as part of the identity ?
>       (Jouni Malinen)
>    4. Re: Why does username is considered as part of the identity ?
>       (Alan DeKok)
>    5. Re: PEAPv1(EAP-GTC) config with Cisco ACS (Jouni Malinen)
>    6. Re: wpa_supplicant for ad-hoc mode (Dan Williams)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 04 Mar 2009 17:15:43 -0500
> From: TianHong Zhao <tzhao at wavesat.com>
     A. Subject: Why does username is considered as part of the
        identity ?
> To: hostap at lists.shmoo.com
> Message-ID: <1236204943.7146.14.camel at WT0340>
> Content-Type: text/plain
> 
> Hi,
> 
> In EAP_TTLS/MSCHAPV2, the username is taken from identity (excluding the
> realm part), but why ?
> 
> In the project I'm working on, when using EAP_TTLS/MSCHAPV2, "identity"
> in phase1 is MAC address, "identity" in phase2 is the username,
> is there any easy way to make eap_ttls code choose the right one ?
> 
> Tianhong
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Thu, 5 Mar 2009 09:49:59 +1100
> From: Ben Carbery <ben.carbery at gmail.com>
> Subject: PEAPv1(EAP-GTC) config with Cisco ACS
> To: hostap at lists.shmoo.com
> Message-ID:
> 	<ab82fd6c0903041449l7fe8e00dged88a06db0a742bb at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi,
> 
> I am trying to get wpa_supplicant going with this setup:
> 
> Linux Laptop (Thinkpad with iwl4965agn) -> Aruba AP -> Aruba Wireless
> Controller -> Cisco ACS RADIUS server (terminates EAP)
> 
> It's PEAPv1 as the passwords need to be in clear text, not MSCHAP.  I have
> this setup successfully working with Windows and Mac, so just trying to get
> the wpa_supplicant config right. The best I can get is partial success, but
> it's not clear why it's failing. I think I *may* be hitting this problem
> fixed in v0.6.6:
> 
> 2008-11-23 - v0.6.6
> 	* fixed canceling of PMKSA caching when using drivers that generate
> 	  RSN IE and refuse to drop PMKIDs that wpa_supplicant does not know
> 	  about
> i.e. "RSN: no matching PMKID found" error
> 
> But my distro is still on 0.6.4. Can anyone confirm this is the
> problem I am hitting? Also is my config correct for this setup?
> 
> Ben
> 
> 
> ---------------------------------------------------------------------------------------------------
> 
> # config
> 
> network={
>         priority=4
>         disabled=0
>         ssid="WLAN-Secure"
>         scan_ssid=1
>         proto=WPA2
>         key_mgmt=WPA-EAP
>         ca_cert="/etc/ssl/certs/Thawte_Premium_Server_CA.pem"
> 
>         pairwise=CCMP
>         group=CCMP
>         eap=PEAP
>         identity="u4399999"
>         password="password"
>         # guessing about the following..
>         phase1="peap_outer_success=0 peaplabel=1"
> 
>         phase2="auth=GTC"
> }
> 
> ---------------------------------------------------------------------------------------------------
> 
> # wpa_cli status - cycles between the following several times
> 
> wintermute ~ # wpa_cli status
> Selected interface 'wlan0'
> bssid=00:1a:1e:11:e5:42
> ssid=WLAN-Secure
> id=0
> pairwise_cipher=CCMP
> 
> group_cipher=CCMP
> key_mgmt=WPA2/IEEE 802.1X/EAP
> wpa_state=4WAY_HANDSHAKE
> Supplicant PAE state=CONNECTING
> suppPortStatus=Unauthorized
> EAP state=IDLE
> 
> wintermute ~ # wpa_cli status
> Selected interface 'wlan0'
> 
> bssid=00:1a:1e:97:02:71
> ssid=WLAN-Secure
> id=0
> pairwise_cipher=CCMP
> group_cipher=CCMP
> key_mgmt=WPA2/IEEE 802.1X/EAP
> wpa_state=4WAY_HANDSHAKE
> Supplicant PAE state=AUTHENTICATING
> suppPortStatus=Unauthorized
> 
> EAP state=IDLE
> selectedMethod=25 (EAP-PEAP)
> EAP TLS cipher=
> EAP-PEAPv1 Phase2 method=GTC
> 
> # Before the controller bars the client for number of attempts and settles on:
> 
> Selected interface 'wlan0'
> 
> 
> wpa_state=DISCONNECTED
> Supplicant PAE state=DISCONNECTED
> suppPortStatus=Unauthorized
> EAP state=DISABLED
> selectedMethod=25 (EAP-PEAP)
> EAP TLS cipher=
> EAP-PEAPv1 Phase2 method=GTC
> 
> ---------------------------------------------------------------------------------------------------
> 
> # connection logs
> 
> I had to remove these logs as my post got lost in moderator-land for
> being to big, will update in next post if my config is correct.
> 
> 
> B
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://lists.shmoo.com/pipermail/hostap/attachments/20090305/41a75f5a/attachment.html 
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 5 Mar 2009 09:06:47 +0200
> From: Jouni Malinen <j at w1.fi>
> Subject: Re: Why does username is considered as part of the identity ?
> To: hostap at lists.shmoo.com
> Message-ID: <20090305070647.GA10972 at jm.kir.nu>
> Content-Type: text/plain; charset=us-ascii
> 
> On Wed, Mar 04, 2009 at 05:15:43PM -0500, TianHong Zhao wrote:
> 
> > In EAP_TTLS/MSCHAPV2, the username is taken from identity (excluding the
> > realm part), but why ?
> > 
> > In the project I'm working on, when using EAP_TTLS/MSCHAPV2, "identity"
> > in phase1 is MAC address, "identity" in phase2 is the username,
> > is there any easy way to make eap_ttls code choose the right one ?
> 
> I'm not sure I'm fully following your description, but if all you want
> to do is to use different identity in phase 1 and 2, please take a look
> at anonymous_identity parameter: (anonymous_identity="<MAC addr>",
> identity="real username").
> 
> -- 
> Jouni Malinen                                            PGP id EFC895FA
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 05 Mar 2009 08:07:43 +0100
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Why does username is considered as part of the identity ?
> To: TianHong Zhao <tzhao at wavesat.com>
> Cc: hostap at lists.shmoo.com
> Message-ID: <49AF7A3F.5070401 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> TianHong Zhao wrote:
> > In EAP_TTLS/MSCHAPV2, the username is taken from identity (excluding the
> > realm part), but why ?
> 
>   Because that's what everyone does.
> 
> > In the project I'm working on, when using EAP_TTLS/MSCHAPV2, "identity"
> > in phase1 is MAC address, "identity" in phase2 is the username,
> > is there any easy way to make eap_ttls code choose the right one ?
> 
>   You can set the identities independently to whatever you want.
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Thu, 5 Mar 2009 09:09:17 +0200
> From: Jouni Malinen <j at w1.fi>
> Subject: Re: PEAPv1(EAP-GTC) config with Cisco ACS
> To: hostap at lists.shmoo.com
> Message-ID: <20090305070917.GB10972 at jm.kir.nu>
> Content-Type: text/plain; charset=us-ascii
> 
> On Thu, Mar 05, 2009 at 09:49:59AM +1100, Ben Carbery wrote:
> 
> > I am trying to get wpa_supplicant going with this setup:
> > 
> > Linux Laptop (Thinkpad with iwl4965agn) -> Aruba AP -> Aruba Wireless
> > Controller -> Cisco ACS RADIUS server (terminates EAP)
> > 
> > It's PEAPv1 as the passwords need to be in clear text, not MSCHAP.
> 
> >         # guessing about the following..
> >         phase1="peap_outer_success=0 peaplabel=1"
> 
> That's incorrect; just remove the phase1 parameter and authentication
> should work fine with ACS. Forcing peaplabel=1 will break key derivation
> with most authentication servers, including ACS.
> 


More information about the HostAP mailing list