EAP SM should prefer first specified EAP method for IMSI authentication

Jouni Malinen j at w1.fi
Sat Nov 3 11:09:23 EDT 2012


On Wed, Sep 12, 2012 at 11:13:26PM +0800, Kaustav Dey Biswas wrote:
> In the EAP state machine, while retrieving identity information for the SCARD, the eap_sm_imsi_identity() function (eap_peer/eap.c) would go over all the configured EAP methods and would essentially select one from EAP-SIM, EAP-AKA and EAP-AKA-PRIME. The way this currently works is, first, the method is defaulted to EAP-SIM. Then, all the available methods are looped over, and it is checked whether EAP-AKA or EAP-AKA-PRIME is there in the list, and if so, either of them (respectively) is selected. However, this approach actually de-prioritizes EAP-SIM in scenarios where both EAP-SIM and EAP-AKA (or PRIME) are present. In such a case, whatever the order of the specified methods, EAP-SIM never gets selected.
> 
> Is this the intended behaviour?

Yes.

> Wouldn't it be more logical to select the first method in the list, since many applications would list out the available EAP methods in the order of preference?

The eap parameter in wpa_supplicant is a set of allowed EAP methods,
i.e., it does not indicate any particular preference order between the
listed entries.

> This can be achieved by adding a simple check for EAP-SIM in the loop (similar to the EAP-AKA and EAP-AKA-PRIME checks), so that it is ensured that if EAP-SIM is first in the list, it gets selected. This way, the first specified EAP method would always get selected and EAP-SIM wouldn't be de-prioritized where multiple EAP methods are available.

Do you have a use case where this behavior would be of some benefit? In
general, EAP-AKA or EAP-AKA' should be used if possible, taking into
account that they have a quite a bit stronger design from a security
viewpoint. The code here is for building the EAP-Response/Identity value,
which is done before knowing what the server supports. The prefix value
in the SIM/AKA/AKA' identities does not prevent another method from being
tried, i.e., the server could propose EAP-SIM in case it doesn't support
EAP-AKA even if the EAP-Response/Identity would start with a prefix for
EAP-AKA.

-- 
Jouni Malinen                                            PGP id EFC895FA
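
The two selection rules discussed in this thread, as an added example in C (not wpa_supplicant's own code, which lives in eap_peer/eap.c). select_imsi_method_set() implements the set semantics Jouni describes: EAP-SIM is the default and is displaced by EAP-AKA or EAP-AKA' wherever they appear in the list. select_imsi_method_first() implements the first-listed rule the question proposes. build_imsi_identity() then forms the EAP-Response/Identity from the permanent-identity prefix of the chosen method ('1' for EAP-SIM per RFC 4186, '0' for EAP-AKA per RFC 4187, '6' for EAP-AKA' per RFC 5448) and the IMSI. The realm form wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org follows the 3GPP TS 23.003 NAI convention and is this example's assumption, as is the 2- or 3-digit MNC length parameter; the IMSI is constructed test data.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <ctype.h>

/* IETF EAP method type numbers (IANA EAP registry). */
enum eap_type {
	EAP_TYPE_SIM = 18,
	EAP_TYPE_AKA = 23,
	EAP_TYPE_AKA_PRIME = 50
};

/* Leading character of the permanent (IMSI-based) identity:
 * '1' EAP-SIM (RFC 4186), '0' EAP-AKA (RFC 4187), '6' EAP-AKA' (RFC 5448). */
static char imsi_prefix(int method)
{
	switch (method) {
	case EAP_TYPE_SIM: return '1';
	case EAP_TYPE_AKA: return '0';
	case EAP_TYPE_AKA_PRIME: return '6';
	default: return 0;
	}
}

/* Set semantics as described in the reply: start from EAP-SIM and move up
 * to EAP-AKA, then EAP-AKA', if they appear anywhere in the allowed set.
 * The position of an entry in the list has no effect on the result. */
int select_imsi_method_set(const int *allowed, size_t n)
{
	int method = EAP_TYPE_SIM;
	for (size_t i = 0; i < n; i++) {
		if (allowed[i] == EAP_TYPE_AKA_PRIME)
			method = EAP_TYPE_AKA_PRIME;
		else if (allowed[i] == EAP_TYPE_AKA && method != EAP_TYPE_AKA_PRIME)
			method = EAP_TYPE_AKA;
	}
	return method;
}

/* Ordered semantics as proposed in the question: the first SIM/AKA/AKA'
 * entry in the list wins. Returns -1 if none of the three is listed. */
int select_imsi_method_first(const int *allowed, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (imsi_prefix(allowed[i]))
			return allowed[i];
	return -1;
}

/* Build "<prefix><IMSI>@wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org".
 * Realm form per 3GPP TS 23.003 (MNC left-padded to three digits); this is
 * the example's assumption, not copied from wpa_supplicant.
 * Returns the identity length, or -1 on invalid input or a too-small buffer. */
int build_imsi_identity(int method, const char *imsi, size_t mnc_len,
			char *out, size_t out_len)
{
	char prefix = imsi_prefix(method);
	size_t imsi_len = strlen(imsi);
	char mcc[4], mnc[4];
	int n;

	/* IMSI: 3-digit MCC + 2/3-digit MNC + MSIN, at most 15 digits total. */
	if (!prefix || imsi_len < 6 || imsi_len > 15)
		return -1;
	if (mnc_len != 2 && mnc_len != 3)
		return -1;
	for (size_t i = 0; i < imsi_len; i++)
		if (!isdigit((unsigned char) imsi[i]))
			return -1;

	memcpy(mcc, imsi, 3);
	mcc[3] = '\0';
	if (mnc_len == 2) {
		mnc[0] = '0';
		memcpy(mnc + 1, imsi + 3, 2);
	} else {
		memcpy(mnc, imsi + 3, 3);
	}
	mnc[3] = '\0';

	n = snprintf(out, out_len, "%c%s@wlan.mnc%s.mcc%s.3gppnetwork.org",
		     prefix, imsi, mnc, mcc);
	if (n < 0 || (size_t) n >= out_len)
		return -1;
	return n;
}

int main(void)
{
	/* Constructed IMSI (MCC 234, two-digit MNC 15), not a real subscriber. */
	const char *imsi = "234150999999999";
	const int cfg[] = { EAP_TYPE_SIM, EAP_TYPE_AKA };   /* "eap=SIM AKA" */
	char id[64];
	int m_set = select_imsi_method_set(cfg, 2);
	int m_first = select_imsi_method_first(cfg, 2);

	build_imsi_identity(m_set, imsi, 2, id, sizeof(id));
	printf("set semantics  -> method %d, identity %s\n", m_set, id);
	build_imsi_identity(m_first, imsi, 2, id, sizeof(id));
	printf("first-listed   -> method %d, identity %s\n", m_first, id);
	return 0;
}
```

With eap=SIM AKA the set rule yields an AKA identity (prefix '0') and the first-listed rule a SIM identity (prefix '1'); as the reply notes, the prefix only shapes the initial EAP-Response/Identity and the server may still propose another method.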
