Question on HS20, possibly realm related.
j at w1.fi
Mon Sep 23 04:33:07 EDT 2013
On Thu, Sep 19, 2013 at 03:43:11PM -0700, Ben Greear wrote:
> I notice something that seems strange to me. If I don't configure a user-name in
> supplicant, it will not attempt to connect to the AP, but it does not actually matter
> what I choose for the user-name..it just needs to exist.
username is used to determine which cred blocks are valid for comparing
against NAI Realm list.
That password entry looks pointless for EAP-TLS..
> But, if I remove that 'username="client"', the interworking code will fail its EAP selection.
> If I change 'client' to anything else, it still works...so it does not actually seem to be
> using that field for anything useful...
Well, it will be used for building the EAP-Identity/Response value.
There is currently no mechanism to build that automatically based on
some client certificate fields, but if such code were to be added, it
should be fine to ignore missing username for EAP-TLS case (but
obviously not for other EAP types) in Interworking network selecting.
Jouni Malinen PGP id EFC895FA
More information about the HostAP