Question on HS20, possibly realm related.

Jouni Malinen j at w1.fi
Mon Sep 23 04:33:07 EDT 2013


On Thu, Sep 19, 2013 at 03:43:11PM -0700, Ben Greear wrote:

> I notice something that seems strange to me.  If I don't configure a user-name in
> supplicant, it will not attempt to connect to the AP, but it does not actually matter
> what I choose for the user-name..it just needs to exist.

username is used to determine which cred blocks are valid for comparing
against NAI Realm list.

> cred={
>     username="client"
>     password="lanforge"
>     ca_cert="/home/lanforge/ca.pem"
>     private_key="/home/lanforge/client.p12"
>     private_key_passwd="lanforge"
>     realm="lanforge.org"
>     domain="lanforge.org"
>     eap=TLS
> 
> }

That password entry looks pointless for EAP-TLS..

> But, if I remove that 'username="client"', the interworking code will fail its EAP selection.
> 
> If I change 'client' to anything else, it still works...so it does not actually seem to be
> using that field for anything useful...

Well, it will be used for building the EAP-Identity/Response value.
There is currently no mechanism to build that automatically based on
some client certificate fields, but if such code were to be added, it
should be fine to ignore missing username for EAP-TLS case (but
obviously not for other EAP types) in Interworking network selecting.

-- 
Jouni Malinen                                            PGP id EFC895FA
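The cred-block behaviour described in this thread, as an added lint script (not wpa_supplicant code and not from either poster): it parses a `cred={ ... }` block in the syntax Ben quoted, flags a missing `username` (the cred would be skipped during Interworking EAP selection), flags a `password` on an EAP-TLS cred, and builds the identity the supplicant would send. The `user@realm` identity form and the `parse_cred`/`lint_cred` helpers are assumptions of this example.

```python
"""Lint a wpa_supplicant-style 'cred' block for Hotspot 2.0 network selection.

Added example, not wpa_supplicant's own code. Assumes the block grammar
seen in the thread: 'cred={', one key=value per line, closing '}'.
"""
import re

# key=value with an optional pair of double quotes around the value
CRED_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$')

# Constructed sample mirroring the thread's block (without the '> ' quoting)
CONSTRUCTED_CRED = """
cred={
    username="client"
    password="lanforge"
    ca_cert="/home/lanforge/ca.pem"
    private_key="/home/lanforge/client.p12"
    private_key_passwd="lanforge"
    realm="lanforge.org"
    domain="lanforge.org"
    eap=TLS
}
"""

def parse_cred(text: str) -> dict:
    """Return the key=value pairs found between 'cred={' and '}'."""
    cred, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("cred={"):
            inside = True
        elif stripped == "}":
            inside = False
        elif inside and (m := CRED_RE.match(line)):
            cred[m.group(1)] = m.group(2)
    return cred

def lint_cred(cred: dict) -> list:
    """Findings matching the thread: username gates Interworking EAP
    selection and feeds EAP-Response/Identity; password is unused by EAP-TLS."""
    findings = []
    if "username" not in cred:
        findings.append("missing username: cred skipped in Interworking EAP selection")
    if "realm" not in cred:
        findings.append("missing realm: cannot compare against NAI Realm list")
    if cred.get("eap", "").upper() == "TLS":
        if "password" in cred:
            findings.append("password is pointless for EAP-TLS")
        findings += [f"EAP-TLS needs {k}" for k in ("ca_cert", "private_key") if k not in cred]
    return findings

def eap_identity(cred: dict) -> str:
    """Identity for EAP-Response/Identity (assumed form: username@realm)."""
    return f"{cred['username']}@{cred['realm']}"
```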
