[RFC] supplicant/interworking: Allow EAP-TLS without user specified.

Jouni Malinen j at w1.fi
Mon Sep 23 13:53:33 EDT 2013


On Mon, Sep 23, 2013 at 08:58:21AM -0700, Ben Greear wrote:
> In eap_sm_buildIdentity, there is a check for null identity.  From what I
> can tell by reading code, it would seem that eap_sm_get_scard_identity
> could populate this automatically and let the EAP response be built properly,
> even when the user does not specify a username in the config file.
> 
> I don't actually have any system that supports the pcsc/IMSI logic yet,
> so I can't test it.

That is for EAP-SIM/AKA/AKA', not for EAP-TLS.

> And, would it be worth just using a hard-coded "default-user" string
> for ID in cases where we cannot otherwise determine the ID?

No, EAP-TLS should probably extract the EAP identity from the client
certificate (subjectName or subjectAltName) if no identity is set in the
configuration.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list