[RFC] supplicant/interworking: Allow EAP-TLS without user specified.

Ben Greear greearb at candelatech.com
Mon Sep 23 13:58:37 EDT 2013


On 09/23/2013 10:53 AM, Jouni Malinen wrote:
> On Mon, Sep 23, 2013 at 08:58:21AM -0700, Ben Greear wrote:
>> In eap_sm_buildIdentity, there is a check for null identity.  From what I
>> can tell by reading code, it would seem that eap_sm_get_scard_identity
>> could populate this automatically and let the EAP response be built properly,
>> even when the user does not specify a username in the config file.
>>
>> I don't actually have any system that supports the pcsc/IMSI logic yet,
>> so I can't test it.
>
> That is for EAP-SIM/AKA/AKA', not for EAP-TLS.
>
>> And, would it be worth just using a hard-coded "default-user" string
>> for ID in cases where we cannot otherwise determine the ID?
>
> No, EAP-TLS should probably extract the EAP identity from the client
> certificate (subjectName or subjectAltName) if no identity is set in the
> configuration.

Ok, I'll add that to my wishlist and will just make sure I configure
a user-name in the meantime.

Thanks,
Ben

-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com



More information about the HostAP mailing list