More questions on hs20/OSU keys and configuration.

Jouni Malinen j at w1.fi
Thu Mar 26 13:50:23 EDT 2015


On Thu, Mar 26, 2015 at 09:44:54AM -0700, Ben Greear wrote:
> On 03/26/2015 06:16 AM, Jouni Malinen wrote:
> > On Wed, Mar 25, 2015 at 04:34:00PM -0700, Ben Greear wrote:
> >> But, it seems that supplicant is using anonymous@, and so the radius server
> >> does not find the user in the eap_user.db file and supplicant cannot connect.
> > 
> > Hotspot 2.0 mandates use of identity protection for EAP-TTLS, i.e., the
> > unencrypted EAP-Identity/Response has to use anonymous@<realm> form
> > while the real identity is used only within the encrypted tunnel. You
> > will need to configure the authentication server to allow EAP-TTLS to be
> > used with such an anonymous identity.
> > 
> 
> At least part of my problem is that I did not have SQLITE support enabled.

Yes, that would explain this. The last entry in sql-example.txt (INSERT
into wildcards) adds the rule that allows anonymous outer identity to be
used.

> Should we change this config to fail to load if user requests sqlite but
> does not have support compiled in?

It would be a good thing to reject the sqlite: prefix or simply comment
out its parsing so that the following operation fails to avoid issues
like this.
 
-- 
Jouni Malinen                                            PGP id EFC895FA
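
A simplified model of the two lookups discussed in this thread, added here as an example and not taken from hostapd or from the messages above: the outer anonymous@<realm> identity is only accepted through a wildcards rule, while the inner identity must match a users row. The table layout, the `lookup` and `authenticate` helpers, the longest-prefix matching and all rows are assumptions constructed for illustration.

```python
import sqlite3

# Assumed, simplified layout modelled on the users/wildcards tables named in the
# thread; every row below is constructed sample data.
SCHEMA = """
CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, phase2 INTEGER);
CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT);
INSERT INTO users VALUES('alice@example.com', 'TTLS-MSCHAPV2', 'constructed-secret', 1);
"""
# The kind of rule the thread describes: an empty prefix matches any outer identity.
ANON_RULE = "INSERT INTO wildcards(identity, methods) VALUES('', 'TTLS,TLS')"


def make_db(with_wildcard):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    if with_wildcard:
        db.execute(ANON_RULE)
    return db


def lookup(db, identity, phase2):
    """Return the allowed method string for an identity, or None to reject."""
    row = db.execute(
        "SELECT methods FROM users WHERE identity = ? AND phase2 = ?",
        (identity, int(phase2)),
    ).fetchone()
    if row:
        return row[0]
    if phase2:
        return None  # inner identities must match a real user entry
    # Outer (phase 1) identity: fall back to the longest matching wildcard prefix.
    best = None
    for prefix, methods in db.execute("SELECT identity, methods FROM wildcards"):
        if identity.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, methods)
    return best[1] if best else None


def authenticate(db, outer, inner):
    """Model both steps: the outer identity selects the tunnel, the inner names the user."""
    if "TTLS" not in (lookup(db, outer, False) or "").split(","):
        return "rejected: outer identity not allowed to start EAP-TTLS"
    if lookup(db, inner, True) is None:
        return "rejected: unknown inner identity"
    return "accepted"
```

With the wildcard rule absent, the anonymous outer identity is rejected before the tunnel is set up, which matches the symptom reported at the top of the thread.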

