
List:       freeradius-users
Subject:    Re: EAP-TLS and EAP-Identity
From:       "David Weidenkopf" <david+freeradius () weidenkopf ! com>
Date:       2022-05-27 21:32:53
Message-ID: 596a4eb8-6752-401f-a396-53ae5327e8af () www ! fastmail ! com

Thank you for your pain and suffering!

On Fri, May 27, 2022, at 2:28 PM, Alan DeKok wrote:
> On May 27, 2022, at 5:14 PM, David Weidenkopf <david+freeradius@weidenkopf.com> wrote:
> > I am trying to understand EAP-TLS configuration. RFC3748 seems to indicate that the identity response can be empty. This makes sense for EAP-TLS, since it is using certificates, so maybe the identity is not useful in that case. I am aware of RFC5080 and it seems to discuss the conflicting requirements around this.
> 
> There's also RFC 2716, RFC 5216, and RFC 9190.
> 
> The server can send an EAP-Request / Identity packet with no data.  This indicates that the supplicant should respond with an EAP-Response / Identity packet, with an actual identity.
> RFC 3748 Section 5.1 says:
> 
> If the Identity is unknown, the
> Identity Response field should be zero bytes in length.
> 
> But... that's stupid.  I don't know of any RADIUS server which allows empty identities.
> > However, from looking at what I could find on this list about EAP-TLS configuration, is that the supplicant (wpa_supplicant in this case) is broken if it does not provide an identity.
> 
> Yes.
> 
> > We control the supplicant and are only trying to integrate with customers using 8021X with WPA. We don't control their configuration. We have one that insists the identity should be able to be blank.
> 
> If the supplicant sends an EAP-Response / Identity with no identity, then FreeRADIUS will reject it.
> To be perfectly frank, it's idiotic for a supplicant to send an empty identity.  It means that proxying won't work, and a host of other things won't work.
> e.g. What should be put into the User-Name field?  How will you probably do accounting for that user?
> While the RFCs don't explicitly forbid empty identities RFC 3748 is old, and they permit a whole lot of idiocy.  Simply by not forbidding it.  Newer RFCs are much more carefully written.
> > My interest here is we use freeradius for testing our system. Is there a configuration for EAP-TLS that supports a blank or empty Identity?
> 
> No.  It's hard-coded into the server.  An empty identity will always cause Access-Reject.
> > I appreciate any wisdom anyone can share regarding this.
> 
> There's no wisdom.  Only understanding gained through years of pain and suffering.  :(
> Alan DeKok.
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
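The exchange above describes a server sending an EAP-Request/Identity with no Type-Data, the supplicant answering with an EAP-Response/Identity, and the server rejecting the response when the identity is empty because nothing usable would go into User-Name. The following is an added example written for this archive page; it is not code from the thread, from FreeRADIUS, or from wpa_supplicant. It frames and parses EAP packets using the RFC 3748 layout (Code, Identifier, Length, Type, Type-Data; Identity is Type 1) and applies the server-side policy Alan describes: an empty identity is rejected rather than accepted with a blank User-Name. The function names, the sample identity string, and the additional UTF-8 and NUL checks are this example's own assumptions, not FreeRADIUS behaviour quoted from the page.

```python
import struct

# EAP Code and Type values from RFC 3748.
EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_HEADER_LEN = 4          # Code(1) + Identifier(1) + Length(2)


def build_eap_identity_request(identifier: int) -> bytes:
    """Server -> supplicant: EAP-Request/Identity with no Type-Data, as in the thread."""
    length = EAP_HEADER_LEN + 1                       # header + Type byte, no data
    return struct.pack("!BBHB", EAP_CODE_REQUEST, identifier, length, EAP_TYPE_IDENTITY)


def build_eap_identity_response(identifier: int, identity: bytes) -> bytes:
    """Supplicant -> server: EAP-Response/Identity carrying `identity` (may be empty)."""
    length = EAP_HEADER_LEN + 1 + len(identity)
    header = struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, length, EAP_TYPE_IDENTITY)
    return header + identity


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet; raise ValueError on a malformed header or Length field."""
    if len(packet) < EAP_HEADER_LEN:
        raise ValueError("packet shorter than EAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:EAP_HEADER_LEN])
    if length < EAP_HEADER_LEN or length > len(packet):
        raise ValueError("EAP Length field inconsistent with packet size")
    body = packet[EAP_HEADER_LEN:length]               # bytes past Length are ignored
    parsed = {"code": code, "id": identifier, "type": None, "data": b""}
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):
        if not body:
            raise ValueError("EAP Request/Response must carry a Type byte")
        parsed["type"] = body[0]
        parsed["data"] = body[1:]
    return parsed


def check_identity_response(packet: bytes, expected_id: int) -> tuple:
    """Server-side policy check (assumed, illustrative): returns ("accept", identity_text)
    where identity_text is what would become User-Name, or ("reject", reason)."""
    try:
        eap = parse_eap(packet)
    except ValueError as exc:
        return ("reject", f"malformed EAP packet: {exc}")
    if eap["code"] != EAP_CODE_RESPONSE or eap["type"] != EAP_TYPE_IDENTITY:
        return ("reject", "not an EAP-Response/Identity")
    if eap["id"] != expected_id:
        return ("reject", "Identifier does not match the outstanding Request")
    identity = eap["data"]
    if len(identity) == 0:
        # RFC 3748 5.1 permits a zero-length field; this policy, like the one the
        # thread describes, rejects it because no User-Name can be derived from it.
        return ("reject", "empty identity: nothing to place in User-Name")
    try:
        text = identity.decode("utf-8")
    except UnicodeDecodeError:
        return ("reject", "identity is not valid UTF-8")
    if "\x00" in text:
        return ("reject", "identity contains a NUL byte")
    return ("accept", text)


if __name__ == "__main__":
    # Constructed sample exchange, not captured traffic.
    req = build_eap_identity_request(7)
    good = build_eap_identity_response(7, b"anonymous@example.com")   # constructed identity
    empty = build_eap_identity_response(7, b"")
    print(parse_eap(req))
    print(check_identity_response(good, expected_id=7))
    print(check_identity_response(empty, expected_id=7))
```

Running the block shows the request carrying an empty Type-Data field, the populated response being accepted with its identity available for User-Name, and the zero-length response being rejected, which is the outcome the thread says FreeRADIUS produces for an empty identity.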

