[prev in list] [next in list] [prev in thread] [next in thread]
List: freeradius-users
Subject: Re: EAP-TLS and EAP-Identity
From: "David Weidenkopf" <david+freeradius () weidenkopf ! com>
Date: 2022-05-27 21:32:53
Message-ID: 596a4eb8-6752-401f-a396-53ae5327e8af () www ! fastmail ! com
Thank you for your pain and suffering!
On Fri, May 27, 2022, at 2:28 PM, Alan DeKok wrote:
> On May 27, 2022, at 5:14 PM, David Weidenkopf <david+freeradius@weidenkopf.com <mailto:david%2Bfreeradius@weidenkopf.com>> wrote:
> > I am trying to understand EAP-TLS configuration. RFC3748 seems to indicate that the identity response can be empty. This makes sense for EAP-TLS, since it is using certificates, so maybe the identity is not useful in that case. I am aware of RFC5080 and it seems to discuss the conflicting requirements around this.
>
> There's also RFC 2716, RFC 5216, and RFC 9190.
>
> The server can send an EAP-Request / Identity packet with no data. This indicates that the supplicant should respond with an EAP-Response / Identity packet, with an actual identity.
> RFC 3748 Section 5.1 says:
>
> If the Identity is unknown, the
> Identity Response field should be zero bytes in length.
>
> But... that's stupid. I don't know of any RADIUS server which allows empty identities.
> > However, from looking at what I could find on this list about EAP-TLS configuration, it seems that the supplicant (wpa_supplicant in this case) is broken if it does not provide an identity.
>
> Yes.
>
> > We control the supplicant and are only trying to integrate with customers using 802.1X with WPA. We don't control their configuration. We have one that insists the identity should be able to be blank.
>
> If the supplicant sends an EAP-Response / Identity with no identity, then FreeRADIUS will reject it.
> To be perfectly frank, it's idiotic for a supplicant to send an empty identity. It means that proxying won't work, and a host of other things won't work.
> e.g. What should be put into the User-Name field? How will you probably do accounting for that user?
> While the RFCs don't explicitly forbid empty identities, RFC 3748 is old, and they permit a whole lot of idiocy, simply by not forbidding it. Newer RFCs are much more carefully written.
> > My interest here is we use freeradius for testing our system. Is there a configuration for EAP-TLS that supports a blank or empty Identity?
>
> No. It's hard-coded into the server. An empty identity will always cause Access-Reject.
> > I appreciate any wisdom anyone can share regarding this.
>
> There's no wisdom. Only understanding gained through years of pain and suffering. :(
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
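As an added illustration (not code from this thread, from FreeRADIUS or from wpa_supplicant), the Python below decodes EAP Identity packets as laid out in RFC 3748 Sections 4 and 5.1 and applies the policy Alan describes: an EAP-Request/Identity may legitimately carry no Type-Data, but an EAP-Response/Identity whose identity is zero bytes long is treated as Access-Reject, while a non-empty identity becomes the User-Name the server needs for proxying and accounting. The packets are constructed inline for the example; the identity string and the "Access-Challenge" label used for the continue path are assumptions for illustration, not values taken from the thread.

```python
"""Decode EAP Identity packets (RFC 3748, Sections 4 and 5.1) and model the
"empty identity => Access-Reject" policy described in the thread.

Added example; not FreeRADIUS or wpa_supplicant code.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# EAP Code values (RFC 3748 Section 4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# EAP Type values
EAP_TYPE_IDENTITY = 1   # RFC 3748 Section 5.1
EAP_TYPE_TLS = 13       # RFC 5216


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no Type
    type_data: bytes


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    """Encode Code(1) Identifier(1) Length(2) [Type(1) Type-Data(*)]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(raw: bytes) -> EapPacket:
    """Parse an EAP packet, rejecting headers whose Length disagrees with the data."""
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP Length field inconsistent with packet")
    body = raw[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response must carry a Type octet")
        return EapPacket(code, identifier, body[0], body[1:])
    return EapPacket(code, identifier, None, body)


def identity_from_response(pkt: EapPacket) -> str:
    """Return the identity a RADIUS server would place in User-Name.

    RFC 3748 5.1 lets a supplicant send a zero-length identity when it is
    unknown, but per the thread FreeRADIUS always rejects that, so we do too.
    The same section says the Response Type-Data MUST NOT be NUL-terminated.
    """
    if pkt.code != EAP_RESPONSE or pkt.eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if b"\x00" in pkt.type_data:
        raise ValueError("Identity Response must not contain NUL")
    identity = pkt.type_data.decode("utf-8")
    if not identity:
        raise ValueError("empty EAP Identity: server would send Access-Reject")
    return identity


def server_decision(raw_response: bytes) -> Tuple[str, Optional[str]]:
    """Model the server's first decision on an EAP-Message it received.

    Returns ("Access-Challenge", user_name) when the identity is usable and
    the EAP-TLS conversation can continue, or ("Access-Reject", None).
    The Access-Challenge label is an assumption for illustration.
    """
    try:
        return "Access-Challenge", identity_from_response(parse_eap(raw_response))
    except ValueError:
        return "Access-Reject", None


if __name__ == "__main__":
    # Constructed sample exchange, not captured traffic.
    # 1. Server -> supplicant: EAP-Request/Identity with no data (legitimate).
    request = build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)
    assert parse_eap(request).type_data == b""
    # 2a. Supplicant answers with a real identity (assumed value).
    good = build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"host/device1.example.org")
    print(server_decision(good))
    # 2b. Supplicant answers with a zero-length identity: rejected.
    empty = build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY)
    print(server_decision(empty))
```

On the supplicant side the value that ends up in the Response comes from the `identity=` line of the wpa_supplicant network block, so for an EAP-TLS network that line needs to be set to a non-empty string rather than left out, even though the certificate does the actual authentication.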