Jouni Malinen wrote:
The exact behavior here depends on the definition of "session". From hostapd viewpoint, IEEE 802.11 association is the session and there is nothing that would prevent the Supplicant from changing its identity string (User-Name in RADIUS) during the re-association if an EAPOL reauthenticaton occurs (either from client/Supplicant request as is the case here or based on Authenticator timer). Sure, that definition of "session" could be modified to arbitrarily start a new session should the Supplicant decide to use a different identity in re-authentication within the same association, but I would like to see a specific requirement for this in an RFC before changing hostapd behavior.
Hostapd should not change. The supplicants that change Identity in the middle of a session need to be fixed. Alan DeKok.