EAP-TTLS with phase2="autheap=TLS" ?

Jouni Malinen jkmaline
Tue Feb 7 19:03:57 PST 2006

On Tue, Feb 07, 2006 at 05:56:52PM -0500, Andrea G Forte wrote:

> I am confused by the example in the supplicant config file. In particular:
> # WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
> # authentication.
> network={
>     eap=TTLS
> *  phase2="autheap=TLS" *

> It seems not to be a standard mode (phase2="autheap=TLS"). Earlier in 
> the config file:

What do you mean by a "standard mode"? Both EAP-PEAP and EAP-TTLS can
use multiple different EAP methods inside the tunnel (phase 2). This
particular example is using EAP-TLS for inner authentication.

> there is no mention of this other mode. Also, freeradius does not 
> support it (unless I have done something wrong) saying that TLS inside a 
> TTLS tunnel is not possible.

You are correct about FreeRADIUS not supporting this, but this is a
valid EAP-TTLS configuration (though certainly not very commonly used).
See eap_testing.txt for RADIUS servers that have been tested
successfully in this mode with wpa_supplicant.

Jouni Malinen                                            PGP id EFC895FA
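
An added example, not part of the original message: a complete wpa_supplicant network block for the mode discussed above, with EAP-TLS running inside the EAP-TTLS tunnel. The SSID, identities, password and file paths are placeholders; the fields ending in "2" apply to the inner (phase 2) authentication, which is how the outer and inner exchanges get different CA certificates.

```conf
network={
	ssid="example"                      # placeholder SSID
	key_mgmt=WPA-EAP
	eap=TTLS

	# Phase 1 / outer authentication: the EAP-TTLS tunnel.
	# anonymous_identity is the only identity sent outside the tunnel.
	anonymous_identity="anonymous@example.com"
	# CA used to validate the TTLS server certificate.
	ca_cert="/etc/cert/outer-ca.pem"

	# Phase 2 / inner authentication, carried inside the tunnel.
	# "autheap=" selects an EAP method as the inner method;
	# "auth=" would select a non-EAP one (e.g. auth=MSCHAPV2).
	phase2="autheap=TLS"
	identity="user@example.com"
	# Separate CA used to validate the certificate presented in the
	# inner EAP-TLS exchange.
	ca_cert2="/etc/cert/inner-ca.pem"
	# Client certificate and key for the inner EAP-TLS exchange.
	client_cert2="/etc/cert/user.pem"
	private_key2="/etc/cert/user.prv"
	private_key2_passwd="placeholder-password"
}
```

The RADIUS server must accept EAP-TLS as a tunneled method for this block to authenticate; as the reply notes, not every server does.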
