Need info about EAP-TTLS and EAP-PEAP

Jouni Malinen j
Wed Dec 5 19:06:05 PST 2007

On Thu, Dec 06, 2007 at 06:45:12AM +0530, Raghavendra. S wrote:

>    Can I support both EAP-TTLS and EAP-PEAP in same supplicant config?

Yes, but it is somewhat tricky on the phase2 configuration since the
used format is bit different.

>         eap=TTLS

If you want to enable both EAP-TTLS and EAP-PEAP, you would need to
changes this to "eap=TTLS PEAP".

>         phase2="autheap=MD5"

And this to something like phase2="autheap=MD5 auth=MD5" if you want to
use both TTLS and PEAP with a tunneled EAP-MD5. Alternatively, you could
probably leave this phase2 parameter out to allow all EAP methods in
phase 2.

> 3. anonymous - Is this parameter must?

anonymous_identity can be used to set the phase 1 identity. If it is not
configured the phase 2 identity is used for both phase 1 and 2 (i.e.,
the value from 'identity' field is used in both cases). If identity
protection is not needed (phase 1 identity is sent in clear; phase 2
identity is encrypted), anonymous_identity is not needed in the

> Other config parameters he need not modify to make EAP-TTLS working.
> Similarly I need your help for supporting EAP-PEAP? where as end user modify
> only above 3/4 parameters.

In order to keep both EAP-TTLS and EAP-PEAP secure, you will have to add
ca_cert parameter to allow the supplicant to authenticate the server.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list