Need info about EAP-TTLS and EAP-PEAP
Jouni Malinen
Wed Dec 5 19:06:05 PST 2007
On Thu, Dec 06, 2007 at 06:45:12AM +0530, Raghavendra. S wrote:
> Can I support both EAP-TTLS and EAP-PEAP in same supplicant config?
Yes, but it is somewhat tricky on the phase2 configuration since the
used format is a bit different.
> eap=TTLS
If you want to enable both EAP-TTLS and EAP-PEAP, you would need to
change this to "eap=TTLS PEAP".
> phase2="autheap=MD5"
And this to something like phase2="autheap=MD5 auth=MD5" if you want to
use both TTLS and PEAP with a tunneled EAP-MD5. Alternatively, you could
probably leave this phase2 parameter out to allow all EAP methods in
phase 2.
> 3. anonymous - Is this parameter a must?
anonymous_identity can be used to set the phase 1 identity. If it is not
configured the phase 2 identity is used for both phase 1 and 2 (i.e.,
the value from 'identity' field is used in both cases). If identity
protection is not needed (phase 1 identity is sent in clear; phase 2
identity is encrypted), anonymous_identity is not needed in the
configuration.
> Other config parameters he need not modify to make EAP-TTLS work.
> Similarly I need your help for supporting EAP-PEAP, whereas the end user
> modifies only the above 3/4 parameters.
In order to keep both EAP-TTLS and EAP-PEAP secure, you will have to add
ca_cert parameter to allow the supplicant to authenticate the server.
--
Jouni Malinen PGP id EFC895FA
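
A small check for the points raised in the reply above, added here as an example and not code from the original post or from wpa_supplicant: it parses a network block and reports a missing ca_cert, a missing anonymous_identity, and a phase2 string that lacks the form one of the enabled methods uses. The sample block and the names parse_network and audit are constructed for illustration.

```python
import re

# Constructed sample, not from the thread: TTLS block switched to both methods.
SAMPLE = '''
network={
    ssid="example-net"
    key_mgmt=WPA-EAP
    eap=TTLS PEAP
    identity="user@example.com"
    password="placeholder"
    phase2="autheap=MD5"
}
'''

# phase2 prefix per outer method, as in the reply (other options not modelled).
PHASE2_PREFIX = {"TTLS": "autheap=", "PEAP": "auth="}


def parse_network(text):
    """Return the key/value pairs of the first network={...} block."""
    body = re.search(r"network=\{(.*?)\n\}", text, re.S)
    fields = {}
    for line in (body.group(1) if body else "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # phase2 values contain '='
        fields[key.strip()] = value.strip().strip('"')
    return fields


def audit(fields):
    """Return findings for a block that enables EAP-TTLS and/or EAP-PEAP."""
    methods = [m for m in fields.get("eap", "").split() if m in PHASE2_PREFIX]
    findings = []
    if not methods:
        return findings
    if "ca_cert" not in fields:
        findings.append("no ca_cert: server is not authenticated")
    if "anonymous_identity" not in fields:
        findings.append("no anonymous_identity: identity sent in clear in phase 1")
    tokens = fields.get("phase2", "").split()
    for m in methods:
        if tokens and not any(t.startswith(PHASE2_PREFIX[m]) for t in tokens):
            findings.append(f"phase2 has no {PHASE2_PREFIX[m]} entry for {m}")
    return findings


print("\n".join(audit(parse_network(SAMPLE))))
```

A block with ca_cert, anonymous_identity and phase2="autheap=MD5 auth=MD5" set, or with phase2 left out, produces no phase2 finding.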