Configuration of hostapd for: EAP-PEAP/TLS (outer PEAP and inner TLS configuration)
Jouni Malinen
jkmaline
Sat Feb 10 19:52:31 PST 2007
On Wed, Jan 17, 2007 at 09:26:56AM +0100, Heiss, Stefan wrote:
> I want to configure hostapd in such a way that it will do outer PEAP and inner TLS configuration.
hostapd does not support this.
> There is actually an example for using TTLS/TLS (outer TTLS and inner TLS authentication) which is:
> # WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner authentication.
> network={
> ssid="example"
..
This is not for hostapd, but for wpa_supplicant..
> From this example, I would like to derive the PEAP/TLS configuration, and version one would be:
> network={
> ssid="example"
> key_mgmt=WPA-EAP
> eap=PEAP
> # Phase1 / outer authentication
> #anonymous_identity=anonymous@example.com => anonymous identity is not required for PEAP, therefore leave it out
> ca_cert="/etc/cert/ca.pem"
> # Phase 2 / inner authentication
> phase2="autheap=TLS"
That should be auth=TLS for PEAP (only TTLS has two different types of
inner methods, auth=PAP/CHAP/MSCHAP/MSCHAPV2 and autheap=<eap method>;
that autheap for TTLS is similar to auth with PEAP).
> ca_cert2="/etc/cert/ca2.pem"
> client_cert2="/etc/cer/user.pem"
> private_key2="/etc/cer/user.prv"
> private_key2_passwd="password"
> priority=2
> I wonder which version would do the configuration correct for PEAP/TLS.
The first one was closer. phase2 should be changed, but other than that,
it looked fine.
--
Jouni Malinen PGP id EFC895FA
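Added example, not part of the original message and not hostapd or wpa_supplicant code: a small Python check that applies the phase2 rule from the reply above (auth= for PEAP; auth= or autheap= for TTLS) to wpa_supplicant network blocks. The function names and the sample configuration are constructed for illustration, and the parser assumes simple key=value lines inside network={ ... }.

```python
# Inner-method rules as stated in the reply: PEAP takes auth=<method>; TTLS takes
# auth= for the non-EAP methods below and autheap= for EAP methods.
TTLS_NON_EAP = {"PAP", "CHAP", "MSCHAP", "MSCHAPV2"}

def parse_networks(text):
    """Return one {key: value} dict per network={ ... } block."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "network={":
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return nets

def check_phase2(net):
    """Return findings for phase2 fields that do not fit the outer method."""
    outer = set(net.get("eap", "").upper().split())
    findings = []
    for field in net.get("phase2", "").split():
        key, _, method = field.partition("=")
        if "PEAP" in outer and key == "autheap":
            findings.append(f"PEAP: use auth={method}, not autheap={method}")
        elif "TTLS" in outer and key == "auth" and method.upper() not in TTLS_NON_EAP:
            findings.append(f"TTLS: {method} is an EAP method, use autheap={method}")
    return findings

# Constructed sample: the thread's first version, then the same block corrected.
SAMPLE = """
network={
    ssid="example"
    eap=PEAP
    ca_cert="/etc/cert/ca.pem"
    phase2="autheap=TLS"
}
network={
    ssid="example"
    eap=PEAP
    ca_cert="/etc/cert/ca.pem"
    phase2="auth=TLS"
}
"""

if __name__ == "__main__":
    for i, net in enumerate(parse_networks(SAMPLE)):
        print(i, net.get("ssid"), check_phase2(net) or "phase2 ok")
```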