Query: auth server behaviour when presented with unknown user certs (EAP-TLS)
Jouni Malinen
Thu Nov 27 05:31:46 PST 2008
On Thu, Nov 27, 2008 at 05:22:02PM +0800, Soh Kam Yung wrote:
> Suppose I have a device with two or more user certificates which are
> used to join two or more different EAP-TLS networks. When I am
> requested to join an EAP-TLS network, I will try to join by passing the
> user certificates one by one to the server using wpa_supplicant (i.e.
> change the "private_key" and "private_key_password" parameters in each
> join attempt) until it succeeds or until I run out of user
> certificates.
Ideally, this would be done by selecting the certificate based on which
certificate the server used and what the server asked for in
CertificateRequest..
> What I would like to know is how do authentication servers behave when
> presented with unrecognised user certificates? Do they just log the
> failed attempts and let the device continue to try to join the
> network?
Implementation specific.. I have not seen servers that would lock the
account based on unexpected certificates, but that does not mean there
aren't any that would.
--
Jouni Malinen PGP id EFC895FA
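
Added example, not part of the original message and not wpa_supplicant code: a sketch of the selection the reply describes, parsing the body of a TLS CertificateRequest and offering only the credential whose issuer appears in the server's certificate_authorities list, so no certificate is presented to a network that did not ask for it. The function names, credential labels and CA names are hypothetical, and the request bytes are constructed sample data.

```python
import struct

def der_name(cn):
    """Constructed-data helper: minimal DER Name holding one commonName."""
    def tlv(tag, body):
        return bytes([tag, len(body)]) + body  # short-form length (<128 bytes)
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def build_request(types, ca_names):
    """Constructed-data helper: TLS 1.0/1.1 CertificateRequest body."""
    cas = b"".join(struct.pack("!H", len(d)) + d for d in ca_names)
    return bytes([len(types)]) + bytes(types) + struct.pack("!H", len(cas)) + cas

def parse_certificate_request(body, tls12=False):
    """Return (certificate_types, [DER DistinguishedName, ...])."""
    try:
        n = body[0]
        types, pos = list(body[1:1 + n]), 1 + n
        if len(types) != n:
            raise ValueError("truncated certificate_types")
        if tls12:  # TLS 1.2 inserts supported_signature_algorithms here
            pos += 2 + struct.unpack_from("!H", body, pos)[0]
        total = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        if pos + total != len(body):
            raise ValueError("certificate_authorities length mismatch")
        cas = []
        while pos < len(body):
            n = struct.unpack_from("!H", body, pos)[0]
            pos += 2
            if pos + n > len(body):
                raise ValueError("truncated DistinguishedName")
            cas.append(body[pos:pos + n])
            pos += n
        return types, cas
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated CertificateRequest") from exc

def select_credential(body, credentials, tls12=False):
    """credentials: {label: issuer Name in DER}. Returns a label or None."""
    _, cas = parse_certificate_request(body, tls12)
    for label, issuer in credentials.items():
        if issuer in cas:  # exact DER match; real stacks may normalise names
            return label
    return None  # empty or unmatched CA list: no hint, so offer nothing

# Constructed sample data (hypothetical CA names); 1 = rsa_sign
CREDS = {"corp-a": der_name("Corp A Issuing CA"),
         "corp-b": der_name("Corp B Issuing CA")}
REQ_B = build_request([1], [der_name("Corp B Issuing CA")])
```

Returning `None` when the CA list is empty or unmatched is a policy choice of this sketch; the TLS specification lets a client send any suitable certificate in that case.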