Query: auth server behaviour when presented with unknown user certs (EAP-TLS)

Jouni Malinen
Thu Nov 27 05:31:46 PST 2008

On Thu, Nov 27, 2008 at 05:22:02PM +0800, Soh Kam Yung wrote:

> Suppose I have a device with two or more user certificates which are
> used to join two or more different EAP-TLS networks.  When I am
> requested to join a EAP-TLS network, I will try to join by passing the
> user certificates one by one to the server using wpa_supplicant (i.e.
> change the "private_key" and "private_key_password" parameters in each
> join attempt) until it succeeds or until I run out of user
> certificates.

Ideally, this would be done by selecting the certificate based on which
certificate the server used and what the server asked for in

> What I would like to know is how do authentication servers behave when
> presented with unrecognised user certificates?  Do they just log the
> failed attempts and let the device continue to try to join the
> network?

Implementation-specific. I have not seen servers that would lock the
account based on unexpected certificates, but that does not mean there
aren't any that would.

Jouni Malinen                                            PGP id EFC895FA
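The selection Jouni describes, as an added example that is not part of the thread and not wpa_supplicant code: the supplicant keeps the issuer Name of each candidate client certificate, parses the TLS 1.2 CertificateRequest the server sends (RFC 5246 section 7.4.4), and picks the candidates whose issuer appears in certificate_authorities. Reading "what the server asked for" as the CertificateRequest is my assumption; so is modelling each candidate by its already-extracted DER issuer Name rather than parsing X.509 here, and the two sample CA names and key file labels are constructed. When the server sends an empty certificate_authorities list it has given no hint, and the function falls back to the try-each-in-turn order from the original question.

```python
"""Pick an EAP-TLS client certificate from a TLS 1.2 CertificateRequest.

Added example, not wpa_supplicant code.  Candidate certificates are
modelled as (label, DER issuer Name); a real client would take that Name
from the X.509 certificate via its TLS library (assumption).
"""
import struct


def _der_tlv(tag, body):
    """Encode one DER TLV (lengths up to 65535 bytes)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    if len(body) < 0x100:
        return bytes([tag, 0x81, len(body)]) + body
    return bytes([tag, 0x82]) + struct.pack(">H", len(body)) + body


def der_name(rdns):
    """DER Name = SEQUENCE OF SET OF SEQUENCE { OID, PrintableString }."""
    sets = b"".join(
        _der_tlv(0x31, _der_tlv(0x30, _der_tlv(0x06, oid) +
                                      _der_tlv(0x13, val.encode("ascii"))))
        for oid, val in rdns)
    return _der_tlv(0x30, sets)


OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
OID_O = bytes.fromhex("55040a")   # id-at-organizationName (2.5.4.10)

# Constructed sample data: two networks, each with its own CA and client key.
CA_A = der_name([(OID_O, "Office A"), (OID_CN, "Office A Root CA")])
CA_B = der_name([(OID_O, "Office B"), (OID_CN, "Office B Root CA")])
CANDIDATES = [("office-a.key", CA_A), ("office-b.key", CA_B)]


def build_certificate_request(cert_types, sig_algs, ca_names):
    """Encode a TLS 1.2 CertificateRequest body (handshake header omitted)."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    body += struct.pack(">H", 2 * len(sig_algs))
    body += b"".join(bytes(sa) for sa in sig_algs)
    cas = b"".join(struct.pack(">H", len(n)) + n for n in ca_names)
    return body + struct.pack(">H", len(cas)) + cas


def parse_certificate_request(body):
    """Return (cert_types, sig_algs, [DER names]); ValueError on bad input."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated CertificateRequest")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    cert_types = list(take(take(1)[0]))
    (sa_len,) = struct.unpack(">H", take(2))
    if sa_len % 2:
        raise ValueError("odd supported_signature_algorithms length")
    sa_raw = take(sa_len)
    sig_algs = [(sa_raw[i], sa_raw[i + 1]) for i in range(0, sa_len, 2)]
    (ca_len,) = struct.unpack(">H", take(2))
    ca_raw = take(ca_len)
    if pos != len(body):
        raise ValueError("trailing bytes after CertificateRequest")
    names, p = [], 0
    while p < len(ca_raw):
        if p + 2 > len(ca_raw):
            raise ValueError("truncated certificate_authorities")
        (nlen,) = struct.unpack(">H", ca_raw[p:p + 2])
        p += 2
        if nlen == 0 or p + nlen > len(ca_raw):
            raise ValueError("bad DistinguishedName length")
        names.append(ca_raw[p:p + nlen])
        p += nlen
    return cert_types, sig_algs, names


def select_client_cert(candidates, cert_request_body):
    """Labels of candidates whose issuer the server listed, in config order.
    An empty certificate_authorities list carries no hint, so every
    candidate is returned and the caller tries them one by one."""
    _, _, ca_names = parse_certificate_request(cert_request_body)
    if not ca_names:
        return [label for label, _ in candidates]
    wanted = set(ca_names)  # DER Names compare by exact bytes
    return [label for label, issuer in candidates if issuer in wanted]


def is_malformed(body):
    """True if the body does not parse as a CertificateRequest."""
    try:
        parse_certificate_request(body)
        return False
    except ValueError:
        return True


def demo_request():
    """Constructed request from an 'Office B' server: rsa_sign/ecdsa_sign,
    sha256+rsa and sha256+ecdsa, one listed CA."""
    return build_certificate_request([1, 64], [(4, 1), (4, 3)], [CA_B])


def demo():
    return select_client_cert(CANDIDATES, demo_request())


if __name__ == "__main__":
    print("try keys in this order:", demo())
```

The returned label is what you would write into the network block's private_key/client_cert pair; the selection itself runs outside wpa_supplicant in this example. Only exact DER Name matches count, which is how TLS clients compare certificate_authorities entries; an empty result with a non-empty CA list means none of the configured certificates was issued by a CA the server named, and retrying them all would only produce the failed attempts the question asks about.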
