Problems with EAP-TTLS/EAP-TLS - One Step further
Jouni Malinen
j
Thu Oct 30 12:04:26 PDT 2008
On Thu, Oct 30, 2008 at 03:11:39PM +0100, Carolin Latze wrote:
> meanwhile I tried several things and didn't succeed but I have an idea
> what's going wrong. It seems that the wpa_supplicant only takes the
> engine for the outer authentication. Is that possible?
Yes, that is quite possible. I have not tested using OpenSSL engine in
phase 2.
> Therefore my question: On the wpa_supplicant homepage I saw that
> EAP-TTLS/EAP-TLS has been tested with FreeRADIUS. Is there a place where
> to download the test configurations? That would be very helpful for me!
> I want to try to use EAP-TTLS/EAP-TLS without engine for a first test
> (take out the complexity in order to understand it :)). I tried it with:
This worked when I lasted tested it, but I've only tested without an
engine and EAP-TLS inside EAP-PEAP or -TTLS has previously been somewhat
of a problem case, so you may need to update FreeRADIUS unless you are
using the latest release.
> eap=TTLS
>
> phase2="autheap=TLS"
>
> identity="10.1.1.5"
> ca_cert="/home/latze/cert/cacert.pem"
> client_cert2="/home/latze/cert/basisk_cert.pem"
> private_key2="/home/latze/cert/basisk_key.pem"
> private_key2_passwd="PW"
I would recommend including ca_cert2 here, too, so that wpa_supplicant
will verify server certificate in phase2 should the server be using a
different key in phase 1 and 2 (not really a very likely case, but
anyway, it is good to validate certificates both in phase 1 and 2).
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list