Problems with EAP-TTLS/EAP-TLS - One Step further
Thu Oct 30 12:04:26 PDT 2008
On Thu, Oct 30, 2008 at 03:11:39PM +0100, Carolin Latze wrote:
> meanwhile I tried several things and didn't succeed but I have an idea
> what's going wrong. It seems that the wpa_supplicant only takes the
> engine for the outer authentication. Is that possible?
Yes, that is quite possible. I have not tested using OpenSSL engine in
> Therefore my question: On the wpa_supplicant homepage I saw that
> EAP-TTLS/EAP-TLS has been tested with FreeRADIUS. Is there a place where
> to download the test configurations? That would be very helpful for me!
> I want to try to use EAP-TTLS/EAP-TLS without engine for a first test
> (take out the complexity in order to understand it :)). I tried it with:
This worked when I lasted tested it, but I've only tested without an
engine and EAP-TLS inside EAP-PEAP or -TTLS has previously been somewhat
of a problem case, so you may need to update FreeRADIUS unless you are
using the latest release.
I would recommend including ca_cert2 here, too, so that wpa_supplicant
will verify server certificate in phase2 should the server be using a
different key in phase 1 and 2 (not really a very likely case, but
anyway, it is good to validate certificates both in phase 1 and 2).
Jouni Malinen PGP id EFC895FA
More information about the Hostap