Problems with EAP-TTLS/EAP-TLS - One Step further

Jouni Malinen j
Thu Oct 30 12:04:26 PDT 2008

On Thu, Oct 30, 2008 at 03:11:39PM +0100, Carolin Latze wrote:

> meanwhile I tried several things and didn't succeed but I have an idea 
> what's going wrong. It seems that the wpa_supplicant only takes the 
> engine for the outer authentication. Is that possible?

Yes, that is quite possible. I have not tested using OpenSSL engine in
phase 2.

> Therefore my question: On the wpa_supplicant homepage I saw that 
> EAP-TTLS/EAP-TLS has been tested with FreeRADIUS. Is there a place where 
> to download the test configurations? That would be very helpful for me! 
> I want to try to use EAP-TTLS/EAP-TLS without engine for a first test 
> (take out the complexity in order to understand it :)). I tried it with:

This worked when I lasted tested it, but I've only tested without an
engine and EAP-TLS inside EAP-PEAP or -TTLS has previously been somewhat
of a problem case, so you may need to update FreeRADIUS unless you are
using the latest release.

>         eap=TTLS
>         phase2="autheap=TLS"
>         identity=""
>         ca_cert="/home/latze/cert/cacert.pem"
>         client_cert2="/home/latze/cert/basisk_cert.pem"
>         private_key2="/home/latze/cert/basisk_key.pem"
>         private_key2_passwd="PW"

I would recommend including ca_cert2 here, too, so that wpa_supplicant
will verify server certificate in phase2 should the server be using a
different key in phase 1 and 2 (not really a very likely case, but
anyway, it is good to validate certificates both in phase 1 and 2).

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list