Mutual EAP-TTLS Authentication

Martin Schneider martincschneider
Tue Sep 23 06:03:09 PDT 2008

Hi Jouni

Maybe I start with our intentions: We plan to authenticate client and
server using certificates. After this has happened, we want to
exchange EAP-TNC data in a tunnel between client and server.

> What exactly do you mean with "mutual authentication" here? The common
> use case for EAP-TTLS is to authenticate the server during the TLS
> handshake (X.509 certificate verified against a trusted CA) and client
> during Phase 2 using username/password. Are you trying to use client
> certificate during TLS handshake? If yes, what would you expect to see
> in Phase 2?

Yes...! We try to use a client certificate during the TLS handshake
of EAP-TTLS (of course the server also has a cert...). After this step,
both parties are authenticated and we should have a TLS tunnel between
client and server. Now, in phase 2, we plan to use EAP-TNC to exchange
some other data measured on the client... If I understand the
information I read correctly, this setup should be possible. But in
reality it seems that the server is unable to verify the certificate
of the client for some reason.

What would you suggest? Is our setup feasible at all or do we need
another setup? EAP-TTLS/EAP-TLS + EAP-TNC??

