Mutual EAP-TTLS Authentication

Jouni Malinen j
Tue Sep 23 06:09:48 PDT 2008


On Tue, Sep 23, 2008 at 03:03:09PM +0200, Martin Schneider wrote:

> Maybe I start with our intentions: We plan to authenticate client and
> server using certificates. After this has happended, we want to
> exchange EAP-TNC data in a tunnel between client and server.

OK.

> Yes...! We try to use a client certificates during the TLS handshake
> of EAP-TTLS (of cause the server also has a cert...). After this step,
> both parties are authetnicated and we should have a TLS tunnel between
> client and server. Now, in phase 2, we plan to use EAP-TNC to exchange
> some other data measured on the client... If I understand the
> information I read correctly, this setup should be possible. But in
> reality it seems, that the server is unable to verify the certificate
> of the client for some reason.
> 
> What would you suggest? Is our setup feasible at all or do we need
> another setup? EAP-TTLS/EAP-TLS + EAP-TNC??

That sounds like a valid configuration for EAP-TTLS. I would expect
wpa_supplicant to be able to handle that. However, I'm not sure that
hostapd would support that type of configuration currently.. My first
assumption is that there would be need for at least adding support for
enforcing client certificate validation (either enforce it for TLS or
ideally, verify after TLS handshake whether it was done or not) and then
option to skip phase 2 authentication step and just move directly to
EAP-TNC (that might already be doable).

EAP-TTLS/EAP-TLS with TNC enabled would be a way to approximate this
with the current version, i.e., the main difference would be in the
extra TLS handshake inside the tunnel.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list