TTLS TLS configuration

Tue Sep 23 10:23:46 PDT 2008

On Tue, Sep 23, 2008 at 05:36:43PM +0200, Fernando wrote:

> I want to perform an authentication using wpa_supplicant and freeradius 
> with EAP-TTLS using in phase 2 EAP-TLS but I don't know how configure it 
> in wpa_supplicant. I've wrote  in the configuration file 
> "phase2=auth=TLS"  is it ok? and I don't know where the different 

Close, but not quite.. EAP-TTLS uses phase2="autheap=TLS".

> configuration parameters of EAP-TLS must be placed, such as, client 
> cert, client priv etc. Can you provide me with an example of 
> configuration file?

network={
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous"
    identity="User"
    ca_cert="ca.pem"
    phase2="autheap=TLS"

    ca_cert2="ca.pem"
    client_cert2="user.pem"
    private_key2="user.pem"
    private_key2_passwd="whatever"
}

> I've written client cert, client priv... in the same configuration file 
> and I've been testing it but when the second phase starts the client 
> (wpa_supplicant) sends a NAK  when TLS is requested.

You probably used client_cert and private_key while the Phase 2
parameters need to be configured separately with
client_cert2/private_key2 to allow a somewhat odd case of someone using
different client cert in phase 1 and 2 (ca_cert vs. ca_cert2 could be
considered a bit more realistic case for difference to occur).

-- 
Jouni Malinen                                            PGP id EFC895FA