Windows wpa_supplicant EAP-TLS and PEAP with freeradius

Jouni Malinen j
Tue Dec 22 01:04:09 PST 2009

On Mon, Dec 21, 2009 at 06:06:25AM -0800, Vieri wrote:

> My goal is to allow the Windows clients to access a wireless network only if they meet the following requirements (both of them):
> * client certificate
> * authorized username/password
> Could I need EAP-TLS + PEAP (both at once)? Is this possible?

EAP does not allow sequences of different methods at the "top level", so
just running EAP-TLS and PEAP in sequence it not allowed. In theory, you
run a sequence of EAP methods inside a tunneled method, but in case of
PEAP, that is not normally used to run, say, EAP-TLS and EAP-MSCHAPv2.
Instead, you could use PEAP and require client certificate in Phase 1
and username/password in Phase 2. Though, not all authentication servers
support such configuration.

> I setup EAP-TLS and it seems to work with the following config file:
> ctrl_interface=
> network={
> 	ssid="WIFI1"
> 	proto=WPA
> 	key_mgmt=WPA-EAP
> 	pairwise=CCMP
> 	eap=TLS
> 	identity="anything"
> 	ca_cert="D:\cacert.pem"
> 	private_key="D:\d831.p12"
> }

If you want to run PEAP with client certificate, you could use this as a
starting point and just replace "eap=TLS" with "eap=PEAP" and add
password for Phase 2.

> (as a side note, I don't know why but it doesn't work with proto=WPA2; with the latter, it doesn't go past the AP and thus does not reach the RADIUS server)

As you sure the driver you use supports WPA2?

> Can this method be considered "safe enough"? (is there a better setup?)

I'm not sure sure how exactly you were planning on combining the two
configuration blocks, but assuming it would be using PEAP with client
certificate, it would be relatively safe configuration (assuming it is
configured correctly, i.e., require certificate validation on both the
server and the client).

> As stated before, I need to *require* both client certificates and valid username/passwords. 

This is more of a server configuration question that wpa_supplicant, but
assuming the server you use is enforcing that, it should be possible to
get wpa_supplicant providing the needed credentials during
authentication and to also validate the server certificate as long as
ca_cert is configuration.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list