EAP-TTLS/EAP-TLS hostap configuration
Mr Dash Four
mr.dash.four
Sat Nov 26 12:26:00 PST 2011
My aim is to configure and use wireless clients using wpa_supplicant to
connect to an AP (which has hostapd installed on it - version 1.0-rc1),
which are then authorised via a freeRADIUS server (based on another
machine on a separate segment of the network) using the above
authentication mechanisms.
After reading the configuration file guides for both the wpa_supplicant
(wpa_supplicant.conf) and hostapd (hostapd.conf) I am at a loss as to
how this can be configured. I am more or less clear with the client side
and wpa_supplicant.conf, but I don't know how to configure the AP on
which the hostap daemon is installed.
The theory of EAP-TTLS/EAP-TLS - at least as far as I understand it -
allows for two phases of authentication and in both phases the
authentication/authorisation is done purely on the basis of certificates
and their various properties (CN, Subject, Issuer etc) - there is *no*
involvement of "passwords" or "shared secrets" in any way (or at least I
don't want to use any!).
In addition, I could use two different sets of certificates (ca, server,
user/client) for each phase. Assuming that is so, I created (just for
the purpose of testing - at least for now) an example
wpa_supplicant.conf (below). What I am struggling with is creating a
similar hostapd.conf configuration file as the template hostapd.conf
included with the hostap package does not have room for the second-phase
certificates to be specified (or at least I could not see any). Is that
feature implemented in hostap, or am I missing something obvious?
In addition, I am asked to use "shared secret"
("auth_server_shared_secret" and "acct_server_shared_secret" options)
for AP authentication to the RADIUS server. My understanding is that I
can also use certificates for that to authenticate AP to the RADIUS
server, isn't that the case? Again, I would like to avoid the use of
"shared secrets" and "passwords" in any of this and base this purely on
certificates - that is my ultimate aim in this.
Any help and advice on this would be gratefully received, thanks.
=============(example) wpa_supplicant.conf=====================================
# WPA-EAP, EAP-TTLS/EAP-TLS with different CA, server & user certificates/private keys used for outer and inner authentication.
ctrl_interface=/var/run/wps
eapol_version=2
ap_scan=1 # <- default. Should be ap_scan=2 to deal with hidden APs, not sure though!
country=UK
bss_max_count=10
filter_ssids=1 # Only include configured ones. filter_ssids=0 is the default
network={
disabled=0
scan_ssid=1
ssid="example_ssid"
bssid=00:11:22:33:44:55 # change only when known from AP
proto=WPA2
key_mgmt=WPA-EAP
auth_alg=OPEN
eap=TTLS
# Phase 1 / outer authentication
ca_cert="/etc/cert/ca_p1.pem"
subject_match="/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=ap_server@example.com"
altsubject_match="EMAIL:ap_server@example.com;DNS:dns.example.com;DNS:dns2.example.com"
client_cert="/etc/cer/user_p1.pem"
private_key="/etc/cer/user_p1.key"
private_key_passwd="password"
# Phase 2 / inner authentication
phase2="autheap=TLS"
ca_cert2="/etc/cert/ca_p2.pem"
subject_match2="/C=US/ST=CA/L=San Francisco/CN=Test2 AS/emailAddress=ap_server2@example.com"
altsubject_match2="EMAIL:ap_server2@example.com;DNS:dns.example.com;DNS:dns2.example.com"
client_cert2="/etc/cer/user_p2.pem"
private_key2="/etc/cer/user_p2.key"
private_key2_passwd="password2"
# priority=10 - not applicable if scan_ssid=1 *and* ap_scan=2. The larger the number - the higher the priority
# eap_workaround=0 - only enable when everything is configured *and* works!
}
==================================================
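For the setup described in the post (hostapd on the AP, freeRADIUS on a separate machine), the AP side is the pass-through case: with an external RADIUS server hostapd only relays EAPOL frames to RADIUS and never terminates the TLS tunnel itself, so neither the phase 1 (EAP-TTLS) nor the phase 2 (EAP-TLS) certificates appear in hostapd.conf; they are configured on the RADIUS server. The following hostapd.conf is an added example, not from the original post or the hostap project; the interface, SSID, addresses, NAS identifier and secret are placeholders.

```ini
# hostapd.conf (added example). AP acting as an 802.1X authenticator that
# relays EAP to an external RADIUS server. All values are placeholders.
interface=wlan0
driver=nl80211
ssid=example_ssid
hw_mode=g
channel=6

# 802.1X/EAP: hostapd forwards EAP between the station and the RADIUS server.
ieee8021x=1
eapol_version=2

# WPA2 with EAP key management; no pre-shared key anywhere in this file.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP

# Use the external RADIUS server, not hostapd's integrated EAP server.
# With eap_server=0 the AP does not terminate TLS, so the outer and inner
# CA/server/client certificates are not configured here.
eap_server=0

# Authentication server (placeholder address). The shared secret is what
# authenticates this AP to the RADIUS server over RADIUS/UDP; use a long
# random value and keep hostapd.conf readable only by root.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE_ME_long_random_secret

# Accounting server (optional; placeholder address).
acct_server_addr=192.0.2.10
acct_server_port=1813
acct_server_shared_secret=CHANGE_ME_long_random_secret

# How this AP identifies itself to the RADIUS server (placeholders).
own_ip_addr=192.0.2.20
nas_identifier=ap1.example.com
```

Comments are kept on their own lines because hostapd's config parser treats a whole line as key=value and, unlike wpa_supplicant, does not strip trailing `#` comments. The station-side wpa_supplicant.conf above still controls which server certificate the client accepts for each phase (ca_cert/subject_match and ca_cert2/subject_match2), which is where the certificate-only checking the post asks about is enforced on the client.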