EAP-TTLS/EAP-TLS hostap configuration

Jouni Malinen
Sun Nov 27 02:53:29 PST 2011

On Sat, Nov 26, 2011 at 08:26:00PM +0000, Mr Dash Four wrote:

> In addition, I could use two different sets of certificates (ca, server, 
> user/client) for each phase. Assuming that is so, I created (just for 
> the purpose of testing - at least for now) an example 
> wpa_supplicant.conf (below). What I am struggling with is creating a 
> similar hostapd.conf configuration file as the template hostapd.conf 
> included with the hostap package does not have room for the second-phase 
> certificates to be specified (or at least I could not see any). Is that 
> feature implemented in hostap, or am I missing something obvious?

If you are using an external RADIUS server (FreeRADIUS), none of the EAP
configuration like certificates are used within hostapd.conf, i.e., the
EAP part is completely transparent to the AP in this case.

> In addition, I am asked to use "shared secret" 
> ("auth_server_shared_secret" and "acct_server_shared_secret" options) 
> for AP authentication to the RADIUS server.

That's the way RADIUS works.

> My understanding is that I 
> can also use certificates for that to authenticate AP to the RADIUS 
> server, isn't that the case? Again, I would like to avoid the use of 
> "shared secrets" and "passwords" in any of this and base this purely on 
> certificates - that is my ultimate aim in this.

Then you cannot use RADIUS and the design you have with an external
RADIUS server is not going to be feasible.

Jouni Malinen                                            PGP id EFC895FA
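
Added example, not part of the original message or of the hostap project: a small audit of a hostapd.conf used with an external RADIUS server, showing which settings the AP needs as a RADIUS client and which certificate settings play no part in EAP in that mode. The option names are real hostapd.conf keys; the sample file, its addresses and paths, and the helpers parse_conf() and audit() are constructed for illustration.

```python
# Added example: audit a hostapd.conf for external-RADIUS (pass-through) mode.
# Option names are real hostapd.conf keys; the sample file is constructed.

# Keys that configure hostapd's integrated EAP server only.
LOCAL_EAP_KEYS = {"eap_user_file", "ca_cert", "server_cert",
                  "private_key", "private_key_passwd", "dh_file"}
# Keys the AP needs in order to act as a RADIUS client.
RADIUS_KEYS = ("auth_server_addr", "auth_server_shared_secret")

SAMPLE_CONF = """\
# constructed sample; addresses are from the documentation range
interface=wlan0
ssid=example-net
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
eap_server=0
own_ip_addr=192.0.2.10
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
ca_cert=/etc/hostapd/ca.pem
server_cert=/etc/hostapd/server.pem
"""

def parse_conf(text):
    """Parse key=value lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return (external_radius_mode, findings) for a hostapd.conf string."""
    conf = parse_conf(text)
    # eap_server defaults to 0, i.e. EAP is relayed to the RADIUS server.
    external = conf.get("eap_server", "0") == "0" and "auth_server_addr" in conf
    findings = []
    if conf.get("ieee8021x") != "1":
        findings.append("ieee8021x=1 is required for EAP authentication")
    if external:
        findings += [f"missing {k}" for k in RADIUS_KEYS if k not in conf]
        findings += [f"{k} is not used: EAP terminates on the RADIUS server"
                     for k in sorted(LOCAL_EAP_KEYS & conf.keys())]
    return external, findings
```

Calling audit(SAMPLE_CONF) reports the two certificate lines as unused, which matches the reply above: the EAP-TTLS/EAP-TLS certificates belong in the RADIUS server's configuration, not in hostapd.conf.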
