EAP-TTLS/EAP-TLS hostap configuration
Mr Dash Four
mr.dash.four
Sun Nov 27 08:30:06 PST 2011
>> In addition, I could use two different sets of certificates (ca, server,
>> user/client) for each phase. Assuming that is so, I created (just for
>> the purpose of testing - at least for now) an example
>> wpa_supplicant.conf (below). What I am struggling with is creating a
>> similar hostapd.conf configuration file as the template hostapd.conf
>> included with the hostap package does not have room for the second-phase
>> certificates to be specified (or at least I could not see any). Is that
>> feature implemented in hostap, or am I missing something obvious?
>>
>
> If you are using an external RADIUS server (FreeRADIUS), none of the EAP
> configuration like certificates are used within hostapd.conf, i.e., the
> EAP part is completely transparent to the AP in this case.
>
I see! So, if I use external RADIUS none of the EAP configuration, apart
from the shared_secret part, is applicable in my case, right? However,
if I decide to use hostapd as RADIUS would I be able to configure it
that way - with (potentially) two separate sets of ca, server & user
certificates for each phase (EAP-TTLS - outer, and then EAP-TLS - inner)?
In addition, is it possible to specify user-authentication matching by
certain certificate attributes (CN, Subject, etc.)? Is that implemented in
hostapd?
>> In addition, I am asked to use "shared secret"
>> ("auth_server_shared_secret" and "acct_server_shared_secret" options)
>> for AP authentication to the RADIUS server.
>>
>
> That's the way RADIUS works.
>
Yep, I understand that now, though I might consider using a separate
tunnelling for this in order to make sure this part is completely secure
- that provided I go via the FreeRADIUS route, which I am not 100% sure yet.
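A hostapd.conf fragment for the external-RADIUS case described in the reply, added here as an illustration (it is not from the original thread or from the hostapd package); the interface name, SSID, addresses and the secret are placeholders:

```ini
# Constructed example hostapd.conf: hostapd acts only as the 802.1X
# authenticator and forwards EAP to an external RADIUS server. EAP-TTLS /
# EAP-TLS and every certificate are handled on the RADIUS side, so none of
# the ca_cert / server_cert / private_key options are needed here.
interface=wlan0
driver=nl80211
ssid=example-eap
hw_mode=g
channel=6

# WPA2-Enterprise: EAP-based key management, no pre-shared key
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1

# Do not use hostapd's built-in EAP server (the external RADIUS server
# terminates EAP instead)
eap_server=0

# How this AP identifies itself to the RADIUS server (placeholder values)
own_ip_addr=192.0.2.10
nas_identifier=ap1.example.net

# Authentication server: the shared secret is the only credential the AP
# presents to RADIUS, so give each AP its own long, random secret
auth_server_addr=192.0.2.1
auth_server_port=1812
auth_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET

# Accounting server (same host in this example; it may differ)
acct_server_addr=192.0.2.1
acct_server_port=1813
acct_server_shared_secret=REPLACE_WITH_LONG_RANDOM_SECRET
```

The shared secret only protects the RADIUS exchange with RFC 2865's MD5-based scheme, which is why carrying AP-to-RADIUS traffic over a separate tunnel (IPsec, or RADIUS over TLS per RFC 6614) is common practice when the two hosts are not on a trusted link.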