Two Factor Authentication using EAP-TTLS
Fri Sep 4 09:57:52 PDT 2015
Thanks for your comments.
I'm using Hostap as a RADIUS server, and wanted to know if there is a
way I could configured it to send certificate request to the client
during TLS (outer authentication), so this could accomplish first
factor of the authentication of the client. What I see with default
EAP-TTLS configuration is it performs only server authentication using
certificate in first phase.
On Fri, Sep 4, 2015 at 9:20 AM, Kanago, Kerwin <kkanago at ciena.com> wrote:
>> Date: Thu, 3 Sep 2015 13:59:38 -0700
>> From: Paresh Sawant <paresh.sawant at gmail.com>
>> To: hostap at lists.shmoo.com
>> Subject: Two Factor Authentication using EAP-TTLS
>> <CAJ5GY0f3ixfGPkD3vVkU58P2dkZOjdYjtNNsCEYDTyekvmVwJA at mail.gmail.com>
>> Content-Type: text/plain; charset=UTF-8
>> Does hostap configuration support two factor authentication of the client? I'm looking for hostap configuration (as a RADIUS server) that'll allow client to be authenticated using certificate in
>> outer phase and some other method e.g. EAP-MSCHAPV2 in the inner phase.
> Are you asking if EAP-TTLS and EAP-MSCHAPV is supported or if that's valid two factor auth?
> Doing EAP-TTLS as the outer method and EAP-MSCHAPv2 as the inner meets the definition of two
> factor authentication. The certificates for TTLS are "something you have" and MSCHAPv2 relies
> on credentials that are "something you know".
> Hostap with an external radius server will (so far as I know/have used it) pass whatever EAP it gets to
> RADIUS, so it shouldn't (generally) care what kind of EAP methods you are using.
> HostAP mailing list
> HostAP at lists.shmoo.com
More information about the Hostap