Two Factor Authentication using EAP-TTLS

Paresh Sawant paresh.sawant
Fri Sep 4 12:27:12 PDT 2015


This is what I was looking for. Thanks!

Would it make sense to make it possible through a configuration (with
default value 0) in the next release?

Thanks,
Paresh

On Fri, Sep 4, 2015 at 12:11 PM, Jouni Malinen <j at w1.fi> wrote:
> On Fri, Sep 04, 2015 at 10:41:25AM -0700, Paresh Sawant wrote:
>> Yes, I have valid certs installed on Hostapd side. I could
>> confirm that by running EAP-TLS or EAP-TTLS.
>>
>> What I'm not able to do is make Hostapd send certificate request to
>> the client in the way it does for EAP-TLS configuration.
>
> hostapd EAP server is currently hardcoded to not require client
> certificate for EAP-TTLS or EAP-PEAP. There is no configuration
> parameter for this, but a one-line source code change can be used if you
> are looking at simply mandating this for every case. That change is to
> modify the eap_server_tls_ssl_init() call in eap_peap_init() and
> eap_ttls_init() to use verify_peer=1 instead of verify_peer=0. In other
> words:
>
>
> diff --git a/src/eap_server/eap_server_peap.c b/src/eap_server/eap_server_peap.c
> index 51062b0..ce37286 100644
> --- a/src/eap_server/eap_server_peap.c
> +++ b/src/eap_server/eap_server_peap.c
> @@ -182,7 +182,7 @@ static void * eap_peap_init(struct eap_sm *sm)
>         data->state = START;
>         data->crypto_binding = OPTIONAL_BINDING;
>
> -       if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_PEAP)) {
> +       if (eap_server_tls_ssl_init(sm, &data->ssl, 1, EAP_TYPE_PEAP)) {
>                 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
>                 eap_peap_reset(sm, data);
>                 return NULL;
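Review bot: the third argument to eap_server_tls_ssl_init() becomes a bare literal `1` on the changed line, which requires a client certificate from every EAP-PEAP peer with no way to opt out; since the covering mail itself notes there is no configuration parameter for this, it would be cleaner to read the value from the server configuration (defaulting to 0 to preserve current behaviour) than to hardcode it, and the change should state that PEAP peers unable to present a certificate will no longer complete the handshake.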
> diff --git a/src/eap_server/eap_server_ttls.c b/src/eap_server/eap_server_ttls.c
> index 53ffa1e..6302a3a 100644
> --- a/src/eap_server/eap_server_ttls.c
> +++ b/src/eap_server/eap_server_ttls.c
> @@ -347,7 +347,7 @@ static void * eap_ttls_init(struct eap_sm *sm)
>         data->ttls_version = EAP_TTLS_VERSION;
>         data->state = START;
>
> -       if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_TTLS)) {
> +       if (eap_server_tls_ssl_init(sm, &data->ssl, 1, EAP_TYPE_TTLS)) {
>                 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
>                 eap_ttls_reset(sm, data);
>                 return NULL;
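Review bot: same literal `1` as in the PEAP hunk; if the setting is made configurable it should be wired here from the same knob so EAP-TTLS and EAP-PEAP cannot drift apart, and the verify_peer meaning of that argument deserves a comment or named constant at the call site, since the literal gives a reader no hint that it toggles mandatory client-certificate verification.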
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
