EAP-TLS RADIUS login for local user authentication

Bob Friesenhahn bfriesen at simple.dallas.tx.us
Fri Jun 10 14:04:11 PDT 2022

We have an existing application (written in Python) which uses RADIUS 
for user authentication.  To satisfy security/crypto requirements, we 
are requested to use EAP-TLS via RADIUS because plain RADIUS is not 
sufficiently secure.

I have compiled 'wpa_supplicant' with the hope that this would do what 
is needed, but it seems to only do half of what is needed (the EAP-TLS 
login/session part).

In order to satisfy the requirement, it appears that 'hostapd' needs 
to be added like this:

   RADIUS Server <--> hostapd <--> wpa_supplicant <--> LOGIN App

It appears that with some work, a local client app can use 
wpa_supplicant to produce the EAP-TLS login session.

Hostapd responds to EAP-TLS login sessions by creating a RADIUS 

The underlying body of code in 'hostapd' and 'wpa_supplicant' is 
identical.  The problem is that neither application seems to have 
considered this possible requirement.

Is there something I am not aware of which is better than attempting 
to run 'hostapd' and 'wpa_supplicant' on the same system to support 
user authentication?

Is there an example application for initating a local authentication 
via 'wpa_supplicant'?

Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt

More information about the Hostap mailing list