Configuration of hostapd for: EAP-PEAP/TLS (outer PEAP and inner TLS configuration)

Jouni Malinen jkmaline
Sat Feb 10 19:52:31 PST 2007

On Wed, Jan 17, 2007 at 09:26:56AM +0100, Heiss, Stefan wrote:
> I want to configure hostapd in such a way that it will do outer PEAP and inner TLS configuration.

hostapd does not support this.

> There is actually an example for using TTLS/TLS (outer TTLS and inner TLS authentication) which is:
>  # WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner authentication.
> network={
> ssid="example"


This is not for hostapd, but for wpa_supplicant.

> From this example, I would like to derive the PEAP/TLS configuration, and version one would be: 
> network={
> ssid="example"
> key_mgmt=WPA-EAP
> eap=PEAP
> # Phase1 / outer authentication
> #anonymous_identity=anonymous at <mailto:>  => anonymous identity is not required for PEAP therefore leave it out
> ca_cert="/etc/cert/ca.pem"
> # Phase 2 / inner authentication
> phase2="autheap=TLS"

That should be auth=TLS for PEAP (only TTLS has two different types of
inner methods, auth=PAP/CHAP/MSCHAP/MSCHAPV2 and autheap=<eap method>;
that autheap for TTLS is similar to auth with PEAP).

> ca_cert2="/etc/cert/ca2.pem"
> client_cert2="/etc/cer/user.pem"
> private_key2="/etc/cer/user.prv"
> private_key2_passwd="password"
> priority=2

> I wonder which version would do the configuration correct for PEAP/TLS.

The first one was closer. phase2 should be changed, but other than that,
it looked fine.

Jouni Malinen                                            PGP id EFC895FA
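
The phase2 rule from the reply above, as an added example that is not part of the original message or of the hostapd/wpa_supplicant sources: a small Python check that parses wpa_supplicant `network={...}` blocks and flags an `autheap=` inner method under PEAP, or an EAP method given as `auth=` under TTLS. The function names are hypothetical, and the sample block is constructed from the configuration quoted in the thread.

```python
# Rule from the reply: PEAP takes phase2 "auth=<EAP method>"; only TTLS
# distinguishes "auth=PAP|CHAP|MSCHAP|MSCHAPV2" from "autheap=<EAP method>".
TTLS_NON_EAP = {"PAP", "CHAP", "MSCHAP", "MSCHAPV2"}

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # split once: values contain "="
            current[key.strip()] = value.strip().strip('"')
    return networks

def check_phase2(net):
    """Return a list of findings for the phase2 setting of one block."""
    outer = net.get("eap", "").upper()
    findings = []
    for item in net.get("phase2", "").split():
        key, _, method = item.partition("=")
        if outer == "PEAP" and key == "autheap":
            findings.append(f"PEAP uses auth=, not autheap=: change to auth={method}")
        elif outer == "TTLS" and key == "auth" and method.upper() not in TTLS_NON_EAP:
            findings.append(f"TTLS inner EAP method needs autheap={method}")
    return findings

# Constructed sample: the block from the question, then the same block with
# the phase2 change from the reply applied.
ASKED = '''
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/cert/ca.pem"
    phase2="autheap=TLS"
}
'''
CORRECTED = ASKED.replace("autheap=TLS", "auth=TLS")

if __name__ == "__main__":
    for name, conf in (("asked", ASKED), ("corrected", CORRECTED)):
        print(name, [check_phase2(n) for n in parse_networks(conf)])
```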
