EAP-TTLS +PAP tunning

Jouni Malinen j
Wed May 7 01:32:07 PDT 2008


On Tue, May 06, 2008 at 10:56:54AM -0300, Sergio Belkin wrote:

> I have a freeradius server that is working well in  university. We use
> EAP-TTLS and PAP protocols.

> the nm-applet for setting the connection up. But I'd want to find a
> way to automatize it, that it finds the TTLS certificate and verifies
> the server name (I didn't see this feature in Linux). Could you help
> me to do this with wpa_supplicant? (What tools/apps and file config
> should I look?)

Is your server certificate signed by one of the common CAs (i.e.,
something that is included in trusted CA lists) or is this an in-house
self-signed CA (if yes, how is the CA certificate distributed to
clients?)?

wpa_supplicant can be configured to trust a set of CA certificates,
e.g., using a single PEM file with multiple files or using ca_path
parameter to point to a directory of trusted CA certificates. For
example, ca_path="/etc/ssl/certs" would do this on a Gentoo system (that
directory of CA certificates may differ in other distros). subject_match
and altsubject_match parameters can be used to configure requirements
for the authentication server certificate, e.g.,
altsubject_match="DNS:as.example.com".
 
-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list