Mutual TLS authentication in handshake phase of EAP-TTLS

Jouni Malinen j
Wed Mar 3 03:53:16 PST 2010

On Thu, Feb 25, 2010 at 11:42:11AM -0000, Lewis Adam-VNQM87 wrote:
> In EAP-TTLS, the TLS authentication may be mutual; or it may be one-way,
> in which only the server is authenticated to the client.
> My question is, does eapol_test currently allow mutual TLS
> authentication for EAP-TTLS? If so, how do I configure it (or the
> configuration files) to do so? I believe the tunnelled protocol can also
> be TLS but I want to avoid this as I need to have the ability to verify
> users rather than the client (e.g. by doing user/password checks).

You can configure eapol_test to use client certificate/private key
during the TLS handshake in EAP-TTLS by adding the client_cert and
private_key options into the configuration as you would do with
EAP-TLS. In other words, ca_cert will make eapol_test check the server
certificate and private_key/client_cert will make it provide the
information needed for the server to be able to authenticate it.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list