EAP-TTLS authentication

Jouni Malinen
Tue Aug 11 14:21:00 PDT 2015

On Tue, Aug 11, 2015 at 02:04:13PM -0700, Isaac Konikoff wrote:
> Here is my hostapd log showing a failure when HS2.0 is enabled and a
> success when HS2.0 is disabled. EAP-TTLS used in both cases,
> wpa_supplicant configs also included below.
> Is the failure due to an incorrect EAP method or TLS tunnel fail in phase 1?

> 1439324295.015930: EAP-Identity: Peer identity - hexdump_ascii(len=20):
>      61 6e 6f 6e 79 6d 6f 75 73 40 6d 79 74 65 73 74   anonymous@mytest
>      2e 63 6f 6d                                       .com
> 1439324295.015947: RADIUS SRV: [0x2c] EAP: EAP-Response/Identity 'anonymous@mytest.com'
> 1439324295.015952: EAP: EAP entering state SELECT_ACTION
> 1439324295.015957: EAP: getDecision: no more methods available -> FAILURE

The station has been configured to use anonymous@mytest.com as the outer
identity while the authentication server has no user enabled to match
that. Usually the easiest way of enabling EAP-TTLS is to add a wildcard
hostapd.eap_user entry like this:


For more restricted testing cases, you could also add an explicit rule
for that exact "anonymous@mytest.com" string if for some reason you do
not want to enable wildcard matching to enable EAP-TTLS.

Jouni Malinen                                            PGP id EFC895FA
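
Added example, not part of the original message and not hostapd code: a simplified Python model of how a hostapd.eap_user file is searched for a phase 1 (outer identity) entry, run against three constructed files. The sample users, passwords and the function names are assumptions; an empty result corresponds to the "no more methods available -> FAILURE" line in the quoted log.

```python
import re

# Constructed hostapd.eap_user samples (illustrative, not from the thread).
NO_OUTER_MATCH = '''
# only an inner (phase 2) user is defined
"testuser"  MSCHAPV2  "password"  [2]
'''
WILDCARD = '''
*  TTLS
"testuser"  MSCHAPV2  "password"  [2]
'''
EXPLICIT = '''
"anonymous@mytest.com"  TTLS
"testuser"  MSCHAPV2  "password"  [2]
'''

# identity is either a bare * or a quoted string with an optional trailing *
ENTRY = re.compile(r'^(?:(\*)|"([^"]*)"(\*)?)\s+(\S+)(.*)$')

def parse_eap_user(text):
    """Parse entries into dicts: identity (None = wildcard), prefix, methods, phase2."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        wildcard, ident, prefix, methods, rest = m.groups()
        entries.append({"identity": None if wildcard else ident,
                        "prefix": bool(prefix),
                        "methods": methods.split(","),
                        "phase2": "[2]" in rest})
    return entries

def phase1_methods(entries, identity):
    """EAP methods offered for an outer identity; first match wins, [] = failure."""
    for e in entries:
        if e["phase2"]:
            continue  # [2] entries are only consulted inside the tunnel
        if (e["identity"] is None
                or (e["prefix"] and identity.startswith(e["identity"]))
                or (not e["prefix"] and identity == e["identity"])):
            return e["methods"]
    return []
```

With the explicit rule, any other outer identity still gets no phase 1 method, which is the restriction the more limited testing case relies on.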
