[PATCH] PEAP peer: allow autheap for EAP-TLS phase2 support

Alexander Clouter alex at digriz.org.uk
Fri Oct 9 10:31:23 EDT 2020


On Fri, 9 Oct 2020, at 13:22, Jouni Malinen wrote:
> Why would this be needed?

As the inner method is EAP-TLS and not a non-EAP method such as MSCHAPv2. If there is an already existing way of doing EAP-TLS inside PEAP then I could not find it in the examples provided with wpa_supplicant; maybe I missed them?

> EAP-PEAP inner method is configured with "auth", not "autheap".

I do not remember auth=*TLS* working for me when I tried it a few months ago, when I originally posted this.

> The "autheap" special case is needed with
> EAP-TTLS where both EAP and non-EAP inner methods are supported. That is
> not the case with EAP-PEAP.

PEAP supports EAP-TLS as an inner method. I could not get PEAP with EAP-TLS working as an inner method, but I noticed eapol_test/wpa_supplicant does support TTLS/EAP-TLS. I browsed the code, noticed autheap=... being used and cribbed the methodology from there.

If I did something wrong, sorry. I tried; I guessed at what needed to be done based on the existing code I saw already in there, and it looks like I made a crappy job of it all. Sorry.

> Furthermore, the commit message would need to include the Signed-off-by:
> line as described in the CONTRIBUTIONS file for me to be able to
> consider applying a patch.

My bad, I will get that added and reposted.


Alexander Clouter

