EAP-TTLS with phase2="autheap=TLS" ?

Jouni Malinen jkmaline at cc.hut.fi
Tue Feb 7 22:03:57 EST 2006


On Tue, Feb 07, 2006 at 05:56:52PM -0500, Andrea G Forte wrote:

> I am confused by the example in the supplicant config file. In particular:
> 
> # WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
> # authentication.
> network={
>     eap=TTLS
> *  phase2="autheap=TLS" *

> It seems not to be a standard mode (phase2="autheap=TLS"). Earlier in 
> the config file:

What do you mean by a "standard mode"? Both EAP-PEAP and EAP-TTLS can
use multiple different EAP methods inside the tunnel (phase 2). This
particular example is using EAP-TLS for inner authentication.

> there is no mention of this other mode. Also, freeradius does not 
> support it (unless I have done something wrong) saying that TLS inside a 
> TTLS tunnel is not possible.

You are correct about FreeRADIUS not supporting this, but this is a
valid EAP-TTLS configuration (though, certainly not very commonly used).
See eap_testing.txt for RADIUS servers that have been tested
successfully in this mode with wpa_supplicant.

-- 
Jouni Malinen                                            PGP id EFC895FA
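
A small checker for the configuration discussed in this thread, added here as an illustration and not part of the original message or of wpa_supplicant: it splits the `phase2` string into `auth=` (non-EAP) and `autheap=` (EAP) inner methods and reports missing CA or key settings for the outer tunnel and for inner EAP-TLS. The function names, the sample block and its file paths are constructed, and the check assumes file-based credentials.

```python
import re

# Non-EAP inner methods selected with "auth="; "autheap=" selects an EAP method.
NON_EAP = {"PAP", "CHAP", "MSCHAP", "MSCHAPV2"}

# Constructed sample block (paths are placeholders).
SAMPLE = '''
network={
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/cert/ca.pem"
    phase2="autheap=TLS"
    ca_cert2="/etc/cert/ca2.pem"
    client_cert2="/etc/cert/user.pem"
    private_key2="/etc/cert/user.prv"
}
'''

def parse_block(text):
    """Return the key=value fields of one network block as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z0-9_]+)=(.*?)\s*$', line)
        if m and m.group(1) != "network":
            fields[m.group(1)] = m.group(2).strip('"')
    return fields

def check_ttls(fields):
    """Classify phase 2 methods and list certificate settings that are absent."""
    inner, problems = [], []
    for token in fields.get("phase2", "").split():
        kind, _, method = token.partition("=")
        if kind == "autheap" and method:
            inner.append(("EAP", method))
        elif kind == "auth" and method in NON_EAP:
            inner.append(("non-EAP", method))
        else:
            problems.append("unrecognised phase2 token: " + token)
    if "ca_cert" not in fields and "ca_path" not in fields:
        problems.append("outer TLS: no ca_cert/ca_path, server not verified")
    if ("EAP", "TLS") in inner:
        # Assumes file-based credentials for the inner EAP-TLS exchange.
        for key in ("ca_cert2", "private_key2"):
            if key not in fields:
                problems.append("inner EAP-TLS: missing " + key)
    return inner, problems

if __name__ == "__main__":
    print(check_ttls(parse_block(SAMPLE)))
```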


