Integrated EAP server -- certificate questions

Jouni Malinen jkmaline at cc.hut.fi
Thu Sep 7 22:01:16 EDT 2006


On Thu, Sep 07, 2006 at 05:29:50PM -0700, Chris Zimmermann wrote:
> My questions are regarding configuring the integrated EAP server in  
> hostapd v0.5.5 for EAP-TTLS.
> 
> From hostapd.eap_user
> 
> ># EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-SIM, and EAP-AKA do not use  
> >password option.
> ># EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE  
> >require a
> ># password.
> ># EAP-PEAP and EAP-TTLS require Phase 2 configuration.
> 
> ># Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
> 
> Does this mean that EAP-TTLS clients *must* use a client  
> certificate?  Or can they use a Phase 2 username/password?

No, EAP-TTLS (or PEAP) does not require client certificates. The phase 2
authentication can use username/password with EAP-MD5/MSCHAPv2/GTC.

> It appears that I must use provide a server or a CA certificate to  
> hostapd in order to do any EAP-TLS type EAP method, including EAP- 
> TTLS.  Is this accurate?

You will need to provide both the server certificate and trusted CA
certificate for the authentication to work properly. The certificate
chain from server certificate to the trusted CA certificate is included
in TLS handshake and supplicant (or well, EAP peer) will validate it.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list