Query: auth server bahaviour when presented with unknown user certs (EAP-TLS)

Jouni Malinen j at w1.fi
Thu Nov 27 08:31:46 EST 2008


On Thu, Nov 27, 2008 at 05:22:02PM +0800, Soh Kam Yung wrote:

> Suppose I have a device with two or more user certificates which are
> used to join two or more different EAP-TLS networks.  When I am
> requested to join a EAP-TLS network, I will try to join by passing the
> user certificates one by one to the server using wpa_supplicant (i.e.
> change the "private_key" and "private_key_password" parameters in each
> join attempt) until it succeeds or until I run out of user
> certificates.

Ideally, this would be done be selecting the certificate based on which
certificate server used and what the server asked for in
CertificateRequest..

> What I would like to know is how do authentication servers behave when
> presented with unrecognised user certificates?  Do they just log the
> failed attempts and let the device continue to try to join the
> network?

Implementation specific.. I have not seen servers that would lock the
account based on unexpected certificates, but that does not mean there
aren't any that would.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list