Determining EAP-TLS cipher suite

Jouni Malinen j at
Fri Aug 28 14:28:05 EDT 2009

On Thu, Aug 06, 2009 at 10:35:02AM -0500, Michael Kurecka wrote:
> I've been trying to determine which ciphers are used by hostapd and
> wpa_supplicant with a EAP-TLS configuration. I have a supplicant setup with
> wpa_supplicant, an authenticator setup with hostapd and connected to
> zeroshell as my authentication server (RADIUS). I've been able to determine
> which cipher the client uses in this situation, but I'm trying to better
> understand how it is determined. Which part of the system makes the
> determination of what is supported and what will be used? Is it the
> authenticator, authentication server, certificate, etc.?

If you are using hostapd as an authenticator with and external
authentication server, EAP-TLS is fully transparent to hostapd, i.e.,
the authentication server is in control here.

In TLS, the client sends a list of supported cipher suites and the
server selects which one of these to use (or rejects authentication if
none of the proposed suites are acceptable).

Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list