Questions for FIPS certification

Jouni Malinen j at
Fri Aug 28 14:44:34 EDT 2009

On Wed, Jul 01, 2009 at 07:24:31AM -0500, Michael Kurecka wrote:
> We are in the process of developing an AP/Client for FIPS certification. The
> authentication methods used for EAP are, at most, TLS, TTLS and PEAP
> (MSCHAPv2). I've been asked some questions concerning this and was hoping
> this forum might be able to better provide them.
> 1) What TLS, TTLS and PEAP cipher suites are supported?

That depends on which TLS library is used.

> 2) Is client authentication performed during TLS (Part 1 of PEAP)?

In most cases, PEAP is used without client authentication during TLS
(i.e., the server is authenticated in Phase 1 with TLS and the client in
Phase 2 with username/password).

> 3) Is it possible to disable PEAPv1 and allow only PEAPv2, and if so how
> (peaplabel=2)?

PEAPv2 is not fully supported and it is currently disabled. The version
configuration would be done with peapver=2.

Jouni Malinen                                            PGP id EFC895FA
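
The PEAP arrangement described in the reply, written as a wpa_supplicant network block. This is an added example, not part of the original message; the SSID, identity, password and certificate paths are constructed placeholders, and peapver=0 is an illustrative value for the version setting the reply mentions.

```conf
# Added example (not from the original post): PEAP/MSCHAPv2 with
# server-only authentication in Phase 1.
# All names, credentials and paths below are constructed placeholders.
network={
    ssid="example-ssid"
    key_mgmt=WPA-EAP
    eap=PEAP

    # Phase 1 (TLS tunnel): the server is authenticated by validating its
    # certificate against this CA. Without ca_cert the server certificate
    # is not verified, so the tunnel could terminate at any AP.
    ca_cert="/etc/cert/ca.pem"

    # No client_cert/private_key here, so the client is NOT authenticated
    # during TLS. Adding these two lines is what would supply a client
    # certificate in Phase 1 if the server requests one:
    # client_cert="/etc/cert/user.pem"
    # private_key="/etc/cert/user.key"

    # PEAP version is selected in phase1 with peapver=<n>.
    # Per the reply, peapver=2 is not fully supported and is disabled.
    phase1="peapver=0"

    # Phase 2 (inside the tunnel): the client is authenticated with
    # username/password using MSCHAPv2.
    phase2="auth=MSCHAPV2"
    identity="user@example.com"
    password="placeholder-password"
}
```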
