TNC: Use TNC as phase2 method

Jouni Malinen j at w1.fi
Mon Mar 16 04:30:35 EDT 2009


On Mon, Mar 16, 2009 at 04:21:12PM +0900, Masashi Honma wrote:

> I can connect with TNC and MSCHAP.
> wpa_supplicant is configured as below.
> 	phase2="auth=MSCHAP"
> 
> I can connect with TNC and MSCHAPv2 too.
> 	phase2="auth=MSCHAPV2"
> 
> But I can't connect with TNC as phase2 method.
> 	phase2="auth=TNC"

If this is for EAP-TTLS, you will need to use phase2="autheap=TNC" style
configuration for any EAP method since EAP-TTLS supports both non-EAP
and EAP methods as the inner method.

> If phase2 method is not MSCHAPv2, "eap_ttls_process_msg" function
> (in eap_server/eap_ttls.c) calls "eap_ttls_start_tnc" function
> after "eap_ttls_process_phase2" function. When phase2 method = MSCHAP,
> it works. But when phase2 method = TNC, it doesn't work.
> Because the TNCS sends the start frame twice.
> 
> Is TNC as the phase2 method not supported?

hostapd tries to run TNC automatically in sequence inside the tunnel,
i.e., it expects there to be a separate, tunneled authentication
mechanism, too. wpa_supplicant might be able to support EAP-TTLS in a
configuration where both server and client authentication is taken care
of in the phase 1 TLS handshake (i.e., client certificate is used) and
only EAP-TNC is used in phase 2 (i.e., there is no real authentication
method inside the tunnel). However, I don't think hostapd is able to do
this without some modifications.

Anyway, in most use cases, the goal is not to require TNC to be
explicitly configured for the client, but to use it automatically in
phase 2 if the server asks to use TNC.

-- 
Jouni Malinen                                            PGP id EFC895FA
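As an added illustration (not part of the original post or the hostap project's own examples), the two EAP-TTLS phase2 forms discussed above, side by side in wpa_supplicant.conf syntax. The SSID, identities, password and CA certificate path are placeholders; the second block shows the "autheap=" form the reply says is required for any EAP inner method such as EAP-TNC, while the reply also notes that hostapd may not accept EAP-TNC as the only inner method without modifications.

```conf
# Added example, not from the mailing-list post.
# Two wpa_supplicant network blocks contrasting the phase2 forms for EAP-TTLS.
# All values (SSID, identities, password, CA path) are placeholders.

# 1) Non-EAP inner method: phase2="auth=<method>" (MSCHAP / MSCHAPV2 as in the post).
network={
    ssid="example-enterprise"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous"            # outer identity, sent in the clear
    identity="user@example.org"               # placeholder inner identity
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/example-ca.pem"   # placeholder path; pins the server's CA
    phase2="auth=MSCHAPV2"
}

# 2) EAP inner method: phase2="autheap=<EAP method>".
#    TNC is an EAP method, so it needs this form; phase2="auth=TNC" does not work.
network={
    ssid="example-enterprise"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous"
    identity="user@example.org"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/example-ca.pem"
    phase2="autheap=TNC"
}
```

Setting ca_cert in both blocks is what lets the client verify it is talking to the intended server before any inner credential or TNC exchange happens inside the tunnel.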

