Mutual TLS authentication in handshake phase of EAP-TTLS

Jouni Malinen j at w1.fi
Wed Mar 3 06:53:16 EST 2010


On Thu, Feb 25, 2010 at 11:42:11AM -0000, Lewis Adam-VNQM87 wrote:
> In EAP-TTLS, the TLS authentication may be mutual; or it may be one-way,
> in which only the server is authenticated to the client.
> 
> My question is, does eapol_test currently allow mutual TLS
> authentication for EAP-TTLS? If so, how do I configure it (or the
> configuration files) to do so? I believe the tunnelled protocol can also
> be TLS but I want to avoid this as I need to have the ability to verify
> users rather than the client (e.g. by doing user/password checks).

You can configure eapol_test to use client certificate/private key
during the TLS handshake in EAP-TTLS by adding the client_cert and
private_key options into the configuration as you would do with
EAP-TLS. In other words, ca_cert will make eapol_test check the server
certificate and private_key/client_cert will make it provide the
information needed for the server to be able to authenticate it.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list