Implementing Thesis Project

Jouni Malinen j at w1.fi
Tue Mar 15 08:15:46 EDT 2011


On Wed, Mar 09, 2011 at 08:39:49PM -0700, AltF4 wrote:
> But the TL;DR is that it's an EAP type like TTLS that uses a CA signed
> server side certificate, and no inner (client) authentication. I did
> make a really hackish proof-of-concept out of wpa_supplicant and hostapd
> using some config files. But it's not anything someone would actually
> want to use.
> 
> So I'm looking to make a "proper" implementation. Where would a good
> place to start, aside from just kind of digging through the code? (Which
> I fully intend to do, but I figured I'd ask.)

Is there any particular reason for using another EAP type for this? It
would sound much simpler to just use an existing type like TTLS with a
fixed username/password for this particular purpose. The extension of
binding SSID to the server certificate could (and probably should) be
done completely outside the scope of the EAP method. The EAP method
would just expose the server certificate that was used and after
successfully completed authentication, the upper layer code in the
supplicant would verify that the current SSID matches with the one
encoded in the CN.

-- 
Jouni Malinen                                            PGP id EFC895FA
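
The post-authentication check described in the message above, as an added example (not code from the original post or from wpa_supplicant). The struct, enum and function names are hypothetical, and it assumes the EAP method hands the upper layer the decoded CN of the server certificate together with the result of CA chain validation.

```c
#include <stddef.h>
#include <string.h>

#define SSID_MAX_LEN 32 /* an 802.11 SSID is 0..32 octets, not a C string */

/* Hypothetical view of what the EAP method exposes about the server cert. */
struct server_cert_info {
    int chain_verified;       /* chain validated against the configured CA */
    size_t cn_count;          /* number of CN attributes in the subject */
    const unsigned char *cn;  /* decoded CN value, length-delimited */
    size_t cn_len;
};

enum bind_result {
    BIND_OK, BIND_EAP_FAILED, BIND_CERT_UNVERIFIED,
    BIND_BAD_SSID, BIND_AMBIGUOUS_CN, BIND_MISMATCH
};

/* Run by the upper layer after the EAP method finishes; fails closed. */
enum bind_result check_ssid_binding(int eap_success,
                                    const struct server_cert_info *cert,
                                    const unsigned char *ssid, size_t ssid_len)
{
    if (!eap_success)
        return BIND_EAP_FAILED;
    if (cert == NULL || !cert->chain_verified)
        return BIND_CERT_UNVERIFIED;
    if (ssid == NULL || ssid_len == 0 || ssid_len > SSID_MAX_LEN)
        return BIND_BAD_SSID;      /* empty (wildcard) SSID cannot be bound */
    if (cert->cn_count != 1 || cert->cn == NULL)
        return BIND_AMBIGUOUS_CN;  /* zero or several CNs: refuse to guess */
    /* Exact octet comparison: equal length first, so a CN that is only a
     * prefix of the SSID (or stops at an embedded NUL) does not match. */
    if (cert->cn_len != ssid_len || memcmp(cert->cn, ssid, ssid_len) != 0)
        return BIND_MISMATCH;
    return BIND_OK;
}

/* Constructed sample data for illustration (not from the original post). */
const unsigned char SSID_A[] = "CampusNet";
const struct server_cert_info CERT_OK = {1, 1, (const unsigned char *)"CampusNet", 9};
const struct server_cert_info CERT_PREFIX = {1, 1, (const unsigned char *)"Campus", 6};
const struct server_cert_info CERT_TWO_CN = {1, 2, (const unsigned char *)"CampusNet", 9};
```

Any result other than `BIND_OK` would be treated by the caller as an authentication failure, even though the EAP method itself reported success.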