EAP-TTLS/EAP-TLS hostap configuration
Mr Dash Four
mr.dash.four at googlemail.com
Sat Nov 26 15:26:00 EST 2011
My aim is to configure and use wireless clients using wpa_supplicant to
connect to an AP (which has hostapd installed on it - version 1.0-rc1),
which are then authorised via a freeRADIUS server (located on another
machine on a separate segment of the network) using the above
After reading the configuration file guides for both the wpa_supplicant
(wpa_supplicant.conf) and hostapd (hostapd.conf) I am at a loss as to
how this can be configured. I am more or less clear with the client side
and wpa_supplicant.conf, but I don't know how to configure the AP on
which the hostap daemon is installed.
The theory of EAP-TTLS/EAP-TLS - at least as far as I understand it -
allows for two phases of authentication and in both phases the
authentication/authorisation is done purely on the basis of certificates
and their various properties (CN, Subject, Issuer etc) - there is *no*
involvement of "passwords" or "shared secrets" in any way (or at least I
don't want to use any!).
In addition, I could use two different sets of certificates (ca, server,
user/client) for each phase. Assuming that is so, I created (just for
the purpose of testing - at least for now) an example
wpa_supplicant.conf (below). What I am struggling with is creating a
similar hostapd.conf configuration file as the template hostapd.conf
included with the hostap package does not have room for the second-phase
certificates to be specified (or at least I could not see any). Is that
feature implemented in hostap, or am I missing something obvious?
In addition, I am asked to use a "shared secret"
("auth_server_shared_secret" and "acct_server_shared_secret" options)
for AP authentication to the RADIUS server. My understanding is that I
can also use certificates for that to authenticate the AP to the RADIUS
server, isn't that the case? Again, I would like to avoid the use of
"shared secrets" and "passwords" in any of this and base this purely on
certificates - that is my ultimate aim in this.
Any help and advice on this would be gratefully received, thanks.
# WPA-EAP, EAP-TTLS/EAP-TLS with different CA, server & user
# certificates/private keys used for outer and inner authentication.
ap_scan=1 # <- default. Should be ap_scan=2 to deal with hidden APs, not
filter_ssids=1 # Only include configured ones. filter_ssids=0 is the default
bssid=00:11:22:33:44:55 # change only when known from AP
# Phase 1 / outer authentication
AS/emailAddress=ap_server at example.com"
altsubject_match="EMAIL:ap_server at example.com;DNS:dns.example.com;DNS:dns2.example.com"
# Phase 2 / inner authentication
AS/emailAddress=ap_server2 at example.com"
altsubject_match2="EMAIL:ap_server2 at example.com;DNS:dns.example.com;DNS:dns2.example.com"
# priority=10 - not applicable if scan_ssid=1 *and* ap_scan=2.
# The larger the number - the higher the priority
# eap_workaround=0 - only enable when everything is configured *and*
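Editor's note on the hostapd side of the question, with an added example that is not part of the original post. When hostapd is pointed at an external RADIUS server (eap_server=0), it acts as an 802.1X authenticator only: it relays the EAP frames inside RADIUS EAP-Message attributes and never terminates the TLS tunnel. Both the outer EAP-TTLS server certificate and the inner EAP-TLS exchange are therefore terminated and configured on the FreeRADIUS side (its eap module), which is why hostapd.conf has no place for second-phase certificates. The AP-to-RADIUS hop itself is protected only by the RADIUS shared secret (used for the Request/Response Authenticators and the Message-Authenticator attribute); certificate-based transport for that hop (RADIUS over TLS, RFC 6614) was not available in the hostapd 1.0 series, so the shared secret cannot be omitted there. Interface name, SSID, addresses (RFC 5737 documentation range) and the secret below are placeholders:

```ini
# hostapd.conf: WPA2-Enterprise AP forwarding EAP to an external RADIUS server.
# Added example, not from the original post; interface, SSID, addresses and
# the shared secret are placeholder values.
interface=wlan0
driver=nl80211
ctrl_interface=/var/run/hostapd
ssid=corp-eap
hw_mode=g
channel=6

# 802.1X/EAP. eap_server=0 makes hostapd relay EAP to RADIUS instead of
# terminating it with its own integrated EAP server (only that built-in server
# would use hostapd's ca_cert/server_cert/private_key options).
ieee8021x=1
eap_server=0

# RADIUS authentication/accounting servers on the other network segment.
# The shared secret is mandatory: it is what authenticates this AP to the
# RADIUS server and integrity-protects each RADIUS packet.
own_ip_addr=192.0.2.10
nas_identifier=ap1.example.com
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
acct_server_addr=192.0.2.20
acct_server_port=1813
acct_server_shared_secret=replace-with-a-long-random-secret

# How often (seconds) to retry the primary server after failing over.
radius_retry_primary_interval=600

# WPA2 with EAP key management: the PMK is delivered by the RADIUS server in
# the MS-MPPE-Recv-Key/MS-MPPE-Send-Key attributes of Access-Accept, so the
# AP never sees any client credential or certificate.
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
eapol_key_index_workaround=0
```

With this configuration the certificate checks the supplicant performs (subject_match/altsubject_match for phase 1, the *2 variants for phase 2) apply to the certificates FreeRADIUS presents, not to anything on the AP. The practical check is to run hostapd with -dd and confirm the log shows Access-Request/Access-Challenge round trips to the RADIUS server rather than the integrated EAP server handling the method; a "shared secret mismatch" condition shows up as the server silently discarding the requests until hostapd reports the server as unreachable.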