EAP-TTLS/EAP-TLS hostap configuration
Mr Dash Four
mr.dash.four at googlemail.com
Sun Nov 27 11:30:06 EST 2011
>> In addition, I could use two different sets of certificates (ca, server,
>> user/client) for each phase. Assuming that is so, I created (just for
>> the purpose of testing - at least for now) an example
>> wpa_supplicant.conf (below). What I am struggling with is creating a
>> similar hostapd.conf configuration file as the template hostapd.conf
>> included with the hostap package does not have room for the second-phase
>> certificates to be specified (or at least I could not see any). Is that
>> feature implemented in hostap, or am I missing something obvious?
> If you are using an external RADIUS server (FreeRADIUS), none of the EAP
> configuration like certificates are used within hostapd.conf, i.e., the
> EAP part is completely transparent to the AP in this case.
I see! So, if I use external RADIUS none of the EAP configuration, apart
from the shared_secret part, is applicable in my case, right? However,
if I decide to use hostapd as RADIUS would I be able to configure it
that way - with (potentially) two separate sets of ca, server & user
certificates for each phase (EAP-TTLS - outer, and then EAP-TLS - inner)?
In addition, is it possible to specify user-authentication matching by
certain certificate attributes (CN, Subject etc), is that implemented in
>> In addition, I am asked to use "shared secret"
>> ("auth_server_shared_secret" and "acct_server_shared_secret" options)
>> for AP authentication to the RADIUS server.
> That's the way RADIUS works.
Yep, I understand that now, though I might consider using a separate
tunnelling for this in order to make sure this part is completely secure
- that provided I go via the freeRADIUS route, which I am not 100% sure yet.
More information about the HostAP