EAP-TTLS authentication

Isaac Konikoff konikofi at candelatech.com
Tue Aug 11 17:53:19 EDT 2015


Thought I had anonymous at mytest.com covered with hostapd.eap_user entry:

"*@mytest.com" TLS,TTLS

but added

* TTLS

and it is now working...thanks!



On 08/11/2015 02:21 PM, Jouni Malinen wrote:
> On Tue, Aug 11, 2015 at 02:04:13PM -0700, Isaac Konikoff wrote:
>> Here is my hostapd log showing a failure when HS2.0 in enabled and a
>> success when HS2.0 is disabled. EAP-TTLS used in both cases,
>> wpa_supplicant configs also included below.
>>
>> Is the failure due to an incorrect EAP method or TLS tunnel fail in phase 1?
>
>> 1439324295.015930: EAP-Identity: Peer identity - hexdump_ascii(len=20):
>>       61 6e 6f 6e 79 6d 6f 75 73 40 6d 79 74 65 73 74   anonymous at mytest
>>       2e 63 6f 6d                                       .com
>> 1439324295.015947: RADIUS SRV: [0x2c 127.0.0.1] EAP:
>> EAP-Response/Identity 'anonymous at mytest.com'
>> 1439324295.015952: EAP: EAP entering state SELECT_ACTION
>> 1439324295.015957: EAP: getDecision: no more methods available -> FAILURE
>
> The station has been configured to use anonymous at mytest.com as the outer
> identity while the authentication server has no user enabled to match
> that. Usually the easiest way of enabling EAP-TTLS is to add a wildcard
> hostapd.eap_user entry like this:
>
> *	TTLS
>
>
> For more restricted testing cases, you could also add an explicit rule
> for that exact "anonymous at mytest.com" string if for some reason you do
> not want to enable wildcard matching to enable EAP-TTLS.
>



More information about the HostAP mailing list