Two Factor Authentication using EAP-TTLS

Kanago, Kerwin kkanago at
Fri Sep 4 12:20:37 EDT 2015

> Date: Thu, 3 Sep 2015 13:59:38 -0700
> From: Paresh Sawant <paresh.sawant at>
> To: hostap at
> Subject: Two Factor Authentication using EAP-TTLS
> Message-ID:
>	<CAJ5GY0f3ixfGPkD3vVkU58P2dkZOjdYjtNNsCEYDTyekvmVwJA at>
> Content-Type: text/plain; charset=UTF-8
> Hi,
> Does hostap configuration support two factor authentication of the client? I'm looking for hostap configuration (as a RADIUS server) that'll allow client to be authenticated using certificate in
> outer phase and some other method e.g. EAP-MSCHAPV2 in the inner phase.

Are you asking if EAP-TTLS and EAP-MSCHAPV is supported or if that's valid two factor auth?

Doing EAP-TTLS as the outer method and EAP-MSCHAPv2 as the inner meets the definition of two 
factor authentication. The certificates for TTLS are "something you have" and MSCHAPv2 relies
on credentials that are "something you know".

Hostap with an external radius server will (so far as I know/have used it) pass whatever EAP it gets to 
RADIUS, so it shouldn't (generally) care what kind of EAP methods you are using.


> Thanks,
> Paresh

More information about the HostAP mailing list