Two Factor Authentication using EAP-TTLS

Kanago, Kerwin kkanago at
Fri Sep 4 13:21:11 EDT 2015

I have more experience with external RAIDUS/EAP servers.
 AFAIK, EAP-TLS and EAP-TTLS standards both support either single direction or mutual authentication.

Enabling mutual auth typically requires a device certificate and CA certificate(s) on both the client and server.
Do you have valid certificates specified for both of these:

# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS

# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS

-----Original Message-----
From: Paresh Sawant [mailto:paresh.sawant at] 
Sent: Friday, September 04, 2015 9:58 AM
To: Kanago, Kerwin
Cc: hostap at
Subject: Re: Two Factor Authentication using EAP-TTLS

Thanks for your comments.

I'm using Hostap as a RADIUS server, and wanted to know if there is a way I could configured it to send certificate request to the client during TLS (outer authentication), so this could accomplish first factor of the authentication of the client. What I see with default EAP-TTLS configuration is it performs only server authentication using certificate in first phase.


On Fri, Sep 4, 2015 at 9:20 AM, Kanago, Kerwin <kkanago at> wrote:
>> Date: Thu, 3 Sep 2015 13:59:38 -0700
>> From: Paresh Sawant <paresh.sawant at>
>> To: hostap at
>> Subject: Two Factor Authentication using EAP-TTLS
>> Message-ID:
>> <CAJ5GY0f3ixfGPkD3vVkU58P2dkZOjdYjtNNsCEYDTyekvmVwJA at>
>> Content-Type: text/plain; charset=UTF-8
>> Hi,
>> Does hostap configuration support two factor authentication of the 
>> client? I'm looking for hostap configuration (as a RADIUS server) that'll allow client to be authenticated using certificate in outer phase and some other method e.g. EAP-MSCHAPV2 in the inner phase.
> Are you asking if EAP-TTLS and EAP-MSCHAPV is supported or if that's valid two factor auth?
> Doing EAP-TTLS as the outer method and EAP-MSCHAPv2 as the inner meets 
> the definition of two factor authentication. The certificates for TTLS 
> are "something you have" and MSCHAPv2 relies on credentials that are "something you know".
> Hostap with an external radius server will (so far as I know/have used 
> it) pass whatever EAP it gets to RADIUS, so it shouldn't (generally) care what kind of EAP methods you are using.
> kk
>> Thanks,
>> Paresh
> _______________________________________________
> HostAP mailing list
> HostAP at

More information about the HostAP mailing list