Two Factor Authentication using EAP-TTLS

Paresh Sawant paresh.sawant at gmail.com
Fri Sep 4 13:41:25 EDT 2015


Yes, I have valid certs installed installed on Hostapd side. I could
confirm that by running EAP-TLS or EAP-TTLS.

What I'm not able to do is make Hostapd send certificate request to
the client in the way it does for EAP-TLS configuration.

Thanks,
Paresh

On Fri, Sep 4, 2015 at 10:21 AM, Kanago, Kerwin <kkanago at ciena.com> wrote:
> I have more experience with external RAIDUS/EAP servers.
>  AFAIK, EAP-TLS and EAP-TTLS standards both support either single direction or mutual authentication.
>
> Enabling mutual auth typically requires a device certificate and CA certificate(s) on both the client and server.
> Do you have valid certificates specified for both of these:
>
>
> # CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
> #ca_cert=/etc/hostapd.ca.pem
>
> # Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
> #server_cert=/etc/hostapd.server.pem
>
>
>
> -----Original Message-----
> From: Paresh Sawant [mailto:paresh.sawant at gmail.com]
> Sent: Friday, September 04, 2015 9:58 AM
> To: Kanago, Kerwin
> Cc: hostap at lists.shmoo.com
> Subject: Re: Two Factor Authentication using EAP-TTLS
>
> Thanks for your comments.
>
> I'm using Hostap as a RADIUS server, and wanted to know if there is a way I could configured it to send certificate request to the client during TLS (outer authentication), so this could accomplish first factor of the authentication of the client. What I see with default EAP-TTLS configuration is it performs only server authentication using certificate in first phase.
>
>
> Thanks,
> Paresh
>
> On Fri, Sep 4, 2015 at 9:20 AM, Kanago, Kerwin <kkanago at ciena.com> wrote:
>>
>>> Date: Thu, 3 Sep 2015 13:59:38 -0700
>>> From: Paresh Sawant <paresh.sawant at gmail.com>
>>> To: hostap at lists.shmoo.com
>>> Subject: Two Factor Authentication using EAP-TTLS
>>> Message-ID:
>>>
>>> <CAJ5GY0f3ixfGPkD3vVkU58P2dkZOjdYjtNNsCEYDTyekvmVwJA at mail.gmail.com>
>>> Content-Type: text/plain; charset=UTF-8
>>>
>>> Hi,
>>>
>>> Does hostap configuration support two factor authentication of the
>>> client? I'm looking for hostap configuration (as a RADIUS server) that'll allow client to be authenticated using certificate in outer phase and some other method e.g. EAP-MSCHAPV2 in the inner phase.
>>
>> Are you asking if EAP-TTLS and EAP-MSCHAPV is supported or if that's valid two factor auth?
>>
>> Doing EAP-TTLS as the outer method and EAP-MSCHAPv2 as the inner meets
>> the definition of two factor authentication. The certificates for TTLS
>> are "something you have" and MSCHAPv2 relies on credentials that are "something you know".
>>
>> Hostap with an external radius server will (so far as I know/have used
>> it) pass whatever EAP it gets to RADIUS, so it shouldn't (generally) care what kind of EAP methods you are using.
>>
>> kk
>>
>>>
>>> Thanks,
>>> Paresh
>>
>> _______________________________________________
>> HostAP mailing list
>> HostAP at lists.shmoo.com
>> http://lists.shmoo.com/mailman/listinfo/hostap


More information about the HostAP mailing list