Two Factor Authentication using EAP-TTLS
Jouni Malinen
j at w1.fi
Fri Sep 4 15:11:49 EDT 2015
On Fri, Sep 04, 2015 at 10:41:25AM -0700, Paresh Sawant wrote:
> Yes, I have valid certs installed installed on Hostapd side. I could
> confirm that by running EAP-TLS or EAP-TTLS.
>
> What I'm not able to do is make Hostapd send certificate request to
> the client in the way it does for EAP-TLS configuration.
hostapd EAP server is currently hardcoded to not require client
certificate for EAP-TTLS or EAP-PEAP. There is no configuration
parameter for this, but one-line source code change can be used if you
are looking at simply mandating this for every case. That change is to
modify the eap_server_tls_ssl_init() call in eap_peap_init() and
eap_ttls_init() to use verify_peer=1 instead of verify_peer=0. In other
words:
diff --git a/src/eap_server/eap_server_peap.c b/src/eap_server/eap_server_peap.c
index 51062b0..ce37286 100644
--- a/src/eap_server/eap_server_peap.c
+++ b/src/eap_server/eap_server_peap.c
@@ -182,7 +182,7 @@ static void * eap_peap_init(struct eap_sm *sm)
data->state = START;
data->crypto_binding = OPTIONAL_BINDING;
- if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_PEAP)) {
+ if (eap_server_tls_ssl_init(sm, &data->ssl, 1, EAP_TYPE_PEAP)) {
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
eap_peap_reset(sm, data);
return NULL;
diff --git a/src/eap_server/eap_server_ttls.c b/src/eap_server/eap_server_ttls.c
index 53ffa1e..6302a3a 100644
--- a/src/eap_server/eap_server_ttls.c
+++ b/src/eap_server/eap_server_ttls.c
@@ -347,7 +347,7 @@ static void * eap_ttls_init(struct eap_sm *sm)
data->ttls_version = EAP_TTLS_VERSION;
data->state = START;
- if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_TTLS)) {
+ if (eap_server_tls_ssl_init(sm, &data->ssl, 1, EAP_TYPE_TTLS)) {
wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
eap_ttls_reset(sm, data);
return NULL;
--
Jouni Malinen PGP id EFC895FA
More information about the HostAP
mailing list