Two Factor Authentication using EAP-TTLS

Jouni Malinen j at
Fri Sep 4 15:11:49 EDT 2015

On Fri, Sep 04, 2015 at 10:41:25AM -0700, Paresh Sawant wrote:
> Yes, I have valid certs installed installed on Hostapd side. I could
> confirm that by running EAP-TLS or EAP-TTLS.
> What I'm not able to do is make Hostapd send certificate request to
> the client in the way it does for EAP-TLS configuration.

hostapd EAP server is currently hardcoded to not require client
certificate for EAP-TTLS or EAP-PEAP. There is no configuration
parameter for this, but one-line source code change can be used if you
are looking at simply mandating this for every case. That change is to
modify the eap_server_tls_ssl_init() call in eap_peap_init() and
eap_ttls_init() to use verify_peer=1 instead of verify_peer=0. In other

diff --git a/src/eap_server/eap_server_peap.c b/src/eap_server/eap_server_peap.c
index 51062b0..ce37286 100644
--- a/src/eap_server/eap_server_peap.c
+++ b/src/eap_server/eap_server_peap.c
@@ -182,7 +182,7 @@ static void * eap_peap_init(struct eap_sm *sm)
 	data->state = START;
 	data->crypto_binding = OPTIONAL_BINDING;
-	if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_PEAP)) {
+	if (eap_server_tls_ssl_init(sm, &data->ssl, 1, EAP_TYPE_PEAP)) {
 		wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
 		eap_peap_reset(sm, data);
 		return NULL;
diff --git a/src/eap_server/eap_server_ttls.c b/src/eap_server/eap_server_ttls.c
index 53ffa1e..6302a3a 100644
--- a/src/eap_server/eap_server_ttls.c
+++ b/src/eap_server/eap_server_ttls.c
@@ -347,7 +347,7 @@ static void * eap_ttls_init(struct eap_sm *sm)
 	data->ttls_version = EAP_TTLS_VERSION;
 	data->state = START;
-	if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_TTLS)) {
+	if (eap_server_tls_ssl_init(sm, &data->ssl, 1, EAP_TYPE_TTLS)) {
 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
 		eap_ttls_reset(sm, data);
 		return NULL;

Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list