Well, I think I found the solution. Now I understood the TTLS algorithm. We only need the ca cert in the client and the server cert on the server. We don't need ca cert on server with TTLS. With freeradius we must configure the ca cert on server and because this I thought that ca cert on server was necessary, but with wpasupplicant/hostap isn't necessary. After studing ttls algorithm I undestood the reason why.<br>
<br>With TLS we need configure ca cert both in client and server, and both client and server certs too. <br><br>Now everything is working. :-)<br><br><div class="gmail_quote">On Wed, Jun 25, 2008 at 4:45 PM, Douglas Diniz <<a href="mailto:dgdiniz@gmail.com">dgdiniz@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi. <br><br>I was using wpa supplicant normally in my work, authenticating with TTLS/Mschapv2. <br>
I changed wpasupplicant code to work as a class, creating a function interface where I send a Eap packet as parameter and the class return another Eap packet as response.<br>
To do this I used the GIT code: <a href="http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=tree" target="_blank">http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=tree</a> , changing some parts of the code based on my needs.<br>
<br>All is working fine, but something is very strange about the certificates.<br>
<br>In eap_example_peer.c the certificates are load as following:<br><br> eap_ctx.eap_config.identity = (u8 *) os_strdup("user");<br> eap_ctx.eap_config.identity_len = 4;<br> eap_ctx.eap_config.password = (u8 *) os_strdup("password");<br>
eap_ctx.eap_config.password_len = 8;<br> eap_ctx.eap_config.ca_cert = (u8 *) os_strdup("ca.pem");<br><br>In eap_example_server.c are loaded as:<br><br> tparams.ca_cert = "ca.pem";<br> tparams.client_cert = "server.pem";<br>
tparams.private_key = "server.key";<br> tparams.private_key_passwd = "whatever";<br><br>This someway works. Then I changed the code to point to my certs:<br><br> peer:<br><br> eap_ctx.eap_config.identity = (u8 *) os_strdup("user");<br>
eap_ctx.eap_config.identity_len = 4;<br> eap_ctx.eap_config.password = (u8 *) os_strdup("password");<br> eap_ctx.eap_config.password_len = 8;<br> eap_ctx.eap_config.ca_cert = (u8 *) os_strdup("/home/douglas/DougTesteWPA/certificates/cacert.pem");<br>
<br> server:<br><br> tparams.ca_cert = "/home/douglas/DougTesteWPA/certificates/cacert.pem";<br> tparams.client_cert = "/home/douglas/DougTesteWPA/certificates/server_keycert.pem";<br> tparams.private_key = "/home/douglas/DougTesteWPA/certificates/server_keycert.pem";<br>
tparams.private_key_passwd = "doug";<br><br>This also works, but the strange is:<br><br>1-) I can change private_key_passwd to any password and the authentication still works!!! This password must be the same used to create the cacert, right?<br>
<br>2-) I can change the server cacert to any other cacert and the authentication still works!!! In TLS/TTLS all Ca's must be the same, right?<br><br>If I change server cert/key or the client ca, the authentication fails. Its seems that I only must have the client cacert and the server cert/key (derived from the client cacert) to authentication works. Then its seems that server cacert and private_key_passwd are not necessary. <br>
The strange is that authentication works. The phase 2 is working normally. If I change the mschapv2 user/password from server or client, authentication fails. Then all is ok. <br><br>Someone knows what is happening?<br><br>
Thanks....<br><br>
</blockquote></div><br>