
Two Factor Authentication using EAP-TTLS

Message ID 20150904191149.GA29534@w1.fi
State Not Applicable

Commit Message

Jouni Malinen Sept. 4, 2015, 7:11 p.m. UTC
On Fri, Sep 04, 2015 at 10:41:25AM -0700, Paresh Sawant wrote:
> Yes, I have valid certs installed on Hostapd side. I could
> confirm that by running EAP-TLS or EAP-TTLS.
> 
> What I'm not able to do is make Hostapd send certificate request to
> the client in the way it does for EAP-TLS configuration.

hostapd EAP server is currently hardcoded to not require a client
certificate for EAP-TTLS or EAP-PEAP. There is no configuration
parameter for this, but a one-line source code change can be used if you
are looking at simply mandating this for every case. That change is to
modify the eap_server_tls_ssl_init() call in eap_peap_init() and
eap_ttls_init() to use verify_peer=1 instead of verify_peer=0. In other
words:
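For readers who want to see what the server side of this two-factor setup looks like end to end, the following hostapd.conf and eap_user excerpt is an added example, not part of the thread or of the hostapd project's own documentation. It assumes a build that carries the verify_peer=1 change described above, so the EAP-TTLS server requests and validates a client certificate (first factor) and then runs an inner MSCHAPv2 password check (second factor). All paths, the SSID, the user name and the password are placeholders, and the assumption that hostapd validates the client certificate against ca_cert is labelled in the comments.

```ini
# hostapd.conf excerpt (constructed example; paths and identities are placeholders)
interface=wlan0
ssid=example-ttls-2fa
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP

# Built-in EAP server with its user database
eap_server=1
eap_user_file=/etc/hostapd/hostapd.eap_user

# Server identity presented in the outer TLS handshake
server_cert=/etc/hostapd/server.pem
private_key=/etc/hostapd/server.key
private_key_passwd=PLACEHOLDER-PASSPHRASE

# Trust anchor for the client certificate that the patched server now demands.
# Assumption: hostapd validates the presented client certificate against this
# CA, so a missing or mismatched ca_cert makes every TTLS handshake fail once
# verify_peer=1 is in effect.
ca_cert=/etc/hostapd/ca.pem

# ---- /etc/hostapd/hostapd.eap_user (constructed example) ----
# Phase 1: any outer identity may start EAP-TTLS (the client certificate is
# checked during the outer TLS handshake, first factor).
# *                     TTLS
# Phase 2: inner password check for the named user (second factor).
# "user@example.org"    TTLS-MSCHAPV2   "PLACEHOLDER-PASSWORD"   [2]
```

The eap_user lines are shown commented out only because they belong in a separate file; copy them into the file named by eap_user_file without the leading `#`. Because the source change mandates a client certificate for every EAP-TTLS and EAP-PEAP session, any supplicant configured without a client certificate will fail the outer handshake against this server, which is worth checking in hostapd's debug log before rolling the modified build out.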

Comments

Paresh Sawant Sept. 4, 2015, 7:27 p.m. UTC | #1
This is what I was looking for. Thanks!

Would it make sense to make it possible through a configuration (with
default value 0) in the next release?

Thanks,
Paresh

On Fri, Sep 4, 2015 at 12:11 PM, Jouni Malinen <j@w1.fi> wrote:
> On Fri, Sep 04, 2015 at 10:41:25AM -0700, Paresh Sawant wrote:
>> Yes, I have valid certs installed on Hostapd side. I could
>> confirm that by running EAP-TLS or EAP-TTLS.
>>
>> What I'm not able to do is make Hostapd send certificate request to
>> the client in the way it does for EAP-TLS configuration.
>
> hostapd EAP server is currently hardcoded to not require a client
> certificate for EAP-TTLS or EAP-PEAP. There is no configuration
> parameter for this, but a one-line source code change can be used if you
> are looking at simply mandating this for every case. That change is to
> modify the eap_server_tls_ssl_init() call in eap_peap_init() and
> eap_ttls_init() to use verify_peer=1 instead of verify_peer=0. In other
> words:
>
>
> diff --git a/src/eap_server/eap_server_peap.c b/src/eap_server/eap_server_peap.c
> index 51062b0..ce37286 100644
> --- a/src/eap_server/eap_server_peap.c
> +++ b/src/eap_server/eap_server_peap.c
> @@ -182,7 +182,7 @@ static void * eap_peap_init(struct eap_sm *sm)
>         data->state = START;
>         data->crypto_binding = OPTIONAL_BINDING;
>
> -       if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_PEAP)) {
> +       if (eap_server_tls_ssl_init(sm, &data->ssl, 1, EAP_TYPE_PEAP)) {
>                 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
>                 eap_peap_reset(sm, data);
>                 return NULL;
> diff --git a/src/eap_server/eap_server_ttls.c b/src/eap_server/eap_server_ttls.c
> index 53ffa1e..6302a3a 100644
> --- a/src/eap_server/eap_server_ttls.c
> +++ b/src/eap_server/eap_server_ttls.c
> @@ -347,7 +347,7 @@ static void * eap_ttls_init(struct eap_sm *sm)
>         data->ttls_version = EAP_TTLS_VERSION;
>         data->state = START;
>
> -       if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_TTLS)) {
> +       if (eap_server_tls_ssl_init(sm, &data->ssl, 1, EAP_TYPE_TTLS)) {
>                 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
>                 eap_ttls_reset(sm, data);
>                 return NULL;
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP@lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
Jouni Malinen Sept. 4, 2015, 9:35 p.m. UTC | #2
On Fri, Sep 04, 2015 at 12:27:12PM -0700, Paresh Sawant wrote:
> Would it make sense to make it possible through a configuration (with
> default value 0) in the next release?

There is currently no convenient mechanism for adding such a configuration
parameter. This is unlikely to happen in the next release (which I'd
rather get out sooner than later), but in general, it sounds fine to add
such a configuration parameter.

Patch

diff --git a/src/eap_server/eap_server_peap.c b/src/eap_server/eap_server_peap.c
index 51062b0..ce37286 100644
--- a/src/eap_server/eap_server_peap.c
+++ b/src/eap_server/eap_server_peap.c
@@ -182,7 +182,7 @@  static void * eap_peap_init(struct eap_sm *sm)
 	data->state = START;
 	data->crypto_binding = OPTIONAL_BINDING;
 
-	if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_PEAP)) {
+	if (eap_server_tls_ssl_init(sm, &data->ssl, 1, EAP_TYPE_PEAP)) {
 		wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
 		eap_peap_reset(sm, data);
 		return NULL;
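Review bot: the third argument of eap_server_tls_ssl_init() in eap_peap_init() is flipped from the bare literal 0 to the bare literal 1, so nothing at the call site says that this is verify_peer or that every EAP-PEAP peer without a client certificate will now fail the TLS handshake. Since the thread itself names a configuration parameter (defaulting to 0) as the intended long-term shape, suggest passing a value read from the EAP server configuration instead of hardcoding 1, or, if this stays a local modification, at least annotating the call, e.g. `/* verify_peer=1: require a client certificate for every PEAP session */`, so the behaviour change is visible to whoever maintains the patched tree.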
diff --git a/src/eap_server/eap_server_ttls.c b/src/eap_server/eap_server_ttls.c
index 53ffa1e..6302a3a 100644
--- a/src/eap_server/eap_server_ttls.c
+++ b/src/eap_server/eap_server_ttls.c
@@ -347,7 +347,7 @@  static void * eap_ttls_init(struct eap_sm *sm)
 	data->ttls_version = EAP_TTLS_VERSION;
 	data->state = START;
 
-	if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_TTLS)) {
+	if (eap_server_tls_ssl_init(sm, &data->ssl, 1, EAP_TYPE_TTLS)) {
 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
 		eap_ttls_reset(sm, data);
 		return NULL;
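Review bot: same hardcoded 1 as in the PEAP hunk, duplicated at a second call site in eap_ttls_init(); a future configuration option would have to touch both, and the two sites can drift apart. A single shared flag that both eap_peap_init() and eap_ttls_init() consult avoids that. Given the patch is marked Not Applicable and the commit message presents it as a one-line change for those who want to mandate client certificates in every case, a short comment at this call stating that EAP-TTLS now requires a client certificate would help anyone carrying it as a local modification.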