On Fri, 2003-06-13 at 10:25, Zhou Ping wrote:
> Hello,
>
> I have some problems when implementing the TTLS module. According to the draft, the
> client does not need to have a certificate to authenticate itself, which leads to
> phase 2 of the protocol. If the client has a proper certificate, then mutual
> authentication is achieved and there is no need for phase 2. So I think I have to
> modify the eaptls_ack_handler() to handle the Finished message. But how can I know
> if the client has already authenticated itself (i.e. it has a certificate)? Maybe I
> should also modify some of the callback functions? Thanks for any help.
I don't think that's exactly true. If you're using the TTLS EAP-Type, then you have to stick with that and not short-circuit if the client sends a certificate during the first phase. Once phase 1 has completed in TTLS, and the server has authenticated itself, it goes into Phase 2. Phase 2 is handled as a totally new EAP conversation embedded in the TLS-secured context of the first phase. It is in this phase where the client can then choose to either send a certificate or to use one of the other available EAP methods. IOW, if the EAP-Type is TTLS, then there have to be two phases regardless of whether the client authentication is also performed with certificates.

--
--Mike
--------------------------------
Michael Griego
Wireless Network Administrator
University of Texas at Dallas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
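An added illustration of the two-phase structure Mike describes; this is example code written for this page, not code from the original thread or from the FreeRADIUS TTLS module. The phase and event names (ttls_phase, ttls_event, ttls_step) are assumptions chosen for the example. The phase-2 AVP layout (4-byte code, flags byte with V/M bits, 3-byte length, data padded to 4 bytes, EAP-Message carried as AVP code 79) follows the EAP-TTLS draft; the inner EAP-Response/Identity packet is constructed sample data. The point the state machine makes is the one in the reply: whether or not the client presented a certificate in phase 1, a TTLS conversation still proceeds to phase 2.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Phases of an EAP-TTLS conversation: phase 1 is the TLS handshake (the
 * server authenticates with its certificate; the client may or may not
 * present one), phase 2 is a fresh EAP conversation carried as AVPs
 * inside the TLS tunnel. Names are assumptions for this example. */
enum ttls_phase { TTLS_PHASE1_HANDSHAKE, TTLS_PHASE2_INNER_EAP,
                  TTLS_SUCCESS, TTLS_FAILURE };

enum ttls_event { EV_HANDSHAKE_DONE_NO_CLIENT_CERT, EV_HANDSHAKE_DONE_CLIENT_CERT,
                  EV_TLS_ERROR, EV_INNER_EAP_SUCCESS, EV_INNER_EAP_FAILURE };

/* Advance the state machine. Both "handshake done" events lead to phase 2:
 * a client certificate in phase 1 does not short-circuit TTLS. */
enum ttls_phase ttls_step(enum ttls_phase cur, enum ttls_event ev)
{
    switch (cur) {
    case TTLS_PHASE1_HANDSHAKE:
        if (ev == EV_HANDSHAKE_DONE_NO_CLIENT_CERT ||
            ev == EV_HANDSHAKE_DONE_CLIENT_CERT)
            return TTLS_PHASE2_INNER_EAP;
        return ev == EV_TLS_ERROR ? TTLS_FAILURE : cur;
    case TTLS_PHASE2_INNER_EAP:
        if (ev == EV_INNER_EAP_SUCCESS) return TTLS_SUCCESS;
        if (ev == EV_INNER_EAP_FAILURE || ev == EV_TLS_ERROR) return TTLS_FAILURE;
        return cur;
    default:
        return cur;                     /* terminal states absorb everything */
    }
}

#define TTLS_AVP_FLAG_V 0x80            /* Vendor-ID present */
#define TTLS_AVP_FLAG_M 0x40            /* mandatory: peer must understand it */
#define TTLS_AVP_EAP_MESSAGE 79         /* AVP code carrying an inner EAP packet */

/* Encode one phase-2 AVP (no Vendor-ID): 4-byte code, 1-byte flags, 3-byte
 * length covering header + data (not padding), data padded to 4 bytes.
 * Returns bytes written including padding, or 0 on error. */
size_t ttls_avp_encode(uint8_t *out, size_t cap, uint32_t code, int mandatory,
                       const uint8_t *data, size_t dlen)
{
    size_t len = 8 + dlen, padded = (len + 3) & ~(size_t)3;
    if (len > 0xFFFFFF || padded > cap) return 0;
    out[0] = (uint8_t)(code >> 24); out[1] = (uint8_t)(code >> 16);
    out[2] = (uint8_t)(code >> 8);  out[3] = (uint8_t)code;
    out[4] = mandatory ? TTLS_AVP_FLAG_M : 0;
    out[5] = (uint8_t)(len >> 16);  out[6] = (uint8_t)(len >> 8);
    out[7] = (uint8_t)len;
    memcpy(out + 8, data, dlen);
    memset(out + 8 + dlen, 0, padded - len);
    return padded;
}

/* Decode the AVP at the front of a tunnelled buffer. Returns bytes consumed
 * (including padding) or 0 if the header, length or padding is truncated. */
size_t ttls_avp_decode(const uint8_t *in, size_t avail, uint32_t *code,
                       int *mandatory, const uint8_t **data, size_t *dlen)
{
    size_t len, hdr, padded;
    if (avail < 8) return 0;
    len = ((size_t)in[5] << 16) | ((size_t)in[6] << 8) | in[7];
    hdr = (in[4] & TTLS_AVP_FLAG_V) ? 12 : 8;
    padded = (len + 3) & ~(size_t)3;
    if (len < hdr || padded > avail) return 0;
    *code = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
            ((uint32_t)in[2] << 8) | in[3];
    *mandatory = (in[4] & TTLS_AVP_FLAG_M) != 0;
    *data = in + hdr;
    *dlen = len - hdr;
    return padded;
}

/* Constructed sample: inner EAP-Response/Identity for "alice"
 * (Code 2 = Response, Identifier 1, Length 10, Type 1 = Identity). */
static const uint8_t inner_eap[] = { 0x02, 0x01, 0x00, 0x0a, 0x01, 'a', 'l', 'i', 'c', 'e' };

/* Wrap the inner packet in an EAP-Message AVP, decode it back and check
 * that truncated input is rejected. Returns 1 on success, 0 otherwise. */
int ttls_phase2_roundtrip(void)
{
    uint8_t buf[64]; uint32_t code; int mandatory; const uint8_t *d; size_t dlen;
    size_t n = ttls_avp_encode(buf, sizeof buf, TTLS_AVP_EAP_MESSAGE, 1,
                               inner_eap, sizeof inner_eap);
    if (n != 20) return 0;                          /* 8 header + 10 data + 2 pad */
    if (ttls_avp_decode(buf, n, &code, &mandatory, &d, &dlen) != n) return 0;
    if (code != TTLS_AVP_EAP_MESSAGE || !mandatory) return 0;
    if (dlen != sizeof inner_eap || memcmp(d, inner_eap, dlen) != 0) return 0;
    if (ttls_avp_decode(buf, 7, &code, &mandatory, &d, &dlen) != 0) return 0;
    if (ttls_avp_decode(buf, n - 1, &code, &mandatory, &d, &dlen) != 0) return 0;
    return d[0] == 0x02 && d[4] == 0x01;            /* EAP Response, type Identity */
}

int main(void)
{
    enum ttls_phase p = ttls_step(TTLS_PHASE1_HANDSHAKE, EV_HANDSHAKE_DONE_CLIENT_CERT);
    printf("after phase 1 with a client cert: %s\n",
           p == TTLS_PHASE2_INNER_EAP ? "phase 2 (inner EAP)" : "other");
    printf("phase-2 AVP round trip: %s\n", ttls_phase2_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The decoder treats a missing padding byte or a length shorter than the header as malformed rather than guessing, which is the behaviour you want at a tunnel boundary where the inner data comes from the peer.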