I wanted to add a little bit to what I said in this email.  Part of the
reason for not short-circuiting (at least in my understanding) and going
through with the full two-phase authentication in TTLS even when
certificates are used is so that the identity of the client is not sent
in the clear.  Since a new EAP conversation is started inside the
context of the first one, with the new conversation being encrypted, the
true identity of the user is sent in the EAP-Identity response in Phase
two.  This allows for fully encrypted identification and
authorization/authentication of the user.

--Mike



On Fri, 2003-06-13 at 12:10, Michael Griego wrote:
> On Fri, 2003-06-13 at 10:25, Zhou Ping wrote:
> > Hello,
> > 
> > I have some problems when implementing the TTLS module. According to the draft, 
> > the client does not need to have a certificate to authenticate itself, which leads 
> > to phase 2 of the protocol. If the client has a proper certificate, then mutual 
> > authentication is achieved and there is no need for phase 2. So I think I have to 
> > modify the eaptls_ack_handler() to handle the Finished message. But how can I know 
> > if the client has already authenticated itself (i.e. it has a certificate)? Maybe 
> > I should also modify some of the callback function? Thanks for any help.
> 
> I don't think that's exactly true.  If you're using the TTLS EAP-Type,
> then you have to stick with that and not short-circuit if the client
> sends a certificate during the first phase.  Once phase 1 has completed
> in TTLS, and the server has authenticated itself, it goes into Phase 2. 
> Phase 2 is handled as a totally new EAP conversation embedded in the
> TLS-secured context of the first phase.  It is in this phase where the
> client can then choose to either send a certificate or to use one of the
> other available EAP methods.  IOW, if the EAP-Type is TTLS, then there
> has to be two phases regardless of whether the client authentication is
> also performed with certificates.
-- 

--Mike

--------------------------------
Michael Griego
Wireless Network Administrator
University of Texas at Dallas
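As an added illustration of the point above (example code, not from this thread or from FreeRADIUS): the two EAP-Response/Identity packets of a TTLS session, built in the RFC 3748 wire format, with the Phase 1 identity reduced to an anonymous NAI that keeps only the realm for routing and the real identity sent only in the Phase 2 conversation inside the TLS tunnel. The anonymous username convention and all function names are this example's own assumptions.

```python
import struct
from typing import Dict, Tuple

# EAP header per RFC 3748: Code, Identifier, Length (network order), Type.
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_HEADER = "!BBHB"
ANONYMOUS_USER = "anonymous"  # assumed outer-identity convention


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Encode an EAP-Response/Identity packet carrying `identity` as Type-Data."""
    type_data = identity.encode("utf-8")
    length = struct.calcsize(EAP_HEADER) + len(type_data)
    header = struct.pack(EAP_HEADER, EAP_RESPONSE, identifier, length, EAP_TYPE_IDENTITY)
    return header + type_data


def parse_identity_response(packet: bytes) -> str:
    """Decode the identity from an EAP-Response/Identity packet, checking the header."""
    hdr = struct.calcsize(EAP_HEADER)
    code, _ident, length, eap_type = struct.unpack(EAP_HEADER, packet[:hdr])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    return packet[hdr:].decode("utf-8")


def split_nai(identity: str) -> Tuple[str, str]:
    """Split user@realm; the realm is empty when the identity has none."""
    user, sep, realm = identity.partition("@")
    return user, (realm if sep else "")


def outer_identity_for_ttls(true_identity: str) -> str:
    """Phase 1 identity: keep only the realm so the request can still be routed."""
    _user, realm = split_nai(true_identity)
    return f"{ANONYMOUS_USER}@{realm}" if realm else ANONYMOUS_USER


def phase1_leaks_username(outer_packet: bytes, true_identity: str) -> bool:
    """True if the cleartext Phase 1 identity reveals the real username."""
    user, _realm = split_nai(parse_identity_response(outer_packet))
    return user == split_nai(true_identity)[0]


def ttls_identity_flow(true_identity: str, identifier: int = 1) -> Dict[str, bytes]:
    """Model the two identity responses of a TTLS session (constructed example)."""
    outer = build_identity_response(identifier, outer_identity_for_ttls(true_identity))
    # Phase 2 starts a new EAP conversation inside the TLS tunnel; only there
    # does the client answer the Identity request with its true identity.
    inner = build_identity_response(identifier, true_identity)
    return {"phase1_cleartext": outer, "phase2_inside_tls": inner}
```

A supplicant or server test can run `phase1_leaks_username` over the Phase 1 packet to confirm the outer identity carries nothing beyond the realm.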



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
