Problem when implementing TTLS
Hello,

I have some problems when implementing the TTLS module. According to the draft, the client does not need to have a certificate to authenticate itself, which leads to phase 2 of the protocol. If the client has a proper certificate, then mutual authentication is achieved and there is no need for phase 2. So I think I have to modify eaptls_ack_handler() to handle the Finished message. But how can I know if the client has already authenticated itself (i.e. it has a certificate)? Maybe I should also modify some of the callback functions?

Thanks for any help.

Regards,
Zhou Ping
Re: Problem when implementing TTLS
On Fri, 2003-06-13 at 10:25, Zhou Ping wrote:
> Hello,
>
> I have some problems when implementing the TTLS module. According to the draft, the client does not need to have a certificate to authenticate itself, which leads to phase 2 of the protocol. If the client has a proper certificate, then mutual authentication is achieved and there is no need for phase 2. So I think I have to modify eaptls_ack_handler() to handle the Finished message. But how can I know if the client has already authenticated itself (i.e. it has a certificate)? Maybe I should also modify some of the callback functions?
>
> Thanks for any help.

I don't think that's exactly true. If you're using the TTLS EAP-Type, then you have to stick with that and not short-circuit if the client sends a certificate during the first phase. Once phase 1 has completed in TTLS, and the server has authenticated itself, it goes into Phase 2. Phase 2 is handled as a totally new EAP conversation embedded in the TLS-secured context of the first phase. It is in this phase where the client can then choose to either send a certificate or to use one of the other available EAP methods.

IOW, if the EAP-Type is TTLS, then there have to be two phases regardless of whether the client authentication is also performed with certificates.

--
--Mike
Michael Griego
Wireless Network Administrator
University of Texas at Dallas

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem when implementing TTLS
I wanted to add a little bit to what I said in this email.

Part of the reason for not short-circuiting (at least in my understanding) and going through with the full two-phase authentication in TTLS even when certificates are used is so that the identity of the client is not sent in the clear. Since a new EAP conversation is started inside the context of the first one, with the new conversation being encrypted, the true identity of the user is sent in the EAP-Identity response in Phase two. This allows for fully encrypted identification and authorization/authentication of the user.

--Mike

On Fri, 2003-06-13 at 12:10, Michael Griego wrote:
> On Fri, 2003-06-13 at 10:25, Zhou Ping wrote:
> > Hello,
> >
> > I have some problems when implementing the TTLS module. According to the draft, the client does not need to have a certificate to authenticate itself, which leads to phase 2 of the protocol. If the client has a proper certificate, then mutual authentication is achieved and there is no need for phase 2. So I think I have to modify eaptls_ack_handler() to handle the Finished message. But how can I know if the client has already authenticated itself (i.e. it has a certificate)? Maybe I should also modify some of the callback functions?
> >
> > Thanks for any help.
>
> I don't think that's exactly true. If you're using the TTLS EAP-Type, then you have to stick with that and not short-circuit if the client sends a certificate during the first phase. Once phase 1 has completed in TTLS, and the server has authenticated itself, it goes into Phase 2. Phase 2 is handled as a totally new EAP conversation embedded in the TLS-secured context of the first phase. It is in this phase where the client can then choose to either send a certificate or to use one of the other available EAP methods.
>
> IOW, if the EAP-Type is TTLS, then there have to be two phases regardless of whether the client authentication is also performed with certificates.
--
--Mike
Michael Griego
Wireless Network Administrator
University of Texas at Dallas
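Mike's point (phase 2 is a fresh EAP conversation, and the real identity travels only inside the tunnel) modelled as an added example. This is not FreeRADIUS code and not from the posts above: it builds the cleartext phase-1 EAP-Response/Identity, then the phase-2 AVP sequence (a User-Name AVP plus an EAP-Message AVP carrying the inner EAP-Response/Identity) in the AVP framing the TTLS specification uses (RFC 5281), and decodes both to show what an on-path observer sees versus what the inner EAP server sees. The TLS record layer is deliberately left out; `phase2_tunnel_plaintext` is the bytes that would be handed to TLS for encryption. The `anonymous@realm` outer-identity form and all helper names are assumptions for illustration.

```python
"""Two identities in an EAP-TTLS exchange (added example, not FreeRADIUS code).

Phase 1: the client's EAP-Response/Identity travels in the clear before any
TLS tunnel exists, so it carries only an anonymous NAI (realm kept so AAA
proxies can still route).  Phase 2: the real User-Name and a brand-new inner
EAP conversation are encoded as AVPs (RFC 5281 AVP format) and sent only
inside the TLS tunnel.  TLS itself is not modelled here.
"""
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

AVP_USER_NAME = 1      # RADIUS/Diameter attribute 1 (User-Name)
AVP_EAP_MESSAGE = 79   # RADIUS/Diameter attribute 79 (EAP-Message)
AVP_FLAG_V = 0x80      # Vendor-ID field present
AVP_FLAG_M = 0x40      # Mandatory: receiver must reject an AVP it does not understand


def eap_packet(code, identifier, eap_type, type_data):
    """RFC 3748 EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    length = 5 + len(type_data)  # Length covers the whole packet
    return struct.pack("!BBHB", code, identifier, length, eap_type) + type_data


def parse_eap(packet):
    """Return (code, identifier, type, type_data); reject a bad Length field."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP length field does not match packet size")
    return code, identifier, eap_type, packet[5:length]


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """TTLS AVP: Code(4) Flags(1) Length(3) [Vendor-ID(4)] Data, zero-padded to 4 octets.
    Length counts the header, Vendor-ID and data but not the padding."""
    flags = AVP_FLAG_M if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_FLAG_V
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)
    padding = b"\x00" * ((4 - length % 4) % 4)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + vendor + data + padding


def decode_avps(buf):
    """Return a list of (code, vendor_id, mandatory, data), checking framing as we go."""
    avps = []
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[offset:offset + 5])
        length = int.from_bytes(buf[offset + 5:offset + 8], "big")
        hdr_len = 12 if flags & AVP_FLAG_V else 8
        if length < hdr_len or offset + length > len(buf):
            raise ValueError("bad AVP length")
        vendor_id = None
        if flags & AVP_FLAG_V:
            vendor_id = struct.unpack("!I", buf[offset + 8:offset + 12])[0]
        data = buf[offset + hdr_len:offset + length]
        avps.append((code, vendor_id, bool(flags & AVP_FLAG_M), data))
        offset += length + (4 - length % 4) % 4  # step over the padding too
    return avps


def outer_identity(real_nai):
    """Phase-1 identity (assumed convention): keep only the realm, hide the user part."""
    _user, sep, realm = real_nai.partition("@")
    return "anonymous" + sep + realm


def phase1_identity_response(real_nai, identifier=1):
    """Cleartext EAP-Response/Identity sent before the TLS tunnel exists."""
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY,
                      outer_identity(real_nai).encode())


def phase2_tunnel_plaintext(real_nai, identifier=1):
    """Phase-2 payload: User-Name AVP plus a new inner EAP conversation whose first
    message is the inner EAP-Response/Identity with the true identity.  Only ever
    sent inside the TLS tunnel established in phase 1."""
    inner_identity = eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, real_nai.encode())
    return (encode_avp(AVP_USER_NAME, real_nai.encode())
            + encode_avp(AVP_EAP_MESSAGE, inner_identity))


def identities_seen(real_nai):
    """(what a wire observer reads, User-Name inside the tunnel, inner EAP identity)."""
    _, _, _, outer = parse_eap(phase1_identity_response(real_nai))
    avps = {code: data for code, _, _, data in decode_avps(phase2_tunnel_plaintext(real_nai))}
    _, _, _, inner = parse_eap(avps[AVP_EAP_MESSAGE])
    return outer.decode(), avps[AVP_USER_NAME].decode(), inner.decode()


if __name__ == "__main__":
    print(identities_seen("alice@example.edu"))  # constructed sample identity
```

Only the first element of the tuple `identities_seen` returns is visible to someone sniffing the 802.1X exchange; the other two exist solely as plaintext inside the TLS tunnel, which is why the second phase cannot be skipped even when the client also presents a certificate.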