Problem when implementing TTLS

2003-06-13 Thread Zhou Ping
Hello,

I have some problems when implementing the TTLS module. According to the draft, the 
client does not need to have a certificate to authenticate itself, which leads to 
phase 2 of the protocol. If the client has a proper certificate, then mutual 
authentication is achieved and there is no need for phase 2. So I think I have to 
modify the eaptls_ack_handler() to handle the Finished message. But how can I know if 
the client has already authenticated itself (i.e. it has a certificate)? Maybe I 
should also modify some of the callback function? Thanks for any help.

regards,
Zhou Ping

Re: Problem when implementing TTLS

2003-06-13 Thread Michael Griego
On Fri, 2003-06-13 at 10:25, Zhou Ping wrote:
 Hello,
 
 I have some problems when implementing the TTLS module. According to the draft, the 
 client does not need to have a certificate to authenticate itself, which leads to 
 phase 2 of the protocol. If the client has a proper certificate, then mutual 
 authentication is achieved and there is no need for phase 2. So I think I have to 
 modify the eaptls_ack_handler() to handle the Finished message. But how can I know 
 if the client has already authenticated itself (i.e. it has a certificate)? Maybe I 
 should also modify some of the callback function? Thanks for any help.

I don't think that's exactly true.  If you're using the TTLS EAP-Type,
then you have to stick with that and not short-circuit if the client
sends a certificate during the first phase.  Once phase 1 has completed
in TTLS, and the server has authenticated itself, it goes into Phase 2. 
Phase 2 is handled as a totally new EAP conversation embedded in the
TLS-secured context of the first phase.  It is in this phase where the
client can then choose to either send a certificate or to use one of the
other available EAP methods.  IOW, if the EAP-Type is TTLS, then there
has to be two phases regardless of whether the client authentication is
also performed with certificates.

-- 

--Mike


Michael Griego
Wireless Network Administrator
University of Texas at Dallas



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem when implementing TTLS

2003-06-13 Thread Michael Griego
I wanted to add a little bit to what I said in this email. Part of the
reason for not short-circuiting (at least in my understanding) and going
through with the full two-phase authentication in TTLS even when
certificates are used is so that the identity of the client is not sent
in the clear.  Since a new EAP conversation is started inside the
context of the first one, with the new conversation being encrypted, the
true identity of the user is sent in the EAP-Identity response in Phase
two.  This allows for fully encrypted identification and
authorization/authentication of the user.

--Mike



On Fri, 2003-06-13 at 12:10, Michael Griego wrote:
 On Fri, 2003-06-13 at 10:25, Zhou Ping wrote:
  Hello,
  
  I have some problems when implementing the TTLS module. According to the draft, 
  the client does not need to have a certificate to authenticate itself, which leads 
  to phase 2 of the protocol. If the client has a proper certificate, then mutual 
  authentication is achieved and there is no need for phase 2. So I think I have to 
  modify the eaptls_ack_handler() to handle the Finished message. But how can I know 
  if the client has already authenticated itself (i.e. it has a certificate)? Maybe 
  I should also modify some of the callback function? Thanks for any help.
 
 I don't think that's exactly true.  If you're using the TTLS EAP-Type,
 then you have to stick with that and not short-circuit if the client
 sends a certificate during the first phase.  Once phase 1 has completed
 in TTLS, and the server has authenticated itself, it goes into Phase 2. 
 Phase 2 is handled as a totally new EAP conversation embedded in the
 TLS-secured context of the first phase.  It is in this phase where the
 client can then choose to either send a certificate or to use one of the
 other available EAP methods.  IOW, if the EAP-Type is TTLS, then there
 has to be two phases regardless of whether the client authentication is
 also performed with certificates.
-- 

--Mike


Michael Griego
Wireless Network Administrator
University of Texas at Dallas



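To make the two replies above concrete (phase 2 always follows phase 1 in TTLS, even when the client showed a certificate in phase 1, and the real user identity only travels inside the TLS tunnel), here is a small Python model of the two-phase flow. It is an added illustration, not code from this thread, from the TTLS draft, or from FreeRADIUS: the "TLS" messages are string labels rather than real TLS records, the inner password check stands in for whatever inner method the tunnel carries, and every identity, user and credential is constructed for the example.

```python
"""Toy model of the EAP-TTLS two-phase flow (constructed example, not FreeRADIUS code).

Phase 1: outer EAP-Identity (may be anonymous) + TLS handshake authenticating the
server (and optionally the client).  Phase 2: a fresh EAP conversation carried as
TTLS AVPs inside the TLS tunnel, where the true identity and credentials are sent.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed inner-authentication database: inner identity -> password.
USERS = {"alice@example.org": "correct horse battery"}


@dataclass
class ClientProfile:
    outer_identity: str                 # sent in the clear in the outer EAP-Identity
    inner_identity: str                 # sent only inside the TLS tunnel (phase 2)
    password: str                       # credential for the inner method
    client_cert_cn: Optional[str] = None  # presented in phase 1 if set


@dataclass
class Transcript:
    cleartext: list = field(default_factory=list)  # what a passive observer of the outer exchange sees
    tunneled: list = field(default_factory=list)   # decrypted only by the TTLS server


def phase1(client: ClientProfile, t: Transcript) -> dict:
    """Outer identity exchange plus a (modelled) TLS handshake; server always authenticates."""
    t.cleartext.append(("EAP-Response/Identity", client.outer_identity))
    t.cleartext.append(("TLS", "ServerHello + Certificate(server) + ServerHelloDone"))
    if client.client_cert_cn is not None:
        # The client may present a certificate here, but TTLS does not stop on it.
        t.cleartext.append(("TLS", f"Certificate(client CN={client.client_cert_cn})"))
    t.cleartext.append(("TLS", "Finished"))
    return {"server_authenticated": True, "peer_cert": client.client_cert_cn}


def phase2(client: ClientProfile, t: Transcript) -> dict:
    """A brand-new EAP conversation, every message encrypted inside the phase-1 tunnel."""
    # Outside observers only see opaque TLS application data for each inner message.
    t.cleartext.append(("TLS-AppData", "<encrypted AVPs>"))
    t.tunneled.append(("EAP-Response/Identity", client.inner_identity))
    t.cleartext.append(("TLS-AppData", "<encrypted AVPs>"))
    t.tunneled.append(("Inner-Credential", "<password, stand-in for the real inner method>"))
    ok = USERS.get(client.inner_identity) == client.password
    return {"identity": client.inner_identity, "authenticated": ok}


def run_ttls(client: ClientProfile) -> dict:
    """Drive both phases; phase 2 runs regardless of what happened in phase 1."""
    t = Transcript()
    p1 = phase1(client, t)
    # Deliberately no short-circuit on p1["peer_cert"]: with EAP-Type TTLS the
    # inner conversation is where the user is identified and authorized.
    p2 = phase2(client, t)
    t.cleartext.append(("EAP-Success" if p2["authenticated"] else "EAP-Failure", ""))
    return {
        "phases_run": 2,
        "peer_cert": p1["peer_cert"],
        "authorized_as": p2["identity"] if p2["authenticated"] else None,
        "transcript": t,
    }


def identities_visible_on_wire(t: Transcript) -> list:
    """Identities an observer of the outer (cleartext) exchange can read."""
    return [value for kind, value in t.cleartext if kind == "EAP-Response/Identity"]


if __name__ == "__main__":
    alice = ClientProfile("anonymous@example.org", "alice@example.org",
                          "correct horse battery", client_cert_cn="alice")
    result = run_ttls(alice)
    print("phases run:", result["phases_run"])
    print("client cert seen in phase 1:", result["peer_cert"])
    print("authorized as:", result["authorized_as"])
    print("identities visible on the wire:", identities_visible_on_wire(result["transcript"]))
```

Running it shows the two properties the replies describe: the result always reports two phases even though a client certificate was seen in phase 1, and the only identity readable on the wire is the anonymous outer one while authorization is keyed to the inner identity.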