hostapd with 802.1X EAP-TLS/TTLS support

Sam Leffler sam at freebsd.org
Thu Jun 18 17:36:07 UTC 2009 

EAP/TLS and TTLS should be configured by default in HEAD.  Not sure what 
is done in RELENG_7.  Regardless you can trivially rebuild hostapd w/ 
the functionality you want by definitions to your src.conf:

HOSTAPD_CFLAGS
HOSTAPD_DPADD
HOSTAPD_LDADD

(looks like you use WPA_SUPPLICANT_* knobs in RELENG_7, check 
usr.sbin/wpa/hostapd/Makefile).

As to what should be enabled by default, I can only say that I tried to 
choose the most common setup as the default.  Choosing this 
configuration also balances between bloat and inclusion of code that 
might not be as well audited and/or tested as other code.  Hence the 
default setup used to be WPA-PSK only but has since grown to include 
various EAP flavors.  My assumption was that anyone building a system 
using these tools would want to go through and choose what they wanted 
anyway so enabling everything was a bad idea.

    Sam


Vladimir Terziev wrote:
> Hi Paul,
>
> is there some special reason behind this? Why the server is made part of
> the main distribution with stripped functionality ?
>
> Also, how can i enable it ?
>
> Thanks,
>
> Vladimir
>
>
> On Thu, 2009-06-18 at 13:55 +0300, Paul B. Mahol wrote:
>   
>> On 6/18/09, Vladimir Terziev <vladimirt at partygaming.com> wrote:
>>     
>>> Hi,
>>>
>>> i try to setup wireless access point at home, based on FreeBSD
>>> 7.2R-i386, ral(4) wireless card and hostpad(8).
>>>
>>> I want my wireless AP to support 802.1x EAP-TLS/TTLS authentication.
>>>       
>> I
>>     
>>> issued a custom SSL certificate for the hostapd(8) and put the
>>>       
>> following
>>     
>>> directives in hostapd.conf:
>>>
>>> eap_server=0
>>> ca_cert=/usr/local/etc/myCA.crt.pem
>>> server_cert=/usr/local/etc/hostapd.server.crt.pem
>>> private_key=/usr/local/etc/hostapd.server.key.pem
>>> private_key_passwd=some_pass
>>>
>>> When i tried to start the hostapd(8) i got the following errors:
>>>
>>> Line 15: unknown configuration item 'eap_server'
>>> Line 16: unknown configuration item 'ca_cert'
>>> Line 17: unknown configuration item 'server_cert'
>>> Line 18: unknown configuration item 'private_key'
>>> Line 19: unknown configuration item 'private_key_passwd'
>>>
>>> Does the stock FreeBSD's hostapd(8) support 802.1X EAP-TLS/TTLS at
>>>       
>> all
>>     
>>> and if "not" why ?
>>>       
>> 802.1X EAP-TLS/TTLS is not enabled by default on FreeBSD's hostapd(8).
>>
>> --
>> Paul
>>
>>
>>     
>
> This email and any attachments are confidential, and may be legally privileged and protected by copyright. If you are not the intended recipient dissemination or copying of this email is prohibited. If you have received this in error, please notify the sender by replying by email and then delete the email completely from your system. 
>
> Any views or opinions are solely those of the sender.  This communication is not intended to form a binding contract unless expressly indicated to the contrary and properly authorised. Any actions taken on the basis of this email are at the recipient's own risk.
>
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
>
>

More information about the freebsd-net mailing list