On Fri, Feb 19, 2016 at 02:53:44PM +0100, gunnaroeh@xxxxxxxxx wrote:
> My admin now stated that protocols must not be predefined but are
> negotiated between client and the server.
> After the certificate is verified (which is a must) the user
> identity must indeed also be checked.
>
> Therefore he then suggested to use the following configuration:
>
> key_mgmt=IEEE8021X
> eap=TLS
> anonymous_identity="..."
> ca_cert="/path to certificate.cer"
> phase2="auth=peap"
> private_key="path to privkey.pem"
> identity="..."
> password="..."
> private_key_passwd="..."

This is not valid EAP configuration. Either this needs to use EAP-TLS
which does not use the password option or this is some kind of
combination of PEAP with client certificate and something in the inner
tunnel. I cannot really recommend any specific change here without
more details on what exactly the authentication server expects here.

phase2 parameter is not used with EAP-TLS (eap=TLS). phase2 value
"auth=peap" is not valid with any EAP method. With eap=PEAP,
phase2="auth=<name of inner method>" could be used to select which
inner method is used. Though, please note that the names of the EAP
methods are all in upper case.

> The private key and the certificate match each other (checked with
> openssl x509 and rsa). I guess the main problem is now that the key
> is not symlinked to the certificate:

If you have a client certificate in a separate file, you need to point
to that file with the client_cert parameter.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
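For reference, an added illustration (not part of the thread, and not a recommendation for this particular server) of the two valid wpa_supplicant configuration shapes the reply distinguishes: EAP-TLS with the client certificate as the credential, and PEAP with a named inner method. The ssid, file paths and identities are placeholders.

```ini
# Added example, not from the thread. Placeholder ssid, paths and identities.

# Shape 1: plain EAP-TLS. The client certificate is the credential, so there
# is no password and no phase2; the certificate lives in its own file and is
# referenced with client_cert, the key with private_key.
network={
    ssid="example-ssid"                     # placeholder
    key_mgmt=IEEE8021X
    eap=TLS
    identity="user@example.org"             # placeholder outer identity
    ca_cert="/etc/cert/ca.pem"              # placeholder: server CA to verify
    client_cert="/etc/cert/client.pem"      # placeholder: client certificate
    private_key="/etc/cert/privkey.pem"     # placeholder: matching private key
    private_key_passwd="..."                # passphrase protecting the key
}

# Shape 2: PEAP with a password-based inner method. phase2 names the inner
# method, and EAP method names are written in upper case.
network={
    ssid="example-ssid"                     # placeholder
    key_mgmt=IEEE8021X
    eap=PEAP
    anonymous_identity="anonymous@example.org"  # placeholder outer identity
    identity="user@example.org"             # placeholder inner identity
    password="..."
    ca_cert="/etc/cert/ca.pem"              # placeholder: server CA to verify
    phase2="auth=MSCHAPV2"                  # inner method, upper case
}
```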