Re: pubkey-auth, EAP-GTC

On Oct 22, 2019, at 3:49 PM, dev@xxxxxxxxxxxxxxx wrote:
> 
> we want to use public-key-authentication with WPA2. the appropriate method to use seems to be EAP-GTC (plain, nothing around it needed). it would be nice if this could be done with hostapd without an extra radius server.

  You asked this question on the FreeRADIUS list, too.  The answer given there is the same, and is still correct.

  WPA2-PSK is where the SSID has a fixed password.  EAP isn't used there, so you can't use EAP-GTC.

  WPA2 Enterprise is where EAP is used.  Typically PEAP, TTLS, FAST, etc.

  Unfortunately, EAP-GTC does not provide for deriving the MSK necessary for WPA2 Enterprise to work.

  Yes, you can likely poke the code to do public key calculations based on an EAP-GTC challenge and password.  Yes, you can likely get EAP-GTC authentication to succeed.

  No, you cannot use this method to get WiFi access via WPA2 Enterprise. 

  A different answer is don't roll your own crypto.  You will get it wrong.  Use a peer-reviewed EAP method.

  I say this with some experience, as I've been involved in the EAP standards process for over a decade.  I was chair of the IETF EMU working group which is in charge of EAP standards for many years.

  Alan DeKok.


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
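
Why the missing MSK blocks WPA2 Enterprise, as an added example that is not part of the original message or of hostapd: the PMK is the first 32 octets of the MSK exported by the EAP method, and the 4-way handshake derives the PTK from that PMK. The function names, the method table and the sample addresses and nonces are assumptions made for illustration (CCMP with 802.1X key management).

```python
import hashlib
import hmac

# Key export per EAP method named in the thread (RFC 3748 lists GTC as "Key Derivation: No").
EXPORTS_MSK = {"GTC": False, "PEAP": True, "TTLS": True, "FAST": True}


def pmk_from_eap(method, msk):
    """Return the 802.11 PMK for a WPA2 Enterprise session, or raise if there is no MSK."""
    if not EXPORTS_MSK.get(method, False) or msk is None:
        raise ValueError(f"EAP-{method} exported no MSK: no PMK, no 4-way handshake")
    if len(msk) < 64:
        raise ValueError("MSK must be at least 64 octets (RFC 3748)")
    return msk[:32]  # PMK = first 256 bits of the MSK


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Derive the 384-bit CCMP PTK and split it into KCK, KEK and TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


if __name__ == "__main__":
    # Constructed sample values, not captured from a real network.
    msk = bytes(range(64))
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = b"\x11" * 32, b"\x22" * 32
    ptk = derive_ptk(pmk_from_eap("PEAP", msk), aa, spa, anonce, snonce)
    print({name: key.hex() for name, key in ptk.items()})
    try:
        pmk_from_eap("GTC", None)  # authentication may succeed, but no key material exists
    except ValueError as err:
        print(err)
```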