On Tue, Oct 22, 2019 at 09:49:49PM +0200, dev@xxxxxxxxxxxxxxx wrote:
> we want to use public-key-authentication with WPA2. the appropriate
> method to use seems to be EAP-GTC (plain, nothing around it needed).
> it would be nice if this could be done with hostapd without an extra
> radius server. for this to work, calling a script to get the (dynamic)
> challenge, and calling another script for verification (passing at
> least user-id, challenge, response to it and getting verification
> result back) would be needed.
>
> similar for wpa_supplicant, a script called with the challenge,
> getting the response back would be needed.

Can you please clarify what exactly you mean with challenge/response in
combination with public key authentication? EAP-GTC inside an EAP-TTLS or
PEAP tunnel could be used for challenge/response authentication
mechanisms, but I would not call that public key authentication.

If you want to use raw public keys (instead of EAP-TLS with certificates
that use public key internally), something like FILS public key
authentication could be a more appropriate approach.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap