Re: IEEE 802.1X support with Host AP driver


From: Jouni Malinen (jkmaline_at_cc.hut.fi)
Date: 2002-09-08 15:20:36 UTC



On Fri, Sep 06, 2002 at 06:07:52PM +0300, Jouni Malinen wrote:

> I'm not very familiar with WinXP certificate configuration and EAP/TLS
> seemed to miss something in the client side. I was able to add the
> trusted root certificate and a client certificate, but WinXP did not
> seem to find them when Supplicant needed certificates. Anyway, since the
> authenticator PAE and backend authentication state machines are now
> fully implemented, I would assume that also EAP/TLS would work with
> WinXP--assuming one were able to add suitable certificates for it.

The only problem in this was an incompatible client certificate. After creating my own CA and signing a new client certificate with extended key usage extensions, EAP/TLS is working fine also with WinXP.

FreeRADIUS CVS snapshot versions include support for MS-MPPE-Send-Key and MS-MPPE-Recv-Key generation, so I added support for these also to the Authenticator code in hostapd. The current version of the Authenticator supports generating a random default/broadcast WEP key and sending it to the stations using IEEE 802.1X and EAP/TLS. These seemed to work fine both with WinXP and Xsupplicant. Adding support for individual unicast keys should now be quite straightforward since the kernel driver already supports this and it would be enough to just generate a new key, configure it for the kernel driver, and send it to the Supplicant. I'm just hoping that the Orinoco driver in WinXP has support for this.

-- 
Jouni Malinen                                            PGP id EFC895FA
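
The key delivery described in the message above, as an added example (not part of the original post and not hostapd's code): an EAPOL-Key frame with the IEEE 802.1X-2001 RC4 key descriptor carrying a broadcast WEP key, built on the authenticator side and verified on the supplicant side. It assumes MS-MPPE-Recv-Key keys the RC4 encryption and MS-MPPE-Send-Key keys the HMAC-MD5 signature; the function names and all key values are constructed for illustration.

```python
import hashlib, hmac, struct

def rc4(key, data):
    # Plain RC4, the cipher the 802.1X-2001 RC4 key descriptor uses.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def pack_frame(key_len, replay, iv, index, sig, enc_key):
    # Descriptor: type 1 (RC4), key length, replay counter, IV, index, signature, key.
    body = struct.pack("!BH8s16sB16s", 1, key_len, replay, iv, index, sig) + enc_key
    return struct.pack("!BBH", 1, 3, len(body)) + body  # EAPOL v1, type 3 = EAPOL-Key

def build_eapol_key(wep_key, index, replay, iv, recv_key, send_key, unicast=False):
    enc = rc4(iv + recv_key, wep_key)            # assumed: RC4 key = IV || MS-MPPE-Recv-Key
    idx = index | (0x80 if unicast else 0)       # bit 7 set marks a unicast key
    unsigned = pack_frame(len(wep_key), replay, iv, idx, bytes(16), enc)
    sig = hmac.new(send_key, unsigned, hashlib.md5).digest()  # assumed: MS-MPPE-Send-Key
    return pack_frame(len(wep_key), replay, iv, idx, sig, enc)

def parse_eapol_key(frame, recv_key, send_key):
    # Supplicant side: verify the signature before decrypting anything.
    if len(frame) < 48:
        raise ValueError("truncated EAPOL-Key frame")
    _, ptype, blen = struct.unpack("!BBH", frame[:4])
    dtype, klen, replay, iv, idx, sig = struct.unpack("!BH8s16sB16s", frame[4:48])
    if ptype != 3 or dtype != 1 or blen != len(frame) - 4 or klen != len(frame) - 48:
        raise ValueError("not a well-formed RC4 EAPOL-Key frame")
    zeroed = frame[:32] + bytes(16) + frame[48:]  # signature field zeroed for the HMAC
    if not hmac.compare_digest(sig, hmac.new(send_key, zeroed, hashlib.md5).digest()):
        raise ValueError("bad key signature")
    return idx & 0x7F, bool(idx & 0x80), rc4(iv + recv_key, frame[48:])

# Constructed sample values, not real key material.
RECV_KEY, SEND_KEY = bytes(range(32)), bytes(range(32, 64))
SAMPLE = build_eapol_key(b"\x11" * 13, 1, struct.pack("!Q", 1), b"\xA5" * 16, RECV_KEY, SEND_KEY)
```

A supplicant would additionally reject frames whose replay counter does not increase; that state is left out here.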

