Mutual Authentication with EAP-TTLS/MSCHAPv2

Josh Howlett Josh.Howlett at
Wed Oct 3 11:07:36 CEST 2007

> 1. Does EAP-TTLS with MSCHAPv2 considered as a mutual 
> authentication method?

It is probably best if you read RFC4017 for a full discussion of mutual
authentication in the EAP context.

FWIW, the short answer is "yes, it can be used in this way".

> 2. I understand that the TTLS itself can be mutual, meaning:
> a. The client authenticates the server (via server certificate)


> b. A secured tunnel is created
> c. The server authenticates the client (via client certificate)

Yes, this is possible but not necessary, because as you say...

> d. The client authenticates itself again using MSCHAPv2.

e. The server also authenticates itself using MSCHAPv2. A
challenge-response is piggy-backed on the MSCHAP exchange.

> Does FreeRadius support this kind of Authentication?


> 3. I received a root-certificate and I want to create trusted 
> certificates. 
>             a. Which software can I use sign a certificate 
> with the root-certificate I received?

I doubt you received a root CA certificate. You probably got issued with
a certificate signed by the root or an intermediate CA. However, I'm
speculating - it is probably best to ask whomever provided the
certificate directly. It is essential to understand precisely what is
going on, because it is very easy to make mistakes with PKI...

best regards, josh.

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG

More information about the Freeradius-Users mailing list