EAP-TLS patch for pppd

Home

About EAP-TLS

The Extensible Authentication Protocol (EAP; RFC 3748) is a security protocol that can be used with PPP. It provides a means to plug in multiple optional authentication methods.

Transport Level Security (TLS; RFC 2246) provides for mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints. It also provides for optional MPPE encryption.

EAP-TLS (RFC 2716) encapsulates the TLS messages in EAP packets, allowing TLS mutual authentication to be used as a generic EAP mechanism.

Why was it written?

This patch was written to use pppd in a VPN with either PPTP or IPSec/L2TP and allow Windows users to authenticate using smartcards with certificates.

Especially for PPTP VPNs the support of EAP-TLS+MPPE is very important, as it allows for the use of X.509 certificates to authenticate users. This greatly improves security (one might say it actually adds a little security), as the security of the PPTP model is as good as the password/certificate length.

Features

Allow EAP-TLS authentication in pppd
Both client and server mode supported
MPPE encryption support (mostly needed for PPTP VPNs)
CRL handling
up to version 0.91: CRL automatic updating
new in version 0.95: OpenSSL engine support (tested only with a PKCS11 engine)

Notes

This patch was originally was developed by Beniamino Galvani in SPE laboratories with help from Paolo Prandini.
In 2006 I added MPPE encryption support to the patch and in May 2008 I took over the maintenance of the patch from Beniamino. Please do not bother him any longer with questions regarding the EAP-TLS patch.
If you have any comments or questons please contact me at the email address below.

Share and enjoy....

Comments to Jan Just Keijser | lastmod = 05/10/2010 15:20:41 | visitors = 11