EAP-TLS and token hardware support patch for PPPD
The Extensible Authentication Protocol (EAP: RFC 3748) is a security protocol that can be used with PPP. It provides a means to plug in multiple optional authentication methods.
Transport Layer Security (TLS: RFC 2246) provides mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints.
EAP-TLS (RFC 2716) encapsulates the TLS messages in EAP packets, allowing TLS mutual authentication to be used as a generic EAP mechanism.
Hardware tokens provide strong security for storing (and also generating) authentication credentials, such as private keys and personal certificates.
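To make the encapsulation concrete, here is an added example (not code from the pppd patch or from SPE) of the EAP-TLS packet layout from RFC 2716: a 4-byte EAP header (Code, Identifier, Length), the EAP-TLS Type byte (13), a Flags byte (L = length included, M = more fragments, S = start), an optional 4-byte TLS Message Length when L is set, and then the TLS bytes. The builder and parser below are hypothetical helpers; the parser is written the way a defender wants it, checking the EAP Length field against the bytes actually received before touching any payload, and the sample packets are constructed for the demo.

```c
/* Added example: minimal EAP-TLS (RFC 2716) packet builder and parser.
 * Hypothetical helpers, not part of pppd or the SPE patch. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { EAP_REQUEST = 1, EAP_RESPONSE = 2, EAP_TYPE_TLS = 13 };
enum { EAPTLS_L = 0x80, EAPTLS_M = 0x40, EAPTLS_S = 0x20 };

struct eaptls_pkt {
    uint8_t code, id, flags;
    uint16_t length;         /* total EAP length taken from the header */
    uint32_t tls_msg_len;    /* whole TLS message length, only when L is set */
    const uint8_t *tls_data; /* TLS bytes carried by this fragment */
    size_t tls_data_len;
};

/* Write one EAP-TLS packet into buf. Returns bytes written, 0 if buf is too small. */
size_t eaptls_build(uint8_t *buf, size_t buflen, uint8_t code, uint8_t id,
                    uint8_t flags, uint32_t tls_msg_len,
                    const uint8_t *tls, size_t tlslen)
{
    size_t hdr = (flags & EAPTLS_L) ? 10 : 6;   /* L adds the 4-byte TLS length */
    size_t total = hdr + tlslen;
    if (total > buflen || total > 0xFFFF) return 0;
    buf[0] = code; buf[1] = id;
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[4] = EAP_TYPE_TLS; buf[5] = flags;
    if (flags & EAPTLS_L) {
        buf[6] = (uint8_t)(tls_msg_len >> 24); buf[7] = (uint8_t)(tls_msg_len >> 16);
        buf[8] = (uint8_t)(tls_msg_len >> 8);  buf[9] = (uint8_t)tls_msg_len;
    }
    if (tlslen) memcpy(buf + hdr, tls, tlslen);
    return total;
}

/* Parse an EAP-TLS packet. Returns 0 on success, a negative code for malformed
 * input. Every read is bounded by buflen, so a lying Length field cannot make
 * the parser run past the received bytes. */
int eaptls_parse(const uint8_t *buf, size_t buflen, struct eaptls_pkt *p)
{
    memset(p, 0, sizeof *p);
    if (buflen < 4) return -1;                          /* no complete EAP header */
    p->code = buf[0]; p->id = buf[1];
    p->length = (uint16_t)((buf[2] << 8) | buf[3]);
    if (p->length > buflen) return -2;                  /* header claims bytes we never got */
    if (p->code != EAP_REQUEST && p->code != EAP_RESPONSE) return -3;
    if (p->length < 6) return -4;                       /* no room for Type + Flags */
    if (buf[4] != EAP_TYPE_TLS) return -5;
    p->flags = buf[5];
    size_t off = 6;
    if (p->flags & EAPTLS_L) {
        if (p->length < 10) return -6;                  /* L set but no TLS length field */
        p->tls_msg_len = ((uint32_t)buf[6] << 24) | ((uint32_t)buf[7] << 16) |
                         ((uint32_t)buf[8] << 8)  |  (uint32_t)buf[9];
        off = 10;
    }
    p->tls_data = buf + off;
    p->tls_data_len = p->length - off;
    /* A fragment cannot carry more TLS bytes than the whole message is said to have. */
    if ((p->flags & EAPTLS_L) && p->tls_msg_len < p->tls_data_len) return -7;
    return 0;
}

/* Round trip of the server's EAP-TLS Start request: S flag, no TLS payload. */
int eaptls_demo_start(void)
{
    uint8_t buf[16];
    struct eaptls_pkt p;
    size_t n = eaptls_build(buf, sizeof buf, EAP_REQUEST, 1, EAPTLS_S, 0, NULL, 0);
    if (n != 6 || eaptls_parse(buf, n, &p) != 0) return 0;
    return p.code == EAP_REQUEST && p.flags == EAPTLS_S && p.tls_data_len == 0;
}

/* First fragment of a larger TLS message: L and M set, 5 of 300 bytes carried. */
int eaptls_demo_fragment(void)
{
    static const uint8_t tls[5] = {0x16, 0x03, 0x01, 0x01, 0x2c}; /* constructed TLS record start */
    uint8_t buf[32];
    struct eaptls_pkt p;
    size_t n = eaptls_build(buf, sizeof buf, EAP_RESPONSE, 1,
                            EAPTLS_L | EAPTLS_M, 300, tls, sizeof tls);
    if (n != 15 || eaptls_parse(buf, n, &p) != 0) return 0;
    return p.tls_msg_len == 300 && p.tls_data_len == 5 && memcmp(p.tls_data, tls, 5) == 0;
}

/* Constructed truncated packet: Length says 15 bytes, only 6 arrived. Returns -2. */
int eaptls_demo_truncated(void)
{
    static const uint8_t pkt[] = {0x02, 0x01, 0x00, 0x0f, 0x0d, 0x80};
    struct eaptls_pkt p;
    return eaptls_parse(pkt, sizeof pkt, &p);
}

int main(void)
{
    printf("start=%d fragment=%d truncated=%d\n",
           eaptls_demo_start(), eaptls_demo_fragment(), eaptls_demo_truncated());
    return 0;
}
```

The two ordering decisions in `eaptls_parse` are the ones that matter: the EAP Length is validated against `buflen` before any field beyond the header is read, and the 4-byte TLS Message Length is treated as untrusted input that must be reconciled with the bytes present rather than used directly to size a reassembly buffer.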
Goal of this patch
This patch was written to use pppd in a VPN with IPSec/L2TP and to allow Windows users to authenticate using smartcards with certificates. The PKCS12 certificate format is now supported, and a USB token can also be used for authentication under Linux. If you are interested in the project, a further patch is available that lets pppd (in server mode) query an LDAP server for client authorization. To get more information about this patch, or to help by filing tickets, write to info@spe.net.
Features
- Allow EAP-TLS authentication in pppd
- Both client and server modes supported
- CRL handling
- CRL automatic updating
- PKCS12 certificate format is now supported
- PKCS15 formatted token hardware support
Documentation
Look at the documentation page for more information about the patch, its requirements and its configuration. You'll also find download instructions there.
Link Section
Visit the link page for a list of useful links.
Notes
This software was developed in SPE laboratories from an idea of Paolo Prandini.
For anything you may want to know or say about it, contact SPE at info@spe.it
