diff --git a/tests/hwsim/auth_serv/eap_user.conf b/tests/hwsim/auth_serv/eap_user.conf
index 7343f40a3..b5c65f178 100644
--- a/tests/hwsim/auth_serv/eap_user.conf
+++ b/tests/hwsim/auth_serv/eap_user.conf
@@ -83,6 +83,8 @@ radius_accept_attr=27:d:3
 "phase1-user" MSCHAPV2,MD5,GTC "password"
+"/C=FI/O=w1.fi/CN=Test User" TLS [2]
+
 "020000000000" MACACL "020000000000"
 "020000000100" MACACL "020000000100"
diff --git a/tests/hwsim/test_eap.py b/tests/hwsim/test_eap.py
index f1bf904bd..144e4d314 100644
--- a/tests/hwsim/test_eap.py
+++ b/tests/hwsim/test_eap.py
@@ -574,3 +574,29 @@ def test_eap_teap_eap_vendor(dev, apdev):
 anonymous_identity="TEAP", ca_cert="auth_serv/ca.pem", phase2="auth=VENDOR-TEST", pac_file="blob://teap_pac")
+
+def test_eap_teap_client_cert(dev, apdev):
+ """EAP-TEAP with client certificate in Phase 1"""
+ check_eap_capa(dev[0], "TEAP")
+ params = int_teap_server_params(eap_teap_auth="2")
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ # verify server accept a client with certificate, but no Phase 2
+ # configuration
+ eap_connect(dev[0], hapd, "TEAP", "user",
+ anonymous_identity="TEAP",
+ phase1="teap_provisioning=2",
+ client_cert="auth_serv/user.pem",
+ private_key="auth_serv/user.key",
+ ca_cert="auth_serv/ca.pem",
+ pac_file="blob://teap_pac")
+ dev[0].dump_monitor()
+ res = eap_reauth(dev[0], "TEAP")
+ if res['tls_session_reused'] != '1':
+ raise Exception("EAP-TEAP could not use PAC session ticket")
+
+ # verify server accepts a client without certificate
+ eap_connect(dev[1], hapd, "TEAP", "user",
+ anonymous_identity="TEAP", password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
+ pac_file="blob://teap_pac")
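Review bot: The new `"/C=FI/O=w1.fi/CN=Test User" TLS [2]` entry in eap_user.conf carries no comment saying which certificate it has to match or which test depends on it. The identity is a full subject DN, presumably that of `auth_serv/user.pem` as used by the new test, so regenerating that certificate with a different subject would break the lookup with no hint in this file. I would put a comment line directly above it, for example `# Subject DN of auth_serv/user.pem; matched when the TEAP client authenticates with its certificate in Phase 1 (test_eap_teap_client_cert)`, after confirming the subject against the certificate.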
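Review bot: test_eap_teap_client_cert asserts only the two accept paths, so nothing in it would notice the server also admitting a station that presents neither a client certificate nor Phase 2 credentials. With `eap_teap_auth="2"` the server appears to let Phase 2 be skipped once Phase 1 has authenticated the peer, which makes the reject case the assertion that guards against an authentication bypass regression. I would add a third step under a comment such as `# verify server rejects a client without certificate and without Phase 2 credentials`, connecting a further station with only `ca_cert` set and expecting the connection to fail (via the `expect_failure=True` argument of `eap_connect`, if the helper on this branch has it). The dev[1] step also checks nothing beyond a successful connect, so it does not show that Phase 2 actually ran for the certificate-less client. As a small wording fix, the first comment should read `# verify server accepts a client with certificate, but no Phase 2`.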