Support EAP-TLS

Hello,

I have a requirement from a customer to support an 802.1X supplicant over wired LAN.
My system is based on FREERTOS v10 + LWIP 2.1.2.

Please advise.

Kind Regards,
Leon.

Hi @leons
Mbed TLS is a TLS stack, and doesn’t support EAP-TLS.

However, you can implement the EAP protocol on top of Mbed TLS, and use the key export feature to export the key material for EAP-TLS.
Note that the key export feature is available on the feature branch, and not on any LTS branch.
You can look at the ssl_client2 example on how the key is derived for EAP-TLS.
Regards,
Mbed TLS Support
Ron


Hi Ron,

Thank you for the info.

Best Regards,
Leon.

Hi Leon,
You can also look at this article for an explanation of the tls_prf feature.
Regards

Hi Ron,

I want to figure out some things,

802.1X is Port-Based Network Authentication, running on layer 2 (there is no port, no IP).
http://www.omnisecu.com/tcpip/how-ieee-802.1x-port-based-authentication-works.php

First of all, we have to set up EAPOL (Start, request, response…).
If I understand correctly, if the authenticator sends an EAP-TLS start message, the supplicant has to start the SSL session (hello, certificates…), right?
I see that an Mbed TLS session (client SSL example) requires a socket connection (TCP layer).

What am I missing?

Kind Regards,
Leon.

Hi Leon,
Mbed TLS has the function mbedtls_ssl_set_bio(), where you need to set the relevant BIO callbacks of your connection. It doesn’t need to be the TCP layer. Mbed TLS is released with a BSD-type socket example; however, you can change it to your transport type callback.

As a reference, you can look at how EAP-TLS is implemented in Mbed-OS over Mbed TLS here
Regards,
Ron
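
A sketch of the transport callbacks described in the reply above, added here as an example; it is not part of the original post and not code from Mbed TLS or Mbed-OS. It assumes the EAP layer has already stripped the EAP-TLS header and handles fragmentation; the `eap_tls_bio_*` names and the buffer size are hypothetical.

```c
#include <stddef.h>
#include <string.h>
/* Value of MBEDTLS_ERR_SSL_WANT_READ in mbedtls/ssl.h, repeated so this compiles alone. */
#ifndef MBEDTLS_ERR_SSL_WANT_READ
#define MBEDTLS_ERR_SSL_WANT_READ -0x6900
#endif
#define EAP_TLS_BUF 2048 /* assumed: must hold the largest TLS handshake flight */
/* Hypothetical context shared by the EAP state machine and the TLS stack. */
typedef struct {
    unsigned char rx[EAP_TLS_BUF]; size_t rx_len, rx_off; /* from EAP-Requests */
    unsigned char tx[EAP_TLS_BUF]; size_t tx_len;         /* for EAP-Responses */
} eap_tls_bio_t;

/* EAP layer: append the TLS data carried in a received EAP-Request/EAP-TLS. */
int eap_tls_bio_feed(eap_tls_bio_t *b, const unsigned char *data, size_t len) {
    if (b->rx_off == b->rx_len) b->rx_off = b->rx_len = 0; /* drained: rewind */
    if (len > EAP_TLS_BUF - b->rx_len) return -1; /* reject, never overflow */
    memcpy(b->rx + b->rx_len, data, len);
    b->rx_len += len;
    return 0;
}

/* f_recv callback: hand buffered bytes to TLS, or ask it to come back later. */
int eap_tls_bio_recv(void *ctx, unsigned char *buf, size_t len) {
    eap_tls_bio_t *b = ctx;
    size_t avail = b->rx_len - b->rx_off;
    if (avail == 0) return MBEDTLS_ERR_SSL_WANT_READ; /* wait for next frame */
    if (len > avail) len = avail;
    memcpy(buf, b->rx + b->rx_off, len);
    b->rx_off += len;
    return (int) len;
}

/* f_send callback: queue TLS output; no network I/O happens here. */
int eap_tls_bio_send(void *ctx, const unsigned char *buf, size_t len) {
    eap_tls_bio_t *b = ctx;
    if (len > EAP_TLS_BUF - b->tx_len) return -1; /* error: flight too large */
    memcpy(b->tx + b->tx_len, buf, len);
    b->tx_len += len;
    return (int) len;
}

/* EAP layer: remove up to max queued bytes for one EAP-Response fragment. */
size_t eap_tls_bio_take(eap_tls_bio_t *b, unsigned char *out, size_t max) {
    size_t n = b->tx_len < max ? b->tx_len : max;
    memcpy(out, b->tx, n);
    memmove(b->tx, b->tx + n, b->tx_len - n);
    b->tx_len -= n;
    return n;
}
```

With the library present, these are registered with `mbedtls_ssl_set_bio(&ssl, &bio, eap_tls_bio_send, eap_tls_bio_recv, NULL)`; each time `mbedtls_ssl_handshake()` returns `MBEDTLS_ERR_SSL_WANT_READ`, the EAP layer sends the queued bytes in an EAP-Response and feeds in the next EAP-Request.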

Hi Ron,

I can’t find the function:
```
mbedtls_ssl_conf_export_keys_ext_cb
```
as described in: https://tls.mbed.org/kb/how-to/tls_prf

My package: mbedtls-2.16.3

Kind Regards,
Leon.

Hi Leon,
As mentioned in this comment, this feature is available only in the feature branch (development branch), and not available yet in an officially released version.
Regards,
Ron