(RADIATOR) EAP-TTLS clarification on inner/outer authentication.
John McFadden
dasjlm at uwo.ca
Wed Aug 13 07:42:07 CDT 2003
As far as I can tell I've got EAP-TTLS working but I'm still confused
about the inner vs outer authentication.
I'm using the Funk client.
-the logon name is dasjlm
-authentication protocol is EAP/TTLS
-inner protocol is PAP
-the anonymous name is anonymous
I thought I was supposed to config radius to
-use LDAP to authenticate inner userids - ie: dasjlm.
-use a flat file to authenticate outer userids - ie: anonymous
Based on the logs that seems to be happening, but I'd appreciate a few
comments to verify I've set things up correctly,
as it appears the "EAPAnonymous" parm refers to INNER authentication.
I've included applicable parts of my config file below.
<Realm INNER>
    <AuthBy FILE>
        # Users must be in this file to get anywhere. In this example,
        # it requires an entry for 'anonymous' which is the standard username
        # in the outer requests, and it also requires an entry for the
        # actual user name who is trying to connect (ie the 'Login name' entered
        # in the Funk Odyssey 'Edit Profile Properties' page)
        Filename /etc/radiator/users
        EAPTLS_CertificateFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.cert
        EAPTLS_CAFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.cert
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.key
        EAPTLS_PrivateKeyPassword nnnnnnnnnn
        AutoMPPEKeys
        EAPType TTLS
    </AuthBy>
</Realm>
<Realm DEFAULT>
    <AuthBy LDAP2>
        Host 129.100.2.39
        AuthDN cn=directory manager
        AuthPassword nnnnnnnnn
        AuthAttrDef description,Role,request
        BaseDN dc=its, dc=uwo, dc=ca
        UsernameAttr uid
        PasswordAttr userPassword
        EAPType TTLS
        EAPTLS_CAFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.cert
        EAPTLS_CertificateFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.cert
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.key
        EAPTLS_PrivateKeyPassword nnnnnnnn
        EAPTLS_MaxFragmentSize 1024
        AutoMPPEKeys
        SSLeayTrace 4
        # You can configure the User-Name that will be used for the inner
        # authentication. Defaults to 'anonymous'. This can be useful
        # when proxying the inner authentication. If there is a realm, it can
        # be used to choose a local Realm to handle the inner authentication.
        # %0 is replaced with the EAP identity
        EAPAnonymous anonymous@INNER
    </AuthBy>
</Realm>
Thanks JLM
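A simplified model of the realm routing that the comments in the posted config describe, added here as an example (it is not Radiator's code and not part of the original post). It assumes the realm is the text after the last '@' in User-Name, an unmatched realm falls back to DEFAULT, and the inner User-Name is the EAPAnonymous template with %0 replaced by the outer EAP identity:

```python
# Added example: simplified model of the realm routing described in the posted
# config's comments; not Radiator's code. Assumptions: realm = text after the
# last '@' in User-Name (case-insensitive match), a miss falls back to DEFAULT,
# and the inner User-Name is the EAPAnonymous template with %0 = outer identity.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Realm:
    name: str
    authby: str                       # AuthBy type of the realm, e.g. FILE or LDAP2
    eap_anonymous: str = "anonymous"  # EAPAnonymous template (config default)


def split_realm(user_name: str) -> tuple[str, str | None]:
    """Return (bare user, realm); realm is the text after the last '@' or None."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm


def select_realm(user_name: str, realms: dict[str, Realm]) -> Realm:
    """Pick the Realm whose name matches the User-Name's realm, else DEFAULT."""
    _, realm = split_realm(user_name)
    if realm is not None:
        for candidate in realms.values():
            if candidate.name.lower() == realm.lower():
                return candidate
    return realms["DEFAULT"]


def inner_user_name(template: str, eap_identity: str) -> str:
    """Expand the EAPAnonymous template; %0 stands for the outer EAP identity."""
    return template.replace("%0", eap_identity)


def route_ttls(outer_identity: str, realms: dict[str, Realm]) -> dict[str, str]:
    """Report which realm/AuthBy handles the outer TLS leg and the inner leg."""
    outer = select_realm(outer_identity, realms)
    inner_name = inner_user_name(outer.eap_anonymous, outer_identity)
    inner = select_realm(inner_name, realms)
    return {"outer_realm": outer.name, "outer_authby": outer.authby,
            "inner_user_name": inner_name,
            "inner_realm": inner.name, "inner_authby": inner.authby}


# Realms mirroring the posted config (constructed sample, not read from a file).
POSTED_REALMS = {
    "INNER": Realm("INNER", "FILE"),
    "DEFAULT": Realm("DEFAULT", "LDAP2", eap_anonymous="anonymous@INNER"),
}
```

Under this model the outer identity "anonymous" has no realm, so the DEFAULT (LDAP2) block terminates TLS, and the inner User-Name becomes "anonymous@INNER", which the INNER (FILE) realm handles; a client whose anonymous name already carries "@INNER" flips the two, so the realm part of the outer identity is worth checking in the logs.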
===
Archive at http://www.open.com.au/archives/radiator/