[RADIATOR] Help required with EAP TTLS

Aman Arneja arneja.aman at gmail.com
Mon Jan 10 00:11:55 CST 2011


Thanks Heikki

2 more questions from my clients are as follows:

1.) When we talk about client auth in phase 1, what we meant was: can there
be EAP-TLS mutual authentication in phase 1 (server auth + client auth)?

2.) Also, does Radiator support the Key Agility extensions as defined at
http://tools.ietf.org/html/draft-hanna-eap-ttls-agility-00 ?

With respect to method chaining and the other questions, my client is in the
process of building a client-side implementation and thus wanted to know
what all is supported, especially since we have zeroed in on buying the
Radiator server; we just wanted to at least match you guys in configuration.

Thanks

Aman Arneja



On Sat, Jan 8, 2011 at 3:10 PM, Heikki Vatiainen <hvn at open.com.au> wrote:

> On 01/07/2011 01:51 PM, Aman Arneja wrote:
>
> > I also need some information regarding your TTLS support since I am
> > looking at a RADIUS server that can service both SIM and TTLS requests;
> > I need the answers to the following questions.
>
> Good questions. Please see below for answers.
>
> > Features
> > Non-EAP inner methods - Which methods are supported?
>
> There are plenty: the basic ones are PAP, CHAP, MSCHAP and MSCHAPv2.
>
> The way Radiator has been built makes supporting different inner methods
> easy. The inner method messages are dispatched as new RADIUS messages
> and can be handled in the configuration as their own, not within TTLS.
>
> In other words there is a lot of flexibility with the inner protocols,
> and the ones mentioned above are usually supported and used by clients.
>
> Do you have any specific methods in mind?
>
> > Client auth during phase 1 - Supported, Not/Supported
>
> Supported. The phase 1 message is available for authentication. You can,
> for example, first validate the MAC address or check the WLAN SSID in the
> outer request and only then proceed to continue with phase 2.
>
> > Can identity privacy be explicitly enabled or disabled - on the client
> > side
> > Can session resumption be explicitly enabled or disabled - on the client
> > side
>
> Yes for both. The outer identity can be different from the inner
> identity. Session resumption is supported by Radiator by default and can
> be disabled from the client side.
>
> > Method chaining in Phase 2
>
> For this you would need to use Radiator with e.g., EAP-FAST where method
> chaining has been well defined. With TTLS methods can in theory be
> chained with clever configuration, but I do not think Radiator has been
> tested or used in such a configuration.
>
> If you have something specific in mind, please let us know.
>
> > Allowing tunnel method as inner method (FAST, PEAP)
>
> This may not have ever been tested and I cannot verify whether this works.
> If you know a client that can do this, we would be very interested to know
> about it.
>
> > Also if you have any competitor analysis on this , like with free radius
> > etc, that would be great !!
>
> Please take a look at the Radiator technical information at
> http://www.open.com.au/radiator/technical.html
>
> I will check what analysis type of information we may also have.
>
> > Thanks
> >
> > Aman Arneja
>
> Thanks!
>
> Heikki Vatiainen
>
> --
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
>
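To illustrate the two points Heikki makes above, a phase 1 check on the unencrypted outer request before the TLS tunnel proceeds and the inner methods being dispatched as their own RADIUS requests, here is a Radiator configuration sketch. It is an added example, not from the mailing-list post or Radiator's own documentation; the SSID name, file paths, the `:SSID` suffix format of Called-Station-Id and the key password are assumptions.

```conf
# Added example (not from the post). Assumptions: the NAS sends
# Called-Station-Id as "<AP-MAC>:<SSID>", the corporate SSID is
# "CorpWLAN", and the users/certificate files exist under %D.

# Phase 1 (outer): only requests that arrive tagged with the expected
# SSID are matched by this Handler, so an unexpected SSID is refused
# before any EAP-TTLS handshake starts. A MAC allow-list could be added
# the same way with a Calling-Station-Id check item.
<Handler Called-Station-Id=/:CorpWLAN$/>
    <AuthBy FILE>
        Filename %D/users
        EAPType TTLS
        EAPTLS_CAFile %D/certificates/ca.pem
        EAPTLS_CertificateFile %D/certificates/server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/server-key.pem
        EAPTLS_PrivateKeyPassword CHANGEME-placeholder
        EAPTLS_MaxFragmentSize 1024
        # Outer identity used for identity privacy; the real user name
        # travels only inside the tunnel.
        EAPAnonymous anonymous
        EAPTTLS_NoAckRequired
        AutoMPPEKeys
        # Session resumption is on by default; this is the server-side
        # switch if a deployment needs it off.
        # EAPTLS_SessionResumption 0
    </AuthBy>
</Handler>

# Phase 2 (inner): the decrypted inner request (PAP, CHAP, MSCHAP,
# MSCHAPv2 ...) is re-dispatched as a new RADIUS request with
# TunnelledByTTLS set, so it is handled here like any other request
# and authenticated against the real user database.
<Handler TunnelledByTTLS=1>
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
</Handler>
```

Requests that fail the outer Handler's check item never reach the TLS handshake, which is the "validate first, then phase 2" ordering described in the reply.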