[RADIATOR] Help required with EAP TTLS

Mon Jan 10 04:54:36 CST 2011

Hello Aman,

On Monday 10 January 2011 04:11:55 pm Aman Arneja wrote:
> Thanx Heikki
>
> 2 more questions from my clients are as follows
>
> 1.) When we talk about about Client auth in phase 1, what we meant was that
> can there be an EAP TLS Mutual authentication in phase 1 ( Server auth +
> Client auth)

Yes, EAP-LS requires that by default.
With EAP-TTLS and EAP-PEAP it is not required by default, but it can be 
enabled by setting 
EAPTLS_RequireClientCert

>
> 2.) Also does radiator support Key Agility extensions as defined at
> http://tools.ietf.org/html/draft-hanna-eap-ttls-agility-00

No.

>
> With respect to method chaining and other questions, my client is in the
> process of building a client side implementation and thus wanted to know
> what all is supported, specially since we have zeroed in on buying radiator
> server we just wanted to atleast match u guys in configuration.

Hope that helps.
Cheers.

>
> Thanx
>
> Aman Arneja
>
> On Sat, Jan 8, 2011 at 3:10 PM, Heikki Vatiainen <hvn at open.com.au> wrote:
> > On 01/07/2011 01:51 PM, Aman Arneja wrote:
> > > I also need some information regarding your ttls support since i am
> >
> > looking
> >
> > > at a radius server that can service both SIM and TTLS requests, i need
> >
> > the
> >
> > > answers to the following questions.
> >
> > Good questions. Please see below for answers.
> >
> > > Features
> > > Non-EAP inner methods - Which methods are supported?
> >
> > There are plenty: the basic ones are PAP, CHAP, MSCHAP ja MSCHAPv2.
> >
> > The way Radiator has been built makes supporting different inner methods
> > easy. The inner method messages are dispatched as new RADIUS messages
> > and can be handled in the configuration as their own, not within TTLS.
> >
> > In other words there is a lot of flexibility with the inner protocols,
> > and the ones mentioned above are usually supported and used by clients.
> >
> > Do you have any specific methods in mind?
> >
> > > Client auth during phase 1 - Supported, Not/Supported
> >
> > Supported. The phase 1 message is available for authentication. You can
> > for example, first validate MAC address or check WLAN SSID in the outer
> > request and only then proceed to continue with phase 2.
> >
> > > Can identity privacy be explicitly enabled or disabled - on the client
> >
> > side
> >
> > > Can session resumption be explicitly enabled or disable - on the client
> >
> > side
> >
> > Yes for both. The outer identity can be different from the inner
> > identity. Session resumption is supported by Radiator by default and can
> > be disabled from the client side.
> >
> > > Method chaining in Phase 2
> >
> > For this you would need to use Radiator with e.g., EAP-FAST where method
> > chaining has been well defined. With TTLS methods can in theory be
> > chained with clever configuration, but I do not think Radiator has been
> > tested or used in such a configuration.
> >
> > If you have something specific in mind, please let us know.
> >
> > > Allowing tunnel method as inner method (FAST, PEAP)
> >
> > This may not been ever tested and I can not verify if this works. If you
> > know a client that can do this, we would be very interested to know
> > about it.
> >
> > > Also if you have any competitor analysis on this , like with free
> > > radius etc, that would be great !!
> >
> > Please take a look Radiator technical information at
> > http://www.open.com.au/radiator/technical.html
> >
> > I will check what analysis type of information we may also have.
> >
> > > Thanx
> > >
> > > Aman Arneja
> >
> > Thanks!
> >
> > Heikki Vatiainen
> >
> > --
> > Heikki Vatiainen <hvn at open.com.au>
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> > NetWare etc.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.