[RADIATOR] Help required with EAP TTLS
Mike McCauley
mikem at open.com.au
Mon Jan 10 04:54:36 CST 2011
Hello Aman,
On Monday 10 January 2011 04:11:55 pm Aman Arneja wrote:
> Thanx Heikki
>
> 2 more questions from my clients are as follows
>
> 1.) When we talk about about Client auth in phase 1, what we meant was that
> can there be an EAP TLS Mutual authentication in phase 1 ( Server auth +
> Client auth)
Yes, EAP-LS requires that by default.
With EAP-TTLS and EAP-PEAP it is not required by default, but it can be
enabled by setting
EAPTLS_RequireClientCert
>
> 2.) Also does radiator support Key Agility extensions as defined at
> http://tools.ietf.org/html/draft-hanna-eap-ttls-agility-00
No.
>
> With respect to method chaining and other questions, my client is in the
> process of building a client side implementation and thus wanted to know
> what all is supported, specially since we have zeroed in on buying radiator
> server we just wanted to atleast match u guys in configuration.
Hope that helps.
Cheers.
>
> Thanx
>
> Aman Arneja
>
> On Sat, Jan 8, 2011 at 3:10 PM, Heikki Vatiainen <hvn at open.com.au> wrote:
> > On 01/07/2011 01:51 PM, Aman Arneja wrote:
> > > I also need some information regarding your ttls support since i am
> >
> > looking
> >
> > > at a radius server that can service both SIM and TTLS requests, i need
> >
> > the
> >
> > > answers to the following questions.
> >
> > Good questions. Please see below for answers.
> >
> > > Features
> > > Non-EAP inner methods - Which methods are supported?
> >
> > There are plenty: the basic ones are PAP, CHAP, MSCHAP ja MSCHAPv2.
> >
> > The way Radiator has been built makes supporting different inner methods
> > easy. The inner method messages are dispatched as new RADIUS messages
> > and can be handled in the configuration as their own, not within TTLS.
> >
> > In other words there is a lot of flexibility with the inner protocols,
> > and the ones mentioned above are usually supported and used by clients.
> >
> > Do you have any specific methods in mind?
> >
> > > Client auth during phase 1 - Supported, Not/Supported
> >
> > Supported. The phase 1 message is available for authentication. You can
> > for example, first validate MAC address or check WLAN SSID in the outer
> > request and only then proceed to continue with phase 2.
> >
> > > Can identity privacy be explicitly enabled or disabled - on the client
> >
> > side
> >
> > > Can session resumption be explicitly enabled or disable - on the client
> >
> > side
> >
> > Yes for both. The outer identity can be different from the inner
> > identity. Session resumption is supported by Radiator by default and can
> > be disabled from the client side.
> >
> > > Method chaining in Phase 2
> >
> > For this you would need to use Radiator with e.g., EAP-FAST where method
> > chaining has been well defined. With TTLS methods can in theory be
> > chained with clever configuration, but I do not think Radiator has been
> > tested or used in such a configuration.
> >
> > If you have something specific in mind, please let us know.
> >
> > > Allowing tunnel method as inner method (FAST, PEAP)
> >
> > This may not been ever tested and I can not verify if this works. If you
> > know a client that can do this, we would be very interested to know
> > about it.
> >
> > > Also if you have any competitor analysis on this , like with free
> > > radius etc, that would be great !!
> >
> > Please take a look Radiator technical information at
> > http://www.open.com.au/radiator/technical.html
> >
> > I will check what analysis type of information we may also have.
> >
> > > Thanx
> > >
> > > Aman Arneja
> >
> > Thanks!
> >
> > Heikki Vatiainen
> >
> > --
> > Heikki Vatiainen <hvn at open.com.au>
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> > NetWare etc.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
More information about the radiator
mailing list