418
| Reference
Amigopod 3.7
| Deployment Guide
module.eap_tls
= no
Enables EAP-TLS module.
The following functions onfigure digital certificates for EAP-TLS. If
the private key and certificate are located in the same file, then
private_key_file and certificate_file must contain the same filename.
eap.tls.private_key_password
=
not set
eap.tls.private_key_file
= "${raddbdir}/certs/cert-srv.pem"
eap.tls.certificate_file
= "${raddbdir}/certs/cert-srv.pem"
eap.tls.dh_file
= "${raddbdir}/certs/dh"
eap.tls.random_file
=
"${raddbdir}/certs/random"
eap.tls.CA_file
= "${raddbdir}/certs/demoCA/cacert.pem"
Trusted root CA list.
eap.tls.fragment_size
= 1024
This can never exceed the size of a RADIUS packet (4096
bytes), and is preferably half that, to accommodate other
attributes in the RADIUS packet. On most APs the maximum
packet length is configured between 1500 – 1600. In these
cases, fragment size should be 1024 or less.
eap.tls.include_length
= yes
If set to yes, the total length of the message is included in every
packet we send. If set to no, total length of the message is
included only in the first packet of a fragment series.
eap.tls.check_crl
= yes
Check the Certificate Revocation List.
eap.tls.check_cert_cn
=
not set
If check_cert_cn is set, the value will be xlat'ed and checked
against the CN in the client certificate. If the values do not
match, the certificate verification will fail, rejecting the user.
module.eap_ttls
= no
The TTLS module implements the EAP-TTLS protocol, which can
be described as EAP inside of Diameter, inside of TLS, inside of
EAP, inside of RADIUS.
The TTLS module needs the TLS module to be installed and
configured, in order to use the TLS tunnel inside of the EAP packet.
You will still need to configure the TLS module, even if you do not
want to deploy EAP-TLS in your network. Users will not be able to
request EAP-TLS, as it requires them to have a client certificate.
EAP-TTLS does not require a client
certificate.
eap.ttls.default_eap_type
= md5
The tunneled EAP session needs a default EAP type which is
separate from the one for the non-tunneled EAP module. Inside of
the TTLS tunnel, we recommend using EAP-MD5. If the request
does not contain an EAP conversation, then this configuration entry
is ignored.
eap.ttls.copy_request_to_tunnel
= no
The tunneled authentication request does not usually contain
useful attributes like Calling-Station-Id, etc. These attributes are
outside of the tunnel, and are normally unavailable to the
tunneled authentication request.
By setting this configuration entry to ‘yes’, any attribute which is
not in the tunneled authentication request, but which is available
outside of the tunnel, is copied to the tunneled request.
eap.ttls.use_tunneled_reply
= no
The reply attributes sent to the NAS are usually based on the
name of the user ‘outside’ of the tunnel (usually ‘anonymous’). If
you want to send the reply attributes based on the username
inside of the tunnel, then set this configuration entry to ‘yes’,
and the reply to the NAS will be taken from the reply to the
tunneled request.
Table 53
Optional EAP Module Options (Continued)
Function
Description
Summary of Contents for Amigopod 3.7
Page 1: ...Amigopod 3 7 Deployment Guide...
Page 14: ...14 Amigopod 3 7 Deployment Guide...
Page 30: ...30 Management Overview Amigopod 3 7 Deployment Guide...
Page 108: ...108 RADIUS Services Amigopod 3 7 Deployment Guide...
Page 132: ...132 Operator Logins Amigopod 3 7 Deployment Guide...
Page 240: ...240 Guest Management Amigopod 3 7 Deployment Guide...
Page 332: ...332 Administrator Tasks Amigopod 3 7 Deployment Guide...
Page 336: ...336 Administrator Tasks Amigopod 3 7 Deployment Guide...
Page 345: ...Amigopod 3 7 Deployment Guide Hotspot Manager 345...
Page 362: ...362 High Availability Services Amigopod 3 7 Deployment Guide...