ClearPass Guest 3.9 | Deployment Guide
Reference |
The following EAP module options are usually not required, as EAP configuration can be performed using the WebUI. For further details, see “EAP and 802.1X Authentication and Certificate Management” in the RADIUS Services chapter.
Table 62 Optional EAP Module Options

| Function | Description |
|---|---|
| advanced.eap = 1 | Enable additional EAP types in the EAP Configuration form. |
| module.eap = yes | Extensible Authentication Protocol authentication. |
| eap.default_eap_type = md5 | Invoke the default supported EAP type when EAP-Identity response is received. The incoming EAP messages DO NOT specify which EAP type they will be using, so it MUST be set here. Only one default EAP type may be used at a time. If the EAP-Type attribute is set by another module, then that EAP type takes precedence over the default type configured here. |
| eap.timer_expire = 60 | A list is maintained to correlate EAP-Response packets with EAP-Request packets. After a configurable length of time, entries in the list expire, and are deleted. |
| eap.ignore_unknown_eap_types = no | There are many EAP types, but the server has support for only a limited subset. If the server receives a request for an EAP type it does not support, then it normally rejects the request. By setting this configuration to “yes”, you can tell the server to instead keep processing the request. Another module MUST then be configured to proxy the request to another RADIUS server which supports that EAP type. If another module is NOT configured to handle the request, then the request will still end up being rejected. |
| eap.cisco_accounting_username_bug = no | Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given a User-Name attribute in an Access-Accept, it copies one more byte than it should. Work around this issue by adding an extra zero byte. |
| module.eap_md5 = yes | Enables “md5” EAP type. EAP-MD5 authentication is not recommended for wireless connections. It is insecure, and does not provide for dynamic WEP keys. |
| module.eap_leap = yes | Cisco LEAP. LEAP is not recommended for use in new deployments. Cisco LEAP uses the MS-CHAP algorithm (but not the MS-CHAP attributes) to perform its authentication. As a result, LEAP requires access to the plain-text User-Password, or the NT-Password attributes. “System” authentication is impossible with LEAP. |
| module.eap_gtc = yes | Generic Token Card. Currently, this is only permitted inside of EAP-TTLS, or EAP-PEAP. The module "challenges" the user with text, and the response from the user is taken to be the User-Password. Proxying the tunneled EAP-GTC session is a bad idea: the user's password will go over the wire in plain text, for anyone to see. |
| eap.gtc.challenge = "Password: " | The default challenge string, which many clients ignore. |
| eap.gtc.auth_type = PAP | The plain-text response which comes back is put into a User-Password attribute, and passed to another module for authentication. This allows the EAP-GTC response to be checked against plain-text, or encrypted passwords. If you specify “Local” instead of “PAP”, then the module will look for a User-Password configured for the request, and do the authentication itself. |
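The warnings in Table 62 can be turned into a configuration review check. The following is an added example, not part of the Deployment Guide or of ClearPass Guest: it assumes the options are available as `name = value` text lines, the function names are hypothetical, and `peap` as a value for `eap.default_eap_type` is an assumption.

```python
import re

# Reasons are taken from the option descriptions in Table 62.
WEAK_TYPES = {
    "md5": "EAP-MD5 is insecure and provides no dynamic WEP keys",
    "leap": "Cisco LEAP is not recommended for new deployments",
}

def parse_options(text):
    """Parse 'name = value' lines (assumed layout) into a dict."""
    opts = {}
    for line in text.splitlines():
        m = re.fullmatch(r'([\w.]+)\s*=\s*"?(.*?)"?', line.strip())
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def audit(opts):
    """Return (option, reason) pairs for settings the table warns about."""
    findings = []
    for eap_type, why in WEAK_TYPES.items():
        name = f"module.eap_{eap_type}"
        if opts.get(name) == "yes":
            findings.append((name, why))
    default = opts.get("eap.default_eap_type")
    if default in WEAK_TYPES:
        findings.append(("eap.default_eap_type",
                         f"default EAP type is {default}: {WEAK_TYPES[default]}"))
    if opts.get("eap.ignore_unknown_eap_types") == "yes":
        findings.append(("eap.ignore_unknown_eap_types",
                         "needs a proxying module, else requests are still rejected"))
    return findings

# Constructed sample: values exactly as Table 62 lists them.
AS_LISTED = """
eap.default_eap_type = md5
eap.ignore_unknown_eap_types = no
module.eap_md5 = yes
module.eap_leap = yes
eap.gtc.challenge = "Password: "
"""
# Constructed sample: weak types off; "peap" as a value name is an assumption.
TIGHTENED = """
eap.default_eap_type = peap
module.eap_md5 = no
module.eap_leap = no
"""
if __name__ == "__main__":
    print(audit(parse_options(AS_LISTED)), audit(parse_options(TIGHTENED)))
```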