Steel-Belted Radius Carrier 7.0 Reference Guide > EAP Configuration Files > ttlsauth.aut File

ttlsauth.aut File
NOTE: Use the SBR Administrator to maintain settings in the ttlsauth.aut file. Do not edit the ttlsauth.aut file manually.
Settings for the EAP-TTLS authentication method are stored in the ttlsauth.aut file. The ttlsauth.aut configuration file is read each time the Steel-Belted Radius Carrier server receives a HUP signal.
[Bootstrap] Section
The [Bootstrap] section of the ttlsauth.aut file (Table 111) specifies information that Steel-Belted Radius Carrier uses to load the EAP-TTLS authentication method.
Table 111: ttlsauth.aut [Bootstrap] Syntax

LibraryName
  Specifies the name of the EAP-TTLS module. Default value is ttlsauth.so. Do not change this unless you are advised to do so by Juniper Networks Technical Support.

Enable
  Specifies whether the EAP-TTLS authentication module is enabled.
  - If set to 0, EAP-TTLS is disabled, and the EAP-TTLS authentication method does not appear in the Authentication Methods list displayed in the Authentication Policies > Order of Methods panel in SBR Administrator.
  - If set to 1, EAP-TTLS is enabled.
  Default value is 0.

InitializationString
  Specifies the name of the authentication method to appear in the Authentication Methods list displayed in the Authentication Policies > Order of Methods panel in SBR Administrator.
  The name of each authentication method must be unique. If you create additional .aut files to implement authentication against multiple databases, the InitializationString value in each file must specify a unique method name.
  Default value is EAP-TTLS.
[Server_Settings] Section
The [Server_Settings] section (Table 112) lets you configure the basic operation of the EAP-TTLS plug-in.
Table 112: ttlsauth.aut [Server_Settings] Syntax

TLS_Message_Fragment_Length
  Specifies the maximum TTLS message length that may be generated during each iteration of the TTLS exchange. This value affects the number of RADIUS challenge/response round-trips required to conclude the TLS exchange. A value of 1400 may result in 6 round-trips, while a value of 500 may result in 15 round-trips.
  Some Access Points may have problems with RADIUS responses or EAP messages that exceed the size of one Ethernet frame (1500 bytes including IP/UDP headers).
  Minimum value is 500.
  Maximum value is 4096.
  Default value is 1020, which prevents the RADIUS challenge response (carried in a UDP packet) from exceeding one Ethernet frame.

Return_MPPE_Keys
  Setting this attribute to 1 causes the module to include the RADIUS MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in the final RADIUS Access-Accept response sent to the Access Point. This is necessary for the Access Point to key the WEP encryption.
  If the Access Point is authenticating only end users and WEP is not being used, this attribute may be set to 0.
  For the optional WiMAX mobility module, set this to 0.
  Default value is 1.

DH_Prime_Bits
  Specifies the size of the prime number that the module uses for Diffie-Hellman exponentiation. Selecting a larger prime number makes the system less susceptible to certain types of attacks but requires more CPU processing to compute the Diffie-Hellman key agreement operation.
  Valid values are 512, 1024, 1536, 2048, 3072, and 4096.
  Default value is 1024.

Cipher_Suites
  Specifies the TLS cipher suites (in order of preference) that the server is to use. These cipher suites are documented in RFC 2246, "The TLS Protocol Version 1," and other TLS-related RFCs and draft RFCs.
  Default value is: 0x16, 0x13, 0x66, 0x15, 0x12, 0x0a, 0x05, 0x04, 0x07, and 0x09.

Require_Client_Certificate
  - If set to 1, specifies that the client must provide a certificate as part of the TTLS exchange.
  - If set to 0, no client certificate is required.
  Default value is 0.
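The [Server_Settings] rules above (the 500..4096 fragment range, the 1020 default that keeps a challenge inside one Ethernet frame, the fixed list of Diffie-Hellman prime sizes, the 0/1 switches and the hex cipher-suite list) are easy to get wrong when a file is edited by hand despite the note at the top of this page. The following Python checker is an added example, not part of SBR or this guide: it parses a constructed ttlsauth.aut sample with the standard-library configparser and reports each value that violates the documented constraints. The sample text, the `DEFAULTS` table and the function names are all assumptions of this example.

```python
import configparser
from typing import List

# Constructed sample of a ttlsauth.aut file (not the shipped file); two of the
# [Server_Settings] values are deliberately questionable so the checker reports them.
SAMPLE_AUT = """\
[Bootstrap]
LibraryName=ttlsauth.so
Enable=1
InitializationString=EAP-TTLS

[Server_Settings]
; above the 1020 default that keeps a challenge inside one Ethernet frame
TLS_Message_Fragment_Length = 1600
Return_MPPE_Keys = 1
; not one of the documented prime sizes
DH_Prime_Bits = 1000
Cipher_Suites = 0x16, 0x13, 0x66
Require_Client_Certificate = 0
"""

# Limits and defaults taken from the [Server_Settings] table above.
FRAG_MIN, FRAG_MAX, FRAG_DEFAULT = 500, 4096, 1020
DH_VALID = {512, 1024, 1536, 2048, 3072, 4096}
DEFAULTS = {
    "TLS_Message_Fragment_Length": 1020,
    "Return_MPPE_Keys": 1,
    "DH_Prime_Bits": 1024,
    "Require_Client_Certificate": 0,
}


def parse_aut(text: str) -> configparser.ConfigParser:
    """Parse .aut-style INI text. ';' starts a comment line, as in the sample file."""
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def cipher_suite_codes(value: str) -> List[int]:
    """Turn '0x16, 0x13' into [22, 19]; raises ValueError on a non-hex token."""
    return [int(tok, 16) for tok in value.replace(",", " ").split()]


def check_server_settings(text: str) -> List[str]:
    """Return one finding per [Server_Settings] value that violates the documented rules."""
    cp = parse_aut(text)
    if not cp.has_section("Server_Settings"):
        return ["no [Server_Settings] section; every value falls back to its default"]
    s = cp["Server_Settings"]
    findings: List[str] = []

    frag = s.getint("TLS_Message_Fragment_Length", DEFAULTS["TLS_Message_Fragment_Length"])
    if not FRAG_MIN <= frag <= FRAG_MAX:
        findings.append(f"TLS_Message_Fragment_Length={frag} is outside {FRAG_MIN}..{FRAG_MAX}")
    elif frag > FRAG_DEFAULT:
        findings.append(f"TLS_Message_Fragment_Length={frag} exceeds {FRAG_DEFAULT}; "
                        "a challenge may no longer fit in one Ethernet frame")

    dh = s.getint("DH_Prime_Bits", DEFAULTS["DH_Prime_Bits"])
    if dh not in DH_VALID:
        findings.append(f"DH_Prime_Bits={dh} is not one of {sorted(DH_VALID)}")

    for key in ("Return_MPPE_Keys", "Require_Client_Certificate"):
        if s.getint(key, DEFAULTS[key]) not in (0, 1):
            findings.append(f"{key} must be 0 or 1")

    if "Cipher_Suites" in s:
        try:
            cipher_suite_codes(s["Cipher_Suites"])
        except ValueError:
            findings.append("Cipher_Suites contains a token that is not a hex suite code")
    return findings


if __name__ == "__main__":
    for finding in check_server_settings(SAMPLE_AUT):
        print(finding)
```

Run against the constructed sample, the checker reports the 1600-byte fragment length (inside the legal range but above the one-frame default) and the unsupported 1000-bit prime; a file that uses the defaults produces no findings.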
[Inner_Authentication] Section
The [Inner_Authentication] section (Table 113) lets you specify the way in which the inner authentication step is to operate.
Table 113: ttlsauth.aut [Inner_Authentication] Syntax

Directed_Realm
  Omitting this setting causes the inner authentication request to be handled like any other request received from a RAS.
  Specifying the name of a directed realm causes the request to be routed based on the methods listed in the directed realm.
  Default is to process the inner authentication through standard request processing.
[Request Filters] Section
Request filters (Table 114) affect the attributes of inner authentication requests.
NOTE: The filters named in these settings must be defined in the filter.ini file.

Table 114: ttlsauth.aut [Request Filters] Syntax

Transfer_Outer_Attribs_to_New
  This filter affects only a new inner authentication request (rather than continuations of previous requests).
  If this filter is specified, all attributes from the outer request are transferred to the inner request and this filter is applied. The transfer occurs and the filter is applied before any attributes specified in the inner authentication are added to the request.
  If this filter is not specified, no attributes from the outer request are transferred to the inner request.

Transfer_Outer_Attribs_to_Continue
  This filter affects only a continued inner authentication request (rather than the first inner authentication request).
  If this filter is specified, all attributes from the outer request are transferred to the inner request and this filter is applied. The transfer occurs and the filter is applied before any attributes specified in the inner authentication are added to the request.
  If this filter is not specified, no attributes from the outer request are transferred to the inner request.

Edit_New
  This filter affects only a new inner authentication request (rather than continuations of previous requests).
  If this filter is specified, it is applied to the inner request that is the cumulative result of attributes transferred from the outer request (see Transfer_Outer_Attribs_to_New in this table) and attributes included in the inner authentication request sent through the tunnel by the client.
  If this filter is not specified, the request remains unaltered.

Edit_Continue
  This filter affects only a continued inner authentication request (rather than a new inner authentication request).
  If this filter is specified, it is applied to the inner request that is the cumulative result of attributes transferred from the outer request (see Transfer_Outer_Attribs_to_Continue in this table) and attributes included in the inner authentication request sent through the tunnel by the client.
  If this filter is not specified, the request remains unaltered.
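The ordering in Table 114 matters for what the inner authentication method gets to see: outer attributes reach the inner request only through a Transfer filter, the attributes the client sent inside the tunnel are added afterwards, and an Edit filter then operates on the combined request. The Python model below is an added example, not SBR code: `allow_only` and `drop` stand in for filters that a real deployment would define in filter.ini, the attribute dictionaries are constructed sample data, and the rule that a tunneled attribute wins over a same-named transferred one is an assumption of this model (the table does not say how such a clash is resolved).

```python
from typing import Callable, Dict, Optional

Attrs = Dict[str, str]
Filter = Callable[[Attrs], Attrs]  # stands in for a filter defined in filter.ini


def allow_only(*names: str) -> Filter:
    """Model of a filter that keeps only the named attributes."""
    return lambda a: {k: v for k, v in a.items() if k in names}


def drop(*names: str) -> Filter:
    """Model of a filter that removes the named attributes."""
    return lambda a: {k: v for k, v in a.items() if k not in names}


def build_inner_request(outer: Attrs, tunneled: Attrs,
                        transfer: Optional[Filter] = None,
                        edit: Optional[Filter] = None) -> Attrs:
    """Assemble the inner request in the order Table 114 describes.

    transfer: the Transfer_Outer_Attribs_to_New (or _to_Continue) filter, if any.
    edit:     the Edit_New (or Edit_Continue) filter, if any.
    """
    # Step 1: outer attributes cross into the inner request only when a
    # Transfer filter is configured, and that filter is applied to them first.
    req: Attrs = transfer(dict(outer)) if transfer else {}
    # Step 2: the attributes the client sent inside the TLS tunnel are added.
    # Assumption of this model: on a name clash the tunneled value is kept.
    req.update(tunneled)
    # Step 3: the Edit filter sees the cumulative request.
    return edit(req) if edit else req


# Constructed sample: an anonymous outer identity, the real identity inside the tunnel.
OUTER: Attrs = {
    "User-Name": "anonymous@example.com",
    "NAS-IP-Address": "192.0.2.10",
    "Calling-Station-Id": "00-11-22-33-44-55",
}
TUNNELED: Attrs = {"User-Name": "alice", "User-Password": "correct horse battery"}

# A Transfer filter that carries access-device context inward but never the outer identity.
XFER_OUT_NEW: Filter = drop("User-Name")
# An Edit filter that leaves the inner method only what it needs.
EDIT_NEW: Filter = allow_only("User-Name", "User-Password", "NAS-IP-Address")


if __name__ == "__main__":
    print("no filters:  ", build_inner_request(OUTER, TUNNELED))
    print("transfer:    ", build_inner_request(OUTER, TUNNELED, transfer=XFER_OUT_NEW))
    print("transfer+edit", build_inner_request(OUTER, TUNNELED, XFER_OUT_NEW, EDIT_NEW))
```

With no Transfer filter the inner method sees only the tunneled attributes; with `XFER_OUT_NEW` it also sees the NAS context but the anonymous outer User-Name is kept out; with `EDIT_NEW` on top, Calling-Station-Id is stripped from the combined request.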
[Response Filters] Section
Response filters (Table 115) affect the attributes in the responses returned to authentication requests.

NOTE: The filters named in these settings must be defined in the filter.ini file.

Table 115: ttlsauth.aut [Response Filters] Syntax

Transfer_Inner_Attribs_To_Accept
  This filter affects only an outer Access-Accept response that is sent back to a network access device.
  If this filter is specified, the filter is applied to the inner authentication response and all resulting attributes are transferred to the outer authentication response.
  If this filter is not specified, no inner authentication response attributes are transferred to the outer authentication response.

Transfer_Inner_Attribs_To_Reject
  This filter affects only an outer Access-Reject response that is sent back to a network access device.
  If this filter is specified, the filter is applied to the inner authentication response and all resulting attributes are transferred to the outer authentication response.
  If this filter is not specified, no inner authentication response attributes are transferred to the outer authentication response.
[CRL_Checking] Section
The [CRL_Checking] section (Table 116) lets you specify settings that control how Steel-Belted Radius Carrier performs certificate revocation list (CRL) checking.
Table 116: ttlsauth.aut [CRL_Checking] Syntax

Enable
  If set to 1, specifies that CRL checking is enabled for EAP-TTLS.
  Default value is 0.

Retrieval_Timeout
  Specifies the time (in seconds) that EAP-TTLS waits for a CRL checking transaction to complete when the CRL check involves a CRL retrieval. When CRL retrieval takes longer than the specified time, the user's authentication request is rejected.
  Default value is 5 seconds.

Expiration_Grace_Period
  Specifies the time (in seconds) after expiration during which a CRL is still considered acceptable. EAP-TTLS always attempts to retrieve a new CRL when it is presented with a certificate chain and it finds an expired CRL in its cache.
  - If set to 0 (strict expiration mode), EAP-TTLS does not accept a CRL that has expired.
  - If set to a value greater than 0 (lax expiration mode), EAP-TTLS considers the expired CRL an acceptable stand-in from the time the CRL expires to the time the grace period ends.
  Default value is 0 (strict expiration mode).

Allow_Missing_CDP_Attribute
  Specifies whether the omission of a CDP attribute in a non-root certificate is acceptable. Without a CDP attribute, EAP-TLS does not know how to retrieve a CRL and cannot perform a revocation check on the certificate.
  - If set to 0, EAP-TLS does not accept a certificate with a missing CDP attribute.
  - If set to 1, EAP-TLS allows such certificates and skips CRL checking for them.
  Default value is 1.

Default_LDAP_Server_Name
  Specifies the LDAP server name to use if the CDP contains a value that begins with the string ldap:///. This style of CDP (generated by some CAs) does not include the identity of the LDAP server.
  Specify the name of the LDAP server that contains the CRLs if you expect to encounter certificates with this style of CDP. If you do not specify a server name and such certificates are encountered, CRL retrieval fails.
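The four [CRL_Checking] settings interact: a missing CDP is either tolerated or fatal, a retrieval that outlasts Retrieval_Timeout rejects the user, and whether an expired cached CRL may still serve depends on Expiration_Grace_Period. The decision procedure below is an added Python model, not SBR code; the `CrlChecking` dataclass mirrors the table's keys and defaults, the `Crl` record, the `Fetcher` callback and the constructed stale CRL are assumptions of this example, and treating a failed (but not timed-out) retrieval as the case in which the expired CRL becomes the stand-in is this model's reading of the table.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, FrozenSet, Optional, Tuple


@dataclass
class CrlChecking:
    """The [CRL_Checking] keys with the defaults from the table above."""
    Enable: int = 0
    Retrieval_Timeout: int = 5
    Expiration_Grace_Period: int = 0
    Allow_Missing_CDP_Attribute: int = 1


@dataclass
class Crl:
    next_update: datetime                                       # expired after this instant
    revoked: FrozenSet[int] = field(default_factory=frozenset)  # revoked serial numbers


# A retrieval attempt yields the fetched CRL (None on failure) and the seconds it took.
Fetcher = Callable[[], Tuple[Optional[Crl], float]]


def within_grace(crl: Crl, now: datetime, grace_seconds: int) -> bool:
    """An expired CRL stays acceptable only in lax mode, and only until the grace period ends."""
    if now <= crl.next_update:
        return True
    return grace_seconds > 0 and now <= crl.next_update + timedelta(seconds=grace_seconds)


def revocation_decision(serial: int, has_cdp: bool, cached: Optional[Crl],
                        fetch: Fetcher, now: datetime, cfg: CrlChecking) -> str:
    """Return 'accept', 'reject' or 'skip' (no check performed) for one certificate."""
    if not cfg.Enable:
        return "skip"
    if not has_cdp:
        # no CDP means no way to locate a CRL; Allow_Missing_CDP_Attribute decides
        return "skip" if cfg.Allow_Missing_CDP_Attribute else "reject"
    crl = cached
    if crl is None or now > crl.next_update:
        # the module always tries to fetch a fresh CRL when the cached one is expired or absent
        fresh, seconds = fetch()
        if seconds > cfg.Retrieval_Timeout:
            return "reject"                     # retrieval exceeded Retrieval_Timeout
        if fresh is not None:
            crl = fresh
        elif crl is None or not within_grace(crl, now, cfg.Expiration_Grace_Period):
            return "reject"                     # strict mode, or grace period exhausted
        # otherwise the expired cached CRL serves as the stand-in (lax mode); that a
        # failed fetch falls back to it is this model's reading of the table
    return "reject" if serial in crl.revoked else "accept"


# Constructed scenario: a CRL that expired an hour ago and lists serial 42 as revoked.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
STALE = Crl(next_update=NOW - timedelta(hours=1), revoked=frozenset({42}))
FETCH_FAILS_FAST: Fetcher = lambda: (None, 0.2)   # CDP unreachable, fails immediately
FETCH_TIMES_OUT: Fetcher = lambda: (None, 9.0)    # slower than the 5-second default


if __name__ == "__main__":
    strict = CrlChecking(Enable=1)
    lax = CrlChecking(Enable=1, Expiration_Grace_Period=7200)
    print("strict, fetch fails:", revocation_decision(7, True, STALE, FETCH_FAILS_FAST, NOW, strict))
    print("lax, fetch fails:   ", revocation_decision(7, True, STALE, FETCH_FAILS_FAST, NOW, lax))
    print("lax, revoked serial:", revocation_decision(42, True, STALE, FETCH_FAILS_FAST, NOW, lax))
    print("lax, fetch times out:", revocation_decision(7, True, STALE, FETCH_TIMES_OUT, NOW, lax))
```

The trade-off the table describes shows up directly: in strict mode an unreachable CDP turns into a rejection for every user, while a grace period of two hours keeps the stale CRL in service (still rejecting serials it lists), and a retrieval that exceeds Retrieval_Timeout rejects regardless of mode.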
[Session_Resumption] Section
The [Session_Resumption] section (Table 117) lets you specify whether session resumption is permitted and under what conditions session resumption is performed.
NOTE: For session resumption to work, the network access device must be configured to handle the Session-Timeout return list attribute, because the network access device must be able to tell the client to reauthenticate after the session timer has expired.

Table 117: ttlsauth.aut [Session_Resumption] Syntax

Session_Timeout
  Set this attribute to the maximum number of seconds you want the client to remain connected to the network access device before having to reauthenticate.
  - If set to a number greater than 0, the lesser of this value and the remaining resumption limit (see Resumption_Limit below) is sent in a Session-Limit attribute to the network access device on the RADIUS Access-Accept response.
  - If set to 0, no Session-Limit attribute is generated by the plug-in. This does not prevent the authentication methods performing secondary authorization from providing a value for this attribute.
  Default value is 0.
  Entering a value such as 600 (10 minutes) does not necessarily cause a full reauthentication to occur every 10 minutes. You can configure the resumption limit to make most reauthentications fast and computationally cheap.

Termination_Action
  Specifies the value to return for the Termination-Action attribute sent for an accepted client. This is a standard attribute supported by most Access Points and determines what happens when the session timeout is reached. Valid values are:
  - -1: Do not send the attribute.
  - 0: Send the Termination-Action attribute with a value of 0.
  - 1: Send the Termination-Action attribute with a value of 1.
  Default value is -1. This does not prevent the authentication methods performing secondary authorization from providing a value for this attribute.

Resumption_Limit
  Set this attribute to the maximum number of seconds you want the client to be able to reauthenticate using the TLS session resumption feature.
  This type of reauthentication is fast and computationally cheap. It does, however, depend on previous authentications and may not be considered as secure as a complete (computationally expensive) authentication. Specifying a value of 0 disables the session resumption feature.
  Default value is 0.
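The three [Session_Resumption] settings combine into a schedule: Session_Timeout bounds how long the access device lets a client stay connected, Resumption_Limit bounds how long a cheap resumed handshake may be used before a full authentication is forced, and the plug-in sends the lesser of Session_Timeout and the remaining resumption limit. The Python model below is an added example, not SBR code. It mirrors the table's keys and defaults in a dataclass and simulates one client's reauthentication timeline; the attribute it emits is named Session-Timeout (the RADIUS attribute from RFC 2865 that the note above refers to, which the table calls Session-Limit), and the behaviour when Resumption_Limit is 0 with a non-zero Session_Timeout (send Session_Timeout unchanged) is an assumption of this model.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SessionResumption:
    """The [Session_Resumption] keys with the defaults from the table above."""
    Session_Timeout: int = 0
    Termination_Action: int = -1
    Resumption_Limit: int = 0


def resumption_allowed(cfg: SessionResumption, since_full_auth: int) -> bool:
    """A resumed (cheap) handshake is possible only while the feature is on and the
    last full authentication is younger than Resumption_Limit."""
    return cfg.Resumption_Limit > 0 and since_full_auth < cfg.Resumption_Limit


def accept_return_list(cfg: SessionResumption, since_full_auth: int) -> Dict[str, int]:
    """Return-list attributes the plug-in adds to an Access-Accept.

    The table calls the first one "Session-Limit"; the RADIUS attribute that
    carries it to the access device is Session-Timeout (RFC 2865).
    """
    attrs: Dict[str, int] = {}
    if cfg.Session_Timeout > 0:
        if cfg.Resumption_Limit > 0:
            remaining = max(cfg.Resumption_Limit - since_full_auth, 0)
            attrs["Session-Timeout"] = min(cfg.Session_Timeout, remaining)
        else:
            # resumption disabled: nothing to compare against (assumption of this model)
            attrs["Session-Timeout"] = cfg.Session_Timeout
    if cfg.Termination_Action in (0, 1):   # -1 means do not send the attribute
        attrs["Termination-Action"] = cfg.Termination_Action
    return attrs


def reauth_schedule(cfg: SessionResumption, horizon: int) -> List[Tuple[int, str]]:
    """Simulate one client from its first full authentication at t=0: when it
    reauthenticates, and whether each step is a resumed or a full handshake."""
    events: List[Tuple[int, str]] = []
    t, last_full, kind = 0, 0, "full"
    while t < horizon:
        events.append((t, kind))
        attrs = accept_return_list(cfg, t - last_full)
        if attrs.get("Session-Timeout", 0) <= 0:
            break                       # the access device is never told to reauthenticate
        t += attrs["Session-Timeout"]
        if resumption_allowed(cfg, t - last_full):
            kind = "resumed"
        else:
            kind, last_full = "full", t
    return events


if __name__ == "__main__":
    # Constructed configuration matching the sample file below: 10-minute sessions,
    # full authentication at most once an hour.
    cfg = SessionResumption(Session_Timeout=600, Termination_Action=0, Resumption_Limit=3600)
    for when, kind in reauth_schedule(cfg, horizon=7200):
        print(f"t={when:5d}s  {kind}")
```

With Session_Timeout=600 and Resumption_Limit=3600 the client reauthenticates every ten minutes, but only the first handshake in each hour is a full one; shortening Resumption_Limit to, say, 1000 seconds makes the plug-in send a 400-second Session-Timeout on the second accept so that the full authentication lands exactly at the limit.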
[Integrity_Settings] Section
The [Integrity_Settings] section (Table 118) specifies the list of quarantine profiles that can be used by the optional Endpoint Assurance Server software to specify how to process users designated for isolation.
[Integrity_Settings]
;Quarantine_Profiles=QUARANTINE QUARANTINE2

Table 118: ttlsauth.aut [Integrity_Settings] Syntax

Quarantine_Profiles
  Identifies the list of Steel-Belted Radius Carrier profiles that can be assigned to users designated for isolation by the Endpoint Assurance Server software.
  To enter more than one profile name, enter each name on the same line, separating the profile names with a space.
  Default value is no quarantine profiles.
Sample ttlsauth.aut File
[Bootstrap]
LibraryName=ttlsauth.so
Enable=1
InitializationString=EAP-TTLS
[Server_Settings]
; Maximum TLS Message fragment length EAP-TLS handles.
TLS_Message_Fragment_Length = 1020
; Indicates whether the EAP-TLS module should return the
; MS-MPPE-Send-Key and MS-MPPE-Recv-Key attribute upon successful
; authentication of user.
Return_MPPE_Keys = 1
; Size of the prime to use for DH modular exponentiation.
DH_Prime_Bits = 1536
; TLS cipher suites (in order of preference)
; that the server is to use.
Cipher_Suites = 0x16, 0x13, 0x66, 0x15, 0x12, 0x0a, 0x05, 0x04, 0x07, 0x09
[Inner_Authentication]
; Specifies how inner authentication routing operates.
Directed_Realm = ttls_realm
[Request_Filters]
Transfer_Outer_Attribs_to_New = My_Xfer_Out_New_Filter
Transfer_Outer_Attribs_to_Continue = My_Xfer_Out_Con_Filter
Edit_New = My_Edit_New_Filter
Edit_Continue = My_Continue_Filter
[Response_Filters]
Transfer_Inner_Attribs_To_Accept = My_Xfer_Acc_Filter
Transfer_Inner_Attribs_To_Reject = My_Xfer_Rej_Filter
[Session_Resumption]
; Maximum length of time (in seconds) the NAD/AP allows
; the session to persist before the client is asked
; to reauthenticate.
Session_Timeout = 600
; Value to return for the Termination-Action attribute
; sent for an accepted client.
Termination_Action = 0
; Maximum length of time (in seconds) during which an authentication
; request that seeks to resume a previous TLS session is
; considered acceptable.
Resumption_Limit = 3600
[Integrity_Settings]
; Specifies the list of valid quarantine profiles, which can be used
; by the Endpoint Assurance Server to specify isolated access.
; The default is no valid quarantine profiles.
;Quarantine_Profiles=QUARANTINE

For this to work, you must also provide the following settings in the [EAP-TTLS] section of the eap.ini file:
First-Handle-Via-Auto-EAP = 0
EAP-Type = TTLS