
tlsauth.aut File

Note: Use the Web GUI to maintain settings in the tlsauth.aut file. Do not edit the tlsauth.aut file manually.

Settings for the EAP-TLS authentication method are stored in the tlsauth.aut file. The tlsauth.aut configuration file is read each time the Steel-Belted Radius Carrier server receives a SIGHUP (1) signal.

[Server_Settings] Section

The [Server_Settings] section contains the settings that control the basic operation of the EAP-TLS authentication method.

Cipher_Suites Parameter

The Cipher_Suites parameter, defined in the tlsauth.aut [Server_Settings] section, specifies the cipher suites (in order of preference) that the server uses for EAP-TLS. When SBR Carrier receives a TLS message, it compares the cipher suites in the client message to the cipher suites defined in this parameter. A match is selected based on both type (for example, DSS) and the order of preference in the client's cipher suite list. If no match is found, SBR Carrier returns a handshake failure alert and closes the connection. The following examples illustrate the cipher suite selection process:

Example 1

SBR Carrier cipher suite list defined in Cipher_Suites parameter:
0x003C,0x003D,0x0067,0x006B,0x0039,0x0038,0x0033,
0x0035,0x002F,0x000a,0x0005,0x0004,0x0007

Client cipher suite list:
0x0040,0x0033,0x0032,0x0016,0x0013,0x0066,
0x0035,0x002f,0x0015,0x0012,0x000a,0x0005

Match found: 0x0033

In this example SBR Carrier selects 0x0033 because it is the first algorithm listed in the client cipher suite list that is also listed in the SBR Carrier cipher suite list, and because the type is also a match.

Example 2

SBR Carrier cipher suite list defined in Cipher_Suites parameter:

0x003C,0x003D,0x0067

Client cipher suite list:
0x0039,0x0033,0x0032,0x0016,0x0013,0x0066,0x0035,
0x002f,0x0015,0x0012,0x000a,0x0005

Match found: none. SBR Carrier returns a handshake failure alert and closes the connection.
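The selection rule shown in the two examples, as an added illustration (this is not SBR Carrier code): the client's list is walked in its own preference order and the first suite the server also offers wins. Suite IDs are compared as integers so that 0x002f and 0x002F match, the type check (DSS versus RSA) is not modelled, and the three suite names are the IANA registry names for those IDs; the strip_legacy_suites helper is this example's own suggestion for a tighter Cipher_Suites value.

```python
# Added example, not SBR Carrier code: models the Cipher_Suites selection rule
# described above. IDs are parsed as ints so 0x002f and 0x002F compare equal,
# which matters because the lists on this page mix case.
LEGACY_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",       # RC4, present in the default list
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",       # RC4
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",  # 3DES (64-bit block cipher)
}

def parse_suites(csv):
    """Parse a comma-separated list of hex suite IDs into ints, keeping order."""
    return [int(s.strip(), 16) for s in csv.split(",") if s.strip()]

def format_suites(suites):
    """Render suite IDs back into the tlsauth.aut 0xNNNN,0xNNNN form."""
    return ",".join(f"0x{s:04X}" for s in suites)

def select_cipher_suite(server_csv, client_csv):
    """Walk the client's list in its preference order and return the first
    suite the server also offers; None means a handshake_failure alert."""
    offered = set(parse_suites(server_csv))
    for suite in parse_suites(client_csv):
        if suite in offered:
            return suite
    return None

def strip_legacy_suites(server_csv):
    """Tighter Cipher_Suites value: the same list minus the RC4 and 3DES suites."""
    return format_suites(s for s in parse_suites(server_csv) if s not in LEGACY_SUITES)

# Lists copied from Example 1 and Example 2 above.
SERVER_DEFAULT = ("0x003C,0x003D,0x0067,0x006B,0x0039,0x0038,0x0033,"
                  "0x0035,0x002F,0x000a,0x0005,0x0004,0x0007")
CLIENT_EX1 = ("0x0040,0x0033,0x0032,0x0016,0x0013,0x0066,"
              "0x0035,0x002f,0x0015,0x0012,0x000a,0x0005")
SERVER_EX2 = "0x003C,0x003D,0x0067"
CLIENT_EX2 = ("0x0039,0x0033,0x0032,0x0016,0x0013,0x0066,0x0035,"
              "0x002f,0x0015,0x0012,0x000a,0x0005")

if __name__ == "__main__":
    for name, srv, cli in (("Example 1", SERVER_DEFAULT, CLIENT_EX1),
                           ("Example 2", SERVER_EX2, CLIENT_EX2)):
        chosen = select_cipher_suite(srv, cli)
        print(name, "->", f"0x{chosen:04X}" if chosen is not None else "handshake failure")
    print("without legacy suites:", strip_legacy_suites(SERVER_DEFAULT))
```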

Table 117: tlsauth.aut [Server_Settings] Syntax

Parameter

Function

TLS_Message_Fragment_Length

Maximum TLS message length that may be generated during each iteration of the TLS exchange. Anecdotal evidence suggests that some Access Points may have problems with RADIUS responses or EAP messages that exceed the size of one Ethernet frame (1500 bytes including IP/UDP headers).

The default value (1020) prevents the RADIUS challenge response (carried in a UDP packet) from exceeding one Ethernet frame. This is likely to be the safest setting.

Setting a smaller value affects the number of RADIUS challenge/response round-trips required to conclude the TLS exchange. While a value of 1400 may result in 6 round-trips, a value of 500 may result in 15 round-trips.

The minimum value is 500.

Verify_User_Name_Is_Principal_Name

Certificates issued by Microsoft's Windows 2000 Certificate Server typically include a Subject Alternative Name/Other Name attribute, where Principal Name is set to something like user@certtest.acme.com.

The Windows XP client that supports EAP-TLS in conjunction with 802.1X extracts this attribute value from the client's certificate and uses it to respond to the Access Point's EAP Identity Request. The Access Point, in turn, packages up this value as the RADIUS User-Name attribute in requests it sends to a RADIUS server.

  • If set to 1, the EAP-TLS module verifies that the contents of the RADIUS User-Name attribute match the 'Principal Name' of the certificate used to authenticate the user.
  • If set to 0, no such check is performed. Set the value to 0 if the certificates do not include a 'Principal Name' or if the client being used does not report the contents of 'Principal Name' as the user's identity in response to an EAP Identity Request.

Default value is 0.

Return_MPPE_Keys

Setting this attribute to 1 causes the EAP-TLS module to include RADIUS MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in the final RADIUS Accept response sent to the Access Point. This is necessary for the Access Point to key the WEP encryption. If the Access Point is authenticating only end users and WEP is not being used, this attribute may be set to 0.

Default value is 1.

DH_Prime_Bits

Specifies the size of the prime number that the module uses for Diffie-Hellman exponentiation. Selecting a larger prime number makes the system less susceptible to certain types of attacks but requires more CPU processing to compute the Diffie-Hellman key agreement operation.

Valid values are 512, 1024, 1536, 2048, 3072, and 4096.

Default value is 1024.

TLS_Protocol_Version

Specifies the TLS protocol version on which the server expects the client to initiate the handshake process. The value can be one of the following:

  • 31—TLS protocol version 1.0
  • 32—TLS protocol version 1.1
  • 33—TLS protocol version 1.2

Default value is 31.

If you set a value other than 31, 32, or 33, the default TLS protocol version 1.0 (31) is used.

Challenge_Timeout

This parameter defines the timeout (in seconds) for a particular challenge request.

Minimum value for the parameter is 1 second.

Maximum value must be less than or equal to the value specified in the Max_Transaction_Seconds parameter.

Default value is 30.

Max_Transaction_Seconds

This parameter defines the maximum timeout (in seconds) for a transaction.

Minimum value for the parameter is 1 second.

Maximum value for the parameter is 3600 seconds.

Default value is 120.

Cipher_Suites

Specifies the TLS cipher suites (in order of preference) that the server is to use. These cipher suites are documented in RFC 2246 (The TLS Protocol Version 1.0), RFC 4346 (The TLS Protocol Version 1.1), and RFC 5246 (The TLS Protocol Version 1.2).

Default value is: 0x003C,0x003D,0x0067,0x006B,0x0039,0x0038,
0x0033,0x0035,0x002F,0x000a,0x0005,0x0004,0x0007.

See Table 111 for the list of tested cipher suites and their TLS protocol versions.

For more information see Cipher_Suites Parameter.

Profile

Specifies a profile that is to be used to select attributes sent back on an Access-Accept.

By default, additional attributes are not sent back.

Verify_Client_Certificate_Published

Specifies whether the EAP-TLS module checks that the client certificate is published in Active Directory for account users.

Default value is 0 (disabled).

[CRL_Checking] Section

The [CRL_Checking] section (Table 118) lets you specify settings that control how Steel-Belted Radius Carrier performs certificate revocation list (CRL) checking.

Table 118: tlsauth.aut [CRL_Checking] Syntax

Parameter

Function

Enable

Specifies whether CRL checking is enabled.

Default value is 0 (disabled).

Retrieval_Timeout

Specifies the time (in seconds) that EAP-TLS waits for a CRL checking transaction to complete when the CRL check involves a CRL retrieval. When CRL retrieval takes longer than the specified time, the user's authentication request is rejected.

Default value is 5 seconds.

Expiration_Grace_Period

Specifies the time (in seconds) after expiration during which a CRL is still considered acceptable. EAP-TLS always attempts to retrieve a new CRL when it is presented with a certificate chain and it finds an expired CRL in its cache.

  • If set to 0 (strict expiration mode), EAP-TLS does not accept a CRL that has expired.
  • If set to a value greater than 0 (lax expiration mode), EAP-TLS considers the expired CRL an acceptable stand-in from the time the CRL expires to the time the grace period ends.

Default value is 0 (strict expiration mode).

Allow_Missing_CDP_Attribute

Specifies whether the omission of a CDP attribute in a non-root certificate is acceptable. Without a CDP attribute, EAP-TLS does not know how to retrieve a CRL and cannot perform a revocation check on the certificate.

  • If set to false, EAP-TLS does not accept a non-root certificate that lacks a CDP attribute.
  • If set to true, EAP-TLS allows such certificates and skips CRL checking for them.

Default value is true.

Default_LDAP_Server_Name

Specifies the LDAP server name to use if the CDP contains a value that begins with the string //ldap:\\\. This style of CDP (generated by some CAs) does not include the identity of the LDAP server.

Specify the name of the LDAP server that holds the CRLs if you expect to encounter certificates with this style of CDP. If you do not specify a server name and such certificates are encountered, the CRL retrieval fails.

Enable_CRL_Cache_Timeout

Specifies whether CRL cache timeout is enabled. Valid values are:

  • If set to 0, the CRL is refreshed whenever it expires.
  • If set to 1, the CRL begins to expire when the age of the CRL in the cache exceeds the number of hours specified in the CRL_Cache_Timeout_period parameter or when the scheduled CRL expiration time occurs, whichever comes first.

After a CRL has expired (because its scheduled expiration time has passed or because the CRL cache has timed out), Steel-Belted Radius Carrier uses the expiration grace period to determine whether to use the current CRL.

CRL_Cache_Timeout_Period

Specifies the maximum age, in hours, that a CRL can exist in the cache before it begins to expire.

  • If you enter 0, Steel-Belted Radius Carrier always regards the CRL in the cache as expired and downloads a new CRL every time it receives a client certificate request.
  • If you enter a number greater than 0, the CRL begins to expire when the age of the CRL in the cache exceeds the number of hours specified in this parameter or when the scheduled CRL expiration time occurs, whichever comes first.

Note: You must set Enable_CRL_Cache_Timeout to 1 or the CRL_Cache_Timeout_Period parameter is ignored.
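How Enable_CRL_Cache_Timeout, CRL_Cache_Timeout_Period and Expiration_Grace_Period combine, as an added worked example (not SBR Carrier code): the cache timeout can only bring a CRL's expiry forward, an expired CRL always triggers a refresh attempt, and the grace period decides whether the stale copy may still stand in. Times are UNIX seconds; next_update (the CRL's own scheduled expiration), cached_at and the scenario values are constructed for this example.

```python
# Added example, not SBR Carrier code: models the CRL cache rules described
# above. next_update is the CRL's scheduled expiration (its nextUpdate field),
# cached_at is when the CRL entered the cache; all times are UNIX seconds.
HOUR = 3600

def crl_effective_expiry(next_update, cached_at, enable_cache_timeout, cache_timeout_hours):
    """Time at which the cached CRL begins to count as expired."""
    if not enable_cache_timeout:
        return next_update                        # period is ignored (see note above)
    if cache_timeout_hours == 0:
        return cached_at                          # always expired: refetch on every request
    return min(next_update, cached_at + cache_timeout_hours * HOUR)

def evaluate_cached_crl(now, next_update, cached_at, enable_cache_timeout,
                        cache_timeout_hours, grace_seconds):
    """Return (refresh_needed, stale_copy_acceptable).

    A fresh CRL needs no refresh and is usable. An expired CRL always triggers
    a refresh attempt, and the stale copy is an acceptable stand-in only until
    the grace period ends (strict mode, grace 0, never accepts it)."""
    expiry = crl_effective_expiry(next_update, cached_at,
                                  enable_cache_timeout, cache_timeout_hours)
    if now < expiry:
        return False, True
    return True, now < expiry + grace_seconds

# Constructed scenario: a weekly CRL fetched at T0 and evaluated 30 hours later.
T0 = 1_700_000_000
NEXT_UPDATE = T0 + 7 * 24 * HOUR
NOW = T0 + 30 * HOUR

if __name__ == "__main__":
    cases = {
        "cache timeout off, strict":         (0, 24, 0),
        "24h cache timeout, strict":         (1, 24, 0),
        "24h cache timeout, 12h grace":      (1, 24, 12 * HOUR),
        "period 0 (refetch always), strict": (1, 0, 0),
    }
    for label, (enable, period, grace) in cases.items():
        result = evaluate_cached_crl(NOW, NEXT_UPDATE, T0, enable, period, grace)
        print(f"{label:36s} -> (refresh_needed, stale_acceptable) = {result}")
```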

  

LDAP_Bind_Version

Selects the LDAP protocol version (2 or 3) used when binding to an LDAP server.

Default value is 2 (LDAP version 2).

[Session_Resumption] Section

The [Session_Resumption] section (Table 119) lets you specify whether session resumption is permitted and under what conditions session resumption is performed.

Note: For session resumption to work, the network access server must be configured to handle the Session-Timeout return list attribute, because the network access server must be able to tell the client to reauthenticate after the session timer has expired.

Table 119: tlsauth.aut [Session_Resumption] Syntax

Parameter

Function

Session_Timeout

Set this attribute to the maximum number of seconds you want the client to remain connected to the network access server before having to reauthenticate.

  • If set to a number greater than 0, the lesser of this value and the remaining resumption limit (see description below) is sent in a Session-Limit attribute to the RADIUS client on the RADIUS Access Accept response.
  • If set to 0, no Session-Limit attribute is generated by the plug-in. This does not prevent the authentication methods performing secondary authorization from providing a value for this attribute.

Default value is 0.

Entering a value such as 600 (10 minutes) does not necessarily cause a full reauthentication to occur every 10 minutes. You can configure the resumption limit to make most reauthentications fast and computationally cheap.

Termination_Action

Specifies the value to return for the Termination-Action attribute sent for an accepted client. This is a standard attribute supported by most Access Points and determines what happens when the session timeout is reached. Valid values are:

  • -1: Do not send the attribute.
  • 0: Send the Termination-Action attribute with a value of 0.
  • 1: Send the Termination-Action attribute with a value of 1.

Default value is -1. This does not prevent the authentication methods performing secondary authorization from providing a value for this attribute.

Resumption_Limit

Set this attribute to the maximum number of seconds you want the client to be able to reauthenticate using the TLS session resumption feature.

This type of reauthentication is fast and computationally cheap. It does, however, depend on previous authentications and may not be considered as secure as a complete (computationally expensive) authentication. Specifying a value of 0 disables the session resumption feature.

Default value is 0.
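The interplay of Session_Timeout, Resumption_Limit and Termination_Action, as an added worked example (not SBR Carrier code). It assumes the "remaining resumption limit" is Resumption_Limit minus the seconds since the client's last full (non-resumed) TLS authentication, and that when resumption is disabled Session_Timeout is sent uncapped; the schedule helper and the 600/3600 scenario are this example's own.

```python
# Added example, not SBR Carrier code: works through the Session_Timeout,
# Resumption_Limit and Termination_Action behaviour described above.
# 'age' = seconds since the client's last full TLS authentication (assumption).

def resumption_allowed(resumption_limit, age):
    """Fast TLS resumption is accepted only while the limit has not run out;
    Resumption_Limit = 0 disables the feature, forcing full authentication."""
    return resumption_limit > 0 and age < resumption_limit

def session_timeout_attribute(session_timeout, resumption_limit, age):
    """Value placed in the Session-Timeout return attribute, or None when the
    plug-in sends no such attribute (Session_Timeout = 0)."""
    if session_timeout <= 0:
        return None
    if resumption_limit <= 0:
        return session_timeout        # assumption: no resumption window to cap against
    return min(session_timeout, max(resumption_limit - age, 0))

def termination_action_attribute(setting):
    """-1 sends nothing; 0 and 1 are sent as given in Termination-Action."""
    if setting == -1:
        return None
    if setting in (0, 1):
        return setting
    raise ValueError(f"Termination_Action must be -1, 0 or 1, got {setting}")

def schedule(session_timeout, resumption_limit, horizon):
    """(time, 'full'|'resume', Session-Timeout sent) for each reauthentication
    before 'horizon'; a full authentication restarts the resumption clock."""
    out, t, age = [], 0, 0
    while t < horizon:
        full = t == 0 or not resumption_allowed(resumption_limit, age)
        if full:
            age = 0
        value = session_timeout_attribute(session_timeout, resumption_limit, age)
        out.append((t, "full" if full else "resume", value))
        if not value:
            break
        t += value
        age += value
    return out

if __name__ == "__main__":
    # Session_Timeout = 600 (10 minutes) with the sample file's Resumption_Limit = 3600.
    for t, kind, value in schedule(600, 3600, 7200):
        print(f"t={t:5d}s  {kind:6s}  Session-Timeout={value}")
```

Only two of the twelve authentications in the printed schedule are full handshakes; the rest are cheap resumptions, which is the trade-off the Resumption_Limit description warns about.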

Sample tlsauth.aut File


[Server_Settings]
; Note that all trusted root certificates must have a .der file extension and
; must be placed in the ROOT directory immediately below the directory
; containing the SBR 'radius' daemon and the radius.ini file.

; Indicates the maximum TLS message fragment length EAP-TLS handles. If not
; specified, this parameter defaults to 1020. It can be set as high as 4096,
; but sizes over 1400 bytes are likely to cause fragmentation of the UDP packet
; carrying the message, and some RADIUS clients may be incapable of dealing
; with this fragmentation.
;TLS_Message_Fragment_Length = 1020

; Indicates whether or not the EAP-TLS module is to check whether the User-Name
; provided in the RADIUS request matches the principal name in the client's
; certificate. The default is not to perform this check.
;Verify_User_Name_Is_Principal_Name = 0

; Indicates whether or not the EAP-TLS module should return the
; MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes upon successfully
; authenticating the user. The default is to return these attributes.
;Return_MPPE_Keys = 1

; Specifies the size of the prime to use for DH modular exponentiation. The
; choices are 512, 1024, 1536, 2048, 3072 and 4096. The default is 1024 bits.
;DH_Prime_Bits = 1024

; Specifies the TLS cipher suites that the server is to use. These cipher suites
; are documented in RFC 2246 and other TLS related RFCs or draft RFCs.
;Cipher_Suites = 0x003C,0x003D,0x0067,0x006B,0x0039,0x0038,0x0033,0x0035,0x002F,0x000a,0x0005,0x0004,0x0007

; Specifies the TLS protocol version on which the server expects the client to
; initiate the handshake process. Allowed values are 31, 32 and 33.
;TLS_Protocol_Version = 31

; Specifies a profile that is to be used to select attributes sent back on an
; Access-Accept. The default is not to send any additional attributes.
; Profile = <profile-name>

[CRL_Checking]
; Specifies whether CRL checking is to be enabled. The default is to disable
; CRL checking.
; Enable = 0

; Specifies the time (in seconds) that EAP-TLS waits for a CRL checking
; transaction to complete when the CRL check involves a CRL retrieval. When
; CRL retrieval takes longer than the specified time, the user's authentication
; request results in a reject. The default value is 5 seconds.
; Retrieval_Timeout = 5

; Specifies the time (in seconds) after expiration during which a CRL is still
; considered acceptable. EAP-TLS always attempts to retrieve a new CRL when it
; is presented with a certificate chain and it finds an expired CRL in its
; cache. EAP-TLS considers the expired CRL as an acceptable stand-in from the
; time the CRL expires to the time the grace period ends.
; Expiration_Grace_Period = 0

; Specifies whether the omission of a CDP attribute in a non-root certificate
; is acceptable. Without a CDP attribute, EAP-TLS does not know where to
; retrieve a CRL from and is not able to perform a revocation check on the
; certificate. The default is to allow such certificates and to skip CRL
; checking for them.
; Allow_Missing_CDP_Attribute = 1

; Specifies what LDAP server name to use if the CDP contains a value that
; begins with the string "//ldap:\\\". This style of CDP (generated by some
; CAs) does not include the identity of the LDAP server. Specify the name of
; the LDAP server that contains the CRLs if you expect to encounter
; certificates with this style of CDP. If you don't specify a server name and
; such certificates are encountered, the CRL retrieval fails.
; Default_LDAP_Server_Name = 

[Session_Resumption]
; Specifies the maximum length of time (in seconds) the RAS/AP is instructed to
; allow the session to persist before the client is asked to reauthenticate.
; Specifying 0 causes the Session-Timeout attribute not to be generated by the
; plug-in. The default is 0.
;Session_Timeout = 0

; Specifies the value to return for the Termination-Action attribute sent for
; an accepted client. If omitted in this file, the Termination-Action
; attribute is not sent.
Termination_Action = 0

; Specifies the length of time (in seconds) during which an authentication
; request that seeks to resume a previous TLS session is considered
; acceptable. Specifying 0 causes session resumption support to be disabled.
; The default is 0.
Resumption_Limit = 3600

Modified: 2017-09-27