Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation  Back up to About Overview 
  
[+] Expand All
[-] Collapse All

ttlsauth.aut File

Note: Use the Web GUI to maintain settings in the ttlsauth.aut file. Do not edit the ttlsauth.aut file manually.

Settings for the EAP-TTLS authentication method are stored in the ttlsauth.aut file. The ttlsauth.aut configuration file is read each time the Steel-Belted Radius Carrier server receives a SIGHUP (1) signal.

[Bootstrap] Section

The [Bootstrap] section of the ttlsauth.aut file (Table 124) specifies information that Steel-Belted Radius Carrier uses to load the EAP-TTLS authentication method.

Table 124: ttlsauth.aut [Bootstrap] Syntax

Parameter

Function

LibraryName

Specifies the name of the executable binary that implements the EAP-TTLS method. Default value is ttlsauth.so.

Enable

Specifies whether the EAP-TTLS authentication module is enabled.

  • If set to 0, EAP-TTLS is disabled.
  • If set to 1, EAP-TTLS is enabled.

Default value is 0.

InitializationString

Specifies the name of the EAP-TTLS authentication method.

The name of each authentication method must be unique. If you create additional .aut files to implement authentication against multiple databases, the InitializationString value in each file must specify a unique method name.

Default value is EAP-TTLS.

[Server_Settings] Section

The [Server_Settings] section (Table 125) lets you configure the basic operation of the EAP-TTLS plug-in.

Cipher_Suites Parameter

The Cipher_Suites parameter defined in the ttlsauth.aut [Server_Settings] section, specifies the TLS cipher suites (in order of preference) that the server uses for TTLS. When SBR Carrier receives a TTLS message, it compares the cipher suites in the client message to the cipher suites defined in this parameter. A match is selected based on both type (for example DSS) and order of preference defined in the client cipher suite list. If no match is found, SBR Carrier returns a handshake failure alert and closes the connection. Following are several examples of the cipher suite selection process:

Example 1

SBR Carrier cipher suite list defined in Cipher_Suites parameter:
0x003C,0x003D,0x0067,0x006B,0x0039,0x0038,0x0033,
0x0035,0x002F,0x000a,0x0005,0x0004,0x0007

Client cipher suite list:
0x0040,0x0033,0x0032,0x0016,0x0013,0x0066,0x0035,
0x002f,0x0015,0x0012,0x000a,0x0005

Match found: 0x0033

In this example SBR Carrier selects 0x0033 because it is the first algorithm listed in the client cipher suite list that is also listed in the SBR Carrier cipher suite list, and because the type is also a match.

Example 2

SBR Carrier cipher suite list defined in Cipher_Suites parameter:

0x003C,0x003D,0x0067

Client cipher suite list:
0x0039,0x0033,0x0032,0x0016,0x0013,0x0066,
0x0035,0x002f,0x0015,0x0012,0x000a,0x0005

Match found: No match found, results in handshake failure.

Table 125: ttlsauth.aut [Server_Settings] Syntax

Parameter

Function

TLS_Message_Fragment_Length

Specifies the maximum size TTLS message length that may be generated during each iteration of the TTLS exchange. This value affects the number of RADIUS challenge/response round-trips required to conclude the TLS exchange. A value of 1400 may result in 6 round-trips, while a value of 500 may result in 15 round-trips.

Some Access Points may have problems with RADIUS responses or EAP messages that exceed the size of one Ethernet frame (1500 bytes including IP/UDP headers).

Minimum value is 500.

Maximum value is 4096.

Default value is 1020, which prevents the RADIUS challenge response (carried in a UDP packet) from exceeding one Ethernet frame.

Return_MPPE_Keys

Setting this attribute to 1 causes the module to include RADIUS MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in the final RADIUS Accept response sent to the Access Point. This is necessary for the Access Point to key the WEP encryption.

If the Access Point is authenticating only end users and WEP is not being used, this attribute may be set to 0.

For the optional WiMAX mobility module, set this to 0.

Default value is 1.

TLS_Protocol_Version

Specifies the TLS protocol version on which the server expects the client to initiate the handshake process. The value can be one of the following:

  • 31—TLS protocol version 1.0
  • 32—TLS protocol version 1.1
  • 33—TLS protocol version 1.2

Default value is 31.

If you set a value other than 31, 32, or 33, then the default TLS protocol version 1.0 (31) is considered.

DH_Prime_Bits

Specifies the size of the prime number that the module uses for Diffie-Hellman exponentiation. Selecting a larger prime number makes the system less susceptible to certain types of attacks but requires more CPU processing to compute the Diffie-Hellman key agreement operation.

Valid values are 512, 1024, 1536, 2048, 3072, and 4096.

Default value is 1024.

Cipher_Suites

Specifies the TLS cipher suites (in order of preference) that the server uses. These cipher suites are documented in RFC 2246, The TLS Protocol Version 1, RFC 4346, The TLS Protocol Version 1.1, and RFC 5246, The TLS Protocol Version 1.2.

For more information see Cipher_Suites Parameter.

Default value is: 0x003C,0x003D,0x0067,0x006B,0x0039,0x0038,0x0033,
0x0035,0x002F,0x000a,0x0005,0x0004,0x0007.

See Table 111 for the list of tested cipher suites and their TLS protocol versions.

Require_Client_Certificate

  • If set to 1, specifies that the client must provide a certificate as part of the TTLS exchange.
  • If set to 0, no client certificate is required.

Default value is 0.

[Inner_Authentication] Section

The [Inner_Authentication] section (Table 126) lets you specify the way in which the inner authentication step is to operate.

Table 126: ttlsauth.aut [Inner_Authentication] Syntax

Parameter

Function

Directed_Realm

Omitting this setting causes the inner authentication request to be handled like any other request received from a RAS.

Specifying the name of a directed realm causes the request to be routed based on the methods listed in the directed realm.

Default is to process the inner authentication through standard request processing.

[Request_Filters] Section

Request filters (Table 127) affect the attributes of inner authentication requests.

Note: The filters named in these settings must be defined in the filter.ini file.

Table 127: ttlsauth.aut [Request_Filters] Syntax

Parameter

Function

Transfer_Outer_Attribs_to_New

This filter affects only a new inner authentication request (rather than continuations of previous requests).

If this filter is specified, all attributes from the outer request are transferred to the inner request and this filter is applied. The transfer occurs and the filter is applied before any attributes specified in the inner authentication are added to the request.

If this filter is not specified, no attributes from the outer request are transferred to the inner request.

Transfer_Outer_Attribs_to_Continue

This filter affects only a continued inner authentication request (rather than the first inner authentication request).

If this filter is specified, all attributes from the outer request are transferred to the inner request and this filter is applied. The transfer occurs and the filter is applied before any attributes specified in the inner authentication are added to the request.

If this filter is not specified, no attributes from the outer request are transferred to the inner request.

Edit_New

This filter affects only a new inner authentication request (rather than continuations of previous requests).

If this filter is specified, it is applied to the inner request that is the cumulative result of attributes transferred from the outer request (see Transfer_Outer_Attribs_To_New in this table) and attributes included in the inner authentication request sent through the tunnel by the client.

If this filter is not specified, the request remains unaltered.

Edit_Continue

This filter affects only a continued inner authentication request (rather than a new inner authentication request).

If this filter is specified, it is applied to the inner request that is the cumulative result of attributes transferred from the outer request (see Transfer_Outer_Attribs_To_Continue in this table) and attributes included in the inner authentication request sent through the tunnel by the client.

If this filter is not specified, the request remains unaltered.

[Response_Filters] Section

Response filters (Table 128) affect the attributes in the responses returned to authentication requests

Note: The filters named in these settings must be defined in the filter.ini file.

Table 128: ttlsauth.aut [Response_Filters] Syntax

Parameter

Function

Transfer_Inner_Attribs_To_Accept

This filter affects only an outer Access-Accept response that is sent back to a network access server.

If this filter is specified, the filter is applied to the inner authentication response and all resulting attributes are transferred to the outer authentication response.

If this filter is not specified, no inner authentication response attributes are transferred to the outer authentication response.

Transfer_Inner_Attribs_To_Reject

This filter affects only an outer Access-Reject response that is sent back to a network access server.

If this filter is specified, the filter is applied to the inner authentication response and all resulting attributes are transferred to the outer authentication response.

If this filter is not specified, no inner authentication response attributes are transferred to the outer authentication response.

[CRL_Checking] Section

The [CRL_Checking] section (Table 129) lets you specify settings that control how Steel-Belted Radius Carrier performs certificate revocation list (CRL) checking.

Table 129: ttlsauth.aut [CRL_Checking] Syntax

Parameter

Function

Enable

If set to 1, the CRL checking is enabled for EAP-TTLS.

Default value is 0.

Retrieval_Timeout

Specifies the time (in seconds) that EAP-TTLS waits for a CRL checking transaction to complete when the CRL check involves a CRL retrieval. When CRL retrieval takes longer than the specified time, the user's authentication request is rejected.

Default value is 5 seconds.

Expiration_Grace_Period

Specifies the time (in seconds) after expiration during which a CRL is still considered acceptable. EAP-TTLS always attempts to retrieve a new CRL when it is presented with a certificate chain and it finds an expired CRL in its cache.

  • If set to 0 (strict expiration mode), EAP-TTLS does not accept a CRL that has expired.
  • If set to a value greater than 0 (lax expiration mode), EAP-TTLS considers the expired CRL as an acceptable stand-in from the time the CRL expires to the time the grace period ends.

Default value is 0 (strict expiration mode).

Allow_Missing_CDP_ Attribute

Specifies whether the omission of a CDP attribute in a non-root certificate is acceptable. Without a CDP attribute, EAP-TLS does not know how to retrieve a CRL and cannot perform a revocation check on the certificate.

  • If set to 0, EAP-TLS does not accept a CRL with a missing CDP attribute.
  • If set to 1, EAP-TLS allows such certificates and skips CRL checking for them.

Default value is 1.

Enable_CRL_Cache_Timeout

Specifies whether CRL cache timeout is enabled. Valid values are:

  • If set to 0, the CRL is refreshed whenever the CRL in the cache expires.
  • If set to 1, the CRL begins to expire when the age of the CRL in the cache exceeds the number of hours specified in the CRL_Cache_Timeout_period parameter or when the scheduled CRL expiration time occurs, whichever comes first.

Default value is 0.

After a CRL has expired (because its scheduled expiration time has passed or because the CRL cache has timed out), Steel-Belted Radius Carrier uses the expiration grace period to determine whether to use the current CRL.

CRL_Cache_Timeout_Period

Specifies the maximum time period (in hours) that a CRL can exist in the cache before it begins to expire.

  • If you enter 0, Steel-Belted Radius Carrier always regards the CRL in the cache as expired and downloads a new CRL every time it receives a client certificate request.
  • If you enter a number greater than 0, the CRL begins to expire when the age of the CRL in the cache exceeds the number of hours specified in this parameter or when the scheduled CRL expiration time occurs, whichever comes first.

Default value is 168 hours.

Note: You must set Enable_CRL_Cache_Timeout to 1 or the CRL_Cache_Timeout_Period parameter is ignored.

Default_LDAP_Server_ Name

Specifies what LDAP server name to use if the CDP contains a value that begins with the string //ldap:\\\. This style of CDP (generated by some CAs) does not include the identity of the LDAP server.

Specify the name of the LDAP that contains the CRLs if you expect to encounter certificates with this style CDP. If you do not specify a server name and such certificates are encountered, CRL retrieval fails.

LDAP_Bind_Version

Enables the selection of the LDAP protocol when binding to an LDAP server (2 or 3)

The default is 2 (LDAP version 2)

[Session_Resumption] Section

The [Session_Resumption] section (Table 130) lets you specify whether session resumption is permitted and under what conditions session resumption is performed.

Note: For session resumption to work, the network access server must be configured to handle the Session-Timeout return list attribute, because the network access server must be able to tell the client to reauthenticate after the session timer has expired.

Table 130: ttlsauth.aut [Session_Resumption] Syntax

Parameter

Function

Session_Timeout

Set this attribute to the maximum number of seconds you want the client to remain connected to the network access server before having to reauthenticate.

  • If set to a number greater than 0, the lesser of this value and the remaining resumption limit (see description below) is sent in a Session-Limit attribute to the network access server on the RADIUS Access Accept response.
  • If set to 0, no Session-Limit attribute is generated by the plug-in. This does not prevent the authentication methods performing secondary authorization from providing a value for this attribute.

Default value is 0.

Entering a value such as 600 (10 minutes) does not necessarily cause a full reauthentication to occur every 10 minutes. You can configure the resumption limit to make most reauthentications fast and computationally cheap.

Termination_Action

Specifies the value to return for the Termination-Action attribute sent for an accepted client. This is a standard attribute supported by most Access Points and determines what happens when the session timeout is reached. Valid values are:

  • -1: Do not send the attribute.
  • 0: Send the Termination-Action attribute with a value of 0.
  • 1: Send the Termination-Action attribute with a value of 1.

Default value is -1. This does not prevent the authentication methods performing secondary authorization from providing a value for this attribute.

Resumption_Limit

Set this attribute to the maximum number of seconds you want the client to be able to reauthenticate using the TLS session resumption feature.

This type of reauthentication is fast and computationally cheap. It does, however, depend on previous authentications and may not be considered as secure as a complete (computationally expensive) authentication. Specifying a value of 0 disables the session resumption feature.

Default value is 0.

Sample ttlsauth.aut File

[Bootstrap]
LibraryName=ttlsauth.so
Enable=1
InitializationString=EAP-TTLS

; Maximum TLS Message fragment length EAP-TLS handles.
TLS_Message_Fragment_Length = 1020

; Indicates whether the EAP-TLS module should return the
; MS-MPPE-Send-Key and MS-MPPE-Recv-Key attribute upon successful
; authentication of user.
Return_MPPE_Keys = 1

; Size of the prime to use for DH modular exponentiation.
DH_Prime_Bits = 1536
; TLS cipher suites (in order of preference)
; that the server is to use.
Cipher_Suites = 0x003C,0x003D,0x0067,0x006B,0x0039,0x0038,0x0033,0x0035,0x002F,0x000a,0x0005,0x0004,0x0007
; Specifies the TLS Protocol Version on which the server expects client to initiate the handshake process. 
TLS_Protocol_Version = 31

[Inner_Authentication]
; Specifies how inner authentication routing operates.
Directed_Realm = ttls_realm

[Request_Filters]
Transfer_Outer_Attribs_to_New = My_Xfer_Out_New_Filter
Transfer_Outer_Attribs_to_Continue = My_Xfer_Out_Con_Filter
Edit_New = My_Edit_New_Filter
Edit_Continue = My_Continue_Filter

[Response_Filters]
Transfer_Inner_Attribs_To_Accept = My_Xfer_Acc_Filter
Transfer_Inner_Attribs_To_Reject = My_Xfer_Rej_Filter

[Session_Resumption]
; Maximum length of time (in seconds) the NAD/AP allows
; the session to persist before the client is asked
; to reauthenticate.
Session_Timeout = 600

; Value to return for the Termination-Action attribute sent
; sent in an accepted client.
Termination_Action = 0

; Maximum length of time (in seconds) during which an authentication
; request that seeks to resume a previous TLS session is
; considered acceptable.
Resumption_Limit = 3600

For this to work, you must also provide the following settings in the [EAP-TTLS] section of the eap.ini file:

First-Handle-Via-Auto-EAP = 0
EAP-Type = TTLS

Modified: 2017-09-27