EAP-TLS Authentication Protocol

The EAP-TLS (Transport Layer Security) protocol requires that both user and authentication server have certificates for mutual authentication. While the mechanism is very strong, it requires that the corporation that deploys it maintain a certificate infrastructure for all of its users.

EAP-TLS can be deployed as an authentication method or as an automatic EAP helper.

  • When EAP-TLS is deployed as an authentication method, it appears in the Authentication Methods page in the Web GUI. You can use the Authentication Methods page to enable the EAP-TLS method and specify its sequence relative to the other authentication methods SBR Carrier uses.

    When EAP-TLS is deployed as an authentication method, you can configure it to perform CRL checking. When CRL checking is enabled, EAP-TLS confirms that the client’s certificate chain traces back to one of the trusted root certificates installed at initialization and checks the serial number of each certificate in the chain against the contents of CRLs to verify that none of the certificates in the chain have been revoked.

    You can configure the tlsauth.aut file to call a fixed profile when EAP-TLS is used. This profile specifies the attributes that are sent back in response to a successful authentication.

    You cannot use secondary authorization when EAP-TLS is deployed as an authentication method.

  • When EAP-TLS is deployed as an automatic EAP helper, you must list TLS in the EAP-Type list of an authentication method. When EAP-TLS is triggered, the tlsauth plug-in performs the TLS handshake required by the EAP-TLS specification. Assuming the user presents a certificate that the server can verify against its list of trusted root certificates, the EAP-TLS part of the exchange concludes successfully.

    You may not want to grant access to your network to every user with a trusted certificate. By enabling the optional secondary authorization feature of the tlsauth plug-in, you can have SBR Carrier authorize users with valid certificates on a case-by-case basis. Secondary authorization also allows you to include user-specific attributes in an Access-Accept response; these attributes can be used to communicate options that are to be active for a user’s connection to the NAD. Without secondary authorization, the only attributes returned on an Access-Accept are those generated by the tlsauth plug-in itself (termination-action and session-limit).

    If you enable the TLS authentication method, secondary authorizations must be performed by local authentication methods (they cannot be proxied). The authentication method you select for secondary authorizations must be able to authenticate users in a single pass; it cannot challenge the authorization request and request additional information. The username employed during secondary authorization is derived from a field in the user’s certificate. Because a user’s certificate does not include a password, you must configure tlsauth to make the secondary authorization request with no password or with a fixed password.

    If you configure secondary authorization with no password, your selected authentication method must be capable of handling requests that do not include passwords; the only authentication methods that support this style of authentication and ship with SBR Carrier are Native User, LDAP and SQL. If you configure secondary authorization with a fixed password, you can use any authentication method that supports PAP authentication. In this configuration all user records must have the same fixed password.

Configuring EAP-TLS as an EAP Authentication Method

Note

A valid server certificate must be in place on the SBR Carrier server before you configure the EAP-TLS authentication protocol. For information about configuring certificates, see Certificates.

To configure EAP-TLS as an authentication method using the Web GUI:

  1. Select RADIUS Configuration > Authentication Policies > EAP Methods.

    The EAP Methods List page (Figure 92) appears.

    Figure 92: EAP Methods List Page
  2. Select EAP-TLS.

    The Selected EAP Method: EAP-TLS pane (Figure 93) appears.

    Figure 93: Selected EAP Method: EAP-TLS Pane
  3. Select the Enable EAP-TLS Method check box to enable the EAP-TLS method.

    Note

    You can also enable the EAP-TLS method from the EAP Methods List page. In the EAP Methods List page, click the Status column of the EAP-TLS entry, select the check box that appears, and click Apply.

  4. Configure client certificate validation for the EAP-TLS protocol. For more information about configuring client certificate validation, see Configuring Client Certificate Validation—EAP-TLS.

  5. Configure session resumption for the EAP-TLS protocol. For more information about configuring session resumption, see Configuring Session Resumption—EAP-TLS.

  6. Configure advanced server settings for the EAP-TLS protocol. For more information about configuring advanced server settings, see Configuring Advanced Server Settings—EAP-TLS.

  7. Click Save to save the configuration.

Configuring Client Certificate Validation—EAP-TLS

Client certificate validation settings enable you to specify how SBR Carrier performs CRL checking.

To configure client certificate validation for the EAP-TLS protocol using the Web GUI:

  1. In the Selected EAP Method: EAP-TLS pane, click the Client Certificate Validation tab (Figure 94).

    Figure 94: EAP-TLS—Client Certificate Validation
  2. Select the Enable CRL Checking check box to enable certificate revocation list checking.

  3. In the Retrieval Timeout field, enter the number of seconds you want EAP-TLS to wait for the CRL checking transaction to complete.

    When CRL retrieval takes longer than the specified time, the user's authentication request is rejected.

  4. In the Expiration Grace Period field, enter the number of seconds a CRL is still considered acceptable after it has expired.

    EAP-TLS always attempts to retrieve a new CRL when it is presented with a certificate chain and it finds an expired CRL in its cache.

    • If you enter 0 to specify strict expiration mode, EAP-TLS rejects an expired CRL.

    • If you enter a value greater than 0, lax expiration mode is used. An expired CRL is acceptable if the time it expired is within the specified grace period.

  5. Select the Allow Missing CDP Attribute check box if you want to enable SBR Carrier to accept a non-root certificate without a CDP attribute.

    Without a CDP attribute, EAP-TLS cannot retrieve a CRL and cannot perform a revocation check on the certificate.

    If you select the Allow Missing CDP Attribute check box, EAP-TLS accepts such certificates and skips CRL checking for them.

    If you clear the Allow Missing CDP Attribute check box, EAP-TLS does not accept a non-root certificate that is missing the CDP attribute.

  6. If you want to specify a CRL cache timeout period, select the CRL Cache Timeout Period check box and enter the number of hours in the CRL Cache Timeout Period field.

    • If you do not enable this setting, the CRL is refreshed whenever it expires.

    • If you enable this setting and enter 0, SBR Carrier always regards the CRL in the cache as expired and downloads a new CRL every time it receives a client certificate request.

    • If you enable this setting and enter a number greater than 0, the CRL begins to expire when the age of the CRL in the cache exceeds the number of hours specified in this field or when the scheduled CRL expiration time occurs, whichever comes first.

    After a CRL has expired (because its scheduled expiration time has passed or because the CRL cache has timed out), SBR Carrier uses the expiration grace period to determine whether to use the current CRL.

  7. In the Default LDAP Server Name field, enter the name of the LDAP server to use when the CDP contains a value that begins with the string //ldap:\\\.

    CDPs generated by some CAs do not include the identity of the LDAP server. If you expect to encounter certificates with this style CDP, specify the name of the LDAP server that contains the CRLs.

    If you do not specify a server name and such certificates are encountered, the CRL retrieval fails.

  8. Select the Verify that Client Certificates are Published to User Accounts check box.

  9. If you want the EAP-TLS plug-in to add four attributes to the outer request before the secondary authorization check is performed, select the Include Certificate Info check box.

    When the Include Certificate Info check box is selected, SBR Carrier adds the following attributes to the request:

    • The Funk-Peer-Cert-Subject attribute contains the value of the Subject attribute in the client certificate.

    • The Funk-Peer-Cert-Principal attribute contains the value of the principal name (subject alternate name or other name) attribute of the client certificate.

    • The Funk-Peer-Cert-Issuer attribute contains the value of the Issuer attribute in the client certificate.

    • The Funk-Peer-Cert-Hash attribute contains a hexadecimal ASCII representation of the SHA-1 hash of the client certificate.

    These attributes are ignored if the authentication method that performs the authentication check does not use them.

Configuring Session Resumption—EAP-TLS

Session resumption settings control whether and under what circumstances session resumption is permitted.

Note

For session resumption to work, the NAD must be configured to handle the Session-Timeout return list attribute, so that the NAD can notify the client to reauthenticate after the session timer has expired.

To configure session resumption for the EAP-TLS protocol using the Web GUI:

  1. In the Selected EAP Method: EAP-TLS pane, click the Session Resumption tab (Figure 95).

    Figure 95: EAP-TLS—Session Resumption
  2. In the Session Timeout(In Seconds) field, enter the maximum number of seconds you want the client to remain connected to the NAD before having to reauthenticate.

    If you enter a number greater than 0, the lesser of this value and the remaining resumption limit is sent in a Session-Timeout attribute to the RADIUS client on the RADIUS Access-Accept response.

    If you enter 0, the plug-in does not generate a Session-Timeout attribute itself. Entering 0 does not prevent the authentication methods that perform secondary authorization from providing a value.

    Entering a value such as 600 seconds (10 minutes) does not necessarily cause a full reauthentication to occur every 10 minutes. You can configure the resumption limit to make most reauthentications fast and computationally efficient.

  3. In the Termination Action field, enter the value to be returned in a Termination-Action attribute.

    The Termination-Action attribute is a standard attribute supported by most access points and determines what happens when the session timeout is reached. Valid values are:

    • -1: Do not send the attribute (the default). This does not prevent the authentication methods performing secondary authorization from providing a value.

    • 0: Send the Termination-Action attribute with a value of 0.

    • 1: Send the Termination-Action attribute with a value of 1.

  4. Enter the maximum number of seconds you want the client to be able to reauthenticate using the TLS session resumption feature in the Resumption Limit(In Seconds) field.

    This type of reauthentication is fast and computationally efficient. It does, however, depend on previous authentications and is not as secure as a complete (but computationally expensive) authentication. Specifying a value of 0 disables the session resumption feature.

    Best Practice

    Using the Resumption Limit Option Effectively

    Two scenarios where the resumption limit can be used effectively:

    • In a wireless environment, the client is moving between access points. The resumption limit can be tuned to make the handover between access points smoother by not forcing a complete reauthorization that requires repeated verification of user information.

      When the new access point queries SBR Carrier, the server replies that the session ID is already valid. Because it is known to be good, repeating the inner authentication is not required, which saves some time. The access point acknowledges the reauthorization not required message and the session continues.

    • Another use for resumption limit occurs when the server ordinarily requires the client to reauthorize every 10 minutes or so, to ensure the client is still connected. Setting the resumption limit to 3600 seconds with a session timeout of 600 seconds means that the interval reauthorizations are fast and efficient, and a complete reauthorization is required just once an hour instead of every 10 minutes.

Configuring Advanced Server Settings—EAP-TLS

You use advanced server settings to specify the manner in which the inner authentication step operates.

To configure advanced server settings for the EAP-TLS protocol using the Web GUI:

  1. In the Selected EAP Method: EAP-TLS pane, click the Advanced Server Settings tab (Figure 96).

    Figure 96: EAP-TLS—Advanced Server Settings
  2. In the TLS Message Fragment Length field, enter the maximum length of the TLS message that may be generated during each iteration of the TLS exchange.

    Enter a number in the range 500 through 4096 bytes.

    • The default length for TLS messages is 1020 bytes, which prevents the RADIUS challenge response (carried in a UDP packet) from exceeding one Ethernet frame.

    • Some access points may have problems with RADIUS responses or EAP messages that exceed the size of one Ethernet frame (1500 bytes including IP/UDP headers).

  3. In the Max Transaction Time field, enter the maximum number of seconds you want for the EAP-TLS authentication sequence to complete.

    • Enter a value in the range 1 through 3600 seconds. The default value is 120 seconds.

    • If the authentication sequence takes longer than this setting, user authentication is terminated.

  4. In the Challenge Timeout field, enter the number of seconds after which a challenge request times out.

    You can enter a value greater than or equal to 1 second, but this value must not exceed the value specified in the Max Transaction Time field. The default value is 30 seconds.

  5. Select the Return MPPE Keys check box to specify whether the TLS authentication method includes RADIUS MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in the final RADIUS Access-Accept response sent to the access point.

    Disable this option for WiMAX.

    Select this check box if the access point needs to key the Wired Equivalent Privacy (WEP) encryption. If the access point is authenticating only end users and WEP is not being used, you can clear this check box.

  6. Use the TLS Protocol Version list to specify the TLS protocol version on which the server expects the client to initiate the handshake process.

    Valid values are TLSv1, TLSv1.1, and TLSv1.2.

  7. Use the DH Prime Bits list to specify the number of bits in the prime number that the module uses for Diffie-Hellman exponentiation.

    Selecting a longer prime number makes the system less susceptible to certain types of attacks but requires more CPU processing to compute the Diffie-Hellman key agreement operation.

    Valid values are 512, 1024, 1536, 2048, 3072, and 4096 bits.

  8. In the Cipher Suites field, enter the TLS cipher suites (in order of preference) that the server is to use.

    These cipher suites are documented in RFC 2246, The TLS Protocol Version 1.0; RFC 4346, The TLS Protocol Version 1.1; and RFC 5246, The TLS Protocol Version 1.2.

    The default value is: 0x0067,0x006B,0xC030,0xC028,0xC014,0xC013.

    Table 36 lists the tested cipher suites and their TLS protocol versions.

    Table 36: Tested Cipher Suites

    Tested Cipher Suite    TLS Protocol Version
    0xC013                 TLS 1.0
    0xC014                 TLS 1.0
    0x003C                 TLS 1.2
    0x003D                 TLS 1.2
    0x0067                 TLS 1.2
    0x006B                 TLS 1.2
    0x009C                 TLS 1.2
    0x009D                 TLS 1.2
    0x009E                 TLS 1.2
    0x009F                 TLS 1.2
    0xC027                 TLS 1.2
    0xC028                 TLS 1.2
    0xC02F                 TLS 1.2
    0xC030                 TLS 1.2

    Note

    SBR Carrier does not provide support for TLSv1.3.

    SBR Carrier supports the following weak cipher suites: 0x002F, 0x0033, 0x0035, 0x0039, 0x003C, and 0x003D. These weak cipher suites are not enabled by default and must be configured explicitly in the Cipher Suites field.
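    The Cipher Suites field takes a comma-separated list of 16-bit suite IDs in hexadecimal, and the page leaves it to the administrator to know which of those IDs are in the tested list and which are the weak ones from the note. The following is an added example (not SBR Carrier code) that parses a proposed field value and reports suites that are weak per the note above, absent from Table 36, only tested with a TLS version below the one you intend to require, or use static RSA key exchange. The suite names are the IANA registry names for these IDs; the function names and the forward-secrecy rule are this example's own.

```python
import re

# IANA registry names for the suite IDs that appear on this page.
SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Table 36: tested suite -> (major, minor) TLS version it was tested with.
TESTED = {0xC013: (1, 0), 0xC014: (1, 0)}
TESTED.update({s: (1, 2) for s in (0x003C, 0x003D, 0x0067, 0x006B, 0x009C, 0x009D,
                                   0x009E, 0x009F, 0xC027, 0xC028, 0xC02F, 0xC030)})

# Suites the page's note calls weak (not enabled unless listed in the field).
WEAK = {0x002F, 0x0033, 0x0035, 0x0039, 0x003C, 0x003D}

# The page's default field value.
DEFAULT_FIELD = "0x0067,0x006B,0xC030,0xC028,0xC014,0xC013"

TOKEN = re.compile(r"0x[0-9A-Fa-f]{4}")


def parse_cipher_suites(field: str) -> list:
    """Parse the field's comma-separated hex IDs into a preference-ordered list."""
    ids = []
    for token in field.split(","):
        token = token.strip()
        if not TOKEN.fullmatch(token):
            raise ValueError(f"malformed cipher suite token: {token!r}")
        ids.append(int(token, 16))
    return ids


def audit_cipher_suites(field: str, min_version=(1, 2)) -> list:
    """Return (suite_id, reason) findings for a proposed Cipher Suites value.

    min_version is the lowest TLS version you intend to allow via the
    TLS Protocol Version list; suites only tested below it are flagged.
    """
    findings = []
    seen = set()
    for sid in parse_cipher_suites(field):
        name = SUITE_NAMES.get(sid, "unknown suite")
        if sid in seen:
            findings.append((sid, f"{name}: listed more than once"))
        seen.add(sid)
        if sid in WEAK:
            findings.append((sid, f"{name}: listed as weak on this page"))
        if sid not in TESTED:
            findings.append((sid, f"{name}: not in the tested list (Table 36)"))
        elif TESTED[sid] < min_version:
            major, minor = TESTED[sid]
            findings.append((sid, f"{name}: only tested with TLS {major}.{minor}"))
        # Static RSA key exchange gives no forward secrecy (example's own policy rule).
        if name.startswith("TLS_RSA_WITH"):
            findings.append((sid, f"{name}: static RSA key exchange, no forward secrecy"))
    return findings


if __name__ == "__main__":
    for sid, reason in audit_cipher_suites(DEFAULT_FIELD):
        print(f"{sid:#06x} {reason}")
```

Run against the page's default value with min_version=(1, 2), the audit flags only 0xC014 and 0xC013 (the two suites Table 36 lists for TLS 1.0); the default list contains no weak suite and every entry uses DHE or ECDHE key exchange.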

  9. Select the Verify User Name is Principal check box to verify that the username matches the principal name (subject alternate name or other name) of the client certificate.

  10. If you want to associate a profile with the EAP-TLS protocol, select the Use Profile check box and use the Use Profile list to select the profile.

Configuring EAP-TLS as an Automatic EAP Helper

Note

You must configure the server certificate for the SBR Carrier server before you use the EAP-TLS helper. For information about configuring your server certificate, see Configuring Server Certificates.

To configure EAP-TLS as an EAP helper using the Web GUI:

  1. Select RADIUS Configuration > Authentication Policies > EAP Methods.

    The EAP Methods List page (Figure 92) appears.

  2. Select EAP-TLS Helper.

    The Selected EAP Method: EAP-TLS Helper pane (Figure 97) appears.

    Figure 97: Selected EAP Method: EAP-TLS Helper Pane
  3. Select the Enable EAP-TLS Helper Method check box to enable the EAP-TLS helper method.

    Note

    You can also enable the EAP-TLS helper method from the EAP Methods List page. In the EAP Methods List page, click the Status column of the EAP-TLS Helper entry, select the check box that appears, and click Apply.

  4. Configure client certificate validation for the EAP-TLS helper protocol. For more information about configuring client certificate validation, see Configuring Client Certificate Validation—EAP-TLS Helper.

  5. Configure secondary authorization for the EAP-TLS helper protocol. For more information about configuring secondary authorization, see Configuring Secondary Authentication—EAP-TLS Helper.

  6. Configure session resumption for the EAP-TLS helper protocol. For more information about configuring session resumption, see Configuring Session Resumption—EAP-TLS Helper.

  7. Configure advanced server settings for the EAP-TLS helper protocol. For more information about configuring advanced server settings, see Configuring Advanced Server Settings—EAP-TLS Helper.

  8. Click Save to save the configuration.

Configuring Client Certificate Validation—EAP-TLS Helper

You use client certificate validation settings to specify how SBR Carrier performs CRL checking.

To configure client certificate validation for the EAP-TLS helper protocol using the Web GUI:

  1. In the Selected EAP Method: EAP-TLS Helper pane, click the Client Certificate Validation tab (Figure 98).

    Figure 98: EAP-TLS Helper—Client Certificate Validation
  2. Select the Enable CRL Checking check box to enable CRL checking.

  3. In the Retrieval Timeout field, enter the number of seconds you want the EAP-TLS helper to wait for a CRL retrieval transaction to complete.

    When CRL retrieval takes longer than the specified time, the user's authentication request is rejected.

  4. The Expiration Grace Period field contains the number of seconds during which an expired CRL may still be accepted.

    The EAP-TLS helper always attempts to retrieve a new CRL when it is presented with a certificate chain and it finds an expired CRL in its cache.

    • If you enter 0 to specify strict expiration mode, the EAP-TLS helper does not accept an expired CRL.

    • If you enter a value greater than 0 (lax expiration mode), the EAP-TLS helper considers the expired CRL as an acceptable stand-in from the time the CRL expires to the time the grace period ends.

  5. Select the Allow Missing CDP Attribute check box if you want SBR Carrier to accept a non-root certificate that does not have a CDP attribute.

    Without a CDP attribute, the EAP-TLS helper cannot retrieve a CRL and cannot perform a revocation check on the certificate.

    If you select the Allow Missing CDP Attribute check box, the EAP-TLS helper accepts such certificates and skips CRL checking for them.

    If you clear the Allow Missing CDP Attribute check box, the EAP-TLS helper does not accept a non-root certificate that is missing the CDP attribute.

  6. If you want to specify a CRL cache timeout period, select the CRL Cache Timeout Period check box and enter the number of hours in the CRL Cache Timeout Period field.

    • If you do not enable this setting, the CRL is refreshed whenever it expires.

    • If you enable this setting and enter 0, SBR Carrier always regards the CRL in the cache as expired and downloads a new CRL every time it receives a client certificate request.

    • If you enable this setting and enter a number greater than 0, the CRL begins to expire when the age of the CRL in the cache exceeds the number of hours specified in this field or when the scheduled CRL expiration time occurs, whichever comes first.

    After a CRL has expired (because its scheduled expiration time has passed or because the CRL cache has timed out), SBR Carrier uses the expiration grace period to determine whether to use the current CRL.

  7. If the CDP contains a value that begins with the string //ldap:\\\, enter the name of the LDAP server to use in the Default LDAP Server Name field.

    CDPs generated by some CAs do not include the identity of the LDAP server. If you expect to encounter certificates with this style CDP, specify the name of the LDAP server that contains the CRLs.

    If you do not specify a server name and such certificates are encountered, the CRL retrieval fails.
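    The CRL settings in steps 2 through 6 above (and in the corresponding steps of Configuring Client Certificate Validation—EAP-TLS) interact: the scheduled expiration and the cache timeout decide when a cached CRL is considered expired, a download is always attempted at that point, and the Expiration Grace Period only matters when that download fails. The following is an added example (not SBR Carrier code) that models that decision as a pure function so the combinations can be checked. The type and function names are this example's own, and the example assumes the grace window is measured from the moment the cached copy became expired and that a retrieval timeout rejects the request with no fallback, as the page states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# The settings follow the page's fields; names below are this example's own.


@dataclass
class CachedCrl:
    fetched_at: datetime   # when this copy was downloaded into the cache
    next_update: datetime  # the CRL's own scheduled expiration time


def cache_expiry(crl: CachedCrl, cache_timeout_hours: Optional[int]) -> datetime:
    """Moment at which the cached CRL counts as expired.

    The scheduled expiration always applies. If the CRL Cache Timeout Period is
    enabled, the copy also expires once its age exceeds the timeout, and
    whichever comes first wins (0 hours = expired as soon as it was fetched).
    """
    if cache_timeout_hours is None:          # setting not enabled
        return crl.next_update
    return min(crl.next_update,
               crl.fetched_at + timedelta(hours=cache_timeout_hours))


def crl_decision(crl: Optional[CachedCrl], now: datetime, refresh_result: str,
                 grace_seconds: int, cache_timeout_hours: Optional[int]) -> str:
    """Decide how the revocation check proceeds for one certificate.

    refresh_result models the download the server attempts whenever the cached
    CRL is expired: "ok", "failed", or "timeout" (longer than Retrieval Timeout).
    Returns "use-cached", "use-refreshed", "use-stale" or "reject".
    """
    if crl is not None and now < cache_expiry(crl, cache_timeout_hours):
        return "use-cached"
    # Expired or nothing cached: a new CRL is always requested first.
    if refresh_result == "ok":
        return "use-refreshed"
    if refresh_result == "timeout" or crl is None:
        return "reject"          # retrieval timeout rejects the request outright
    # Download failed: the Expiration Grace Period decides (assumption: the
    # grace window starts when the cached copy expired).
    if grace_seconds == 0:
        return "reject"          # strict expiration mode
    expired_at = cache_expiry(crl, cache_timeout_hours)
    if now - expired_at <= timedelta(seconds=grace_seconds):
        return "use-stale"       # lax mode, still inside the grace window
    return "reject"


def revocation_check(has_cdp: bool, allow_missing_cdp: bool, **crl_args) -> str:
    """Apply the Allow Missing CDP Attribute setting before any CRL logic runs."""
    if not has_cdp:
        return "skip-crl" if allow_missing_cdp else "reject"
    return crl_decision(**crl_args)


if __name__ == "__main__":
    # Constructed sample: CRL fetched at midnight, scheduled to expire at 10:00,
    # evaluated at noon with the fresh download failing.
    crl = CachedCrl(fetched_at=datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc),
                    next_update=datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc))
    noon = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    for grace in (0, 3600, 7200):
        print(f"grace={grace:<5} -> {crl_decision(crl, noon, 'failed', grace, None)}")
```

With the constructed sample, a grace period of 7200 seconds still accepts the stale CRL at noon (it expired exactly two hours earlier), 3600 seconds rejects, and 0 rejects. Setting the cache timeout to 0 hours moves the expiry back to the fetch time, so even the 7200-second grace period no longer covers it.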

Configuring Secondary Authentication—EAP-TLS Helper

You use secondary authorization settings to specify whether secondary authorization is performed and, if it is, what information is used in the secondary authorization request.

To configure secondary authentication for the EAP-TLS helper protocol using the Web GUI:

  1. In the Selected EAP Method: EAP-TLS Helper pane, click the Secondary Authorization tab (Figure 99).

    Figure 99: EAP-TLS Helper—Secondary Authorization
  2. Select the Enable Secondary Authorization check box to enable secondary authorization checking.

    If secondary authorization is disabled, the EAP-TLS plug-in accepts the user upon proof of ownership of a private key that matches a valid certificate.

    If secondary authorization is enabled, a secondary authorization check against a traditional authentication method such as an SQL plug-in is performed.

  3. For User Name Source, select one of the following option buttons: Subject CN name, Principal Name, User-Name, or Calling-Station-Id. After the EAP-TLS module has concluded its processing, it may still defer to a traditional authentication method (core or plug-in) for final authorization. To do so, the EAP-TLS module must supply a username and password to that traditional authentication method.

    Note

    User-Name and Calling-Station-Id are only available for inner authentication.

    • If you select the Subject CN option button, the EAP-TLS module parses the Subject attribute of the client's certificate for the least significant 'CN=' and takes the value of this attribute (for example, 'George Washington') as the username being passed to the traditional authentication method.

    • If you select the Principal Name option button, the EAP-TLS module uses the principal name (subject alternate name or other name) from the client certificate (for example, joe@acme.com) as the username being passed to the traditional authentication method.

    • If you select the User-Name option button, the EAP-TLS module passes the RADIUS User-Name to the traditional authentication method. This is available only for inner authentication.

    • If you select the Calling-Station-Id option button, the EAP-TLS module uses the calling station ID as the username being passed to the traditional authentication method. This is available only for inner authentication.

  4. If you plan to use secondary authorization against an authentication method (for example, LDAP) that cannot be configured to ignore the lack of user credentials, specify a fixed password that the plug-in uses on all secondary authorization checks in the Fixed Password field.

    By default, the secondary authorization check includes a username but no other user credentials because no password or similar credential for the client is available at the conclusion of the TLS handshake. Some authentication methods (Native User, LDAP, and SQL) can be configured to not require user credentials.

  5. If you want the EAP-TLS plug-in to add four attributes to the request before the secondary authorization check is performed, select the Include Certificate Info check box.

    When the Include Certificate Info check box is selected, SBR Carrier adds the following attributes to the request:

    • The Funk-Peer-Cert-Subject attribute contains the value of the Subject attribute in the client certificate.

    • The Funk-Peer-Cert-Principal attribute contains the value of the principal name (subject alternate name or other name) attribute of the client certificate.

    • The Funk-Peer-Cert-Issuer attribute contains the value of the Issuer attribute in the client certificate.

    • The Funk-Peer-Cert-Hash attribute contains a hexadecimal ASCII representation of the SHA1 hash of the client certificate.

    These attributes are ignored if the authentication method that performs the authentication check does not use them.

  6. You can use the inner authentication settings to specify the way in which the inner authentication process operates.

    Note

    The inner authentication settings are applicable only to PAP authentication.

    To configure inner authentication settings:

    • Select the Use Inner Radius check box to enable inner authentication when secondary authorization is enabled.

    • Select the Edit Inner Request check box and select the filter you want to use from the drop-down list.

      This filter affects the inner authentication request. The filter can be used to modify attributes to influence routing of the inner authentication through editing an attribute and selecting a realm.

    • Select the Edit Outer Response check box and select the filter you want to use from the drop-down list.

      This filter is used to edit attributes in the inner authentication response.

      • If this filter is specified, the filter is applied to the inner authentication response and all resulting attributes are transferred to the outer authentication response.

      • If this filter is not specified, no inner authentication response attributes are transferred to the outer authentication response.

    • Enter the attribute name that contains the profile name in the Profile Attribute field.

      This profile name is present in the attribute returned in the inner authentication response. If the profile name does not exist in SBR Carrier, an Access-Reject message is sent.

    • Enter the directed or proxy realm name in the Realm field.

      If a realm name is configured in SBR Carrier, all inner authentications are forwarded to that realm. If a realm name is not configured, standard authentication takes place as defined in the proxy.ini file.

Configuring Session Resumption—EAP-TLS Helper

You use session resumption settings to specify under what circumstances session resumption is performed.

Note

For session resumption to work, the NAD must be configured to handle the Session-Timeout return list attribute, so that the NAD can notify the client to reauthenticate after the session timer has expired.

To configure session resumption for the EAP-TLS helper protocol using the Web GUI:

  1. In the Selected EAP Method: EAP-TLS Helper pane, click the Session Resumption tab (Figure 100).

    Figure 100: EAP-TLS Helper—Session Resumption
  2. In the Session Timeout(In Seconds) field, enter the number of seconds the client may remain connected to the NAD before having to reauthenticate.

    If you enter a number greater than 0, the lesser of this value and the remaining resumption limit is sent in a Session-Timeout attribute to the RADIUS client on the RADIUS Access-Accept response.

    If you enter 0, a Session-Timeout attribute is not generated. This does not prevent the authentication methods performing secondary authorization from providing a value for this attribute.

    Entering a value such as 600 seconds (10 minutes) does not necessarily cause a full reauthentication to occur every 10 minutes. You can configure the resumption limit to make most reauthentications fast and computationally efficient.

  3. Enter the value to be returned in a Termination-Action attribute in the Termination Action field.

    The Termination-Action attribute is a standard attribute supported by most access points and determines what happens when the session timeout is reached. Valid values are:

    • -1: Do not send the attribute (the default). This does not prevent any authentication method that performs secondary authorization from providing a value for this attribute.

    • 0: Send the Termination-Action attribute with a value of 0.

    • 1: Send the Termination-Action attribute with a value of 1.

  4. Enter the maximum number of seconds you want the client to be able to reauthenticate using the TLS session resumption feature in the Resumption Limit(In Seconds) field.

    This type of reauthentication is fast and computationally efficient. It does, however, depend on previous authentications and is not as secure as a complete (computationally expensive) authentication. Specifying a value of 0 disables the session resumption feature.

    Best Practice

    Using the Resumption Limit Option Effectively

    Two scenarios where the resumption limit can be used effectively:

    • In a wireless environment, the client is moving between access points. The resumption limit can be tuned to make the handover between access points smoother by not forcing a complete reauthorization that requires repeated verification of user information.

      When the new access point queries SBR Carrier, the server recognizes the session ID as one it has already validated. Because that earlier authentication is known to be good, the inner authentication does not have to be repeated, which saves time: the server answers that the session is still valid, the access point accepts that answer, and the session continues.

    • Another use for resumption limit occurs when the server ordinarily requires the client to reauthorize every 10 minutes or so, to ensure the client is still connected. Setting the resumption limit to 3600 seconds with a session timeout of 600 seconds means that the interval reauthorizations are fast and efficient, and a complete reauthorization is required just once an hour instead of every 10 minutes.
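    The interaction of the Session Timeout, Termination Action and Resumption Limit settings above is easier to see by replaying it. The following Python model is an added example, not SBR Carrier code or part of this documentation. It assumes that the resumption window is measured from the client's last full TLS handshake and that, with resumption disabled, Session-Timeout is sent exactly as entered; the names HelperSettings, TlsSessionCache and simulate are hypothetical.

```python
"""Added example (not SBR Carrier code): how Session Timeout, Resumption
Limit and Termination Action combine on the EAP-TLS helper.

Assumptions made here that the documentation does not state:
  * the resumption window is counted from the last FULL TLS handshake;
  * when resumption is disabled (limit 0), Session-Timeout is sent as entered.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HelperSettings:
    session_timeout: int     # seconds; 0 = do not send Session-Timeout
    resumption_limit: int    # seconds; 0 = TLS session resumption disabled
    termination_action: int  # -1 = omit; 0 = Default; 1 = RADIUS-Request


@dataclass
class AuthEvent:
    at: int          # seconds since the first full authentication
    kind: str        # "full" (complete handshake) or "resumed" (abbreviated)
    attrs: dict      # attributes the helper itself adds to the Access-Accept


class TlsSessionCache:
    """Remembers when the client last completed a full TLS handshake."""

    def __init__(self, settings: HelperSettings):
        self.cfg = settings
        self.full_at: Optional[int] = None

    def authenticate(self, now: int) -> AuthEvent:
        cfg = self.cfg
        elapsed = None if self.full_at is None else now - self.full_at
        # Resumption is allowed only while the last full handshake is
        # younger than the resumption limit; otherwise force a full one.
        if (cfg.resumption_limit > 0 and elapsed is not None
                and elapsed < cfg.resumption_limit):
            kind = "resumed"
        else:
            kind = "full"
            self.full_at = now
            elapsed = 0

        attrs = {}
        if cfg.session_timeout > 0:
            if cfg.resumption_limit > 0:
                # "the lesser of this value and the remaining resumption limit"
                remaining = cfg.resumption_limit - elapsed
                attrs["Session-Timeout"] = min(cfg.session_timeout, remaining)
            else:
                attrs["Session-Timeout"] = cfg.session_timeout
        if cfg.termination_action in (0, 1):
            attrs["Termination-Action"] = cfg.termination_action
        return AuthEvent(now, kind, attrs)


def simulate(settings: HelperSettings, horizon: int) -> list[AuthEvent]:
    """Replay the reauthentications a NAD would trigger up to `horizon`
    seconds, assuming it reauthenticates exactly when Session-Timeout expires."""
    cache = TlsSessionCache(settings)
    events, now = [], 0
    while now <= horizon:
        ev = cache.authenticate(now)
        events.append(ev)
        timeout = ev.attrs.get("Session-Timeout")
        if timeout is None:
            break  # nothing tells the NAD to come back; session runs untimed
        now += timeout
    return events


if __name__ == "__main__":
    # The second best-practice scenario: 10-minute timeouts, 1-hour resumption
    # limit, Termination-Action=1 so the AP reauthenticates instead of dropping.
    for ev in simulate(HelperSettings(600, 3600, 1), 7200):
        print(f"t={ev.at:5d}s {ev.kind:8s} {ev.attrs}")
```

    Running it shows full handshakes only at 0, 3600 and 7200 seconds with ten resumed reauthentications in between, which is the once-an-hour pattern the best practice describes. With a Session Timeout of 1000 seconds the model also shows the "lesser of" rule: the third resumed reauthentication is told to come back after 600 seconds, not 1000, because only 600 seconds of the resumption window remain.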

Configuring Advanced Server Settings—EAP-TLS Helper

You use advanced server settings to specify the manner in which the inner authentication step operates.

To configure advanced server settings for the EAP-TLS helper protocol using the Web GUI:

  1. In the Selected EAP Method: EAP-TLS Helper pane, click the Advanced Server Settings tab (Figure 101).

    Figure 101: EAP-TLS Helper—Advanced Server Settings
  2. In the TLS Message Fragment Length field, enter the maximum length of the TLS message that may be generated during each iteration of the TLS exchange.

    Enter a number in the range 500 through 4096 bytes. This value determines how many RADIUS challenge/response round trips are needed to complete the TLS exchange: a server Certificate message of several kilobytes, for example, costs one round trip per fragment.

    Some access points may have problems with RADIUS responses or EAP messages that exceed the size of one Ethernet frame (1500 bytes including IP/UDP headers). Note also that a RADIUS packet itself may not exceed 4096 bytes (RFC 2865), and that each fragment travels with EAP, EAP-Message attribute and RADIUS overhead, so a fragment length at the top of the range produces packets noticeably larger than the fragment.

    The default length for TLS messages is 1020 bytes, which keeps the RADIUS challenge response (carried in a UDP packet) within one Ethernet frame. If a particular access point drops large challenges so that clients stall part way through the handshake, lowering this value is the usual fix.

  3. In the Max Transaction Time field, enter the maximum number of seconds you want for the EAP-TLS helper authentication sequence to complete.

    • Enter a value in the range 1 through 3600 seconds. The default value is 120 seconds.

    • If the authentication sequence takes longer than this setting, user authentication is terminated.

  4. In the Challenge Timeout field, enter the number of seconds after which a challenge request times out.

    You can enter a value greater than or equal to 1 second, but this value must not exceed the value specified in the Max Transaction Time field. The default value is 30 seconds.

  5. Select the Return MPPE Keys check box to specify whether the EAP-TLS helper includes RADIUS MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in the final RADIUS Access-Accept response sent to the access point.

    Enable this option if the access point needs keying material from the TLS handshake. This applies to WEP keying and equally to WPA/WPA2-Enterprise, where the MS-MPPE-Recv-Key carries the pairwise master key (PMK) used in the 802.11i four-way handshake. Clear this check box only if the access point is authenticating end users without deriving link encryption keys from the authentication.

  6. Use the TLS Protocol Version list to specify the TLS protocol version on which the server expects the client to initiate the handshake process.

    Valid values are TLSv1, TLSv1.1, and TLSv1.2. TLS 1.0 and 1.1 have since been deprecated (RFC 8996); select TLSv1.2 unless you must support supplicants that cannot negotiate it, and note that the SHA-256 and SHA-384 cipher suites in the default list are available only with TLSv1.2.

  7. Use the DH Prime Bits list to specify the number of bits in the prime number that the module uses for Diffie-Hellman exponentiation (used by the DHE cipher suites, 0x0067 and 0x006B in the default list).

    Selecting a longer prime number makes the system less susceptible to certain types of attacks but requires more CPU processing to compute the Diffie-Hellman key agreement operation.

    Valid values are 512, 1024, 1536, 2048, 3072, and 4096 bits. 512-bit groups are breakable with modest resources and 1024-bit groups are no longer considered adequate, so do not select less than 2048 unless a legacy client forces it.

  8. In the Cipher Suites field, enter the TLS cipher suites (in order of preference) that the server is to use, as comma-separated hexadecimal IANA identifiers.

    These cipher suites are documented in RFC 2246, The TLS Protocol Version 1.0; RFC 4346, The Transport Layer Security (TLS) Protocol Version 1.1; and RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2.

    The default value is: 0x0067,0x006B,0xC030,0xC028,0xC014,0xC013. In IANA names these are TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. The first four require TLSv1.2; the last two are the fallbacks usable with TLSv1 and TLSv1.1. All six use DHE or ECDHE key exchange and so provide forward secrecy; keep to suites of that kind if you change the list.

    See Table 36 for the list of tested cipher suites and their TLS protocol versions.
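To make the TLS Message Fragment Length setting in step 2 concrete, the following Python script is an added example, not SBR Carrier code or part of this documentation. It builds EAP-TLS Request packets according to the RFC 5216 framing (Flags byte with the L and M bits, optional 4-byte TLS Message Length), reassembles them as a peer would, and computes the size of the RADIUS Access-Challenge that carries the first fragment. The RADIUS overhead it assumes (EAP-Message attributes of at most 253 bytes, a Message-Authenticator and a 16-byte State attribute) is typical but not a figure the documentation gives; the 4200-byte handshake flight is constructed, not a real certificate.

```python
"""Added example (not SBR Carrier code): what the TLS Message Fragment
Length setting does on the wire, and why 1020 bytes is the default.

An EAP-TLS Request (RFC 5216) is: EAP header (Code, Identifier, Length),
Type 13, a Flags byte (L = length included, M = more fragments), an
optional 4-byte TLS Message Length, then the fragment. The server wraps
each EAP packet into RADIUS EAP-Message attributes of at most 253 bytes.
The RADIUS framing overhead assumed below (Message-Authenticator plus a
16-byte State attribute) is typical, not a value from the documentation.
"""
import math
import struct

EAP_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M = 0x80, 0x40
ETHERNET_PAYLOAD = 1500      # IP payload of one Ethernet frame
IP_UDP_HEADERS = 20 + 8
RADIUS_HEADER = 20
RADIUS_MAX_PACKET = 4096     # RFC 2865 upper bound on a RADIUS packet
EAP_MESSAGE_MAX = 253        # RFC 2869: payload of one EAP-Message attribute


def fragment_tls(tls_message: bytes, fragment_len: int, first_id: int = 1) -> list[bytes]:
    """Split one TLS message into EAP-TLS Request packets of fragment_len bytes."""
    pieces = [tls_message[i:i + fragment_len]
              for i in range(0, len(tls_message), fragment_len)] or [b""]
    packets = []
    for n, piece in enumerate(pieces):
        flags = 0
        if n == 0:
            flags |= FLAG_L                     # first fragment announces total length
        if n < len(pieces) - 1:
            flags |= FLAG_M                     # more fragments follow
        body = bytes([EAP_TYPE_TLS, flags])
        if flags & FLAG_L:
            body += struct.pack("!I", len(tls_message))
        body += piece
        header = struct.pack("!BBH", EAP_REQUEST, (first_id + n) & 0xFF, 4 + len(body))
        packets.append(header + body)
    return packets


def reassemble(packets: list[bytes]) -> bytes:
    """Peer side: stitch fragments back together, honouring the L and M flags."""
    total, data = None, bytearray()
    for pkt in packets:
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            total = struct.unpack("!I", pkt[pos:pos + 4])[0]
            pos += 4
        data += pkt[pos:]
        if total is not None and len(data) > total:
            raise ValueError("fragment data exceeds announced TLS length")
        if not flags & FLAG_M:
            break
    if total is not None and len(data) != total:
        raise ValueError("incomplete TLS message")
    return bytes(data)


def access_challenge_size(eap_packet: bytes, state_len: int = 16) -> int:
    """Bytes of the RADIUS Access-Challenge that carries one EAP packet."""
    n_attrs = math.ceil(len(eap_packet) / EAP_MESSAGE_MAX)
    eap_attrs = len(eap_packet) + 2 * n_attrs   # 2-byte Type/Length per attribute
    message_authenticator = 2 + 16              # required alongside EAP-Message
    state = 2 + state_len
    return RADIUS_HEADER + eap_attrs + message_authenticator + state


def fits_one_frame(radius_len: int) -> bool:
    """True if the UDP datagram carrying this RADIUS packet fits one Ethernet frame."""
    return radius_len + IP_UDP_HEADERS <= ETHERNET_PAYLOAD


if __name__ == "__main__":
    # Constructed stand-in for a 4200-byte TLS handshake flight (for example a
    # server Certificate message). Real handshake bytes are not needed for framing.
    flight = bytes([0x16]) + bytes(4199)
    for frag_len in (1020, 1400, 4096):
        pkts = fragment_tls(flight, frag_len)
        size = access_challenge_size(pkts[0])
        print(f"fragment {frag_len:4d}: {len(pkts)} round trips, "
              f"first challenge {size} bytes, one frame: {fits_one_frame(size)}, "
              f"within RADIUS limit: {size <= RADIUS_MAX_PACKET}")
        assert reassemble(pkts) == flight
```

With the 1020-byte default the first challenge is 1096 RADIUS bytes (1124 on the wire), comfortably inside one frame, at the cost of five round trips for the 4200-byte flight. Raising the fragment length to 1400 saves two round trips but pushes the datagram to 1506 bytes, and 4096 produces a 4196-byte RADIUS packet that exceeds the protocol's own 4096-byte limit before any access point gets a say.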