tlsauth.aut File
Note: Use the Web GUI to maintain settings in the tlsauth.aut file. Do not edit the tlsauth.aut file manually.
Settings for the EAP-TLS authentication method are stored in the tlsauth.aut file. The server reads the tlsauth.aut configuration file each time the Steel-Belted Radius Carrier (SBR Carrier) server receives a SIGHUP (signal 1).
[Server_Settings] Section
The [Server_Settings] section contains the settings that control the basic operation of the EAP-TLS authentication method.
Cipher_Suites Parameter
The Cipher_Suites parameter, defined in the tlsauth.aut [Server_Settings] section, specifies the cipher suites (in order of preference) that the server uses for EAP-TLS. When SBR Carrier receives a TLS message, it compares the cipher suites offered in the client message to the cipher suites defined in this parameter. A suite is selected based both on type (for example, DSS) and on the order of preference in the client's cipher suite list; that is, the first suite in the client's list that also appears in the server's list is chosen. If no match is found, SBR Carrier returns a handshake failure alert and closes the connection. Because the client's order decides the outcome, every suite you list here must be one you are willing to accept. The following examples illustrate the selection process:
Example 1
SBR Carrier cipher suite list defined in the Cipher_Suites parameter:
0xC00A,0xC014,0xC019,0xC009,0xC013,0x00AF,0x00B9,0xC035,0xC09A
Client cipher suite list:
0x0040,0x0033,0x0032,0x0016,0x0013,0x0066,0x0035,0x002f,0x0015,0x0012,0x000a,0x0005,0xC014
Match found: 0xC014
In this example SBR Carrier selects 0xC014 because it is the first suite in the client's cipher suite list that also appears in the SBR Carrier cipher suite list, and because the type also matches.
Example 2
SBR Carrier cipher suite list defined in the Cipher_Suites parameter:
0xC00A,0xC014,0xC019
Client cipher suite list:
0x0039,0x0033,0x0032,0x0016,0x0013,0x0066,0x0035,0x002f,0x0015,0x0012,0x000a,0x0005
Match found: none. No suite in the client's list appears in the server's list, so SBR Carrier returns a handshake failure alert.
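The selection rule above, worked through in code. This is an added example, not SBR Carrier code: it parses a Cipher_Suites value, picks the first client-offered suite that the server list also contains (no overlap means handshake failure), and runs both examples from the text. It also flags suites that provide no server authentication or no encryption, using identifiers from the IANA TLS Cipher Suite registry; note that the Example 1 server list contains two of those (0xC019, an ECDH_anon suite, and 0x00B9, a NULL-encryption suite), which a hardened configuration would not include. The suite-name table and the weak-suite set are partial and are the example's own, not part of tlsauth.aut.

```python
"""Cipher suite negotiation as the Cipher_Suites text describes it.

Added illustration, not SBR Carrier code: selection walks the client's list
in the client's order of preference and returns the first suite that is also
present in the server's Cipher_Suites list; no overlap means handshake
failure. Suite identifiers are the 16-bit values from the IANA TLS registry.
"""
from typing import List, Optional, Sequence

# Names for the documented default list (IANA registry). The first four are
# SHA-256/SHA-384 suites, which exist only in TLS 1.2.
DEFAULT_CIPHER_SUITES = "0x0067,0x006B,0xC030,0xC028,0xC014,0xC013"
SUITE_NAMES = {
    0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

# Suites with no server authentication (anon) or no encryption (NULL), from
# the IANA registry. Not exhaustive; extend it before relying on it.
ANON_OR_NULL_SUITES = frozenset([
    0x0001, 0x0002, 0x003B,                          # TLS_RSA_WITH_NULL_*
    0x0017, 0x0018, 0x0019, 0x001A, 0x001B,          # TLS_DH_anon_* (RFC 2246)
    0x0034, 0x003A,                                  # TLS_DH_anon_WITH_AES_*
    0xC015, 0xC016, 0xC017, 0xC018, 0xC019,          # TLS_ECDH_anon_*
    0x002C, 0x002D, 0x002E,                          # TLS_*PSK_WITH_NULL_SHA
    0x00B0, 0x00B1, 0x00B4, 0x00B5, 0x00B8, 0x00B9,  # TLS_*PSK_WITH_NULL_SHA256/384
])


def parse_cipher_suites(value: str) -> List[int]:
    """Parse a Cipher_Suites value such as "0xC00A,0xC014" into integers,
    rejecting malformed or out-of-range entries."""
    suites = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        suite = int(item, 16)
        if not 0 <= suite <= 0xFFFF:
            raise ValueError(f"cipher suite out of range: {item}")
        suites.append(suite)
    return suites


def select_cipher_suite(server_suites: Sequence[int],
                        client_suites: Sequence[int]) -> Optional[int]:
    """Return the first suite in the client's list that the server also
    allows, or None, which the server answers with a handshake_failure alert.

    Key-type compatibility (the "type" in the text: a DSS suite needs a DSS
    certificate) is assumed to be reflected in the server list already.
    """
    allowed = set(server_suites)
    for suite in client_suites:
        if suite in allowed:
            return suite
    return None


def flag_anon_or_null(server_suites: Sequence[int]) -> List[int]:
    """Suites in a Cipher_Suites list that give no authentication or no
    confidentiality; these should not appear in an EAP-TLS configuration."""
    return [s for s in server_suites if s in ANON_OR_NULL_SUITES]


def format_cipher_suites(suites: Sequence[int]) -> str:
    """Render a list back into the tlsauth.aut syntax."""
    return ",".join(f"0x{s:04X}" for s in suites)


# The two worked examples from the text.
EXAMPLE_1_SERVER = "0xC00A,0xC014,0xC019,0xC009,0xC013,0x00AF,0x00B9,0xC035,0xC09A"
EXAMPLE_1_CLIENT = ("0x0040,0x0033,0x0032,0x0016,0x0013,0x0066,"
                    "0x0035,0x002f,0x0015,0x0012,0x000a,0x0005,0xC014")
EXAMPLE_2_SERVER = "0xC00A,0xC014,0xC019"
EXAMPLE_2_CLIENT = ("0x0039,0x0033,0x0032,0x0016,0x0013,0x0066,0x0035,"
                    "0x002f,0x0015,0x0012,0x000a,0x0005")


def negotiate(server_value: str, client_value: str) -> str:
    """Human-readable outcome for a Cipher_Suites value and a ClientHello list."""
    chosen = select_cipher_suite(parse_cipher_suites(server_value),
                                 parse_cipher_suites(client_value))
    if chosen is None:
        return "handshake_failure"
    return f"0x{chosen:04X} ({SUITE_NAMES.get(chosen, 'see IANA registry')})"


if __name__ == "__main__":
    print("Example 1:", negotiate(EXAMPLE_1_SERVER, EXAMPLE_1_CLIENT))
    print("Example 2:", negotiate(EXAMPLE_2_SERVER, EXAMPLE_2_CLIENT))
    weak = flag_anon_or_null(parse_cipher_suites(EXAMPLE_1_SERVER))
    print("Anon/NULL entries in Example 1 server list:", format_cipher_suites(weak))
```

Running the block prints 0xC014 for Example 1, handshake_failure for Example 2, and lists 0xC019 and 0x00B9 as the entries to remove from the Example 1 server list.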
Table 118: tlsauth.aut [Server_Settings] Syntax
Parameter | Function |
---|---|
TLS_Message_Fragment_Length | Maximum TLS message fragment length (in bytes) that may be generated during each iteration of the TLS exchange. Anecdotal evidence suggests that some Access Points have problems with RADIUS responses or EAP messages that exceed the size of one Ethernet frame (1500 bytes including IP/UDP headers). The default value (1020) keeps the RADIUS challenge response (carried in a UDP packet) within one Ethernet frame and is likely to be the safest setting. A smaller value increases the number of RADIUS challenge/response round-trips required to conclude the TLS exchange: where a value of 1400 may result in 6 round-trips, a value of 500 may result in 15. The minimum value is 500 and the maximum is 4096, but values above 1400 are likely to cause IP fragmentation of the UDP packet, which some RADIUS clients cannot handle. |
Verify_User_Name_Is_Principal_Name | Set to 1 to have the EAP-TLS module check that the User-Name in the RADIUS request matches the Principal Name in the client's certificate. Certificates issued by Microsoft's Windows 2000 Certificate Server typically include a Subject Alternative Name/Other Name attribute whose Principal Name is set to something like user@certtest.acme.com. The Windows XP client that supports EAP-TLS in conjunction with 802.1X extracts this value from the client's certificate and uses it to respond to the Access Point's EAP Identity Request; the Access Point, in turn, sends this value as the RADIUS User-Name attribute in the requests it sends to the RADIUS server. Default value is 0 (no check). |
Return_MPPE_Keys | Setting this parameter to 1 causes the EAP-TLS module to include the RADIUS MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in the final RADIUS Access-Accept sent to the Access Point. The Access Point needs these to key WEP encryption. If the Access Point is authenticating only end users and WEP is not being used, this parameter may be set to 0. Default value is 1. |
DH_Prime_Bits | Specifies the size (in bits) of the prime that the module uses for Diffie-Hellman exponentiation. A larger prime makes the system less susceptible to certain attacks but requires more CPU time for the Diffie-Hellman key agreement. Valid values are 512, 1024, 1536, 2048, 3072, and 4096. Default value is 1024. Note that 512- and 1024-bit groups are below current guidance; use 2048 bits or larger where your clients support it. |
TLS_Protocol_Version | Specifies the TLS protocol version on which the server expects the client to initiate the handshake. Valid values are 31 (TLS 1.0), 32 (TLS 1.1), and 33 (TLS 1.2). Default value is 31. If you set any other value, the default, TLS 1.0 (31), is used. |
Challenge_Timeout | Defines the timeout (in seconds) for a single challenge request. The minimum value is 1 second. The maximum value must be less than or equal to the value of the Max_Transaction_Seconds parameter. Default value is 30. |
Max_Transaction_Seconds | Defines the maximum timeout (in seconds) for a whole EAP-TLS transaction. The minimum value is 1 second and the maximum is 3600 seconds. Default value is 120. |
Cipher_Suites | Specifies the TLS cipher suites (in order of preference) that the server is to use. These cipher suites are documented in RFC 2246 (The TLS Protocol Version 1.0), RFC 4346 (The TLS Protocol Version 1.1), and RFC 5246 (The TLS Protocol Version 1.2). Default value is 0x0067,0x006B,0xC030,0xC028,0xC014,0xC013. See Table 112 for the list of tested cipher suites and their TLS protocol versions. For more information, see Cipher_Suites Parameter. |
Profile | Specifies a profile used to select the attributes sent back in an Access-Accept. By default, no additional attributes are sent back. |
Verify_Client_Certificate_Published | Set to 1 to have the EAP-TLS module check that the client certificate is published in Active Directory for the user's account. Default value is 0 (disabled). |
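The TLS_Message_Fragment_Length row asks you to keep each Access-Challenge inside one Ethernet frame while not driving up the round-trip count. The following added example (not SBR Carrier code) estimates the size of the RADIUS packet that carries one fragment and the number of challenge/response round-trips a server flight of a given size needs. The fixed byte counts are from RFC 2865 (RADIUS header), RFC 2869 (EAP-Message, Message-Authenticator) and RFC 5216 (EAP-TLS header with the length flag set); the 16-byte State attribute and the 7500-byte handshake flight are assumptions, the latter chosen because it reproduces the 6 and 15 round-trip figures quoted in the table.

```python
"""Sizing TLS_Message_Fragment_Length against a single Ethernet frame.

Added illustration, not SBR Carrier code. It estimates the size of the RADIUS
Access-Challenge that carries one EAP-TLS fragment and the number of
challenge/response round-trips a server-to-client TLS flight needs. Fixed
byte counts come from RFC 2865/2869 (RADIUS header, EAP-Message and
Message-Authenticator attributes) and RFC 5216 (EAP-TLS header); the State
attribute length and the handshake size used below are assumptions.
"""
from math import ceil

ETHERNET_PAYLOAD = 1500         # bytes available to IP in one frame
IPV4_UDP_HEADERS = 20 + 8
RADIUS_HEADER = 20              # Code, Identifier, Length, Authenticator
EAP_MESSAGE_PAYLOAD_MAX = 253   # EAP-Message attribute: 255 max minus 2-byte header
MESSAGE_AUTHENTICATOR = 18      # 2-byte header + 16-byte HMAC-MD5
# EAP-TLS with the L (length) flag: EAP Code/Id/Length (4) + Type (1)
# + Flags (1) + TLS Message Length (4)
EAP_TLS_HEADER = 10


def access_challenge_size(fragment_len: int, state_len: int = 16) -> int:
    """RADIUS packet length for a challenge carrying one TLS fragment.

    The EAP packet is split across as many EAP-Message attributes as needed
    (each adds a 2-byte attribute header); a State attribute of the assumed
    length and a Message-Authenticator are included, as is usual for an EAP
    challenge.
    """
    eap_len = EAP_TLS_HEADER + fragment_len
    eap_attr_count = ceil(eap_len / EAP_MESSAGE_PAYLOAD_MAX)
    return (RADIUS_HEADER + eap_len + 2 * eap_attr_count
            + MESSAGE_AUTHENTICATOR + 2 + state_len)


def fits_in_one_frame(fragment_len: int, state_len: int = 16) -> bool:
    """True when the challenge, with IP/UDP headers, stays within 1500 bytes."""
    return access_challenge_size(fragment_len, state_len) + IPV4_UDP_HEADERS <= ETHERNET_PAYLOAD


def max_unfragmented_length(state_len: int = 16, upper: int = 4096) -> int:
    """Largest TLS_Message_Fragment_Length value that still fits one frame."""
    for candidate in range(upper, 0, -1):
        if fits_in_one_frame(candidate, state_len):
            return candidate
    return 0


def round_trips(tls_flight_len: int, fragment_len: int) -> int:
    """Challenge/response round-trips needed to deliver a TLS flight."""
    if fragment_len < 1:
        raise ValueError("fragment length must be positive")
    return ceil(tls_flight_len / fragment_len)


if __name__ == "__main__":
    # Constructed example: a 7500-byte server flight (certificate chain plus the
    # rest of the handshake), which reproduces the 6 vs 15 round-trips in the text.
    for value in (500, 1020, 1400):
        print(f"fragment={value}: challenge={access_challenge_size(value)} bytes, "
              f"fits one frame={fits_in_one_frame(value)}, "
              f"round-trips for 7500-byte flight={round_trips(7500, value)}")
    print("largest value that avoids IP fragmentation:", max_unfragmented_length())
```

With these assumptions the default of 1020 produces a 1096-byte RADIUS packet (1124 bytes on the wire), 1400 already overflows the frame by a few bytes, and the largest safe value is 1394; a larger State attribute or vendor attributes in the challenge lower that ceiling, which is why the table calls 1020 the safest setting.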
[CRL_Checking] Section
The [CRL_Checking] section (Table 119) lets you specify settings that control how Steel-Belted Radius Carrier performs certificate revocation list (CRL) checking.
Table 119: tlsauth.aut [CRL_Checking] Syntax
Parameter | Function |
---|---|
Enable | Specifies whether CRL checking is enabled. Default value is 0 (disabled). |
Retrieval_Timeout | Specifies the time (in seconds) that EAP-TLS waits for a CRL checking transaction to complete when the check involves retrieving a CRL. When retrieval takes longer than this, the user's authentication request is rejected. Default value is 5 seconds. |
Expiration_Grace_Period | Specifies the time (in seconds) after expiration during which a CRL is still considered acceptable. EAP-TLS always attempts to retrieve a new CRL when it is presented with a certificate chain and finds an expired CRL in its cache; if retrieval fails, it treats the expired CRL as an acceptable stand-in from the time the CRL expires until the grace period ends. Default value is 0 (strict expiration mode). |
Allow_Missing_CDP_Attribute | Specifies whether the omission of a CDP (CRL Distribution Point) attribute in a non-root certificate is acceptable. Without a CDP attribute, EAP-TLS does not know where to retrieve a CRL from and cannot perform a revocation check on the certificate. Default value is 1 (allow such certificates and skip CRL checking for them). |
Default_LDAP_Server_Name | Specifies the LDAP server name to use if the CDP contains a value that begins with the string //ldap:\\\. This style of CDP (generated by some CAs) does not include the identity of the LDAP server. Specify the name of the LDAP server that holds the CRLs if you expect to encounter certificates with this style of CDP. If you do not specify a server name and such certificates are encountered, CRL retrieval fails. |
Enable_CRL_Cache_Timeout | Specifies whether the CRL cache timeout is enabled. Valid values are 0 (disabled) and 1 (enabled). After a CRL has expired (because its scheduled expiration time has passed or because the CRL cache timeout has elapsed), Steel-Belted Radius Carrier uses the expiration grace period to determine whether the current CRL may still be used. |
CRL_Cache_Timeout_Period | Specifies the maximum age, in hours, that a CRL can remain in the cache before it is treated as expired. Note: You must set Enable_CRL_Cache_Timeout to 1 or the CRL_Cache_Timeout_Period parameter is ignored. |
LDAP_Bind_Version | Specifies the LDAP protocol version (2 or 3) used when binding to an LDAP server. Default value is 2 (LDAP version 2). |
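The [CRL_Checking] parameters together define one decision path per client certificate: skip the check if CRL checking is off, handle a missing CDP per Allow_Missing_CDP_Attribute, treat a cached CRL as expired when its nextUpdate has passed or (with Enable_CRL_Cache_Timeout set) when it is older than CRL_Cache_Timeout_Period, always try to fetch a fresh CRL in that case, and fall back to the stale copy only within Expiration_Grace_Period. The following added example (not SBR Carrier code) models that path so the interaction of the parameters can be exercised offline. The CDP URL, serial numbers, timestamps and the injected retriever are constructed for the example.

```python
"""The [CRL_Checking] decision path as the parameter descriptions lay it out.

Added illustration, not SBR Carrier code. It models a cached CRL, the two
ways a CRL becomes expired (nextUpdate passed, or CRL_Cache_Timeout_Period
exceeded when Enable_CRL_Cache_Timeout is 1), the retry-then-grace-period
rule, and Allow_Missing_CDP_Attribute. The retriever is injected so the
example runs offline; the CDP URL, serial numbers and times are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass
class CRLSettings:
    enable: bool = False                      # Enable
    retrieval_timeout: int = 5                # Retrieval_Timeout, seconds
    expiration_grace_period: int = 0          # Expiration_Grace_Period, seconds
    allow_missing_cdp_attribute: bool = True  # Allow_Missing_CDP_Attribute
    enable_crl_cache_timeout: bool = False    # Enable_CRL_Cache_Timeout
    crl_cache_timeout_period: int = 0         # CRL_Cache_Timeout_Period, hours


@dataclass
class CachedCRL:
    next_update: datetime    # the CRL's own nextUpdate field
    fetched_at: datetime     # when this copy entered the cache
    revoked: FrozenSet[int]  # revoked certificate serial numbers


# Retriever(cdp_url, timeout_seconds) -> fresh CRL, or None on timeout/failure.
Retriever = Callable[[str, int], Optional[CachedCRL]]

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
CDP = "http://crl.example.test/ca.crl"          # constructed CDP URL


def hours(n: float) -> datetime:
    """T0 plus n hours; builds timelines without datetime arithmetic elsewhere."""
    return T0 + timedelta(hours=n)


def crl_expiry(crl: CachedCRL, settings: CRLSettings) -> datetime:
    """Earliest of nextUpdate and the cache timeout, when the latter is enabled."""
    expiry = crl.next_update
    if settings.enable_crl_cache_timeout:
        expiry = min(expiry, crl.fetched_at + timedelta(hours=settings.crl_cache_timeout_period))
    return expiry


def check_revocation(serial: int, cdp: Optional[str], settings: CRLSettings,
                     cache: Dict[str, CachedCRL], retrieve: Retriever,
                     now: datetime) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason) for one client certificate."""
    if not settings.enable:
        return "accept", "CRL checking disabled"
    if cdp is None:
        if settings.allow_missing_cdp_attribute:
            return "accept", "no CDP attribute; revocation check skipped"
        return "reject", "no CDP attribute"
    crl = cache.get(cdp)
    if crl is None or now >= crl_expiry(crl, settings):
        # Missing or expired: always try to fetch a new CRL first.
        fresh = retrieve(cdp, settings.retrieval_timeout)
        if fresh is not None:
            cache[cdp] = fresh
            crl = fresh
        elif crl is None:
            return "reject", "CRL retrieval failed and nothing cached"
        else:
            grace_end = crl_expiry(crl, settings) + timedelta(seconds=settings.expiration_grace_period)
            if now >= grace_end:
                return "reject", "cached CRL expired beyond Expiration_Grace_Period"
            # Expired but within the grace period: the stale copy is an acceptable stand-in.
    if serial in crl.revoked:
        return "reject", "certificate is on the CRL"
    return "accept", "certificate not on the CRL"


def failing_retriever(cdp: str, timeout: int) -> Optional[CachedCRL]:
    """Simulates a CDP that does not answer within Retrieval_Timeout."""
    return None


def make_cache() -> Dict[str, CachedCRL]:
    """Constructed cache: one CRL fetched an hour before T0, valid until an hour after."""
    return {CDP: CachedCRL(hours(1), hours(-1), frozenset({0x1001}))}


if __name__ == "__main__":
    strict = CRLSettings(enable=True)
    lenient = CRLSettings(enable=True, expiration_grace_period=7200)
    for label, settings, when in (("valid", strict, hours(0)), ("expired, no grace", strict, hours(2)),
                                  ("expired, 2h grace", lenient, hours(2))):
        print(label, check_revocation(0x2002, CDP, settings, make_cache(), failing_retriever, when))
```

The strict default (Expiration_Grace_Period 0) fails closed: once the cached CRL expires and the CDP cannot be reached within Retrieval_Timeout, every certificate under that CA is rejected until retrieval succeeds. A non-zero grace period trades that outage for a window in which a revocation published after the cached CRL's nextUpdate is not seen.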
[Session_Resumption] Section
The [Session_Resumption] section (Table 120) lets you specify whether session resumption is permitted and under what conditions session resumption is performed.
For session resumption to work, the network access server must be configured to handle the Session-Timeout return list attribute, because the network access server must be able to tell the client to reauthenticate after the session timer has expired.
Table 120: tlsauth.aut [Session_Resumption] Syntax
Parameter | Function |
---|---|
Session_Timeout | The maximum number of seconds the client may remain connected to the network access server before it must reauthenticate; returned to the network access server as the Session-Timeout attribute. Default value is 0, in which case the plug-in does not generate the Session-Timeout attribute. Entering a value such as 600 (10 minutes) does not necessarily cause a full reauthentication every 10 minutes: by configuring Resumption_Limit you can make most reauthentications fast and computationally cheap. |
Termination_Action | Specifies the value returned in the Termination-Action attribute for an accepted client. This is a standard RADIUS attribute (RFC 2865) supported by most Access Points and determines what happens when the session timeout is reached. Valid values are -1 (do not send the attribute), 0 (Default), and 1 (RADIUS-Request). Default value is -1. This does not prevent authentication methods performing secondary authorization from providing a value for this attribute. |
Resumption_Limit | The maximum number of seconds after a full authentication during which the client may reauthenticate using TLS session resumption. This type of reauthentication is fast and computationally cheap. It does, however, depend on the earlier full authentication and may not be considered as secure as a complete (computationally expensive) authentication. Specifying 0 disables session resumption. Default value is 0. |
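The three [Session_Resumption] parameters interact: Session_Timeout (via the Session-Timeout attribute) decides how often the network access server forces a reauthentication, and Resumption_Limit decides which of those reauthentications may use the abbreviated TLS handshake instead of a full one. The following added example (not SBR Carrier code) builds the return-list attributes from the settings and walks a timeline of reauthentications to show how many are full and how many are resumptions. That the limit is inclusive, that the NAS reauthenticates exactly when Session-Timeout expires, and that the client keeps its TLS session cache are assumptions of the example.

```python
"""[Session_Resumption] behaviour: what goes on the Access-Accept and when a
reauthentication may use TLS session resumption.

Added illustration, not SBR Carrier code. The attribute values follow the
Session_Timeout and Termination_Action descriptions (0 means no
Session-Timeout, -1 means no Termination-Action); the "resume within
Resumption_Limit seconds of the last full authentication, inclusive" rule is
an assumption about where the boundary falls.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SessionResumptionSettings:
    session_timeout: int = 0      # Session_Timeout, seconds; 0 = attribute not sent
    termination_action: int = -1  # Termination_Action; -1 = attribute not sent
    resumption_limit: int = 0     # Resumption_Limit, seconds; 0 = resumption disabled


TERMINATION_ACTION_NAMES = {0: "Default", 1: "RADIUS-Request"}  # RFC 2865 values


def accept_attributes(settings: SessionResumptionSettings) -> Dict[str, int]:
    """Return-list attributes the EAP-TLS module adds to an Access-Accept."""
    attrs: Dict[str, int] = {}
    if settings.session_timeout > 0:
        attrs["Session-Timeout"] = settings.session_timeout
    if settings.termination_action != -1:
        if settings.termination_action not in TERMINATION_ACTION_NAMES:
            raise ValueError(f"unsupported Termination_Action {settings.termination_action}")
        attrs["Termination-Action"] = settings.termination_action
    return attrs


def reauth_kind(settings: SessionResumptionSettings, seconds_since_full_auth: int,
                has_cached_session: bool = True) -> str:
    """'resume' when the client may use the abbreviated handshake, else 'full'."""
    if settings.resumption_limit == 0 or not has_cached_session:
        return "full"
    if 0 <= seconds_since_full_auth <= settings.resumption_limit:
        return "resume"
    return "full"


def simulate_reauths(settings: SessionResumptionSettings, horizon_seconds: int) -> List[str]:
    """Authentication kinds at t=0 and at every Session-Timeout expiry up to the horizon.

    Assumes the NAS honours Session-Timeout by reauthenticating exactly on time
    and the client keeps its session cache. With Session_Timeout 0 the NAS is
    never told to reauthenticate, so only the initial authentication appears.
    """
    kinds = ["full"]
    last_full = 0
    if settings.session_timeout <= 0:
        return kinds
    t = settings.session_timeout
    while t <= horizon_seconds:
        kind = reauth_kind(settings, t - last_full)
        if kind == "full":
            last_full = t
        kinds.append(kind)
        t += settings.session_timeout
    return kinds


if __name__ == "__main__":
    # Constructed settings: reauthenticate every 10 minutes, allow resumption for an hour.
    s = SessionResumptionSettings(session_timeout=600, termination_action=0, resumption_limit=3600)
    print("Access-Accept attributes:", accept_attributes(s))
    timeline = simulate_reauths(s, 7200)
    print(f"{len(timeline)} authentications in 2h: {timeline.count('full')} full, "
          f"{timeline.count('resume')} resumed")
```

With a 600-second Session_Timeout and a 3600-second Resumption_Limit, two hours of connectivity cost two full handshakes and eleven cheap resumptions. Note that the sample file later on this page sets Resumption_Limit = 3600 but leaves Session_Timeout at 0, so the NAS is never told to reauthenticate; the limit then only governs reconnects the client initiates on its own.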
Sample tlsauth.aut File
```ini
[Server_Settings]
; Note that all trusted root certificates must have a .der file
; extension and must be placed in the ROOT directory immediately
; below the directory containing the SBR 'radius' daemon and the
; radius.ini file.

; Indicates the maximum TLS message fragment length EAP-TLS handles.
; If not specified, this parameter defaults to 1020. It can be set
; as high as 4096, but sizes over 1400 bytes are likely to cause
; fragmentation of the UDP packet carrying the message, and some
; RADIUS clients may be incapable of dealing with this fragmentation.
;TLS_Message_Fragment_Length = 1020

; Indicates whether or not the EAP-TLS module is to check whether the
; User-Name provided in the RADIUS request matches the principal name
; in the client's certificate. The default is not to perform this check.
;Verify_User_Name_Is_Principal_Name = 0

; Indicates whether or not the EAP-TLS module should return the
; MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes upon successfully
; authenticating the user. The default is to return these attributes.
;Return_MPPE_Keys = 1

; Specifies the size of the prime to use for DH modular exponentiation.
; The choices are 512, 1024, 1536, 2048, 3072 and 4096. The default is
; 1024 bits.
;DH_Prime_Bits = 1024

; Specifies the TLS cipher suites that the server is to use. These
; cipher suites are documented in RFC 2246 and other TLS-related RFCs
; or draft RFCs.
;Cipher_Suites = 0x0067,0x006B,0xC030,0xC028,0xC014,0xC013

; Specifies the TLS protocol version on which the server expects the
; client to initiate the handshake process. Allowed values are 31, 32
; and 33.
;TLS_Protocol_Version = 31

; Specifies a profile that is to be used to select attributes sent back
; on an Access-Accept. The default is not to send any additional
; attributes.
;Profile = <profile-name>

[CRL_Checking]
; Specifies whether CRL checking is to be enabled. The default is to
; disable CRL checking.
;Enable = 0

; Specifies the time (in seconds) that EAP-TLS waits for a CRL checking
; transaction to complete when the CRL check involves a CRL retrieval.
; When CRL retrieval takes longer than the specified time, the user's
; authentication request results in a reject. The default value is
; 5 seconds.
;Retrieval_Timeout = 5

; Specifies the time (in seconds) after expiration during which a CRL
; is still considered acceptable. EAP-TLS always attempts to retrieve a
; new CRL when it is presented with a certificate chain and it finds an
; expired CRL in its cache. EAP-TLS considers the expired CRL an
; acceptable stand-in from the time the CRL expires to the time the
; grace period ends.
;Expiration_Grace_Period = 0

; Specifies whether the omission of a CDP attribute in a non-root
; certificate is acceptable. Without a CDP attribute, EAP-TLS does not
; know where to retrieve a CRL from and is not able to perform a
; revocation check on the certificate. The default is to allow such
; certificates and to skip CRL checking for them.
;Allow_Missing_CDP_Attribute = 1

; Specifies what LDAP server name to use if the CDP contains a value
; that begins with the string "//ldap:\\\". This style of CDP
; (generated by some CAs) does not include the identity of the LDAP
; server. Specify the name of the LDAP server that contains the CRLs
; if you expect to encounter certificates with this style of CDP. If
; you don't specify a server name and such certificates are
; encountered, the CRL retrieval fails.
;Default_LDAP_Server_Name =

[Session_Resumption]
; Specifies the maximum length of time (in seconds) the RAS/AP is
; instructed to allow the session to persist before the client is
; asked to reauthenticate. Specifying 0 causes the Session-Timeout
; attribute not to be generated by the plug-in. The default is 0.
;Session_Timeout = 0

; Specifies the value to return for the Termination-Action attribute
; sent for an accepted client. If omitted in this file, the
; Termination-Action attribute is not sent.
Termination_Action = 0

; Specifies the length of time (in seconds) during which an
; authentication request that seeks to resume a previous TLS session
; is considered acceptable. Specifying 0 causes session resumption
; support to be disabled. The default is 0.
Resumption_Limit = 3600
```