peapauth.aut File

Settings for the EAP-PEAP plug-in are stored in the peapauth.aut file. The peapauth.aut configuration file is read each time the Steel-Belted Radius Carrier server receives a SIGHUP (1) signal.

Note

Use the Web GUI to maintain settings in the peapauth.aut file. Do not edit the peapauth.aut file manually.

[Bootstrap] Section

The [Bootstrap] section of the peapauth.aut file (Table 111) specifies information that Steel-Belted Radius Carrier uses to load the EAP-PEAP authentication method.

Table 111: peapauth.aut [Bootstrap] Syntax

Parameter

Function

LibraryName

Specifies the name of the shared library that implements the EAP-PEAP module. Default value is peapauth.so.

Enable

Specifies whether the EAP-PEAP authentication module is enabled.

  • If set to 0, EAP-PEAP is disabled.

  • If set to 1, EAP-PEAP is enabled.

Default value is 0.

InitializationString

Specifies the name of the EAP-PEAP authentication method.

The name of each authentication method must be unique. If you create additional .aut files to implement authentication against multiple databases, the InitializationString value in each file must specify a unique method name.

Default value is EAP-PEAP.

[Server_Settings] Section

The [Server_Settings] section (Table 113) lets you configure the basic operation of the EAP-PEAP plug-in.

Cipher_Suites Parameter

The Cipher_Suites parameter, defined in the peapauth.aut [Server_Settings] section, specifies the cipher suites (in order of preference) that the server uses for EAP-PEAP. Table 112 lists the tested cipher suites and their TLS protocol versions.

Table 112: Tested Cipher Suites

Cipher suite IDs are the IANA TLS Cipher Suite registry values; the registry names are given for reference.

Tested Cipher Suite   IANA Name                                 TLS Protocol Version
0xC013                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA        TLS 1.0
0xC014                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA        TLS 1.0
0x003C                TLS_RSA_WITH_AES_128_CBC_SHA256           TLS 1.2
0x003D                TLS_RSA_WITH_AES_256_CBC_SHA256           TLS 1.2
0x0067                TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       TLS 1.2
0x006B                TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       TLS 1.2
0x009C                TLS_RSA_WITH_AES_128_GCM_SHA256           TLS 1.2
0x009D                TLS_RSA_WITH_AES_256_GCM_SHA384           TLS 1.2
0x009E                TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       TLS 1.2
0x009F                TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       TLS 1.2
0xC027                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     TLS 1.2
0xC028                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     TLS 1.2
0xC02F                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     TLS 1.2
0xC030                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     TLS 1.2

Note

SBR Carrier does not provide support for TLSv1.3.

SBR Carrier also accepts the following weak cipher suites: 0x002F, 0x0033, 0x0035, 0x0039, 0x003C, and 0x003D. They are not enabled by default; to use one of them you must list it explicitly in the Cipher_Suites parameter. (0x003C and 0x003D also appear in Table 112 as tested suites.)

When SBR Carrier receives a PEAP message, it compares the cipher suites in the client's message against the cipher suites defined in this parameter. The match is selected by suite type (for example, DSS) and by the order of preference in the client's cipher suite list: the first suite in the client's list that also appears in the server's list is chosen. If there is no match, SBR Carrier returns a handshake failure alert and closes the connection. The following examples illustrate the selection process:

Example 1

SBR Carrier cipher suite list defined in Cipher_Suites parameter:

0xC00A,0xC014,0xC019,0xC009,0xC013,

0x00AF,0x00B9,0xC035,0xC09A

Client cipher suite list:

0x0040,0x0033,0x0032,0x0016,0x0013,0x0066,

0x0035,0x002f,0x0015,0x0012,0x000a,0x0005,0xC014

Match found: 0xC014

In this example SBR Carrier selects 0xC014 because it is the first algorithm listed in the client cipher suite list that is also listed in the SBR Carrier cipher suite list, and because the type is also a match.

Example 2

SBR Carrier cipher suite list defined in Cipher_Suites parameter:

0xC00A,0xC014,0xC019

Client cipher suite list:

0x0039,0x0033,0x0032,0x0016,0x0013,0x0066,0x0035,

0x002f,0x0015,0x0012,0x000a,0x0005

Match found: none; the handshake fails.
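The selection rule above, together with a check of a [Server_Settings] fragment against the lists on this page, as an added Python example. This is the editor's code, not part of Juniper's documentation or of SBR Carrier. It assumes peapauth.aut is a plain Key=Value INI file that configparser can read; the sample fragment is constructed, the DHE-suite set comes from the IANA registry, and the 2048-bit DH threshold is the editor's recommendation rather than a value from the page.

```python
"""Cipher suite negotiation and a configuration check for peapauth.aut [Server_Settings].

Added example by the editor; not part of Juniper's documentation or software.
Assumes peapauth.aut is a plain Key=Value INI file readable by configparser.
"""
import configparser
from typing import Iterable, List, Optional

# Tested cipher suites from Table 112: IANA suite ID -> TLS version listed on the page.
TESTED_SUITES = {
    0xC013: "TLS 1.0", 0xC014: "TLS 1.0",
    0x003C: "TLS 1.2", 0x003D: "TLS 1.2", 0x0067: "TLS 1.2", 0x006B: "TLS 1.2",
    0x009C: "TLS 1.2", 0x009D: "TLS 1.2", 0x009E: "TLS 1.2", 0x009F: "TLS 1.2",
    0xC027: "TLS 1.2", 0xC028: "TLS 1.2", 0xC02F: "TLS 1.2", 0xC030: "TLS 1.2",
}
# Weak suites that SBR Carrier accepts only when listed explicitly in Cipher_Suites.
WEAK_SUITES = {0x002F, 0x0033, 0x0035, 0x0039, 0x003C, 0x003D}
# DHE_RSA suites (IANA registry); their key exchange uses the DH_Prime_Bits group.
DHE_SUITES = {0x0033, 0x0039, 0x0067, 0x006B, 0x009E, 0x009F}
VALID_DH_BITS = {512, 1024, 1536, 2048, 3072, 4096}
DEFAULT_SUITES = "0x0067,0x006B,0xC030,0xC028,0xC014,0xC013"

# Constructed sample fragment (not a file shipped with the product).
SAMPLE_AUT = """
[Bootstrap]
LibraryName=peapauth.so
Enable=1
InitializationString=EAP-PEAP

[Server_Settings]
TLS_Protocol_Version=31
DH_Prime_Bits=1024
Cipher_Suites=0x0067,0x006B,0xC030,0xC028,0xC014,0xC013,0x003D
"""


def parse_suites(text: str) -> List[int]:
    """Parse '0x0067,0x006B,...' into suite IDs, keeping order and dropping duplicates."""
    suites: List[int] = []
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        suite = int(token, 16)
        if not 0 <= suite <= 0xFFFF:
            raise ValueError(f"cipher suite id out of range: {token}")
        if suite not in suites:
            suites.append(suite)
    return suites


def select_suite(server: Iterable[int], client: Iterable[int]) -> Optional[int]:
    """Selection rule described for Cipher_Suites: walk the client's list in the
    client's order and return the first suite the server also lists.
    None means no match, i.e. a handshake_failure alert and the connection is closed."""
    allowed = set(server)
    for suite in client:
        if suite in allowed:
            return suite
    return None


def lint_server_settings(aut_text: str) -> List[str]:
    """Return findings for a [Server_Settings] fragment, using the page's defaults
    when a parameter is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep parameter names case-sensitive
    cp.read_string(aut_text)
    section = cp["Server_Settings"]
    findings: List[str] = []

    suites = parse_suites(section.get("Cipher_Suites", DEFAULT_SUITES))
    tls_version = section.get("TLS_Protocol_Version", "31").strip()
    dh_bits = int(section.get("DH_Prime_Bits", "1024"))

    if not suites:
        findings.append("Cipher_Suites is empty; every PEAP handshake will fail")
    for suite in suites:
        if suite in WEAK_SUITES:
            findings.append(f"weak cipher suite 0x{suite:04X} is explicitly enabled")
        elif suite not in TESTED_SUITES:
            findings.append(f"cipher suite 0x{suite:04X} is not in the tested list (Table 112)")
    if tls_version not in ("31", "32", "33"):
        findings.append(f"TLS_Protocol_Version={tls_version} is invalid; the server falls back to 31 (TLS 1.0)")
    if dh_bits not in VALID_DH_BITS:
        findings.append(f"DH_Prime_Bits={dh_bits} is not one of {sorted(VALID_DH_BITS)}")
    elif dh_bits < 2048 and any(suite in DHE_SUITES for suite in suites):
        # Editor's threshold: 2048 bits is the usual minimum for finite-field DH today.
        findings.append(f"DH_Prime_Bits={dh_bits} with DHE suites enabled; use 2048 or larger")
    return findings


if __name__ == "__main__":
    for finding in lint_server_settings(SAMPLE_AUT):
        print("-", finding)
```

Run against the constructed fragment, the check reports the explicitly enabled weak suite 0x003D and the 1024-bit DH group used by the DHE suites 0x0067 and 0x006B; select_suite reproduces Example 1 (0xC014) and Example 2 (no match).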

Table 113: peapauth.aut [Server_Settings] Syntax

Parameter

Function

TLS_Message_Fragment_Length

Sets the maximum TLS message length that may be generated during each iteration of the TLS exchange.

Some Access Points may have problems with RADIUS responses or EAP messages that exceed the size of one Ethernet frame (1500 bytes including IP/UDP headers).

The default value (1020) prevents the RADIUS challenge response (carried in a UDP packet) from exceeding one Ethernet frame. This is likely to be the safest setting.

Setting a smaller value affects the number of RADIUS challenge/response round-trips required to conclude the TLS exchange. While a value of 1400 may result in 6 round-trips, a value of 500 may result in 15 round-trips.

The minimum value is 500.

Return_MPPE_Keys

Setting this attribute to 1 causes the module to include the RADIUS MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in the final Access-Accept response sent to the Access Point. The Access Point needs these keys to key link-layer encryption (WEP, or the pairwise master key in WPA/WPA2-Enterprise).

Set this attribute to 0 only if the Access Point is authenticating end users and does not key link-layer encryption from RADIUS; with WPA2-Enterprise the keys are required.

Default value is 1.

Challenge_Timeout

This parameter defines the timeout (in seconds) for a particular challenge request.

Minimum value for the parameter is 1 second.

Maximum value must be less than or equal to the value of the Max_Transaction_Seconds parameter.

Default value is 30.

Max_Transaction_Seconds

This parameter defines the maximum timeout (in seconds) for a transaction.

Minimum value for the parameter is 1 second.

Maximum value for the parameter is 3600 seconds.

Default value is 120.

TLS_Protocol_Version

Specifies the TLS protocol version on which the server expects the client to initiate the handshake process. The value can be one of the following:

  • 31—TLS protocol version 1.0

  • 32—TLS protocol version 1.1

  • 33—TLS protocol version 1.2

Default value is 31.

If you set a value other than 31, 32, or 33, the default, TLS 1.0 (31), is used. TLS 1.0 and 1.1 are deprecated (RFC 8996), and all but two of the tested cipher suites in Table 112 require TLS 1.2; set 33 unless you must support supplicants that cannot negotiate TLS 1.2.

DH_Prime_Bits

Specifies the size, in bits, of the prime that the module uses for Diffie-Hellman key agreement. A larger prime makes the exchange less susceptible to certain attacks but costs more CPU per key agreement. The DHE cipher suites in the default Cipher_Suites list (0x0067 and 0x006B) use this group.

Valid values are 512, 1024, 1536, 2048, 3072, and 4096.

Default value is 1024. Groups of 512 and 1024 bits are below current guidance for finite-field Diffie-Hellman; use 2048 or larger unless a supplicant cannot handle it.

Cipher_Suites

Specifies the TLS cipher suites (in order of preference) that the server is to use. These cipher suites are documented in RFC 2246 (The TLS Protocol Version 1.0), RFC 4346 (The Transport Layer Security (TLS) Protocol Version 1.1), and RFC 5246 (The Transport Layer Security (TLS) Protocol Version 1.2).

Default value is: 0x0067,0x006B,0xC030,0xC028,0xC014,0xC013.

See Table 112 for the list of tested cipher suites and their TLS protocol versions.

For more information see Cipher_Suites Parameter.

PEAP_Min_Version

Specifies the minimum version of the PEAP protocol that the server negotiates:

  • If set to 0, the server negotiates version 0.

  • If set to 1, the server negotiates version 1.

Default value is 0.

Note: The value entered in this setting must be less than or equal to the value entered for the PEAP_Max_Version setting.

PEAP_Max_Version

Specifies the maximum version of the PEAP protocol that the server negotiates:

  • If set to 0, the server negotiates version 0.

  • If set to 1, the server negotiates version 1.

Default value is 1.

Note: The value entered in this parameter must be equal to or greater than the value entered for PEAP_Min_Version.

[Inner_Authentication] Section

The [Inner_Authentication] section (Table 114) lets you specify the way in which the inner authentication step is to operate.

Table 114: peapauth.aut [Inner_Authentication] Syntax

Parameter

Function

Directed_Realm

Omitting this setting causes the inner authentication request to be handled like any other request received from a RAS.

Specifying the name of a directed realm causes the request to be routed based on the methods listed in the directed realm.

Default is to process the inner authentication through standard request processing.

Note

The filters named in these settings must be defined in the filter.ini file.

[Request Filters] Section

Request filters (Table 115) affect the attributes of inner authentication requests.

Table 115: peapauth.aut [Request Filters] Syntax

Parameter

Function

Transfer_Outer_Attribs_to_New

This filter affects only a new inner authentication request (rather than continuations of previous requests).

If this filter is specified, all attributes from the outer request are transferred to the inner request and this filter is applied. The transfer occurs and the filter is applied before any attributes specified in the inner authentication are added to the request.

If this filter is not specified, no attributes from the outer request are transferred to the inner request.

Transfer_Outer_Attribs_to_Continue

This filter affects only a continued inner authentication request (rather than the first inner authentication request).

If this filter is specified, all attributes from the outer request are transferred to the inner request and this filter is applied. The transfer occurs and the filter is applied before any attributes specified in the inner authentication are added to the request.

If this filter is not specified, no attributes from the outer request are transferred to the inner request.

Edit_New

This filter affects only a new inner authentication request (rather than continuations of previous requests).

If this filter is specified, it is applied to the inner request that is the cumulative result of attributes transferred from the outer request (see Transfer_Outer_Attribs_to_New in this table) and attributes included in the inner authentication request sent through the tunnel by the client.

If this filter is not specified, the request remains unaltered.

Edit_Continue

This filter affects only a continued inner authentication request (rather than a new inner authentication request).

If this filter is specified, it is applied to the inner request that is the cumulative result of attributes transferred from the outer request (see Transfer_Outer_Attribs_to_Continue in this table) and attributes included in the inner authentication request sent through the tunnel by the client.

If this filter is not specified, the request remains unaltered.

Note

The filters named in these settings must be defined in the filter.ini file.

[Response Filters] Section

Response filters (Table 116) affect the attributes in the responses returned to authentication requests.

Table 116: peapauth.aut [Response Filters] Syntax

Parameter

Function

Transfer_Inner_Attribs_To_Accept

This filter affects only an outer Access-Accept response that is sent back to a network access server.

If this filter is specified, the filter is applied to the inner authentication response and all resulting attributes are transferred to the outer authentication response.

If this filter is not specified, no inner authentication response attributes are transferred to the outer authentication response.

Transfer_Inner_Attribs_To_Reject

This filter affects only an outer Access-Reject response that is sent back to a network access server.

If this filter is specified, the filter is applied to the inner authentication response and all resulting attributes are transferred to the outer authentication response.

If this filter is not specified, no inner authentication response attributes are transferred to the outer authentication response.

Note

The filters named in these settings must be defined in the filter.ini file.
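The order in which the request filters of Table 115 and the response filters of Table 116 are applied, as an added Python model written by the editor (not Juniper code, and not the filter.ini syntax, which is not modelled). Filters are plain Python functions; the attribute sets are constructed sample data, and the rule that a tunneled attribute wins over an outer attribute of the same name is an assumption made here so that the outer anonymous User-Name cannot replace the identity presented inside the tunnel.

```python
"""Model of the peapauth.aut request and response filter pipeline.

Added example by the editor; not Juniper code. Filters are plain Python functions
standing in for filters defined in filter.ini, whose syntax is not modelled here.
"""
from typing import Callable, Dict, Optional

Attrs = Dict[str, str]
Filter = Callable[[Attrs], Attrs]


def allow_only(*names: str) -> Filter:
    """A filter that keeps only the named attributes and drops everything else."""
    def apply(attrs: Attrs) -> Attrs:
        return {k: v for k, v in attrs.items() if k in names}
    return apply


def build_inner_request(outer: Attrs, tunneled: Attrs, is_new: bool,
                        transfer_new: Optional[Filter] = None,
                        transfer_continue: Optional[Filter] = None,
                        edit_new: Optional[Filter] = None,
                        edit_continue: Optional[Filter] = None) -> Attrs:
    """Order described in Table 115:
    1. If the applicable Transfer_Outer_Attribs filter is set, copy every outer
       attribute and run that filter; otherwise the inner request starts empty.
    2. Add the attributes the client sent inside the TLS tunnel.
    3. Run the applicable Edit filter, if set."""
    transfer = transfer_new if is_new else transfer_continue
    edit = edit_new if is_new else edit_continue
    inner: Attrs = transfer(dict(outer)) if transfer else {}
    # Assumption: on a name clash the tunneled value wins, so the outer (anonymous)
    # User-Name never replaces the identity the client presented inside the tunnel.
    inner.update(tunneled)
    return edit(inner) if edit else inner


def build_outer_response(code: str, inner_response: Attrs,
                         to_accept: Optional[Filter] = None,
                         to_reject: Optional[Filter] = None) -> Attrs:
    """Table 116: inner response attributes reach the NAS only through the filter
    configured for the outer Access-Accept or Access-Reject; with no filter, none do."""
    flt = to_accept if code == "Access-Accept" else to_reject
    return flt(dict(inner_response)) if flt else {}


# Constructed sample data (not captured traffic).
OUTER_REQUEST: Attrs = {
    "User-Name": "anonymous@example.net",      # outer identity, sent in the clear
    "NAS-IP-Address": "192.0.2.10",
    "Calling-Station-Id": "00-11-22-33-44-55",
    "NAS-Port-Type": "Wireless-802.11",
}
TUNNELED_REQUEST: Attrs = {
    "User-Name": "alice@example.net",           # real identity, inside the tunnel
    "EAP-Message": "<inner EAP-MSCHAPv2 payload>",
}
INNER_RESPONSE: Attrs = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-Id": "42",
    "Reply-Message": "welcome alice",           # must not be copied out to the NAS
}
KEEP_NAS_CONTEXT = allow_only("NAS-IP-Address", "Calling-Station-Id", "NAS-Port-Type")
KEEP_VLAN = allow_only("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")


def demo() -> Dict[str, Attrs]:
    """Run the pipeline for a new and a continued inner request and for both
    outer response codes, with only the _New and _To_Accept filters configured."""
    return {
        "inner_new": build_inner_request(OUTER_REQUEST, TUNNELED_REQUEST, True,
                                         transfer_new=KEEP_NAS_CONTEXT),
        "inner_continue": build_inner_request(OUTER_REQUEST, TUNNELED_REQUEST, False,
                                              transfer_new=KEEP_NAS_CONTEXT),
        "accept": build_outer_response("Access-Accept", INNER_RESPONSE, to_accept=KEEP_VLAN),
        "reject": build_outer_response("Access-Reject", INNER_RESPONSE, to_accept=KEEP_VLAN),
    }


if __name__ == "__main__":
    for name, attrs in demo().items():
        print(name, attrs)
```

The new inner request carries the NAS context from the outer request plus the tunneled identity; the continued request gets nothing from the outer request because no Transfer_Outer_Attribs_to_Continue filter is configured; the outer Access-Accept receives only the VLAN attributes; and the outer Access-Reject carries no inner attributes at all because no Transfer_Inner_Attribs_To_Reject filter is set.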

[Session_Resumption] Section

The [Session_Resumption] section (Table 117) lets you specify whether session resumption is permitted and under what conditions session resumption is performed.

Note

For session resumption to work, the network access server must be configured to handle the Session-Timeout return list attribute, because the network access server must be able to tell the client to reauthenticate after the session timer has expired.

Table 117: peapauth.aut [Session_Resumption] Syntax

Parameter

Function

Session_Timeout

Set this attribute to the maximum number of seconds you want the client to remain connected to the network access server before having to reauthenticate.

  • If set to a number greater than 0, the lesser of this value and the remaining resumption limit (see Resumption_Limit below) is sent to the RADIUS client in a Session-Timeout attribute on the Access-Accept response.

  • If set to 0, the plug-in generates no Session-Timeout attribute. This does not prevent the authentication methods performing secondary authorization from providing a value for this attribute.

Default value is 0.

Entering a value such as 600 (10 minutes) does not necessarily cause a full reauthentication to occur every 10 minutes. You can configure the resumption limit to make most reauthentications fast and computationally cheap.

Termination_Action

Specifies the value to return in the Termination-Action attribute sent for an accepted client. This is a standard RADIUS attribute (RFC 2865) supported by most Access Points and determines what happens when the session timeout is reached. Valid values are:

  • -1: Do not send the attribute.

  • 0: Send the Termination-Action attribute with a value of 0 (Default).

  • 1: Send the Termination-Action attribute with a value of 1 (RADIUS-Request: when the session expires, the NAS sends a new Access-Request, including the State attribute from the Accept, if any).

Default value is -1. This does not prevent the authentication methods performing secondary authorization from providing a value for this attribute.

Resumption_Limit

Set this attribute to the maximum number of seconds you want the client to be able to reauthenticate using the TLS session resumption feature.

This type of reauthentication is fast and computationally cheap. It does, however, depend on previous authentications and may not be considered as secure as a complete (computationally expensive) authentication. Specifying a value of 0 disables the session resumption feature.

Default value is 0.