ttlsauth.aut File
Use the Web GUI to maintain settings in the ttlsauth.aut file. Do not edit the ttlsauth.aut file manually.
Settings for the EAP-TTLS authentication method are stored in the ttlsauth.aut file. The ttlsauth.aut configuration file is read each time the Steel-Belted Radius Carrier server receives a SIGHUP (1) signal.
[Bootstrap] Section
The [Bootstrap] section of the ttlsauth.aut file (Table 125) specifies information that Steel-Belted Radius Carrier uses to load the EAP-TTLS authentication method.
Table 125: ttlsauth.aut [Bootstrap] Syntax
Parameter | Function |
---|---|
LibraryName | Specifies the name of the shared library that implements the EAP-TTLS method. Default value is ttlsauth.so. |
Enable | Specifies whether the EAP-TTLS authentication module is enabled.
Default value is 0. |
InitializationString | Specifies the name of the EAP-TTLS authentication method. The name of each authentication method must be unique. If you create additional .aut files to implement authentication against multiple databases, the InitializationString value in each file must specify a unique method name. Default value is EAP-TTLS. |
[Server_Settings] Section
The [Server_Settings] section (Table 126) lets you configure the basic operation of the EAP-TTLS plug-in.
Cipher_Suites Parameter
The Cipher_Suites parameter in the ttlsauth.aut [Server_Settings] section specifies the TLS cipher suites (in order of preference) that the server uses for TTLS. When SBR Carrier receives a TTLS message, it compares the cipher suites offered in the client message with the cipher suites defined in this parameter. The match is selected based on both type (for example, DSS) and the order of preference in the client's cipher suite list. If no match is found, SBR Carrier returns a TLS handshake failure alert and closes the connection. Following are two examples of the selection process:
Example 1
SBR Carrier cipher suite list defined in Cipher_Suites parameter:
0xC00A,0xC014,0xC019,0xC009,0xC013,
0x00AF,0x00B9,0xC035,0xC09A
Client cipher suite list:
0x0040,0x0033,0x0032,0x0016,0x0013,0x0066,0x0035,
0x002f,0x0015,0x0012,0x000a,0x0005,0xC014
Match found: 0xC014
In this example SBR Carrier selects 0xC014 because it is the first algorithm listed in the client cipher suite list that is also listed in the SBR Carrier cipher suite list, and because the type is also a match.
Example 2
SBR Carrier cipher suite list defined in Cipher_Suites parameter:
0xC00A,0xC014,0xC019
Client cipher suite list:
0x0039,0x0033,0x0032,0x0016,0x0013,0x0066,
0x0035,0x002f,0x0015,0x0012,0x000a,0x0005
Match found: none; SBR Carrier returns a handshake failure alert and closes the connection.
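The selection rule shown in the two examples, as an added Python illustration that is not SBR Carrier code: it models only the ordering rule the text states (the first suite in the client's list that the server also lists) and not the "type" compatibility check. The `parse_suites` function accepts the comma-separated hex form used by the Cipher_Suites parameter, and `weak_suites` is an added check that flags anonymous or NULL-encryption suites in a configured list; the name table is a constructed subset of the IANA registry, so unknown IDs are reported as hex.

```python
"""Cipher suite negotiation as described for the Cipher_Suites parameter.

Added illustration, not SBR Carrier code: it models only the ordering rule
the text describes (first suite in the client's list that the server also
lists) and does not model the "type" (key-exchange) compatibility check.
"""

# Constructed subset of the IANA TLS cipher suite registry; anything not
# listed here is reported by its hex ID.
SUITE_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0x00B9: "TLS_RSA_PSK_WITH_NULL_SHA384",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC019: "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def parse_suites(value):
    """Parse a Cipher_Suites-style value ("0xC00A,0xC014,...") into a list of ints.

    Accepts upper- or lower-case hex and ignores whitespace and line breaks;
    duplicates are dropped so a suite counts once, at its first position.
    """
    seen = []
    for tok in value.replace("\n", ",").split(","):
        tok = tok.strip()
        if not tok:
            continue
        suite = int(tok, 16)
        if not 0 <= suite <= 0xFFFF:
            raise ValueError(f"cipher suite out of range: {tok}")
        if suite not in seen:
            seen.append(suite)
    return seen


def suite_name(suite):
    return SUITE_NAMES.get(suite, f"0x{suite:04X}")


def select_suite(server_list, client_list):
    """Return the negotiated suite, or None for a handshake failure.

    Walks the client's list in the client's order of preference and picks the
    first suite the server also lists, which is what the examples in the text show.
    """
    server_set = set(server_list)
    for suite in client_list:
        if suite in server_set:
            return suite
    return None


def weak_suites(server_list):
    """Flag configured suites that provide no peer authentication or no encryption."""
    flagged = []
    for suite in server_list:
        name = suite_name(suite)
        if "_anon_" in name or "_WITH_NULL_" in name:
            flagged.append(name)
    return flagged


# The lists from Example 1 and Example 2 in the text.
EXAMPLE1_SERVER = "0xC00A,0xC014,0xC019,0xC009,0xC013,0x00AF,0x00B9,0xC035,0xC09A"
EXAMPLE1_CLIENT = ("0x0040,0x0033,0x0032,0x0016,0x0013,0x0066,0x0035,"
                   "0x002f,0x0015,0x0012,0x000a,0x0005,0xC014")
EXAMPLE2_SERVER = "0xC00A,0xC014,0xC019"
EXAMPLE2_CLIENT = ("0x0039,0x0033,0x0032,0x0016,0x0013,0x0066,"
                   "0x0035,0x002f,0x0015,0x0012,0x000a,0x0005")

if __name__ == "__main__":
    for label, srv, cli in (("Example 1", EXAMPLE1_SERVER, EXAMPLE1_CLIENT),
                            ("Example 2", EXAMPLE2_SERVER, EXAMPLE2_CLIENT)):
        chosen = select_suite(parse_suites(srv), parse_suites(cli))
        print(label, "->", suite_name(chosen) if chosen else "handshake failure")
        print("  weak suites in server list:", weak_suites(parse_suites(srv)))
```

Running it reproduces the two results from the text (0xC014 for Example 1, a handshake failure for Example 2). Note that the Example 1 server list contains an anonymous ECDH suite and a NULL-encryption PSK suite, which the added check flags; the documented default list is free of both.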
Table 126: ttlsauth.aut [Server_Settings] Syntax
Parameter | Function |
---|---|
TLS_Message_Fragment_Length | Specifies the maximum size TTLS message length that may be generated during each iteration of the TTLS exchange. This value affects the number of RADIUS challenge/response round-trips required to conclude the TLS exchange. A value of 1400 may result in 6 round-trips, while a value of 500 may result in 15 round-trips. Some Access Points may have problems with RADIUS responses or EAP messages that exceed the size of one Ethernet frame (1500 bytes including IP/UDP headers). Minimum value is 500. Maximum value is 4096. Default value is 1020, which prevents the RADIUS challenge response (carried in a UDP packet) from exceeding one Ethernet frame. |
Return_MPPE_Keys | Setting this attribute to 1 causes the module to include RADIUS MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in the final RADIUS Accept response sent to the Access Point. This is necessary for the Access Point to key the WEP encryption. If the Access Point is authenticating only end users and WEP is not being used, this attribute may be set to 0. For the optional WiMAX mobility module, set this to 0. Default value is 1. |
TLS_Protocol_Version | Specifies the TLS protocol version on which the server expects the client to initiate the handshake process. The value can be one of the following: 31 (TLS 1.0), 32 (TLS 1.1), or 33 (TLS 1.2). Default value is 31. If you set a value other than 31, 32, or 33, the default, TLS protocol version 1.0 (31), is used. |
DH_Prime_Bits | Specifies the size of the prime number that the module uses for Diffie-Hellman exponentiation. Selecting a larger prime number makes the system less susceptible to certain types of attacks but requires more CPU processing to compute the Diffie-Hellman key agreement operation. Valid values are 512, 1024, 1536, 2048, 3072, and 4096. Default value is 1024. |
Cipher_Suites | Specifies the TLS cipher suites (in order of preference) that the server uses. These cipher suites are documented in RFC 2246, The TLS Protocol Version 1, RFC 4346, The TLS Protocol Version 1.1, and RFC 5246, The TLS Protocol Version 1.2. For more information see Cipher_Suites Parameter. Default value is: 0x0067,0x006B,0xC030,0xC028,0xC014,0xC013. See Table 112 for the list of tested cipher suites and their TLS protocol versions. |
Require_Client_Certificate | Default value is 0. |
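A sizing check for TLS_Message_Fragment_Length, as an added Python illustration that is not SBR Carrier code. It assumes the parameter bounds the TLS bytes carried in one EAP-TTLS packet, that every Access-Challenge carries a State attribute of an assumed 18 bytes plus Message-Authenticator, and nothing else unless passed in; header sizes are taken from RFC 2865 (RADIUS, 253-byte attribute payload), RFC 3748 (EAP) and RFC 5281 (EAP-TTLS). The 7200-byte server flight is constructed so that the round-trip counts match the 6 and 15 the table quotes for 1400 and 500.

```python
"""Sizing check for TLS_Message_Fragment_Length.

Added illustration, not SBR Carrier code. Assumes the parameter bounds the
TLS bytes in one EAP-TTLS packet and that each Access-Challenge carries a
State attribute of STATE_ATTR_LEN bytes (assumed) and Message-Authenticator.
"""
import math

IP_UDP_HEADERS = 20 + 8        # IPv4 + UDP
RADIUS_HEADER = 20             # Code, Identifier, Length, Authenticator (RFC 2865)
ATTR_OVERHEAD = 2              # Type and Length bytes of each attribute
ATTR_MAX_PAYLOAD = 255 - 2     # a RADIUS attribute is at most 255 bytes in total
MESSAGE_AUTHENTICATOR = 18     # 2-byte header + 16-byte HMAC-MD5
STATE_ATTR_LEN = 18            # assumed: 2-byte header + 16-byte opaque value
EAP_HEADER = 4                 # Code, Identifier, Length (RFC 3748)
EAP_TTLS_TYPE_FLAGS = 2        # Type (21) + Flags byte (RFC 5281)
EAP_TTLS_MSG_LEN = 4           # Message Length field, present when the L flag is set
ETHERNET_MTU = 1500
MIN_FRAGMENT, MAX_FRAGMENT = 500, 4096   # documented bounds of the parameter


def eap_ttls_packet_len(fragment, first=True):
    """Size of one EAP-TTLS packet carrying `fragment` TLS bytes.

    The first fragment of a TLS message carries the 4-byte Message Length
    field (L flag set); later fragments do not.
    """
    return EAP_HEADER + EAP_TTLS_TYPE_FLAGS + (EAP_TTLS_MSG_LEN if first else 0) + fragment


def radius_challenge_len(fragment, first=True, extra_attr_bytes=0):
    """UDP payload of the Access-Challenge: the EAP packet split into 253-byte
    EAP-Message attributes, plus State, Message-Authenticator and any other
    attributes (`extra_attr_bytes`, counted with their 2-byte headers)."""
    eap = eap_ttls_packet_len(fragment, first)
    n_eap_message_attrs = math.ceil(eap / ATTR_MAX_PAYLOAD)
    return (RADIUS_HEADER + eap + n_eap_message_attrs * ATTR_OVERHEAD
            + STATE_ATTR_LEN + MESSAGE_AUTHENTICATOR + extra_attr_bytes)


def ip_packet_len(fragment, first=True, extra_attr_bytes=0):
    return IP_UDP_HEADERS + radius_challenge_len(fragment, first, extra_attr_bytes)


def fits_one_frame(fragment, extra_attr_bytes=0):
    """True when the largest (first) fragment still fits in one Ethernet frame."""
    return ip_packet_len(fragment, True, extra_attr_bytes) <= ETHERNET_MTU


def max_fragment_for_one_frame(extra_attr_bytes=0):
    """Largest permitted value that keeps every Access-Challenge within the MTU,
    or None if even the minimum of 500 does not fit (many extra attributes)."""
    for fragment in range(MAX_FRAGMENT, MIN_FRAGMENT - 1, -1):
        if fits_one_frame(fragment, extra_attr_bytes):
            return fragment
    return None


def server_round_trips(server_flight_bytes, fragment):
    """RADIUS challenge/response round trips needed to deliver one server-side
    TLS flight: one per fragment, because the peer acknowledges each fragment."""
    if not MIN_FRAGMENT <= fragment <= MAX_FRAGMENT:
        raise ValueError("TLS_Message_Fragment_Length must be between 500 and 4096")
    return math.ceil(server_flight_bytes / fragment)


if __name__ == "__main__":
    # Constructed 7200-byte server flight (ServerHello, certificate chain, ...).
    flight = 7200
    for value in (500, 1020, 1400, 4096):
        print(f"fragment={value:4d} ip_packet={ip_packet_len(value):4d} bytes "
              f"fits_frame={fits_one_frame(value)} "
              f"round_trips={server_round_trips(flight, value)}")
    print("largest value that stays within one frame:", max_fragment_for_one_frame())
```

With these assumptions the default of 1020 produces a 1124-byte IP packet, the largest value that still fits a 1500-byte frame is 1394, and 4096 can only work where the Access Point and every intermediate proxy handle IP fragmentation. Raise `extra_attr_bytes` if your deployment adds Proxy-State or vendor attributes to the challenge; the safe maximum drops accordingly.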
[Inner_Authentication] Section
The [Inner_Authentication] section (Table 127) lets you specify the way in which the inner authentication step is to operate.
Table 127: ttlsauth.aut [Inner_Authentication] Syntax
Parameter | Function |
---|---|
Directed_Realm | Omitting this setting causes the inner authentication request to be handled like any other request received from a RAS. Specifying the name of a directed realm causes the request to be routed based on the methods listed in the directed realm. Default is to process the inner authentication through standard request processing. |
[Request_Filters] Section
Request filters (Table 128) affect the attributes of inner authentication requests.
The filters named in these settings must be defined in the filter.ini file.
Table 128: ttlsauth.aut [Request_Filters] Syntax
Parameter | Function |
---|---|
Transfer_Outer_Attribs_to_New | This filter affects only a new inner authentication request (rather than continuations of previous requests). If this filter is specified, all attributes from the outer request are transferred to the inner request and this filter is applied. The transfer occurs and the filter is applied before any attributes specified in the inner authentication are added to the request. If this filter is not specified, no attributes from the outer request are transferred to the inner request. |
Transfer_Outer_Attribs_to_Continue | This filter affects only a continued inner authentication request (rather than the first inner authentication request). If this filter is specified, all attributes from the outer request are transferred to the inner request and this filter is applied. The transfer occurs and the filter is applied before any attributes specified in the inner authentication are added to the request. If this filter is not specified, no attributes from the outer request are transferred to the inner request. |
Edit_New | This filter affects only a new inner authentication request (rather than continuations of previous requests). If this filter is specified, it is applied to the inner request that is the cumulative result of attributes transferred from the outer request (see Transfer_Outer_Attribs_to_New in this table) and attributes included in the inner authentication request sent through the tunnel by the client. If this filter is not specified, the request remains unaltered. |
Edit_Continue | This filter affects only a continued inner authentication request (rather than a new inner authentication request). If this filter is specified, it is applied to the inner request that is the cumulative result of attributes transferred from the outer request (see Transfer_Outer_Attribs_to_Continue in this table) and attributes included in the inner authentication request sent through the tunnel by the client. If this filter is not specified, the request remains unaltered. |
[Response_Filters] Section
Response filters (Table 129) affect the attributes in the responses returned to authentication requests.
The filters named in these settings must be defined in the filter.ini file.
Table 129: ttlsauth.aut [Response_Filters] Syntax
Parameter | Function |
---|---|
Transfer_Inner_Attribs_To_Accept | This filter affects only an outer Access-Accept response that is sent back to a network access server. If this filter is specified, the filter is applied to the inner authentication response and all resulting attributes are transferred to the outer authentication response. If this filter is not specified, no inner authentication response attributes are transferred to the outer authentication response. |
Transfer_Inner_Attribs_To_Reject | This filter affects only an outer Access-Reject response that is sent back to a network access server. If this filter is specified, the filter is applied to the inner authentication response and all resulting attributes are transferred to the outer authentication response. If this filter is not specified, no inner authentication response attributes are transferred to the outer authentication response. |
[CRL_Checking] Section
The [CRL_Checking] section (Table 130) lets you specify settings that control how Steel-Belted Radius Carrier performs certificate revocation list (CRL) checking.
Table 130: ttlsauth.aut [CRL_Checking] Syntax
Parameter | Function |
---|---|
Enable | If set to 1, the CRL checking is enabled for EAP-TTLS. Default value is 0. |
Retrieval_Timeout | Specifies the time (in seconds) that EAP-TTLS waits for a CRL checking transaction to complete when the CRL check involves a CRL retrieval. When CRL retrieval takes longer than the specified time, the user's authentication request is rejected. Default value is 5 seconds. |
Expiration_Grace_Period | Specifies the time (in seconds) after expiration during which a CRL is still considered acceptable. EAP-TTLS always attempts to retrieve a new CRL when it is presented with a certificate chain and finds an expired CRL in its cache; the grace period determines whether the expired CRL may still be used when that retrieval does not yield a fresh one. Default value is 0 (strict expiration mode). |
Allow_Missing_CDP_Attribute | Specifies whether the omission of a CRL distribution point (CDP) attribute in a non-root certificate is acceptable. Without a CDP attribute, EAP-TTLS does not know where to retrieve a CRL from and cannot perform a revocation check on the certificate. With the default value of 1, such a certificate is accepted without any revocation check; set the value to 0 to reject certificates that lack a CDP attribute. Default value is 1. |
Enable_CRL_Cache_Timeout | Specifies whether CRL cache timeout is enabled. Valid values are 0 (disabled) and 1 (enabled). Default value is 0. After a CRL has expired (because its scheduled expiration time has passed or because the CRL cache has timed out), Steel-Belted Radius Carrier uses the expiration grace period to determine whether the current CRL can still be used. |
CRL_Cache_Timeout_Period | Specifies the maximum time (in hours) that a CRL can remain in the cache before it is treated as expired. Default value is 168 hours (7 days). Note: You must set Enable_CRL_Cache_Timeout to 1, or the CRL_Cache_Timeout_Period parameter is ignored. |
Default_LDAP_Server_Name | Specifies the LDAP server name to use if the CDP contains a value that begins with the string ldap:/// (a URL with an empty host part). This style of CDP, generated by some CAs, does not include the identity of the LDAP server. Specify the name of the LDAP server that holds the CRLs if you expect to encounter certificates with this style of CDP. If you do not specify a server name and such certificates are encountered, CRL retrieval fails. |
LDAP_Bind_Version | Selects the LDAP protocol version (2 or 3) used when binding to an LDAP server. Default value is 2 (LDAP version 2). |
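How the [CRL_Checking] parameters combine for one presented certificate, as an added Python model that is not SBR Carrier code. The `CrlCheckingConfig` fields mirror the parameter names and documented defaults; the scenario data (a CRL cached at T0 with a 7-day nextUpdate, a 24-hour cache timeout, a 1-hour grace period, one revoked serial) is constructed. The text specifies rejection only for a retrieval timeout; treating "no usable CRL at all" as a rejection is an assumption, stated in the code.

```python
"""Model of the [CRL_Checking] decisions for one presented certificate.

Added illustration, not SBR Carrier code. Follows the parameter semantics in
the table; the fail-closed outcome when no usable CRL exists is an assumption
(the text only specifies rejection for a retrieval timeout). Times are epoch seconds.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple


@dataclass
class CrlCheckingConfig:
    """Mirrors the [CRL_Checking] parameters; values are the documented defaults."""
    Enable: int = 0
    Retrieval_Timeout: int = 5               # seconds
    Expiration_Grace_Period: int = 0         # seconds
    Allow_Missing_CDP_Attribute: int = 1
    Enable_CRL_Cache_Timeout: int = 0
    CRL_Cache_Timeout_Period: int = 168      # hours


@dataclass
class CachedCrl:
    next_update: int                 # scheduled expiry taken from the CRL itself
    fetched_at: int                  # when this CRL entered the cache
    revoked_serials: FrozenSet[int]


Fetcher = Callable[[], Tuple[Optional[CachedCrl], float]]  # -> (CRL or None, seconds taken)


def crl_expiry(crl: CachedCrl, cfg: CrlCheckingConfig) -> int:
    """Moment the cached CRL counts as expired: its scheduled expiry, or earlier
    when the cache timeout is enabled and its period elapses first."""
    expiry = crl.next_update
    if cfg.Enable_CRL_Cache_Timeout == 1:
        expiry = min(expiry, crl.fetched_at + cfg.CRL_Cache_Timeout_Period * 3600)
    return expiry


def check_revocation(now, serial, cdp_present, cached, cfg, fetch):
    """Return (verdict, reason); verdict is 'accept' or 'reject'."""
    if cfg.Enable != 1:
        return "accept", "crl-checking-disabled"
    if not cdp_present:
        # With the default Allow_Missing_CDP_Attribute=1 the certificate passes
        # without any revocation check at all.
        if cfg.Allow_Missing_CDP_Attribute == 1:
            return "accept", "no-cdp-allowed"
        return "reject", "no-cdp"
    crl = cached
    if crl is None or now > crl_expiry(crl, cfg):
        # An expired (or absent) CRL always triggers a retrieval attempt.
        fresh, seconds = fetch()
        if seconds > cfg.Retrieval_Timeout:
            return "reject", "retrieval-timeout"
        if fresh is not None:
            crl = fresh
        elif crl is not None and now <= crl_expiry(crl, cfg) + cfg.Expiration_Grace_Period:
            pass  # retrieval failed, but the stale CRL is still within the grace period
        else:
            return "reject", "no-usable-crl"   # assumption: fail closed
    if serial in crl.revoked_serials:
        return "reject", "revoked"
    return "accept", "not-revoked"


# Constructed scenario: CRL fetched at T0 with a 7-day nextUpdate, 24 h cache
# timeout, 1 h grace period; serial 0x1234 is revoked.
T0 = 1_700_000_000
CFG = CrlCheckingConfig(Enable=1, Expiration_Grace_Period=3600,
                        Enable_CRL_Cache_Timeout=1, CRL_Cache_Timeout_Period=24)
CACHED = CachedCrl(next_update=T0 + 7 * 86400, fetched_at=T0,
                   revoked_serials=frozenset({0x1234}))


def fetch_fails_fast():
    return None, 1.0      # CDP unreachable, error returned within a second


def fetch_hangs():
    return None, 6.0      # exceeds the 5-second Retrieval_Timeout


if __name__ == "__main__":
    print(check_revocation(T0 + 12 * 3600, 0x1234, True, CACHED, CFG, fetch_fails_fast))
    print(check_revocation(T0 + 25 * 3600, 0x5678, True, CACHED, CFG, fetch_fails_fast))
    print(check_revocation(T0 + 26 * 3600, 0x5678, True, CACHED, CFG, fetch_fails_fast))
    print(check_revocation(T0 + 26 * 3600, 0x5678, True, CACHED, CFG, fetch_hangs))
```

The sequence to note: at 12 hours the cached CRL is used without any retrieval; at 25 hours the cache timeout (24 hours, earlier than the CRL's own nextUpdate) has passed, retrieval fails, and the stale CRL is accepted only because it is within the one-hour grace; at 26 hours the same failure rejects the user; and a retrieval that exceeds Retrieval_Timeout rejects regardless of the grace period.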
[Session_Resumption] Section
The [Session_Resumption] section (Table 131) lets you specify whether session resumption is permitted and under what conditions session resumption is performed.
For session resumption to work, the network access server must be configured to handle the Session-Timeout return list attribute, because the network access server must be able to tell the client to reauthenticate after the session timer has expired.
Table 131: ttlsauth.aut [Session_Resumption] Syntax
Parameter | Function |
---|---|
Session_Timeout | Set this attribute to the maximum number of seconds you want the client to remain connected to the network access server before having to reauthenticate. Default value is 0. Entering a value such as 600 (10 minutes) does not necessarily cause a full reauthentication every 10 minutes: with a resumption limit configured, most of those reauthentications are fast, computationally cheap TLS session resumptions. |
Termination_Action | Specifies the value to return in the Termination-Action attribute sent for an accepted client. This is a standard RADIUS attribute supported by most Access Points and determines what happens when the session timeout is reached. Valid values are -1 (the module does not return the attribute), 0 (Default), and 1 (RADIUS-Request, which makes the Access Point send a new Access-Request when the session times out). Default value is -1. This does not prevent authentication methods performing secondary authorization from providing a value for this attribute. |
Resumption_Limit | Set this attribute to the maximum number of seconds you want the client to be able to reauthenticate using the TLS session resumption feature. This type of reauthentication is fast and computationally cheap. It does, however, depend on previous authentications and may not be considered as secure as a complete (computationally expensive) authentication. Specifying a value of 0 disables the session resumption feature. Default value is 0. |
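The interplay between Session_Timeout and Resumption_Limit over the life of one client, as an added Python illustration that is not SBR Carrier code. It assumes the network access server forces a reauthentication every Session_Timeout seconds (Termination-Action handled as the note above requires) and that the server resumes the TLS session whenever the time since the last full handshake is at most Resumption_Limit seconds; both boundary conventions are assumptions.

```python
"""Interplay of Session_Timeout and Resumption_Limit for one client.

Added illustration, not SBR Carrier code. Assumptions: the NAS forces a
reauthentication every Session_Timeout seconds, and resumption is accepted
while the time since the last full handshake is <= Resumption_Limit;
Resumption_Limit=0 disables resumption, Session_Timeout=0 never forces one.
"""


def reauth_schedule(session_timeout, resumption_limit, duration):
    """Return [(seconds, kind)] for every reauthentication within `duration`,
    where kind is 'full' (complete TLS handshake) or 'resumed' (session resumption)."""
    if session_timeout <= 0:
        return []
    events = []
    last_full = 0            # the initial connection at t=0 is a full handshake
    t = session_timeout
    while t <= duration:
        if resumption_limit > 0 and t - last_full <= resumption_limit:
            events.append((t, "resumed"))
        else:
            events.append((t, "full"))
            last_full = t
        t += session_timeout
    return events


def count_full_handshakes(session_timeout, resumption_limit, duration):
    """Full handshakes in the period, including the initial one at t=0."""
    sched = reauth_schedule(session_timeout, resumption_limit, duration)
    return 1 + sum(1 for _, kind in sched if kind == "full")


if __name__ == "__main__":
    # Session_Timeout=600 and Resumption_Limit=3600, as in the sample file, over 2 hours.
    for t, kind in reauth_schedule(600, 3600, 7200):
        print(f"t={t:5d}s  {kind}")
    print("full handshakes with resumption:   ", count_full_handshakes(600, 3600, 7200))
    print("full handshakes without resumption:", count_full_handshakes(600, 0, 7200))
```

With 600/3600 the client reauthenticates twelve times in two hours but performs only one additional full handshake (at 4200 s); with Resumption_Limit=0 all twelve are full handshakes. Resumption_Limit is therefore the knob that bounds how long a single full authentication keeps vouching for the client.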
Sample ttlsauth.aut File
```ini
[Bootstrap]
LibraryName=ttlsauth.so
Enable=1
InitializationString=EAP-TTLS

[Server_Settings]
; Maximum TLS message fragment length EAP-TTLS handles.
TLS_Message_Fragment_Length = 1020
; Indicates whether the EAP-TTLS module should return the
; MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes upon successful
; authentication of the user.
Return_MPPE_Keys = 1
; Size of the prime to use for DH modular exponentiation.
DH_Prime_Bits = 1536
; TLS cipher suites (in order of preference)
; that the server is to use.
Cipher_Suites = 0x0067,0x006B,0xC030,0xC028,0xC014,0xC013
; TLS protocol version on which the server expects the client
; to initiate the handshake process.
TLS_Protocol_Version = 31

[Inner_Authentication]
; Specifies how inner authentication routing operates.
Directed_Realm = ttls_realm

[Request_Filters]
Transfer_Outer_Attribs_to_New = My_Xfer_Out_New_Filter
Transfer_Outer_Attribs_to_Continue = My_Xfer_Out_Con_Filter
Edit_New = My_Edit_New_Filter
Edit_Continue = My_Continue_Filter

[Response_Filters]
Transfer_Inner_Attribs_To_Accept = My_Xfer_Acc_Filter
Transfer_Inner_Attribs_To_Reject = My_Xfer_Rej_Filter

[Session_Resumption]
; Maximum length of time (in seconds) the NAD/AP allows
; the session to persist before the client is asked
; to reauthenticate.
Session_Timeout = 600
; Value to return for the Termination-Action attribute
; sent for an accepted client.
Termination_Action = 0
; Maximum length of time (in seconds) during which an authentication
; request that seeks to resume a previous TLS session is
; considered acceptable.
Resumption_Limit = 3600
```
For this to work, you must also provide the following settings in the [EAP-TTLS] section of the eap.ini file:
```ini
[EAP-TTLS]
First-Handle-Via-Auto-EAP = 0
EAP-Type = TTLS
```