

EAP-TLS Authentication Protocol

The EAP-TLS (Transport Layer Security) protocol requires that both user and authentication server have certificates for mutual authentication. While the mechanism is very strong, it requires that the corporation that deploys it maintain a certificate infrastructure for all of its users.

EAP-TLS can be deployed as an authentication method or as an automatic EAP helper.

When EAP-TLS is deployed as an authentication method, you can configure it to perform certificate revocation list (CRL) checking. When CRL checking is enabled, EAP-TLS confirms that the client's certificate chain traces back to one of the trusted root certificates installed at initialization and checks the serial number of each certificate in the chain against the contents of CRLs to verify that none of the certificates in the chain have been revoked.

You can configure the tlsauth.aut file to call a fixed profile when TLS-EAP is used. This profile specifies the attributes that are sent back in response to a successful authentication.

You cannot use secondary authorization when EAP-TLS is deployed as an authentication method.

You may not want to grant access to your network to every user with a trusted certificate. By enabling the optional secondary authorization feature of the tlsauth plug-in, you can have Steel-Belted Radius Carrier authorize users with valid certificates on a case-by-case basis. Secondary authorization also allows you to include user-specific attributes in an Access-Accept response; these attributes can be used to communicate options that are to be active for a user's connection to the NAD. Without secondary authorization, the only attributes returned on an Access-Accept are those generated by the tlsauth plug-in itself (Termination-Action and Session-Limit).

If you enable the TLS authentication method, secondary authorizations must be performed by local authentication methods (they cannot be proxied). The authentication method you select for secondary authorizations must be able to authenticate users in a single pass; it cannot challenge the authorization request and request additional information. The username employed during secondary authorization is derived from a field in the user's certificate. Because a user's certificate does not include a password, you must configure tlsauth to make the secondary authorization request with no password or with a fixed password.

If you configure secondary authorization with no password, your selected authentication method must be capable of handling requests that do not include passwords; the only authentication methods that support this style of authentication and ship with Steel-Belted Radius Carrier are Native User, LDAP and SQL. If you configure secondary authorization with a fixed password, you can use any authentication method that supports PAP authentication. In this configuration all user records must have the same fixed password.

Configuring EAP-TLS as an EAP Authentication Method

NOTE: A valid server certificate must be in place on the Steel-Belted Radius Carrier server before you configure the EAP-TLS authentication protocol. For information on configuring certificates, see Certificates.


To configure EAP-TLS as an authentication method:

  1. Select Authentication Policies > EAP Methods to open the EAP Methods panel (Figure 88).

Figure 88: EAP Methods Panel

  2. Activate the Enable check box for the EAP-TLS authentication method.
  3. Select the EAP-TLS entry and click the Edit button on the toolbar (or double-click the EAP-TLS entry).

The Edit TLS Authentication Method dialog (Figure 89) opens.


Figure 89: Edit TLS Authentication Method Dialog

  4. Use the tabs in the Edit TLS Authentication Method dialog to configure:

Each configuration task is described separately in the sections that follow.

Configuring Client Certificate Validation

Client certificate validation settings enable you to specify how Steel-Belted Radius Carrier performs certificate revocation list (CRL) checking.

To configure client certificate validation for the EAP-TLS protocol:

  1. Click the Client Certificate Validation tab (Figure 90) in the Edit TLS Authentication Method dialog.

Figure 90: TLS Client Certificate Validation Tab

  2. Activate the Enable CRL Checking check box to enable certificate revocation list checking.
  3. In the Retrieval Timeout field, enter the number of seconds you want EAP-TLS to wait for the CRL checking transaction to complete.

When CRL retrieval takes longer than the specified time, the user's authentication request is rejected.

  4. In the Expiration Grace Period field, enter the number of seconds a CRL is still considered acceptable after it has expired.

EAP-TLS always attempts to retrieve a new CRL when it is presented with a certificate chain and it finds an expired CRL in its cache.

  5. Activate the Allow Missing CDP Attribute check box if you want to enable Steel-Belted Radius Carrier to accept a non-root certificate without a CDP attribute.

Without a CDP attribute, EAP-TLS cannot retrieve a CRL and cannot perform a revocation check on the certificate.

If you activate the Allow Missing CDP Attribute check box, EAP-TLS accepts such certificates and skips CRL checking for them.

If you clear the Allow Missing CDP Attribute check box, EAP-TLS does not accept a certificate with a missing CDP attribute.

  6. If you want to specify a CRL cache timeout period, activate the CRL Cache Timeout Period check box and enter the number of hours in the timeout period in the hours field.

After a CRL has expired (because its scheduled expiration time has passed or because the CRL cache has timed out), Steel-Belted Radius Carrier uses the expiration grace period to determine whether to use the current CRL.

  7. If the CDP contains a value that begins with the string //ldap:\\\, enter the name of the LDAP server to use in the Default LDAP Server Name field.

CDPs generated by some CAs do not include the identity of the LDAP server. If you expect to encounter certificates with this style CDP, specify the name of the LDAP server that contains the CRLs.

If you do not specify a server name and such certificates are encountered, the CRL retrieval fails.

  8. Activate the Verify that Client Certificates are published to user accounts check box.

Configuring Session Resumption

Session resumption settings control whether and under what circumstances session resumption is permitted.

NOTE: For session resumption to work, the NAD must be configured to handle the Session-Timeout return list attribute, so that the NAD can notify the client to reauthenticate after the session timer has expired.


To configure session resumption for the EAP-TLS protocol:

  1. Click the Session Resumption tab in the Edit TLS Authentication Method dialog (Figure 91).

Figure 91: Session Resumption Tab

  2. Enter the maximum number of seconds you want the client to remain connected to the network access device before having to reauthenticate in the Session Timeout field.

If you enter a number greater than 0, the lesser of this value and the remaining resumption limit is sent in a Session-Limit attribute to the RADIUS client on the RADIUS Access-Accept response.

If you enter 0, a Session-Limit attribute is not generated directly. Entering 0 does not prevent the authentication methods that perform secondary authorization from providing a value.

Entering a value such as 600 (10 minutes) does not necessarily cause a full reauthentication to occur every 10 minutes. You can configure the resumption limit to make most reauthentications fast and computationally efficient.


BEST PRACTICE: Using the Resumption Limit Option Effectively

Two scenarios where the Resumption Limit can be used effectively:

  • In a wireless environment, the client is moving between access points. The Resumption Limit can be tuned to make the handover between access points smoother by not forcing a complete reauthorization that requires repeated verification of user information.

When the new access point queries Steel-Belted Radius Carrier, the server replies that the session ID is already valid. Because it is known to be good, repeating the inner authentication is not required, which saves some time. The access point acknowledges the reauthorization not required message and the session continues.

  • Another use for Resumption Limit occurs when the server ordinarily requires the client to reauthorize every 10 minutes or so, to ensure the client is still connected. Setting the Resumption Limit to 3600 with a Session Timeout of 600 means that the interval reauthorizations are fast and efficient, and a complete reauthorization is required just once an hour instead of every 10 minutes.

  3. Enter the value that you want returned in a Termination-Action attribute in the Termination Action field.

The Termination-Action attribute is a standard attribute supported by most access points and determines what happens when the session timeout is reached. Valid values are:

  4. Enter the maximum number of seconds you want the client to be able to reauthenticate using the TLS session resumption feature in the Resumption Limit field.

This type of reauthentication is fast and computationally efficient. It does, however, depend on previous authentications and is not as secure as a complete (but computationally expensive) authentication. Specifying a value of 0 disables the session resumption feature. (See the Best Practice Using the Resumption Limit Option Effectively.)

Configuring Advanced Server Settings

You use advanced server settings to specify the manner in which the inner authentication step operates. To configure advanced server settings for the EAP-TLS protocol:

  1. Click the Advanced Server Settings tab in the Edit TLS Authentication Method dialog (Figure 92).

Figure 92: TLS Advanced Server Settings Tab

  2. In the TLS Message Fragment Length field, enter the maximum length of the TLS message that may be generated during each iteration of the TLS exchange.

Enter a number in the range 500-4096.

  3. Enable the Return MPPE Keys check box to specify whether the TLS authentication method includes RADIUS MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in the final RADIUS Access-Accept response sent to the Access Point.

Disable this option for WiMAX.

Enable this option if the Access Point needs to key the WEP encryption. If the Access Point is authenticating only end users and WEP is not being used, you can clear this check box.

  4. Use the DH Prime Bits list to specify the number of bits in the prime number that the module uses for Diffie-Hellman exponentiation.

Selecting a longer prime number makes the system less susceptible to certain types of attacks but requires more CPU processing to compute the Diffie-Hellman key agreement operation.

Valid values are 512, 1024, 1536, 2048, 3072, and 4096.

  5. Enter the TLS cipher suites (in order of preference) that the server is to use in the Cipher Suites field.

These cipher suites are documented in RFC 2246, The TLS Protocol Version 1.0.

The default value is: 0x16,0x13,0x66,0x15,0x12,0x0a,0x05,0x04,0x07,0x09.

  6. If the CDP contains a value that begins with the string //ldap:\\\, enter the name of the LDAP server to use in the Default LDAP Server Name field.

CDPs generated by some CAs do not include the identity of the LDAP server. If you expect to encounter certificates with this style CDP, specify the name of the LDAP server that contains the CRLs.

If you do not specify a server name and such certificates are encountered, the CRL retrieval fails.

  7. Activate the Verify that Client Certificates are published to user accounts check box.

Configuring EAP-TLS as an Automatic EAP Helper

NOTE: You must configure the server certificate for the Steel-Belted Radius Carrier server before you use the EAP-TLS helper. For information on configuring your server certificate, see Configuring Server Certificates.


To configure EAP-TLS as an EAP helper:

  1. Select Authentication Policies > EAP Methods to open the EAP Methods panel (Figure 93).

Figure 93: EAP Methods Panel

  2. Activate the Enable check box for the EAP-TLS Helper method.
  3. Select the EAP-TLS Helper entry and click the Edit button on the toolbar (or double-click the EAP-TLS Helper entry).

You are prompted to save changes.

  4. Click Yes.

The Edit TLS EAP Helper Method dialog (Figure 94) opens.


Figure 94: Edit TLS EAP Helper Method Dialog

  5. Use the tabs in the Edit TLS EAP Helper Method dialog to configure these settings:

Each configuration task is described separately in the sections that follow.

Configuring Client Certificate Validation

You use client certificate validation settings to specify how Steel-Belted Radius Carrier performs certificate revocation list (CRL) checking.


Figure 95: TLS EAP Helper Client Certificate Tab

To configure client certificate validation for the TLS EAP helper protocol:

  1. Click the Client Certificate Validation tab in the Edit TLS EAP Helper Method dialog.
  2. Activate the Enable CRL Checking check box to enable CRL checking.
  3. In the Retrieval Timeout field, enter the number of seconds you want the TLS EAP helper to wait for a CRL retrieval transaction to complete.

When CRL retrieval takes longer than the specified time, the user's authentication request is rejected.

  4. In the Expiration Grace Period field, enter the number of seconds during which an expired CRL may still be accepted.

The TLS EAP helper always attempts to retrieve a new CRL when it is presented with a certificate chain and it finds an expired CRL in its cache.

  5. Activate the Allow Missing CDP Attribute check box if you want Steel-Belted Radius Carrier to accept a non-root certificate that does not have a CDP attribute.

Without a CDP attribute, the TLS EAP helper cannot retrieve a CRL and cannot perform a revocation check on the certificate.

If you activate the Allow Missing CDP Attribute check box, the TLS EAP helper accepts such certificates and skips CRL checking for them.

If you clear the Allow Missing CDP Attribute check box, the TLS EAP helper does not accept a certificate with a missing CDP attribute.

  6. If you want to specify a CRL cache timeout period, activate the CRL Cache Timeout Period check box and enter the number of hours in the timeout period in the hours field.

After a CRL has expired (because its scheduled expiration time has passed or because the CRL cache has timed out), Steel-Belted Radius Carrier uses the expiration grace period to determine whether to use the current CRL.

  7. If the CDP contains a value that begins with the string //ldap:\\\, enter the name of the LDAP server to use in the Default LDAP Server Name field.

CDPs generated by some CAs do not include the identity of the LDAP server. If you expect to encounter certificates with this style CDP, specify the name of the LDAP server that contains the CRLs.

If you do not specify a server name and such certificates are encountered, the CRL retrieval fails.
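The following is an added example, not Steel-Belted Radius Carrier code, that models the decisions driven by the Client Certificate Validation settings described above for both the EAP-TLS authentication method and the TLS EAP helper: retrieval against the Retrieval Timeout, expiry by scheduled time or by CRL Cache Timeout Period, the Expiration Grace Period after a failed retrieval, the Allow Missing CDP Attribute choice, and substitution of the Default LDAP Server Name. The data classes, the fetch() and now() callables, the ldap:/// form used here to represent a CDP that names no server, and every serial number and URL are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed model of the Client Certificate Validation settings. This is an
# added illustration, not Steel-Belted Radius Carrier code; the field names
# mirror the tab, and fetch() / now() stand in for real CRL retrieval and clock.

@dataclass
class CrlSettings:
    enable_crl_checking: bool = True
    retrieval_timeout_s: int = 10              # Retrieval Timeout
    expiration_grace_s: int = 0                # Expiration Grace Period
    allow_missing_cdp: bool = False            # Allow Missing CDP Attribute
    cache_timeout_h: Optional[int] = None      # CRL Cache Timeout Period (None = cleared)
    default_ldap_server: Optional[str] = None  # Default LDAP Server Name


@dataclass
class CachedCrl:
    revoked_serials: Set[int]
    next_update: float   # scheduled expiration, epoch seconds
    fetched_at: float    # time it entered the cache, epoch seconds


@dataclass
class Cert:
    serial: int
    cdp: Optional[str]   # CRL distribution point; None when the attribute is absent
    is_root: bool = False


# fetch(url) -> (CRL, or None when retrieval failed; seconds the retrieval took)
Fetcher = Callable[[str], Tuple[Optional[CachedCrl], float]]


class CrlChecker:
    def __init__(self, settings: CrlSettings, fetch: Fetcher, now: Callable[[], float]):
        self.s, self.fetch, self.now = settings, fetch, now
        self.cache: Dict[str, CachedCrl] = {}

    def _resolve(self, cdp: str) -> Optional[str]:
        # Assumption: a CDP written as ldap:///... names no directory host, so the
        # Default LDAP Server Name is substituted; with none configured, retrieval fails.
        if cdp.startswith("ldap:///"):
            if not self.s.default_ldap_server:
                return None
            return "ldap://" + self.s.default_ldap_server + cdp[len("ldap://"):]
        return cdp

    def _expiry(self, crl: CachedCrl) -> float:
        # A cached CRL expires at its scheduled time or when the cache entry
        # times out, whichever comes first.
        expiry = crl.next_update
        if self.s.cache_timeout_h is not None:
            expiry = min(expiry, crl.fetched_at + self.s.cache_timeout_h * 3600)
        return expiry

    def _current_crl(self, url: str) -> Tuple[Optional[CachedCrl], str]:
        now = self.now()
        cached = self.cache.get(url)
        if cached is not None and now < self._expiry(cached):
            return cached, "cached CRL"
        # Expired or absent: a fresh retrieval is always attempted.
        fresh, elapsed = self.fetch(url)
        if elapsed > self.s.retrieval_timeout_s:
            return None, "CRL retrieval exceeded the retrieval timeout"
        if fresh is not None:
            self.cache[url] = fresh
            return fresh, "freshly retrieved CRL"
        # Retrieval failed: the expired copy is still usable inside the grace period.
        if cached is not None and now < self._expiry(cached) + self.s.expiration_grace_s:
            return cached, "expired CRL within grace period"
        return None, "CRL retrieval failed"

    def check_chain(self, chain: List[Cert]) -> Tuple[bool, str]:
        """Return (accepted, reason) for a client chain ordered leaf to root."""
        if not self.s.enable_crl_checking:
            return True, "CRL checking disabled"
        for cert in chain:
            if cert.is_root:
                continue  # trusted roots are installed locally and are not revocation-checked
            if cert.cdp is None:
                if self.s.allow_missing_cdp:
                    continue  # accepted; CRL checking is skipped for this certificate
                return False, f"serial {cert.serial}: missing CDP attribute"
            url = self._resolve(cert.cdp)
            if url is None:
                return False, f"serial {cert.serial}: CDP names no LDAP server and no default is configured"
            crl, how = self._current_crl(url)
            if crl is None:
                return False, f"serial {cert.serial}: {how}"
            if cert.serial in crl.revoked_serials:
                return False, f"serial {cert.serial}: revoked ({how})"
        return True, "no certificate in the chain is revoked"
```

Driving check_chain() with a fetch() that first succeeds and later fails shows the behaviour the settings imply: a retrieval slower than the Retrieval Timeout rejects the request outright, an expired cached CRL is still consulted (and can still reject a revoked serial) until the grace period runs out, and a certificate without a CDP is accepted only when Allow Missing CDP Attribute is active.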

Configuring Secondary Authentication

You use secondary authorization settings to specify whether secondary authorization is performed and, if it is, what information is used in the secondary authorization request.

To configure secondary authentication for the TLS EAP helper protocol:

  1. Click the Secondary Authorization tab in the Edit TLS EAP Helper Method dialog (Figure 96).

Figure 96: Secondary Authorization Tab

  2. Activate the Enable Secondary Authorization check box to enable secondary authorization checking.

If secondary authorization is disabled, the EAP-TLS plug-in accepts the user upon proof of ownership of a private key that matches a valid certificate.

If secondary authorization is enabled, a secondary authorization check against a traditional authentication method such as an SQL plug-in is performed.

  3. Specify whether to convert the username to the certificate's Subject CN or to its Principal Name. After the EAP-TLS module has concluded its processing, it may still defer to a traditional authentication method (core or plug-in) for final authorization. To do so, the EAP-TLS module must provide a username and password to that traditional authentication method.
  4. If you plan to use secondary authorization against an authentication method (for example, LDAP) that cannot be configured to ignore the lack of user credentials, specify a fixed password that the plug-in uses on all secondary authorization checks in the Fixed Password field.

By default, the secondary authorization check includes a username but no other user credentials, because no password or similar credential for the client is available at the conclusion of the TLS handshake. Some authentication methods (Native User, LDAP, and SQL) can be configured to not require user credentials.

  5. If you want the EAP-TLS plug-in to add four attributes to the request before the secondary authorization check is performed, activate the Include Certificate Info check box.

When the Include Certificate Info check box is active, Steel-Belted Radius Carrier adds the following attributes to the request:

These attributes are ignored if the authentication method that performs the authentication check does not use them.

Configuring Session Resumption

You use session resumption settings to specify under what circumstances session resumption is performed.

NOTE: For session resumption to work, the NAD must be configured to handle the Session-Timeout return list attribute, so that the NAD can notify the client to reauthenticate after the session timer has expired.


To configure session resumption for the TLS EAP helper protocol:

  1. Click the Session Resumption tab in the Edit TLS EAP Helper Method dialog (Figure 97).

Figure 97: EAP Helper Session Resumption Tab

  2. Enter the number of seconds the client may remain connected to the network access device before having to reauthenticate in the Session Timeout field.

If you enter a number greater than 0, the lesser of this value and the remaining resumption limit is sent in a Session-Limit attribute to the RADIUS client on the RADIUS Access-Accept response.

If you enter 0, a Session-Limit attribute is not generated. This does not prevent the authentication methods performing secondary authorization from providing a value for this attribute.

Entering a value such as 600 (10 minutes) does not necessarily cause a full reauthentication to occur every 10 minutes. You can configure the resumption limit to make most reauthentications fast and computationally efficient.

  3. Enter the value that you want returned in a Termination-Action attribute in the Termination Action field.

The Termination-Action attribute is a standard attribute supported by most access points and determines what happens when the session timeout is reached. Valid values are:

  4. Enter the maximum number of seconds you want the client to be able to reauthenticate using the TLS session resumption feature in the Resumption Limit field.

This type of reauthentication is fast and computationally efficient. It does, however, depend on previous authentications and is not as secure as a complete (computationally expensive) authentication. Specifying a value of 0 disables the session resumption feature. (See the Best Practice Using the Resumption Limit Option Effectively.)
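The following is an added example, not Steel-Belted Radius Carrier code, that models how the Session Timeout and Resumption Limit fields described in both Configuring Session Resumption sections combine: the Session-Limit attribute carries the lesser of the session timeout and the remaining resumption limit, 0 generates no attribute, and the resulting schedule shows which reauthentications are fast resumptions and which are complete authentications. It assumes the NAD forces reauthentication exactly when Session-Limit expires and that the client reconnects immediately; the function names are constructed.

```python
from typing import List, Optional, Tuple

# Added illustration, not Steel-Belted Radius Carrier code: how Session Timeout
# and Resumption Limit combine into Session-Limit and into the pattern of fast
# (resumed) and full reauthentications. Assumes the NAD honours Session-Limit
# exactly and that the client reconnects as soon as the timer expires.


def session_limit(session_timeout: int, resumption_limit: int,
                  since_full_auth: int) -> Optional[int]:
    """Session-Limit sent on the Access-Accept, or None when none is generated.

    since_full_auth: seconds elapsed since the last complete TLS authentication.
    """
    if session_timeout <= 0:
        return None                         # 0: no Session-Limit generated here
    if resumption_limit <= 0:
        return session_timeout              # resumption disabled: plain timeout
    remaining = resumption_limit - since_full_auth
    if remaining <= 0:
        return min(session_timeout, resumption_limit)  # a full auth restarts the limit
    return min(session_timeout, remaining)  # the lesser of the two values


def reauth_schedule(session_timeout: int, resumption_limit: int,
                    horizon: int) -> List[Tuple[int, str, Optional[int]]]:
    """(time, 'full' | 'fast', Session-Limit sent) for each authentication up to horizon."""
    events = []
    t = last_full = 0
    while t <= horizon:
        if resumption_limit > 0 and 0 < t - last_full < resumption_limit:
            kind = "fast"   # TLS session resumption: cheap, but relies on the earlier full auth
        else:
            kind = "full"   # complete certificate-based authentication
            last_full = t
        limit = session_limit(session_timeout, resumption_limit, t - last_full)
        events.append((t, kind, limit))
        if limit is None:
            break           # without Session-Limit the NAD never forces a reauthentication
        t += limit
    return events


def count_kinds(events: List[Tuple[int, str, Optional[int]]]) -> Tuple[int, int]:
    """(full authentications, fast resumptions) in a schedule."""
    full = sum(1 for _, kind, _ in events if kind == "full")
    return full, len(events) - full
```

With the Best Practice values (Session Timeout 600, Resumption Limit 3600) the schedule over one hour contains one full authentication at the start, five fast resumptions, and a second full authentication at the 3600-second mark. With a Resumption Limit that is not a multiple of the Session Timeout (for example 1000), the second Access-Accept carries Session-Limit 400, the remaining resumption limit, rather than 600.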

Configuring Advanced Server Settings

You use advanced server settings to specify the manner in which the inner authentication step operates. To configure advanced server settings for the TLS EAP helper protocol:

  1. Click the Advanced Server Settings tab in the Edit TLS EAP Helper Method dialog (Figure 98).

Figure 98: TLS EAP Helper Advanced Server Settings Tab

  2. In the TLS Message Fragment Length field, enter the maximum length of the TLS message that may be generated during each iteration of the TLS exchange.

Enter a number in the range 500-4096. This value affects the number of RADIUS challenge/response round-trips required to conclude the TLS exchange.

Some access points may have problems with RADIUS responses or EAP messages that exceed the size of one Ethernet frame (1500 bytes including IP/UDP headers).

The default length for TLS messages is 1020 bytes, which prevents the RADIUS challenge response (carried in a UDP packet) from exceeding one Ethernet frame.

  3. Enter the maximum number of seconds you want for the EAP authentication sequence in the Max Transaction Time field.

If the authentication sequence takes longer than this setting, the user authentication is aborted.

  4. Enable the Return MPPE Keys check box to specify whether the TLS EAP helper includes RADIUS MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in the final RADIUS Access-Accept response sent to the Access Point.

Enable this option if the Access Point needs to key the WEP encryption. If the Access Point is authenticating only end users and WEP is not being used, you can clear this check box.

  5. Use the DH Prime Bits list to specify the number of bits in the prime number that the module uses for Diffie-Hellman exponentiation.

Selecting a longer prime number makes the system less susceptible to certain types of attacks but requires more CPU processing to compute the Diffie-Hellman key agreement operation.

Valid values are 512, 1024, 1536, 2048, 3072, and 4096 bits.

  6. Enter the TLS cipher suites (in order of preference) that the server is to use in the Cipher Suites field.

These cipher suites are documented in RFC 2246, The TLS Protocol Version 1.0.

The default value is: 0x16,0x13,0x66,0x15,0x12,0x0a,0x05,0x04,0x07,0x09.
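The following is an added example, not Steel-Belted Radius Carrier code, showing what the TLS Message Fragment Length setting described in both Configuring Advanced Server Settings sections controls on the wire: a TLS flight is split into EAP-TLS packets in the RFC 5216 format (Type 13, with the L bit announcing the total length on the first fragment and the M bit on every fragment but the last), and the number of fragments is the number of RADIUS challenge/response round trips. It assumes the field bounds the TLS data octets carried per EAP packet; the constant and function names and the sample payload are constructed.

```python
import struct
from typing import List

# Added illustration, not Steel-Belted Radius Carrier code: how the TLS Message
# Fragment Length bounds the EAP-TLS packets (RFC 5216 format) carrying a TLS
# flight, and why the fragment count equals the number of RADIUS challenge/
# response round trips. Assumption: the setting bounds TLS Data octets per packet.

EAP_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # length included, more fragments, start


def fragment_tls_message(tls_data: bytes, fragment_length: int, identifier: int = 1) -> List[bytes]:
    """Split one TLS message (or flight) into EAP-Request/EAP-TLS packets."""
    if not 500 <= fragment_length <= 4096:
        raise ValueError("TLS Message Fragment Length must be in the range 500-4096")
    pieces = [tls_data[i:i + fragment_length]
              for i in range(0, len(tls_data), fragment_length)] or [b""]
    packets = []
    for idx, piece in enumerate(pieces):
        flags, length_field = 0, b""
        if len(pieces) > 1 and idx == 0:
            flags |= FLAG_L                       # first fragment announces the total TLS length
            length_field = struct.pack("!I", len(tls_data))
        if idx < len(pieces) - 1:
            flags |= FLAG_M                       # more fragments follow
        body = bytes([EAP_TYPE_TLS, flags]) + length_field + piece
        header = struct.pack("!BBH", EAP_REQUEST, (identifier + idx) & 0xFF, 4 + len(body))
        packets.append(header + body)
    return packets


def reassemble_tls_message(packets: List[bytes]) -> bytes:
    """Rebuild the TLS message, checking EAP Length, the L/M flags and the announced total."""
    announced = None
    buf = bytearray()
    last = len(packets) - 1
    for idx, pkt in enumerate(packets):
        _code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt):
            raise ValueError("EAP Length does not match packet size")
        if pkt[4] != EAP_TYPE_TLS:
            raise ValueError("not an EAP-TLS packet")
        flags, offset = pkt[5], 6
        if flags & FLAG_L:
            (msg_len,) = struct.unpack("!I", pkt[6:10])
            offset = 10
            if idx == 0:
                announced = msg_len
        elif idx == 0 and last > 0:
            raise ValueError("first fragment of a fragmented message must set the L bit")
        if bool(flags & FLAG_M) != (idx < last):
            raise ValueError("M bit disagrees with fragment position")
        buf += pkt[offset:]
    if announced is not None and announced != len(buf):
        raise ValueError("reassembled size differs from the announced TLS Message Length")
    return bytes(buf)


def round_trips(tls_message_length: int, fragment_length: int) -> int:
    """RADIUS Access-Challenge/Access-Request round trips needed to carry the message."""
    return max(1, -(-tls_message_length // fragment_length))
```

With the default fragment length of 1020, a constructed 3000-byte server flight becomes three EAP packets (1020, 1020 and 960 data bytes), so three round trips; the first packet's EAP Length is 1030 (4-byte EAP header, Type, Flags, 4-byte TLS Message Length, 1020 data bytes), which leaves room for the RADIUS, UDP and IP headers inside a 1500-byte frame. Raising the fragment length to 4096 reduces the exchange to one round trip at the cost of packets that some access points cannot carry; the reassembler also rejects a fragment whose M bit disagrees with its position.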

