Hi

Thanks for the quick reply.
Hi,

We tend to use an anonym...@realm identity for the EAP outer ID, in our
current radius server this is defined in a users file and has the format
of anonymous Encrypted-Password=nevermatch is there a similar thing in
freeradius and where should this be defined ?
IIRC, this is just so that the user 'anonymous' is never treated as a real
user so no real challenges regarding this ID are sent to the LDAP or SQL 
backend?

We've never had to define an 'anonymous' username anywhere in FreeRADIUS
config for this to not be a problem....basically, if you have anonym...@realm
then FreeRADIUS suffix/realm/prefix code will note the realm part and proxy
it through..and if it's EAP it'll be proxied to the inner-tunnel (from then
on the InnerID is what matters!)

Thanks I will try and configure this.


In the eap.conf file under the ttls section it asks for "
default_eap_type = tls" if I am using a pap password for the inner that
comes from a ldap server should I comment this section out ? Or will the
server ignore it ?
that's the default EAP type and hence the one that is initially challenged... if
you want to optimize things then set it to your most commonly used method....we
have it as 'peap' here but you'll be EAP-TTLS/PAP'ing? so that'd be 'ttls'

I thought it should be ttls but I found this to be a little confusing

"The tunneled EAP session needs a default
                        #  EAP type which is separate from the one for
                        #  the non-tunneled EAP module.  Inside of the
                        #  TTLS tunnel, we recommend using EAP-MD5.
                        #  If the request does not contain an EAP
                        #  conversation, then this configuration entry
                        #  is ignored.

as I have  eap {
                         default_eap_type = ttls

Thanks

Colin

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
-----------------------------------------------------------------------


Colin Byelong                             Email: c.byel...@ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street                              Phone: 020 7679-2572
London WC1E 6BT
------------------------------------------------------------------------
