
Hirschmann BAT54-Rail User Manual

Hirschmann BAT54-Rail
548 pages
More services
BAT54-Rail/F.. Release 7.54 06/08, page 513

12.10 Extensions to the RADIUS server
- EAP/TTLS, defined in draft-ietf-pppext-eap-ttls-05.txt. TTLS is based on TLS; it does not make use of client certificates and it utilizes the existing TLS tunnel to authenticate the client. The LCOS RADIUS server supports the following TTLS methods:
  - PAP
  - CHAP
  - MSCHAP
  - MSCHAPv2
  - EAP, preferably EAP/MD5
- EAP/PEAPv0, defined in draft-kamath-pppext-peapv0-00.txt. Similar to TTLS, PEAP is based on TLS and works with an EAP negotiation inside the TLS tunnel.
Note: Although PEAP enables the use of any authentication method, the LCOS RADIUS server only supports MSCHAPv2 for tunneling.
At this time, authentication methods cannot be suppressed. The EAP supplicant and the RADIUS server negotiate the EAP method with the standard EAP mechanism. Clients requesting a non-EAP method will be rejected by the RADIUS server.
12.10.3 RADIUS forwarding
In the case of multi-layer EAP protocols such as TTLS or PEAP, the actual "internal" authentication can be carried out by a separate RADIUS server. Thus an existing RADIUS server can continue to be operated to provide user tables, even though it is not EAP(/TLS) capable itself. In this situation the TLS/TTLS/PEAP tunnel is managed from the LCOS RADIUS server.

The configuration of multi-layer protocols of this type is an element of a general method for the forwarding of RADIUS requests, whereby an LCOS RADIUS server can also be used as a RADIUS proxy. The concept of "realms" is the basis for request forwarding and the proxy function. A realm is a character string which defines the validity of a range of user accounts. Once defined, the realm is a suffix to the user name, separated by an @ character as follows:
user@realm
The realm can be seen as a pointer to the RADIUS server where the user account is managed. The realm is removed from the string prior to the search of the RADIUS server's user table. Realms allow entire networks which are mutually trustworthy to work with common RADIUS servers located in partner networks, and to authenticate users who move between these networks.
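
The realm handling described above, as an added example that is not part of the manual and is not LCOS code: a proxy splits user@realm, strips the realm before searching the local user table, and forwards requests for partner realms. The table contents, realm names, case-insensitive matching and the reject-on-unknown-realm choice are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample data (not from the manual): realm -> (server, port).
FORWARDING = {
    "partner.example": ("radius.partner.example", 1812),
    "branch.example": ("10.0.2.10", 1812),
}
LOCAL_REALMS = {"company.example"}  # realms answered from the local user table
LOCAL_USERS = {"alice", "bob"}      # user table, keyed WITHOUT the realm

REALM_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]{0,253}[a-z0-9])?$")

class Route(NamedTuple):
    action: str               # "local", "forward" or "reject"
    user: str                 # user name with the realm removed
    realm: Optional[str]
    target: Optional[tuple]   # forwarding destination, if any

def route_request(user_name: str) -> Route:
    """Decide how a RADIUS proxy handles a User-Name of the form user@realm."""
    # Refuse whitespace and control characters before any table lookup.
    if not user_name or any(c.isspace() or ord(c) < 0x20 for c in user_name):
        return Route("reject", "", None, None)
    # Split on the LAST '@' so the realm is always the suffix.
    user, sep, realm = user_name.rpartition("@")
    if not sep:                       # no realm given: plain local lookup
        user, realm = user_name, None
    elif not user or not REALM_RE.match(realm.lower()):
        return Route("reject", user, realm, None)
    else:
        realm = realm.lower()         # assumption: realms match case-insensitively
    if realm is None or realm in LOCAL_REALMS:
        # The realm is removed before the user table is searched.
        action = "local" if user in LOCAL_USERS else "reject"
        return Route(action, user, realm, None)
    if realm in FORWARDING:
        return Route("forward", user, realm, FORWARDING[realm])
    return Route("reject", user, realm, None)  # unknown realm: fail closed

if __name__ == "__main__":
    for name in ("alice@company.example", "carol@Partner.Example",
                 "bob", "mallory@unknown.example", "@partner.example"):
        print(f"{name!r:32} -> {route_request(name)}")
```

Splitting on the last @ keeps a name such as a@b@partner.example routed by its true suffix, and rejecting unknown or malformed realms prevents a request from falling through to a table it was never meant to reach.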
