I'm using the Funk client.
- the logon name is dasjlm
- authentication protocol is EAP/TTLS
- inner protocol is PAP
- the anonymous name is anonymous

I thought I was supposed to config radius to
- use LDAP to authenticate inner userids - ie: dasjlm.
- use a flat file to authenticate outer userids - ie: anonymous

Based on the logs that seems to be happening, but I'd appreciate a few comments to verify I've set things up correctly, as it appears the "EAPAnonymous" parm refers to INNER authentication.
I've included applicable parts of my config file below.
<Realm INNER>
<AuthBy FILE>
# Users must be in this file to get anywhere. In this example,
# it requires an entry for 'anonymous' which is the standard username
# in the outer requests, and it also requires an entry for the
# actual user name who is trying to connect (ie the 'Login name' entered
# in the Funk Odyssey 'Edit Profile Properties' page)
Filename /etc/radiator/users
EAPTLS_CertificateFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.cert
EAPTLS_CAFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.cert
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.key
EAPTLS_PrivateKeyPassword nnnnnnnnnn
AutoMPPEKeys
EAPType TTLS
</AuthBy>
</Realm>
<Realm DEFAULT>
<AuthBy LDAP2>
Host 129.100.2.39
AuthDN cn=directory manager
AuthPassword nnnnnnnnn
AuthAttrDef description,Role,request
BaseDN dc=its, dc=uwo, dc=ca
UsernameAttr uid
PasswordAttr userPassword
EAPType TTLS
EAPTLS_CAFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.cert
EAPTLS_CertificateFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.cert
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radiator/cert/ramp2.ramp.its.uwo.ca.key
EAPTLS_PrivateKeyPassword nnnnnnnn
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys
SSLeayTrace 4
# You can configure the User-Name that will be used for the inner
# authentication. Defaults to 'anonymous'. This can be useful
# when proxying the inner authentication. If there is a realm, it can
# be used to choose a local Realm to handle the inner authentication.
# %0 is replaced with the EAP identity
EAPAnonymous [EMAIL PROTECTED]
</AuthBy>
</Realm>
Thanks JLM
