17.6. EAP TTLS Previous topic Parent topic Child topic Next topic

Like EAP TLS (see Section 17.4. EAP TLS), EAP TTLS uses Public Key Infrastructure (PKI) digital certificates. Unlike TLS, it only uses a Server Certificate so the client can validate the server, and then establish a secure, encrypted communications channel with the RADIUS server. When this channel is established, it is used to tunnel conventional RADIUS attributes, such as User-Name, User-Password etc. to the RADIUS server. Radiator converts each of these so-called ‘inner requests’ into a new RADIUS request which can be authenticated by any supported AuthBy method. So EAP TTLS authentication happens in 2 phases following these basic steps:
  1. The EAP TTLS client and RADIUS server establish a communications channel via the RADIUS protocol.
  2. The RADIUS server sends its Server PKI Certificate to the client.
  3. The client verifies that the server certificate is valid and is the correct certificate for the RADIUS server it is communicating with. It uses the Root Certificate of the Certificate Authority that issued the Server Certificate to validate the Server Certificate. (Root Certificates for most Public Certificate Authorities are built in to most clients. If the Server Certificate was issued by a Private Certificate Authority, the client requires a copy of the Root Certificate to be installed in order to validate the Server Certificate.)
  4. If the client validates the server certificate, it then sends the real user name and password in a RADIUS request through the encrypted TLS tunnel. Any conventional RADIUS authentication system may be used depending on the client configuration, such as PAP, CHAP, MSCHAP, MSCHAPV2 etc.
  5. Radiator converts this ‘inner’ request into a new RADIUS request and dispatches it to the first matching Realm or Handler clause, where it can be handled by one or more AuthBy clauses. To assist in discriminating TTLS inner requests, each inner request is tagged with the pseudo-attribute TunnelledByTTLS set to 1.
  6. The result of the inner authentication is sent back to the client through the TLS tunnel.
In order to use EAP TTLS, you must install a unique Server Certificate on your RADIUS server host, and configure Radiator to use it. For more information about Public and Private certificates and how to obtain them, see Section 17.4. EAP TLS. EAP TTLS does support dynamic WEP keys.
You can configure Radiator to handle the inner and outer requests in separate Handler or Realm clauses. You can also configure Radiator to proxy the inner RADIUS requests to another RADIUS server, which means that Radiator can server as a gateway between EAP TTLS clients and a non-EAP enabled RADIUS server.