Like EAP TLS (see Section 17.4. EAP TLS), EAP TTLS uses Public Key Infrastructure (PKI) digital certificates. Unlike EAP TLS, it uses only a Server Certificate, so that the client can validate the server and then establish a secure, encrypted communications channel with the RADIUS server. Once this channel is established, it is used to tunnel conventional RADIUS attributes, such as User-Name, User-Password, etc., to the RADIUS server. Radiator converts each of these so-called ‘inner requests’ into a new RADIUS request, which can be authenticated by any supported AuthBy method. EAP TTLS authentication therefore happens in two phases, following these basic steps:
- The EAP TTLS client and RADIUS server establish a communications channel via the RADIUS protocol.
- The RADIUS server sends its Server PKI Certificate to the client.
- The client verifies that the server certificate is valid and is the correct certificate for the RADIUS server it is communicating with. It uses the Root Certificate of the Certificate Authority that issued the Server Certificate to validate the Server Certificate. (Root Certificates for most Public Certificate Authorities are built in to most clients. If the Server Certificate was issued by a Private Certificate Authority, the client requires a copy of the Root Certificate to be installed in order to validate the Server Certificate.)
- If the client validates the server certificate, it then sends the real user name and password in a RADIUS request through the encrypted TLS tunnel. Any conventional RADIUS authentication system may be used, depending on the client configuration, such as PAP, CHAP, MSCHAP, MSCHAPV2, etc.
- Radiator converts this ‘inner’ request into a new RADIUS request and dispatches it to the first matching Realm or Handler clause, where it can be handled by one or more AuthBy clauses. To assist in discriminating TTLS inner requests, each inner request is tagged with the pseudo-attribute TunnelledByTTLS set to 1.
- The result of the inner authentication is sent back to the client through the TLS tunnel.
In order to use EAP TTLS, you must install a unique Server Certificate on your RADIUS server host, and configure Radiator to use it. For more information about Public and Private certificates and how to obtain them, see Section 17.4. EAP TLS. EAP TTLS does support dynamic WEP keys.
You can configure Radiator to handle the inner and outer requests in separate Handler or Realm clauses. You can also configure Radiator to proxy the inner RADIUS requests to another RADIUS server, which means that Radiator can serve as a gateway between EAP TTLS clients and a non-EAP enabled RADIUS server.
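The following configuration is an added example and is not taken from the Radiator manual or its distributed sample files. It shows the two-Handler layout described above: an outer Handler that terminates the EAP TTLS tunnel using only a server certificate, and an inner Handler that matches on the TunnelledByTTLS pseudo-attribute and proxies the decrypted inner request to a non-EAP RADIUS server. The client address, proxy host, shared secrets, certificate file names and key passphrase are placeholders that you must replace with your own values.

```apacheconf
# Added example configuration (not from the Radiator manual).
# Global settings: %D below expands to DbDir.
Foreground
LogStdout
LogDir      /var/log/radiator
DbDir       /etc/radiator
Trace       3

# The NAS or wireless controller that sends the outer EAP requests.
# Address and secret are placeholders.
<Client 192.0.2.10>
    Secret      CHANGE-ME-nas-shared-secret
</Client>

# Inner Handler. Only requests that Radiator itself extracted from a TTLS
# tunnel carry TunnelledByTTLS=1, so a plain-text User-Password sent
# directly by a NAS can never match this clause. It must appear before
# the catch-all Handler, because Radiator uses the first matching Handler.
<Handler TunnelledByTTLS=1>
    # Forward the inner PAP/CHAP/MSCHAP/MSCHAPV2 request to a legacy
    # RADIUS server that has no EAP support (placeholder host and secret).
    <AuthBy RADIUS>
        Host        198.51.100.20
        Secret      CHANGE-ME-proxy-shared-secret
        AuthPort    1812
        AcctPort    1813
    </AuthBy>
</Handler>

# Outer Handler: every other request, i.e. the EAP requests from the NAS.
# AuthBy FILE carries the EAP parameters; the users file is referenced but
# the outer (anonymous) identity does not need an entry in it for TTLS.
<Handler>
    <AuthBy FILE>
        Filename    %D/users
        EAPType     TTLS
        # Only a server certificate is presented; no client certificate
        # is requested. File names are placeholders.
        EAPTLS_CAFile               %D/certificates/ca.pem
        EAPTLS_CertificateFile      %D/certificates/server-cert.pem
        EAPTLS_CertificateType      PEM
        EAPTLS_PrivateKeyFile       %D/certificates/server-key.pem
        EAPTLS_PrivateKeyPassword   CHANGE-ME-key-passphrase
        EAPTLS_MaxFragmentSize      1024
        # Return MPPE keys to the NAS so it can derive dynamic link keys.
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

Because the inner Handler is selected purely on TunnelledByTTLS=1, the legacy server behind it only ever sees credentials that arrived through a tunnel whose server certificate the client accepted. If you instead want Radiator to authenticate the inner request locally, replace the AuthBy RADIUS clause with any other AuthBy (for example AuthBy FILE or AuthBy SQL) and leave the outer Handler unchanged.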