3.10.1. EAPType

This optional parameter specifies which EAP authentication methods are permitted when EAP authentication is requested by the NAS. See RFCs 3748, 5216, and 2433 for more details. When an EAP identity request is received, Radiator replies with the first EAP type given. If the NAS requests another type, it is permitted only if it appears in the EAPType list. EAPType is ignored and has no effect unless EAP authentication is requested. This parameter is not set by default, which means that Radiator does not perform EAP authentication by default. The allowed values for EAPType are given in the following table.

Table 6. Allowed values for EAPType

| EAPType | Explanation |
|---|---|
| MD5 | This is the default value. Use MD5-Challenge as per RFC 3748. This can be used with any authentication method that provides a plaintext password, such as <AuthBy FILE>, <AuthBy SQL>, and <AuthBy LDAP2>. See goodies/eap_md5.cfg for example configuration. MD5-Challenge is an old alias for MD5. |
| OTP | Use One-time-password authentication as per RFC 3748. This requires a one-time password authenticator such as <AuthBy OTP>. One-Time-Password is an old alias for OTP. |
| GTC | Use Generic Token authentication as per RFC 3748. This requires a token-based authenticator such as <AuthBy OTP>, <AuthBy ACE>, or <AuthBy RSAAM>. Generic-Token is an old alias for GTC. |
| TLS | Use Transport Layer Security (TLS). This can be used with any authentication method. TLS checks that the client certificate is valid and has a short enough certificate chain to the root certificate. It requires an SSL certificate for the server and one on each client requiring authentication. See goodies/eap_tls.cfg for example configuration. |
| TTLS | Use Tunnelled TLS as required by Funk Odyssey wireless clients. This can be used with any authentication method. TTLS does not usually involve a client certificate, but the client may be configured to check the server's SSL certificate. See goodies/eap_ttls.cfg for example configuration. |
| PEAP | Use PEAP tunnel as used by Windows XP and others. This can be used with any authentication method. See goodies/eap_peap.cfg for example configuration. |
| LEAP | This is compatible with Cisco LEAP authentication, a proprietary authentication protocol. LEAP requires an authenticator that supplies plaintext passwords, such as <AuthBy FILE>, <AuthBy SQL>, or <AuthBy LDAP2>, or MSCHAPV2, such as <AuthBy LSA>. |
| SIM | Use EAP-SIM which authenticates against SIM cards. This requires the additional EAP-SIM bundle from Radiator Software. |
| AKA | Use EAP-AKA. This requires the additional EAP-SIM bundle from Radiator Software, which contains support for EAP-AKA. |
| AKA-PRIME | Use EAP-AKA'. This requires the additional EAP-SIM bundle from Radiator Software, which contains support for EAP-AKA'. |
| MSCHAP-V2 | Use EAP-MSCHAPV2, which is commonly tunneled inside PEAP. |
| TNC | Support EAP-TNC, a protocol for assessing the security posture of end points. |
| FAST | Use EAP-FAST, a rarely-used protocol from Cisco. |
| PAX | Use EAP-PAX (Password Authenticated Exchange). |
| PSK | Use EAP-PSK (Pre-Shared Key). |
| PWD | Use EAP-pwd, a method which uses a shared password for authentication. |
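
The selection rule described in this section (first listed type is offered, any other type is permitted only if it is in the list) can be modelled as follows. This is an added example, not Radiator code: the function names are hypothetical, the sample list is constructed, and the configured value is assumed to be already split into an ordered list of names.

```python
# Added illustration of the selection rule in this section; not Radiator code.
# Function names are hypothetical.

# Allowed values from Table 6.
ALLOWED = {
    "MD5", "OTP", "GTC", "TLS", "TTLS", "PEAP", "LEAP", "SIM", "AKA",
    "AKA-PRIME", "MSCHAP-V2", "TNC", "FAST", "PAX", "PSK", "PWD",
}
# Old aliases named in Table 6.
ALIASES = {"MD5-Challenge": "MD5", "One-Time-Password": "OTP",
           "Generic-Token": "GTC"}


def normalize(eap_types):
    """Resolve old aliases, reject names absent from Table 6, keep order."""
    result = []
    for name in eap_types:
        canonical = ALIASES.get(name, name)
        if canonical not in ALLOWED:
            raise ValueError(f"not an allowed EAPType value: {name!r}")
        if canonical not in result:
            result.append(canonical)
    return result


def negotiate(eap_types, requested=None):
    """Return the EAP type that ends up in use, or None.

    eap_types: configured list, in order (empty = parameter not set).
    requested: type asked for instead of the first offer, if any.
    """
    types = normalize(eap_types)
    if not types:
        return None                      # EAPType unset: no EAP authentication
    if requested is None:
        return types[0]                  # first configured type is offered
    wanted = ALIASES.get(requested, requested)
    return wanted if wanted in types else None   # only listed types permitted


if __name__ == "__main__":
    configured = ["PEAP", "TTLS", "MD5-Challenge"]   # constructed sample list
    for ask in (None, "TTLS", "MD5", "LEAP"):
        print(f"requested={ask!r:8} -> {negotiate(configured, ask)!r}")
```

Because any listed type can be selected, the list is the full set of permitted methods; the order only decides which one is offered first.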