3.8.1. EAPType

This optional parameter specifies which EAP authentication methods are permitted when EAP authentication is requested by the NAS. See RFCs 3748, 5216, and 2433 for more details. When an EAP identity request is received, Radiator replies with the first EAP type given. If the NAS requests another type, that type is permitted only if it appears in the EAPType list. EAPType is ignored and has no effect unless EAP authentication is requested. The allowed values for EAPType are given in the following table.

Table 6. Allowed values for EAPType

| EAPType | Explanation |
| --- | --- |
| MD5, MD5-Challenge | This is the default value. Use MD5-Challenge as per RFC 3748. This can be used with any authentication method that provides a plaintext password, such as <AuthBy FILE>, <AuthBy SQL>, and <AuthBy LDAP>. See goodies/eap_md5.cfg for example configuration. |
| One-Time-Password | Use One-time-password authentication as per RFC 3748. This requires a one-time password authenticator such as <AuthBy OPIE> or <AuthBy OTP>. |
| Generic-Token | Use Generic Token authentication as per RFC 3748. This requires a token-based authenticator such as <AuthBy OPIE>, <AuthBy OTP>, <AuthBy ACE>, or <AuthBy RSAMOBILE>. |
| TLS | Use Transport Layer Security (TLS). This can be used with any authentication method. TLS checks that the client certificate is valid and has a short enough certificate chain to the root certificate. It requires an SSL certificate for the server and one on each client requiring authentication. See goodies/eap_tls.cfg for example configuration. |
| TTLS | Use Tunnelled TLS as required by Funk Odyssey wireless clients. This can be used with any authentication method. TTLS does not usually involve a client certificate, but the client may be configured to check the server's SSL certificate. See goodies/eap_ttls.cfg for example configuration. |
| PEAP | Use PEAP tunnel as used by Windows XP and others. This can be used with any authentication method. See goodies/eap_peap.cfg for example configuration. |
| LEAP | This is compatible with Cisco LEAP authentication, a proprietary authentication protocol. LEAP requires an authenticator that supplies plaintext passwords, such as <AuthBy FILE>, <AuthBy SQL>, or <AuthBy LDAP>, or MSCHAPV2, such as <AuthBy LSA>. |
| SIM | Use EAP-SIM, which authenticates against SIM cards. This requires the additional EAP-SIM bundle from Open System Consultants. |
| AKA | Use EAP-AKA. This requires the additional EAP-SIM bundle from Open System Consultants, which contains support for EAP-AKA. |
| AKA-PRIME | Use EAP-AKA'. This requires the additional EAP-SIM bundle from Open System Consultants, which contains support for EAP-AKA'. |
| MSCHAP-V2 | Use EAP-MSCHAPV2, which is commonly tunneled inside PEAP. |
| TNC | Support EAP-TNC, a protocol for assessing the security posture of end points. |
| FAST | Use EAP-FAST, a rarely used protocol from Cisco. |
| PAX | Use EAP-PAX (Password Authenticated Exchange). |
| PSK | Use EAP-PSK (Pre-Shared Key). |
| PWD | Use EAP-pwd, a method which uses a shared password for authentication. |
EAPType is not set by default, which means that Radiator does not perform EAP authentication by default.
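
The selection rule described above (first listed type is offered, another type is permitted only if it is in the list), as an added Python example that is not Radiator's own code. The function names are hypothetical, the method numbers come from the IANA EAP registry, and two points are assumptions: that EAPType names are separated by commas or whitespace, and that the peer's order of preference decides when a Nak lists several permitted methods.

```python
import re
import struct

# EAP method numbers (IANA EAP registry) for the EAPType names in Table 6.
EAP_NUMBERS = {
    "MD5": 4, "MD5-CHALLENGE": 4, "ONE-TIME-PASSWORD": 5, "GENERIC-TOKEN": 6,
    "TLS": 13, "LEAP": 17, "SIM": 18, "TTLS": 21, "AKA": 23, "PEAP": 25,
    "MSCHAP-V2": 26, "TNC": 38, "FAST": 43, "PAX": 46, "PSK": 47,
    "AKA-PRIME": 50, "PWD": 52,
}
EAP_RESPONSE, EAP_NAK = 2, 3  # RFC 3748 code and type numbers


def parse_eaptype(value):
    """Turn an EAPType value into an ordered list of EAP method numbers."""
    # Assumption: names are separated by commas and/or whitespace.
    names = [n.upper() for n in re.split(r"[,\s]+", value.strip()) if n]
    unknown = [n for n in names if n not in EAP_NUMBERS]
    if unknown:
        raise ValueError("not an allowed EAPType value: " + ", ".join(unknown))
    return [EAP_NUMBERS[n] for n in names]


def first_offer(allowed):
    """Method proposed after the identity exchange; None if EAPType is unset."""
    return allowed[0] if allowed else None


def nak_types(packet):
    """Desired method numbers carried in an EAP-Response/Nak packet."""
    if len(packet) < 6:
        raise ValueError("too short for a Nak")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE or packet[4] != EAP_NAK or not 6 <= length <= len(packet):
        raise ValueError("not a well-formed EAP-Response/Nak")
    return list(packet[5:length])


def handle_nak(allowed, wanted):
    """Method to continue with after a Nak, or None to reject the peer."""
    # Assumption: the peer's order of preference decides between permitted methods.
    return next((t for t in wanted if t in allowed), None)


# Constructed sample: tunnelled methods only; the peer Naks and asks for
# MD5-Challenge (4) first, then TTLS (21).
ALLOWED = parse_eaptype("PEAP, TTLS, TLS")
SAMPLE_NAK = bytes([2, 1, 0, 7, 3, 4, 21])
```

With this list, `handle_nak(ALLOWED, nak_types(SAMPLE_NAK))` skips MD5-Challenge because it is not listed and continues with TTLS; a Nak naming only unlisted methods returns `None`.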