rlm_eap_ttls

Synopsis

The TTLS module implements the EAP-TTLS protocol, which can be described as EAP inside of Diameter, inside of TLS, inside of EAP, inside of RADIUS.

Surprisingly, it works quite well.

Processing Sections

None. This is a sub-module of eap, and cannot be used on its own.

Expansions

None.

Directives

copy_request_to_tunnel
Syntax

copy_request_to_tunnel = boolean

Default

no

Description

The tunneled authentication request does not usually contain useful attributes like Calling-Station-Id, etc. These attributes are outside of the tunnel. By setting this configuration entry to yes, any attribute which is not in the tunneled authentication request, but which is available outside of the tunnel, is copied to the tunneled request.

This directive should be set to yes only for compatibility. In version 2 and later, the outer attributes can be referred to from the inner session, by using outer.request:Attribute-Name. See the unlang documentation for more information on attribute references.

allowed values: {no, yes}

default_eap_type
Syntax

default_eap_type = string

Default

md5

Description

The tunneled EAP session needs a default EAP type which is separate from the one for the non-tunneled EAP module. Inside of the TTLS tunnel, we recommend using EAP-MD5. If the request does not contain an EAP conversation, then this configuration entry is ignored.

include_length
Syntax

include_length = boolean

Default

yes

Description

This directive has the same meaning as, and overrides, the field of the same name in the tls configuration.

require_client_cert
Syntax

require_client_cert = boolean

Default

yes

Description

Unlike EAP-TLS, EAP-TTLS does not require a client certificate. However, you can require one by setting this option to yes. You can also override this option for a single request by setting EAP-TLS-Require-Client-Cert = Yes in the control items for that request.

tls
Syntax

tls = string

Default

tls_common

Description

Points to the common TLS configuration, which is documented in tls-common.

use_tunneled_reply
Syntax

use_tunneled_reply = boolean

Default

no

Description

The reply attributes sent to the NAS are usually based on the name of the user outside of the tunnel (usually anonymous). If you want to send the reply attributes based on the user name inside of the tunnel, then set this configuration entry to yes, and the reply to the NAS will be taken from the reply to the tunneled request.

allowed values: {no, yes}

virtual_server
Syntax

virtual_server = string

Default

inner-tunnel

Description

The inner tunneled request can be sent through a virtual server constructed specifically for this purpose. If this entry is commented out, the inner tunneled request will be sent through the virtual server that processed the outer request.
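The following is an added configuration example, not text from the rlm_eap_ttls manual page or from the FreeRADIUS distribution. It ties the directives above together: a ttls sub-module block, the inner-tunnel virtual server it hands the decrypted request to, an outer.request: reference used in place of copy_request_to_tunnel, and the per-request EAP-TLS-Require-Client-Cert control item. It assumes FreeRADIUS version 3 syntax for the tls-config block; the certificate paths, the contractors.example realm, the VLAN values and the users-file lookup are constructed placeholders.

```unlang
# Added example (not from the manual page). Version 3 syntax is assumed.
eap {
	default_eap_type = ttls

	# Shared TLS settings; the ttls block below points at this by name.
	tls-config tls_common {
		# constructed placeholder paths
		private_key_file = /etc/raddb/certs/server.pem
		certificate_file = /etc/raddb/certs/server.pem
		ca_file = /etc/raddb/certs/ca.pem
	}

	ttls {
		# Use the common TLS configuration defined above (page default: tls_common).
		tls = tls_common

		# Inner EAP type when the tunneled request carries an EAP conversation
		# (the page recommends EAP-MD5 inside the tunnel).
		default_eap_type = md5

		# Keep the page default: rather than copying every outer attribute into
		# the inner request, the inner-tunnel server references the ones it needs.
		copy_request_to_tunnel = no

		# Base the reply sent to the NAS on the inner (real) identity instead of
		# the outer (usually anonymous) one.
		use_tunneled_reply = yes

		# A client certificate is not needed for EAP-TTLS in this deployment;
		# the outer server below still demands one per request where required.
		require_client_cert = no

		include_length = yes

		# Send the decrypted inner request to the dedicated virtual server.
		virtual_server = inner-tunnel
	}
}

# Outer virtual server: the request arrives here first, before the tunnel is built.
server default {
	authorize {
		# Constructed policy: demand a client certificate only for one realm,
		# using the control item the page documents.
		if (User-Name =~ /@contractors\.example$/) {
			update control {
				EAP-TLS-Require-Client-Cert = Yes
			}
		}
		eap
	}
	authenticate {
		eap
	}
}

# Inner virtual server: sees only the attributes inside the TLS tunnel, unless
# copy_request_to_tunnel = yes or the outer ones are referenced explicitly.
server inner-tunnel {
	authorize {
		# Selective alternative to copy_request_to_tunnel: bring in just the
		# outer Calling-Station-Id so inner policies and logs can see it.
		if (outer.request:Calling-Station-Id) {
			update request {
				Calling-Station-Id := "%{outer.request:Calling-Station-Id}"
			}
		}
		eap {
			ok = return
		}
		# constructed: look up the inner (real) user name in the users file
		files
	}
	authenticate {
		eap
	}
	post-auth {
		# Because use_tunneled_reply = yes, these inner reply attributes are
		# what the NAS receives in the outer Access-Accept (constructed values).
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "100"
		}
	}
}
```

The point of the inner-tunnel authorize block is that the outer request (Calling-Station-Id, NAS-Identifier and so on) is still reachable from the inner session without copying it wholesale; only the attributes a policy actually needs are pulled in, and the reply that reaches the NAS is derived from the authenticated inner identity rather than the anonymous outer one.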