rlm_eap_ttls

copy_request_to_tunnel = boolean

no

The tunneled authentication request does not usually contain useful attributes like Calling-Station-Id, etc. These attributes are outside of the tunnel. By setting this configuration entry to yes, any attribute which is not in the tunneled authentication request, but which is available outside of the tunnel, is copied to the tunneled request.

default_eap_type = string

md5

The tunneled EAP session needs a default EAP type which is separate from the one for the non-tunneled EAP module. Inside of the TTLS tunnel, we recommend using EAP-MD5. If the request does not contain an EAP conversation, then this configuration entry is ignored.

include_length = boolean

yes

This common has the same meaning, the same overwrites, and the same field as the tls configuration.

require_client_cert = boolean

yes

Unlike EAP-TLS, EAP-TTLS does not require a client certificate. However, you can require one by setting the following option. You can also override this option by setting EAP-TLS-Require-Client-Cert = Yes in the control items for a request.

tls = string

Points to the common TLS configuration, which is documented in tls-common.

use_tunneled_reply = boolean

no

The reply attributes sent to the NAS are usually based on the name of the user outside of the tunnel (usually anonymous). If you want to send the reply attributes based on the user name inside of the tunnel, then set this configuration entry to yes, and the reply to the NAS will be taken from the reply to the tunnelled request. allowed values: {no, yes}

virtual_server = string

inner-tunnel

The inner tunnelled request can be sent through a virtual server constructed specifically for this purpose. If this entry is commented out, the inner tunnelled request will be sent through the virtual server that processed the outer requests.