Dell PowerConnect W Clearpass 100 Software 3.7 Deployment Guide - Page 417
Optional EAP Module Options Continued
Table 53 Optional EAP Module Options (Continued)

| Function | Description |
| --- | --- |
| eap.default_eap_type = md5 | Invoke the default supported EAP type when EAP-Identity response is received. The incoming EAP messages DO NOT specify which EAP type they will be using, so it MUST be set here. Only one default EAP type may be used at a time. If the EAP-Type attribute is set by another module, then that EAP type takes precedence over the default type configured here. |
| eap.timer_expire = 60 | A list is maintained to correlate EAP-Response packets with EAP-Request packets. After a configurable length of time, entries in the list expire, and are deleted. |
| eap.ignore_unknown_eap_types = no | There are many EAP types, but the server has support for only a limited subset. If the server receives a request for an EAP type it does not support, then it normally rejects the request. By setting this configuration to "yes", you can tell the server to instead keep processing the request. Another module MUST then be configured to proxy the request to another RADIUS server which supports that EAP type. If another module is NOT configured to handle the request, then the request will still end up being rejected. |
| eap.cisco_accounting_username_bug = no | Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given a User-Name attribute in an Access-Accept, it copies one more byte than it should. Work around this issue by adding an extra zero byte. |
| module.eap_md5 = yes | Enables "md5" EAP type. EAP-MD5 authentication is not recommended for wireless connections. It is insecure, and does not provide for dynamic WEP keys. |
| module.eap_leap = yes | Cisco LEAP. LEAP is not recommended for use in new deployments. Cisco LEAP uses the MS-CHAP algorithm (but not the MS-CHAP attributes) to perform its authentication. As a result, LEAP requires access to the plain-text User-Password, or the NT-Password attributes. "System" authentication is impossible with LEAP. |
| module.eap_gtc = yes | Generic Token Card. Currently, this is only permitted inside of EAP-TTLS, or EAP-PEAP. The module "challenges" the user with text, and the response from the user is taken to be the User-Password. Proxying the tunneled EAP-GTC session is a bad idea: the user's password will go over the wire in plain text, for anyone to see. |
| eap.gtc.challenge = "Password: " | The default challenge string, which many clients ignore. |
| eap.gtc.auth_type = PAP | The plain-text response which comes back is put into a User-Password attribute, and passed to another module for authentication. This allows the EAP-GTC response to be checked against plain-text, or encrypted passwords. If you specify "Local" instead of "PAP", then the module will look for a User-Password configured for the request, and do the authentication itself. |

Amigopod 3.7 | Deployment Guide Reference | 417
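The following audit script is an added example, not part of the Deployment Guide or the product: it reads option text in the `name = value` form used in Table 53 and reports the settings the table itself describes as weak or conditional. The function names, the rule list and the sample text are constructed for illustration, and it assumes the options are available as plain text, one per line.

```python
import re

# (option, risky value, reason paraphrased from Table 53); list is illustrative
RULES = [
    ("eap.default_eap_type", "md5",
     "default EAP type is md5, which the table calls insecure"),
    ("module.eap_md5", "yes",
     "EAP-MD5 enabled: not recommended for wireless, no dynamic WEP keys"),
    ("module.eap_leap", "yes",
     "LEAP enabled: not recommended for new deployments, needs the "
     "plain-text User-Password or NT-Password"),
    ("module.eap_gtc", "yes",
     "EAP-GTC enabled: keep it inside EAP-TTLS/EAP-PEAP and do not proxy "
     "the tunneled session (password would cross the wire in plain text)"),
    ("eap.ignore_unknown_eap_types", "yes",
     "unknown EAP types kept: another module must proxy them, otherwise "
     "the request is still rejected"),
]
OPTION = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$')

def parse_options(text):
    """Return {name: value} for every 'name = value' line in text."""
    opts = {}
    for line in text.splitlines():
        m = OPTION.match(line)
        if not m:
            continue  # blank lines or anything not in name = value form
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop surrounding quotes, keep inner spaces
        opts[m.group(1)] = value
    return opts

def audit(text):
    """Return [(option, reason)] for each rule whose risky value is set."""
    opts = parse_options(text)
    return [(name, reason) for name, risky, reason in RULES
            if opts.get(name, "").lower() == risky]

# Constructed sample: the values exactly as they appear in Table 53.
SAMPLE = '''eap.default_eap_type = md5
eap.ignore_unknown_eap_types = no
module.eap_md5 = yes
module.eap_leap = yes
module.eap_gtc = yes
eap.gtc.challenge = "Password: "
eap.gtc.auth_type= PAP
'''

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```

Run against the values shown in the table, it reports four findings; `eap.ignore_unknown_eap_types = no` is not flagged.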