13.28 RADIUS EAP-TTLS-PAP Options

IMPORTANT: The RADIUS EAP-TTLS-PAP Options policy is not available in the Advanced Authentication as a Service (SaaS) version.

In this policy, you can configure the Advanced Authentication server to support the secure EAP-TTLS/PAP communication for RADIUS authentication.

In the EAP-TTLS with PAP protocol, when a user tries to connect to the network, the client initiates communication with the network and accepts the network only after mutual authentication (server to client as well as client to server).

After the client identifies and validates the server certificate, the user’s credentials are sent through an encrypted EAP tunnel to the network for validation.

With this policy, you can implement the EAP-TTLS-PAP protocol for RADIUS authentication and protect against eavesdropping, because the user’s identity (user name and password) is passed through the encrypted tunnel.

Use default settings is enabled in this policy by default, and the Advanced Authentication server uses the auto-generated server certificate for RADIUS channel encryption.

To configure RADIUS EAP-TTLS-PAP options, perform the following steps:

  1. Set Use default settings to OFF to allow the Advanced Authentication server to use a valid CA certificate for RADIUS authentication.

  2. Click Choose file adjacent to CA certificate and upload a valid certificate authority certificate in .pem or .crt format.

  3. Click Choose file adjacent to Server certificate with key and upload a valid server certificate, together with its private key, in .pem or .crt format.

    NOTE: You can generate a trusted server certificate using a FreeRADIUS server. For more information, see TTLS. To understand the different attributes of a certificate, see Certificates.

  4. In Private key password, specify the password that decrypts the server private key.

  5. Set Require client certificate to ON to make the RADIUS server validate the client certificate when establishing the secured connection. By default, Require client certificate is set to OFF and the RADIUS server does not validate the client certificate during RADIUS authentication. Click Save.

After you save the configuration, view the RADIUS Server Log and verify that the configuration is correct. If the log displays the message Ready to process request, the configuration is valid.

The following table describes the possible error messages in the RADIUS Server Log and their possible causes:

| Error Message | Possible Cause |
| --- | --- |
| Instantiation failed for module eap | The certificate or the password key is incorrect. |
| Failed reading private key file | Incorrect private key. |
| Failed reading Trusted root CA list | The uploaded certificate file is not valid. |
| no start line | Invalid server certificate, or the certificate is not encrypted using a private key. |
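As an added example (not part of the product documentation), the following Python script triages RADIUS Server Log lines against the ready marker and the error messages in the table above; the sample log lines are constructed, not real server output.

```python
"""Triage RADIUS Server Log lines against the documented EAP-TTLS-PAP messages."""

# Error messages from the table above, mapped to the documented possible cause.
KNOWN_ERRORS = {
    "Instantiation failed for module eap": "The certificate or the password key is incorrect.",
    "Failed reading private key file": "Incorrect private key.",
    "Failed reading Trusted root CA list": "The uploaded certificate file is not valid.",
    "no start line": "Invalid server certificate, or the certificate is not encrypted using a private key.",
}

# A log containing this text means the server accepted the uploaded certificates and key.
READY_MARKER = "Ready to process request"


def triage_radius_log(lines):
    """Return {'ready': bool, 'findings': [(line_no, message, cause), ...]}.

    Matching is a case-insensitive substring test, because timestamps and
    module prefixes in front of the message vary between server versions.
    Findings are returned in log order, so the first one is usually the root cause
    (for example 'no start line' precedes 'Instantiation failed for module eap').
    """
    findings = []
    ready = False
    for line_no, line in enumerate(lines, start=1):
        lowered = line.lower()
        if READY_MARKER.lower() in lowered:
            ready = True
        for message, cause in KNOWN_ERRORS.items():
            if message.lower() in lowered:
                findings.append((line_no, message, cause))
    return {"ready": ready, "findings": findings}


# Constructed sample logs (placeholder paths, not output captured from a real server).
SAMPLE_FAILED = [
    "Info: Loading EAP module configuration",
    "Error: tls: Failed reading private key file <server-cert-path>",
    "Error: PEM routines: no start line",
    "Error: Instantiation failed for module eap",
]
SAMPLE_OK = [
    "Info: Loading EAP module configuration",
    "Info: Ready to process requests",
]

if __name__ == "__main__":
    for name, log in (("failed", SAMPLE_FAILED), ("ok", SAMPLE_OK)):
        result = triage_radius_log(log)
        print(name, "ready" if result["ready"] else "NOT ready")
        for line_no, message, cause in result["findings"]:
            print(f"  line {line_no}: {message} -> {cause}")
```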