Table 62 Optional Eap Module Options - Aruba Networks PowerConnect W Clearpass 100 Software Deployment Manual

3.9 deployment guide

The following EAP module options are usually not required, as EAP configuration can be performed using the WebUI. For EAP documentation, see "EAP and 802.1X Authentication and Certificate Management" in the RADIUS Services chapter for further details.

Table 62 Optional EAP Module Options

| Function | Description |
| --- | --- |
| advanced.eap = 1 | Enable additional EAP types in the EAP Configuration form. |
| module.eap = yes | Extensible Authentication Protocol authentication. |
| eap.default_eap_type = md5 | Invoke the default supported EAP type when EAP-Identity response is received. The incoming EAP messages DO NOT specify which EAP type they will be using, so it MUST be set here. Only one default EAP type may be used at a time. If the EAP-Type attribute is set by another module, then that EAP type takes precedence over the default type configured here. |
| eap.timer_expire = 60 | A list is maintained to correlate EAP-Response packets with EAP-Request packets. After a configurable length of time, entries in the list expire, and are deleted. |
| eap.ignore_unknown_eap_types = no | There are many EAP types, but the server has support for only a limited subset. If the server receives a request for an EAP type it does not support, then it normally rejects the request. By setting this configuration to "yes", you can tell the server to instead keep processing the request. Another module MUST then be configured to proxy the request to another RADIUS server which supports that EAP type. If another module is NOT configured to handle the request, then the request will still end up being rejected. |
| eap.cisco_accounting_username_bug = no | Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given a User-Name attribute in an Access-Accept, it copies one more byte than it should. Work around this issue by adding an extra zero byte. |
| module.eap_md5 = yes | Enables "md5" EAP type. EAP-MD5 authentication is not recommended for wireless connections. It is insecure, and does not provide for dynamic WEP keys. |
| module.eap_leap = yes | Cisco LEAP. LEAP is not recommended for use in new deployments. Cisco LEAP uses the MS-CHAP algorithm (but not the MS-CHAP attributes) to perform its authentication. As a result, LEAP requires access to the plain-text User-Password, or the NT-Password attributes. "System" authentication is impossible with LEAP. |
| module.eap_gtc = yes | Generic Token Card. Currently, this is only permitted inside of EAP-TTLS, or EAP-PEAP. The module "challenges" the user with text, and the response from the user is taken to be the User-Password. Proxying the tunneled EAP-GTC session is a bad idea: the user's password will go over the wire in plain text, for anyone to see. |
| eap.gtc.challenge = "Password: " | The default challenge string, which many clients ignore. |
| eap.gtc.auth_type = PAP | The plain-text response which comes back is put into a User-Password attribute, and passed to another module for authentication. This allows the EAP-GTC response to be checked against plain-text, or encrypted passwords. If you specify "Local" instead of "PAP", then the module will look for a User-Password configured for the request, and do the authentication itself. |

ClearPass Guest 3.9 | Deployment Guide | Reference
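The following is an added example, not part of the Aruba guide: a small audit that parses options written as in Table 62 and reports the settings the Description column cautions against. It assumes one `name = value` option per line and treats an option as enabled only when it is explicitly set to `yes`; the function names are hypothetical.

```python
import re

# One "name = value" option per line, as the table writes them (assumed format).
OPTION_RE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*(?:"([^"]*)"|(\S+))\s*$')

def parse_options(text):
    """Return {name: value}; quoted values keep inner spaces ("Password: ")."""
    options = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return options

def audit_eap_options(options):
    """Return (option, finding) pairs based on the cautions in Table 62."""
    findings = []
    # Assumption: an option counts as enabled only when explicitly set to "yes".
    enabled = lambda name: options.get(name, "no").lower() == "yes"
    if enabled("module.eap_md5"):
        findings.append(("module.eap_md5", "EAP-MD5 is insecure and provides no dynamic WEP keys"))
    if options.get("eap.default_eap_type", "").lower() == "md5":
        findings.append(("eap.default_eap_type", "default EAP type is md5, not recommended for wireless"))
    if enabled("module.eap_leap"):
        findings.append(("module.eap_leap", "LEAP is not recommended for new deployments"))
    if enabled("eap.ignore_unknown_eap_types"):
        findings.append(("eap.ignore_unknown_eap_types", "unsupported EAP types need a proxy module or are still rejected"))
    if enabled("module.eap_gtc"):
        findings.append(("module.eap_gtc", "do not proxy tunneled EAP-GTC: the password would cross the wire in plain text"))
    return findings

# Constructed sample using the values shown in the table's Function column.
SAMPLE = '''
advanced.eap = 1
module.eap = yes
eap.default_eap_type = md5
eap.timer_expire = 60
eap.ignore_unknown_eap_types = no
module.eap_md5 = yes
module.eap_leap = yes
module.eap_gtc = yes
eap.gtc.challenge = "Password: "
eap.gtc.auth_type= PAP
'''

if __name__ == "__main__":
    for option, finding in audit_eap_options(parse_options(SAMPLE)):
        print(f"{option}: {finding}")
```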


This manual is also suitable for:

Clearpass guest 3.9
