- eap-tls
- Example action call
- eap-ttls
- Example action call for TTLS with PAP
- Example action call for TTLS with MSCHAPv2
- Example action call for TTLS with inner EAP-MSCHAPv2
- eap-peap
- Example action call
- eap-teap
- Example action call for TEAP with PAP
- Example action call for TEAP with inner EAP-MSCHAPv2
- tls
- Example action call
- Statements
Use the eap { ... } action to handle incoming EAP requests. Each method block handles one outer EAP type. TLS-based methods such as eap-tls, eap-ttls, eap-peap, and eap-teap define a tls { ... } block and can then run additional action calls for inner authentication or post-authentication processing.
Use eap { ... } to group one or more supported EAP methods.
Example action call:

```
@execute {
  eap {
    eap-tls {
      tls {
        certificate "EAP_SERVER_CERT";
        certificate_key "EAP_SERVER_KEY";
        client_ca_certificate "EAP_SERVER_CLIENT_CA";
        require_client_certificate true;
      }
    }
    eap-ttls {
      tls {
        certificate "EAP_SERVER_CERT";
        certificate_key "EAP_SERVER_KEY";
        require_client_certificate false;
      }
      @authentication {
        backend {
          name "JSON_USERS";
          query "FIND_USER";
        }
        pap;
      }
    }
  }
}
```
Use stronger methods first when you support multiple methods in the same policy.
eap-tls
Use eap-tls for certificate-based mutual authentication. The server presents its certificate, and the client must also present a valid certificate.
Example action call
```
@execute {
  eap {
    eap-tls {
      tls {
        certificate_key "EAP_SERVER_KEY";
        certificate "EAP_SERVER_CERT";
        client_ca_certificate "EAP_SERVER_CLIENT_CA";
        require_client_certificate true;
      }
      @post-authentication {
        invoke "LOG_AUTHENTICATION";
      }
    }
  }
}
```
eap-ttls
Use eap-ttls when you want a TLS tunnel with inner authentication. The supported inner methods are:
- pap
- mschapv2
- eap { eap-mschapv2 { ... } }
The outer server certificate is always validated by the client. The server does not require a client certificate in the tested TTLS examples.
Example action call for TTLS with PAP
```
@execute {
  eap {
    eap-ttls {
      tls {
        certificate_key "EAP_SERVER_KEY";
        certificate "EAP_SERVER_CERT";
        require_client_certificate false;
      }
      @authentication {
        backend {
          name "JSON_USERS";
          query "FIND_USER";
        }
        pap;
      }
      @post-authentication {
        invoke "LOG_AUTHENTICATION";
      }
    }
  }
}
```
Example action call for TTLS with MSCHAPv2
```
@execute {
  eap {
    eap-ttls {
      tls {
        certificate_key "EAP_SERVER_KEY";
        certificate "EAP_SERVER_CERT";
        require_client_certificate false;
      }
      @authentication {
        backend {
          name "JSON_USERS";
          query "FIND_USER";
        }
        mschapv2;
      }
      @post-authentication {
        invoke "LOG_AUTHENTICATION";
      }
    }
  }
}
```
Example action call for TTLS with inner EAP-MSCHAPv2
```
@execute {
  eap {
    eap-ttls {
      tls {
        certificate_key "EAP_SERVER_KEY";
        certificate "EAP_SERVER_CERT";
        require_client_certificate false;
      }
      @authentication {
        eap {
          eap-mschapv2 {
            @authentication {
              backend {
                name "JSON_USERS";
                query "FIND_USER";
              }
              mschapv2;
            }
          }
        }
      }
      @post-authentication {
        invoke "LOG_AUTHENTICATION";
      }
    }
  }
}
```
eap-peap
Use eap-peap for a TLS tunnel with inner EAP authentication.
Example action call
```
@execute {
  eap {
    eap-peap {
      tls {
        certificate_key "EAP_SERVER_KEY";
        certificate "EAP_SERVER_CERT";
        require_client_certificate false;
      }
      @authentication {
        eap {
          eap-mschapv2 {
            @authentication {
              backend {
                name "JSON_USERS";
                query "FIND_USER";
              }
              mschapv2;
            }
            @post-authentication {
              invoke "LOG_AUTHENTICATION";
            }
          }
        }
      }
    }
  }
}
```
eap-teap
Use eap-teap for Tunnel Extensible Authentication Protocol (TEAP). It supports these inner methods:
- pap
- mschapv2
- eap { eap-mschapv2 { ... } }
Example action call for TEAP with PAP
```
@execute {
  eap {
    eap-teap {
      tls {
        certificate_key "EAP_SERVER_KEY";
        certificate "EAP_SERVER_CERT";
        require_client_certificate false;
      }
      @authentication {
        eap-teap-identity-type user;
        challenge "Enter user password?";
        backend {
          name "JSON_USERS";
          query "FIND_USER";
        }
        pap;
      }
      @post-authentication {
        invoke "LOG_AUTHENTICATION";
      }
    }
  }
}
```
Example action call for TEAP with inner EAP-MSCHAPv2
```
@execute {
  eap {
    eap-teap {
      tls {
        certificate_key "EAP_SERVER_KEY";
        certificate "EAP_SERVER_CERT";
        require_client_certificate false;
      }
      @authentication {
        eap-teap-identity-type user;
        challenge "Enter user password?";
        backend {
          name "JSON_USERS";
          query "FIND_USER";
        }
        eap {
          eap-mschapv2 {
            @authentication {
              backend {
                name "JSON_USERS";
                query "FIND_USER";
              }
              mschapv2;
            }
          }
        }
      }
      @post-authentication {
        invoke "LOG_AUTHENTICATION";
      }
    }
  }
}
```
tls
The tls { ... } block is shared by the TLS-based EAP methods shown on this page.
Example action call
```
tls {
  certificate "EAP_SERVER_CERT";
  certificate_key "EAP_SERVER_KEY";
  # client_ca_certificate "EAP_SERVER_CLIENT_CA";
  # require_client_certificate false;
}
```
Statements
| Statement | Required | Notes |
|---|---|---|
| certificate | Yes | Server certificate reference. |
| certificate_key | Yes | Matching private key reference. |
| client_ca_certificate | No | Needed when validating client certificates. |
| require_client_certificate | No | Set to true for EAP-TLS. Commonly false for TTLS, PEAP, and TEAP password tunneling. |
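As an added check, not part of this page's configuration language or its server software: a small Python linter that parses the eap { ... } action syntax shown above and applies the Statements table together with the eap-tls rule from the eap-tls section (mutual authentication needs require_client_certificate true, which in turn needs client_ca_certificate). The tokenizer, the lint rules and the sample policy are constructed here; only the keyword names come from the page.

```python
import re
# Tokens of the eap { ... } action DSL shown on this page; '#' starts a comment.
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|#[^\n]*|[^\s{};"#]+')
TLS_METHODS = ("eap-tls", "eap-ttls", "eap-peap", "eap-teap")

def parse_block(tokens, pos=0):
    # Items are (word, args, children); children is None for a 'word args;' statement.
    items = []
    while pos < len(tokens) and tokens[pos] != "}":
        word, args, pos = tokens[pos], [], pos + 1
        while pos < len(tokens) and tokens[pos] not in ("{", "}", ";"):
            args.append(tokens[pos].strip('"'))
            pos += 1
        if pos < len(tokens) and tokens[pos] == "{":
            children, pos = parse_block(tokens, pos + 1)
            items.append((word, args, children))
            pos += 1  # step over the '}' that closed the child block
        else:
            items.append((word, args, None))
            pos += tokens[pos:pos + 1] == [";"]  # consume the ';' when present
    return items, pos

def lint_tls(method, tls_items):
    """Checks from the Statements table plus the eap-tls mutual-authentication rule."""
    stmts = {w: (a[0] if a else None) for w, a, k in tls_items if k is None}
    problems = [f"{method}: tls block is missing {s}"
                for s in ("certificate", "certificate_key") if s not in stmts]
    wants_client_cert = stmts.get("require_client_certificate") == "true"
    if method == "eap-tls" and not wants_client_cert:
        problems.append("eap-tls: require_client_certificate must be true")
    if (wants_client_cert or method == "eap-tls") and "client_ca_certificate" not in stmts:
        problems.append(f"{method}: client_ca_certificate needed to validate client certs")
    return problems

def lint_policy(text):
    """Lint the tls block of every TLS-based EAP method, in document order."""
    tokens = [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]
    problems, stack = [], parse_block(tokens)[0]
    while stack:
        word, _args, kids = stack.pop(0)
        for w, _a, k in (kids or []):
            if word in TLS_METHODS and w == "tls" and k is not None:
                problems.extend(lint_tls(word, k))
        stack = (kids or []) + stack
    return problems
# Constructed sample (not from the page): eap-tls forgot client_ca_certificate.
SAMPLE_POLICY = """@execute { eap {
  eap-tls { tls { certificate "EAP_SERVER_CERT"; certificate_key "EAP_SERVER_KEY";
                  require_client_certificate true; } }   # no client_ca_certificate
  eap-ttls { tls { certificate "EAP_SERVER_CERT"; certificate_key "EAP_SERVER_KEY";
                   require_client_certificate false; } @authentication { pap; } } } }"""
```

Running lint_policy(SAMPLE_POLICY) reports the missing client CA on the eap-tls block and nothing for the TTLS block, whose password tunnel legitimately leaves require_client_certificate false.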