162 lines
4.4 KiB
Plaintext
162 lines
4.4 KiB
Plaintext
# -*- text -*-
|
|
#
|
|
# $Id: 0a26c9c1672823e46219d831e2be18890450c2a7 $
|
|
|
|
#
|
|
# Sample configuration for an EAP module that occurs *inside*
|
|
# of a tunneled method. It is used to limit the EAP types that
|
|
# can occur inside of the inner tunnel.
|
|
#
|
|
# See also raddb/sites-available/inner-tunnel
|
|
#
|
|
# To use this module, edit raddb/sites-available/inner-tunnel, and
|
|
# replace the references to "eap" with "inner-eap".
|
|
#
|
|
# See raddb/eap.conf for full documentation on the meaning of the
|
|
# configuration entries here.
|
|
#
|
|
eap inner-eap {
|
|
# This is the best choice for PEAP.
|
|
default_eap_type = mschapv2
|
|
timer_expire = 60
|
|
|
|
# This should be the same as the outer eap "max sessions"
|
|
max_sessions = 2048
|
|
|
|
# Supported EAP-types
|
|
md5 {
|
|
}
|
|
|
|
gtc {
|
|
# The default challenge, which many clients
|
|
# ignore..
|
|
#challenge = "Password: "
|
|
|
|
auth_type = PAP
|
|
}
|
|
|
|
mschapv2 {
|
|
}
|
|
|
|
# No TTLS or PEAP configuration should be listed here.
|
|
|
|
## EAP-TLS
|
|
#
|
|
# You SHOULD use different certificates than are used
|
|
# for the outer EAP configuration!
|
|
#
|
|
# Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.
|
|
#
|
|
tls {
|
|
#
|
|
# These is used to simplify later configurations.
|
|
#
|
|
certdir = ${confdir}/certs
|
|
cadir = ${confdir}/certs
|
|
|
|
private_key_password = whatever
|
|
private_key_file = ${certdir}/server.pem
|
|
|
|
# If Private key & Certificate are located in
|
|
# the same file, then private_key_file &
|
|
# certificate_file must contain the same file
|
|
# name.
|
|
#
|
|
# If CA_file (below) is not used, then the
|
|
# certificate_file below MUST include not
|
|
# only the server certificate, but ALSO all
|
|
# of the CA certificates used to sign the
|
|
# server certificate.
|
|
certificate_file = ${certdir}/server.pem
|
|
|
|
# Trusted Root CA list
|
|
#
|
|
# ALL of the CA's in this list will be trusted
|
|
# to issue client certificates for authentication.
|
|
#
|
|
# In general, you should use self-signed
|
|
# certificates for 802.1x (EAP) authentication.
|
|
# In that case, this CA file should contain
|
|
# *one* CA certificate.
|
|
#
|
|
# This parameter is used only for EAP-TLS,
|
|
# when you issue client certificates. If you do
|
|
# not use client certificates, and you do not want
|
|
# to permit EAP-TLS authentication, then delete
|
|
# this configuration item.
|
|
CA_file = ${cadir}/ca.pem
|
|
|
|
#
|
|
# For DH cipher suites to work, you have to
|
|
# run OpenSSL to create the DH file first:
|
|
#
|
|
# openssl dhparam -out certs/dh 1024
|
|
#
|
|
dh_file = ${certdir}/dh
|
|
random_file = ${certdir}/random
|
|
|
|
#
|
|
# This can never exceed the size of a RADIUS
|
|
# packet (4096 bytes), and is preferably half
|
|
# that, to accomodate other attributes in
|
|
# RADIUS packet. On most APs the MAX packet
|
|
# length is configured between 1500 - 1600
|
|
# In these cases, fragment size should be
|
|
# 1024 or less.
|
|
#
|
|
# fragment_size = 1024
|
|
|
|
# include_length is a flag which is
|
|
# by default set to yes If set to
|
|
# yes, Total Length of the message is
|
|
# included in EVERY packet we send.
|
|
# If set to no, Total Length of the
|
|
# message is included ONLY in the
|
|
# First packet of a fragment series.
|
|
#
|
|
# include_length = yes
|
|
|
|
# Check the Certificate Revocation List
|
|
#
|
|
# 1) Copy CA certificates and CRLs to same directory.
|
|
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
|
|
# 'c_rehash' is OpenSSL's command.
|
|
# 3) uncomment the line below.
|
|
# 5) Restart radiusd
|
|
# check_crl = yes
|
|
# CA_path = /path/to/directory/with/ca_certs/and/crls/
|
|
|
|
#
|
|
# If check_cert_issuer is set, the value will
|
|
# be checked against the DN of the issuer in
|
|
# the client certificate. If the values do not
|
|
# match, the cerficate verification will fail,
|
|
# rejecting the user.
|
|
#
|
|
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
|
|
|
|
#
|
|
# If check_cert_cn is set, the value will
|
|
# be xlat'ed and checked against the CN
|
|
# in the client certificate. If the values
|
|
# do not match, the certificate verification
|
|
# will fail rejecting the user.
|
|
#
|
|
# This check is done only if the previous
|
|
# "check_cert_issuer" is not set, or if
|
|
# the check succeeds.
|
|
#
|
|
# check_cert_cn = %{User-Name}
|
|
#
|
|
# Set this option to specify the allowed
|
|
# TLS cipher suites. The format is listed
|
|
# in "man 1 ciphers".
|
|
cipher_list = "DEFAULT"
|
|
|
|
#
|
|
# The session resumption / fast reauthentication
|
|
# cache CANNOT be used for inner sessions.
|
|
#
|
|
}
|
|
}
|