| 4 |
- |
1 |
# -*- text -*-
|
|
|
2 |
##
|
|
|
3 |
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
|
|
|
4 |
##
|
| 34 |
- |
5 |
## $Id: 95bebe4d25ef13871fb201ba540ed008078dab07 $
|
| 4 |
- |
6 |
|
|
|
7 |
#######################################################################
|
|
|
8 |
#
|
|
|
9 |
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
|
|
|
10 |
# is smart enough to figure this out on its own. The most
|
|
|
11 |
# common side effect of setting 'Auth-Type := EAP' is that the
|
|
|
12 |
# users then cannot use ANY other authentication method.
|
|
|
13 |
#
|
|
|
14 |
# EAP types NOT listed here may be supported via the "eap2" module.
|
|
|
15 |
# See experimental.conf for documentation.
|
|
|
16 |
#
|
|
|
17 |
eap {
|
|
|
18 |
# Invoke the default supported EAP type when
|
|
|
19 |
# EAP-Identity response is received.
|
|
|
20 |
#
|
|
|
21 |
# The incoming EAP messages DO NOT specify which EAP
|
|
|
22 |
# type they will be using, so it MUST be set here.
|
|
|
23 |
#
|
|
|
24 |
# For now, only one default EAP type may be used at a time.
|
|
|
25 |
#
|
|
|
26 |
# If the EAP-Type attribute is set by another module,
|
|
|
27 |
# then that EAP type takes precedence over the
|
|
|
28 |
# default type configured here.
|
|
|
29 |
#
|
|
|
30 |
default_eap_type = md5
|
|
|
31 |
|
|
|
32 |
# A list is maintained to correlate EAP-Response
|
|
|
33 |
# packets with EAP-Request packets. After a
|
|
|
34 |
# configurable length of time, entries in the list
|
|
|
35 |
# expire, and are deleted.
|
|
|
36 |
#
|
|
|
37 |
timer_expire = 60
|
|
|
38 |
|
|
|
39 |
# There are many EAP types, but the server has support
|
|
|
40 |
# for only a limited subset. If the server receives
|
|
|
41 |
# a request for an EAP type it does not support, then
|
|
|
42 |
# it normally rejects the request. By setting this
|
|
|
43 |
# configuration to "yes", you can tell the server to
|
|
|
44 |
# instead keep processing the request. Another module
|
|
|
45 |
# MUST then be configured to proxy the request to
|
|
|
46 |
# another RADIUS server which supports that EAP type.
|
|
|
47 |
#
|
|
|
48 |
# If another module is NOT configured to handle the
|
|
|
49 |
# request, then the request will still end up being
|
|
|
50 |
# rejected.
|
|
|
51 |
ignore_unknown_eap_types = no
|
|
|
52 |
|
|
|
53 |
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
|
|
|
54 |
# a User-Name attribute in an Access-Accept, it copies one
|
|
|
55 |
# more byte than it should.
|
|
|
56 |
#
|
|
|
57 |
# We can work around it by configurably adding an extra
|
|
|
58 |
# zero byte.
|
|
|
59 |
cisco_accounting_username_bug = no
|
|
|
60 |
|
|
|
61 |
#
|
|
|
62 |
# Help prevent DoS attacks by limiting the number of
|
| 34 |
- |
63 |
# sessions that the server is tracking. For simplicity,
|
|
|
64 |
# this is taken from the "max_requests" directive in
|
|
|
65 |
# radiusd.conf.
|
|
|
66 |
max_sessions = ${max_requests}
|
| 4 |
- |
67 |
|
|
|
68 |
# Supported EAP-types
|
|
|
69 |
|
|
|
70 |
#
|
|
|
71 |
# We do NOT recommend using EAP-MD5 authentication
|
|
|
72 |
# for wireless connections. It is insecure, and does
|
|
|
73 |
# not provide for dynamic WEP keys.
|
|
|
74 |
#
|
|
|
75 |
md5 {
|
|
|
76 |
}
|
|
|
77 |
|
|
|
78 |
# Cisco LEAP
|
|
|
79 |
#
|
|
|
80 |
# We do not recommend using LEAP in new deployments. See:
|
|
|
81 |
# http://www.securiteam.com/tools/5TP012ACKE.html
|
|
|
82 |
#
|
|
|
83 |
# Cisco LEAP uses the MS-CHAP algorithm (but not
|
|
|
84 |
# the MS-CHAP attributes) to perform it's authentication.
|
|
|
85 |
#
|
|
|
86 |
# As a result, LEAP *requires* access to the plain-text
|
|
|
87 |
# User-Password, or the NT-Password attributes.
|
|
|
88 |
# 'System' authentication is impossible with LEAP.
|
|
|
89 |
#
|
|
|
90 |
leap {
|
|
|
91 |
}
|
|
|
92 |
|
|
|
93 |
# Generic Token Card.
|
|
|
94 |
#
|
|
|
95 |
# Currently, this is only permitted inside of EAP-TTLS,
|
|
|
96 |
# or EAP-PEAP. The module "challenges" the user with
|
|
|
97 |
# text, and the response from the user is taken to be
|
|
|
98 |
# the User-Password.
|
|
|
99 |
#
|
|
|
100 |
# Proxying the tunneled EAP-GTC session is a bad idea,
|
|
|
101 |
# the users password will go over the wire in plain-text,
|
|
|
102 |
# for anyone to see.
|
|
|
103 |
#
|
|
|
104 |
gtc {
|
|
|
105 |
# The default challenge, which many clients
|
|
|
106 |
# ignore..
|
|
|
107 |
#challenge = "Password: "
|
|
|
108 |
|
|
|
109 |
# The plain-text response which comes back
|
|
|
110 |
# is put into a User-Password attribute,
|
|
|
111 |
# and passed to another module for
|
|
|
112 |
# authentication. This allows the EAP-GTC
|
|
|
113 |
# response to be checked against plain-text,
|
|
|
114 |
# or crypt'd passwords.
|
|
|
115 |
#
|
|
|
116 |
# If you say "Local" instead of "PAP", then
|
|
|
117 |
# the module will look for a User-Password
|
|
|
118 |
# configured for the request, and do the
|
|
|
119 |
# authentication itself.
|
|
|
120 |
#
|
|
|
121 |
auth_type = PAP
|
|
|
122 |
}
|
|
|
123 |
|
|
|
124 |
## EAP-TLS
|
|
|
125 |
#
|
|
|
126 |
# See raddb/certs/README for additional comments
|
|
|
127 |
# on certificates.
|
|
|
128 |
#
|
|
|
129 |
# If OpenSSL was not found at the time the server was
|
|
|
130 |
# built, the "tls", "ttls", and "peap" sections will
|
|
|
131 |
# be ignored.
|
|
|
132 |
#
|
|
|
133 |
# Otherwise, when the server first starts in debugging
|
|
|
134 |
# mode, test certificates will be created. See the
|
|
|
135 |
# "make_cert_command" below for details, and the README
|
|
|
136 |
# file in raddb/certs
|
|
|
137 |
#
|
|
|
138 |
# These test certificates SHOULD NOT be used in a normal
|
|
|
139 |
# deployment. They are created only to make it easier
|
|
|
140 |
# to install the server, and to perform some simple
|
|
|
141 |
# tests with EAP-TLS, TTLS, or PEAP.
|
|
|
142 |
#
|
|
|
143 |
# See also:
|
|
|
144 |
#
|
|
|
145 |
# http://www.dslreports.com/forum/remark,9286052~mode=flat
|
|
|
146 |
#
|
|
|
147 |
# Note that you should NOT use a globally known CA here!
|
|
|
148 |
# e.g. using a Verisign cert as a "known CA" means that
|
|
|
149 |
# ANYONE who has a certificate signed by them can
|
|
|
150 |
# authenticate via EAP-TLS! This is likely not what you want.
|
|
|
151 |
tls {
|
|
|
152 |
#
|
|
|
153 |
# These is used to simplify later configurations.
|
|
|
154 |
#
|
|
|
155 |
certdir = ${confdir}/certs
|
|
|
156 |
cadir = ${confdir}/certs
|
|
|
157 |
|
|
|
158 |
private_key_password = whatever
|
|
|
159 |
private_key_file = ${certdir}/server.pem
|
|
|
160 |
|
|
|
161 |
# If Private key & Certificate are located in
|
|
|
162 |
# the same file, then private_key_file &
|
|
|
163 |
# certificate_file must contain the same file
|
|
|
164 |
# name.
|
|
|
165 |
#
|
|
|
166 |
# If CA_file (below) is not used, then the
|
|
|
167 |
# certificate_file below MUST include not
|
|
|
168 |
# only the server certificate, but ALSO all
|
|
|
169 |
# of the CA certificates used to sign the
|
|
|
170 |
# server certificate.
|
|
|
171 |
certificate_file = ${certdir}/server.pem
|
|
|
172 |
|
|
|
173 |
# Trusted Root CA list
|
|
|
174 |
#
|
|
|
175 |
# ALL of the CA's in this list will be trusted
|
|
|
176 |
# to issue client certificates for authentication.
|
|
|
177 |
#
|
|
|
178 |
# In general, you should use self-signed
|
|
|
179 |
# certificates for 802.1x (EAP) authentication.
|
|
|
180 |
# In that case, this CA file should contain
|
|
|
181 |
# *one* CA certificate.
|
|
|
182 |
#
|
|
|
183 |
# This parameter is used only for EAP-TLS,
|
|
|
184 |
# when you issue client certificates. If you do
|
|
|
185 |
# not use client certificates, and you do not want
|
|
|
186 |
# to permit EAP-TLS authentication, then delete
|
|
|
187 |
# this configuration item.
|
|
|
188 |
CA_file = ${cadir}/ca.pem
|
|
|
189 |
|
|
|
190 |
#
|
|
|
191 |
# For DH cipher suites to work, you have to
|
|
|
192 |
# run OpenSSL to create the DH file first:
|
|
|
193 |
#
|
|
|
194 |
# openssl dhparam -out certs/dh 1024
|
|
|
195 |
#
|
|
|
196 |
dh_file = ${certdir}/dh
|
|
|
197 |
|
|
|
198 |
#
|
| 34 |
- |
199 |
# If your system doesn't have /dev/urandom,
|
|
|
200 |
# you will need to create this file, and
|
|
|
201 |
# periodically change its contents.
|
|
|
202 |
#
|
|
|
203 |
# For security reasons, FreeRADIUS doesn't
|
|
|
204 |
# write to files in its configuration
|
|
|
205 |
# directory.
|
|
|
206 |
#
|
|
|
207 |
# random_file = ${certdir}/random
|
|
|
208 |
|
|
|
209 |
#
|
| 4 |
- |
210 |
# This can never exceed the size of a RADIUS
|
|
|
211 |
# packet (4096 bytes), and is preferably half
|
|
|
212 |
# that, to accomodate other attributes in
|
|
|
213 |
# RADIUS packet. On most APs the MAX packet
|
|
|
214 |
# length is configured between 1500 - 1600
|
|
|
215 |
# In these cases, fragment size should be
|
|
|
216 |
# 1024 or less.
|
|
|
217 |
#
|
|
|
218 |
# fragment_size = 1024
|
|
|
219 |
|
|
|
220 |
# include_length is a flag which is
|
|
|
221 |
# by default set to yes If set to
|
|
|
222 |
# yes, Total Length of the message is
|
|
|
223 |
# included in EVERY packet we send.
|
|
|
224 |
# If set to no, Total Length of the
|
|
|
225 |
# message is included ONLY in the
|
|
|
226 |
# First packet of a fragment series.
|
|
|
227 |
#
|
|
|
228 |
# include_length = yes
|
|
|
229 |
|
|
|
230 |
# Check the Certificate Revocation List
|
|
|
231 |
#
|
|
|
232 |
# 1) Copy CA certificates and CRLs to same directory.
|
|
|
233 |
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
|
|
|
234 |
# 'c_rehash' is OpenSSL's command.
|
|
|
235 |
# 3) uncomment the line below.
|
|
|
236 |
# 5) Restart radiusd
|
|
|
237 |
# check_crl = yes
|
|
|
238 |
CA_path = ${cadir}
|
|
|
239 |
|
|
|
240 |
#
|
|
|
241 |
# If check_cert_issuer is set, the value will
|
|
|
242 |
# be checked against the DN of the issuer in
|
|
|
243 |
# the client certificate. If the values do not
|
|
|
244 |
# match, the cerficate verification will fail,
|
|
|
245 |
# rejecting the user.
|
|
|
246 |
#
|
|
|
247 |
# In 2.1.10 and later, this check can be done
|
|
|
248 |
# more generally by checking the value of the
|
|
|
249 |
# TLS-Client-Cert-Issuer attribute. This check
|
|
|
250 |
# can be done via any mechanism you choose.
|
|
|
251 |
#
|
|
|
252 |
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
|
|
|
253 |
|
|
|
254 |
#
|
|
|
255 |
# If check_cert_cn is set, the value will
|
|
|
256 |
# be xlat'ed and checked against the CN
|
|
|
257 |
# in the client certificate. If the values
|
|
|
258 |
# do not match, the certificate verification
|
|
|
259 |
# will fail rejecting the user.
|
|
|
260 |
#
|
|
|
261 |
# This check is done only if the previous
|
|
|
262 |
# "check_cert_issuer" is not set, or if
|
|
|
263 |
# the check succeeds.
|
|
|
264 |
#
|
|
|
265 |
# In 2.1.10 and later, this check can be done
|
|
|
266 |
# more generally by checking the value of the
|
|
|
267 |
# TLS-Client-Cert-CN attribute. This check
|
|
|
268 |
# can be done via any mechanism you choose.
|
|
|
269 |
#
|
|
|
270 |
# check_cert_cn = %{User-Name}
|
|
|
271 |
#
|
|
|
272 |
# Set this option to specify the allowed
|
|
|
273 |
# TLS cipher suites. The format is listed
|
|
|
274 |
# in "man 1 ciphers".
|
|
|
275 |
cipher_list = "DEFAULT"
|
|
|
276 |
|
|
|
277 |
#
|
| 34 |
- |
278 |
# As part of checking a client certificate, the EAP-TLS
|
|
|
279 |
# sets some attributes such as TLS-Client-Cert-CN. This
|
|
|
280 |
# virtual server has access to these attributes, and can
|
|
|
281 |
# be used to accept or reject the request.
|
|
|
282 |
#
|
|
|
283 |
# virtual_server = check-eap-tls
|
| 4 |
- |
284 |
|
|
|
285 |
# This command creates the initial "snake oil"
|
|
|
286 |
# certificates when the server is run as root,
|
|
|
287 |
# and via "radiusd -X".
|
|
|
288 |
#
|
|
|
289 |
# As of 2.1.11, it *also* checks the server
|
|
|
290 |
# certificate for validity, including expiration.
|
|
|
291 |
# This means that radiusd will refuse to start
|
|
|
292 |
# when the certificate has expired. The alternative
|
|
|
293 |
# is to have the 802.1X clients refuse to connect
|
|
|
294 |
# when they discover the certificate has expired.
|
|
|
295 |
#
|
|
|
296 |
# Debugging client issues is hard, so it's better
|
|
|
297 |
# for the server to print out an error message,
|
|
|
298 |
# and refuse to start.
|
|
|
299 |
#
|
|
|
300 |
# Redhat RPM's run the bootstrap certificate creation
|
|
|
301 |
# as part of the RPM install (not upgrade), therefore
|
|
|
302 |
# the make_cert_command is commented out.
|
|
|
303 |
#
|
|
|
304 |
#make_cert_command = "${certdir}/bootstrap"
|
|
|
305 |
|
|
|
306 |
#
|
|
|
307 |
# Elliptical cryptography configuration
|
|
|
308 |
#
|
|
|
309 |
# Only for OpenSSL >= 0.9.8.f
|
|
|
310 |
#
|
|
|
311 |
ecdh_curve = "prime256v1"
|
|
|
312 |
|
|
|
313 |
#
|
|
|
314 |
# Session resumption / fast reauthentication
|
|
|
315 |
# cache.
|
|
|
316 |
#
|
|
|
317 |
# The cache contains the following information:
|
|
|
318 |
#
|
|
|
319 |
# session Id - unique identifier, managed by SSL
|
|
|
320 |
# User-Name - from the Access-Accept
|
|
|
321 |
# Stripped-User-Name - from the Access-Request
|
|
|
322 |
# Cached-Session-Policy - from the Access-Accept
|
|
|
323 |
#
|
|
|
324 |
# The "Cached-Session-Policy" is the name of a
|
|
|
325 |
# policy which should be applied to the cached
|
|
|
326 |
# session. This policy can be used to assign
|
|
|
327 |
# VLANs, IP addresses, etc. It serves as a useful
|
|
|
328 |
# way to re-apply the policy from the original
|
|
|
329 |
# Access-Accept to the subsequent Access-Accept
|
|
|
330 |
# for the cached session.
|
|
|
331 |
#
|
|
|
332 |
# On session resumption, these attributes are
|
|
|
333 |
# copied from the cache, and placed into the
|
|
|
334 |
# reply list.
|
|
|
335 |
#
|
|
|
336 |
# You probably also want "use_tunneled_reply = yes"
|
|
|
337 |
# when using fast session resumption.
|
|
|
338 |
#
|
|
|
339 |
cache {
|
|
|
340 |
#
|
|
|
341 |
# Enable it. The default is "no".
|
|
|
342 |
# Deleting the entire "cache" subsection
|
|
|
343 |
# Also disables caching.
|
|
|
344 |
#
|
|
|
345 |
# You can disallow resumption for a
|
|
|
346 |
# particular user by adding the following
|
|
|
347 |
# attribute to the control item list:
|
|
|
348 |
#
|
|
|
349 |
# Allow-Session-Resumption = No
|
|
|
350 |
#
|
|
|
351 |
# If "enable = no" below, you CANNOT
|
|
|
352 |
# enable resumption for just one user
|
|
|
353 |
# by setting the above attribute to "yes".
|
|
|
354 |
#
|
|
|
355 |
enable = no
|
|
|
356 |
|
|
|
357 |
#
|
|
|
358 |
# Lifetime of the cached entries, in hours.
|
|
|
359 |
# The sessions will be deleted after this
|
|
|
360 |
# time.
|
|
|
361 |
#
|
|
|
362 |
lifetime = 24 # hours
|
|
|
363 |
|
|
|
364 |
#
|
|
|
365 |
# The maximum number of entries in the
|
|
|
366 |
# cache. Set to "0" for "infinite".
|
|
|
367 |
#
|
|
|
368 |
# This could be set to the number of users
|
|
|
369 |
# who are logged in... which can be a LOT.
|
|
|
370 |
#
|
|
|
371 |
max_entries = 255
|
|
|
372 |
}
|
|
|
373 |
|
|
|
374 |
#
|
|
|
375 |
# As of version 2.1.10, client certificates can be
|
|
|
376 |
# validated via an external command. This allows
|
|
|
377 |
# dynamic CRLs or OCSP to be used.
|
|
|
378 |
#
|
|
|
379 |
# This configuration is commented out in the
|
|
|
380 |
# default configuration. Uncomment it, and configure
|
|
|
381 |
# the correct paths below to enable it.
|
|
|
382 |
#
|
|
|
383 |
verify {
|
|
|
384 |
# A temporary directory where the client
|
|
|
385 |
# certificates are stored. This directory
|
|
|
386 |
# MUST be owned by the UID of the server,
|
|
|
387 |
# and MUST not be accessible by any other
|
|
|
388 |
# users. When the server starts, it will do
|
|
|
389 |
# "chmod go-rwx" on the directory, for
|
|
|
390 |
# security reasons. The directory MUST
|
|
|
391 |
# exist when the server starts.
|
|
|
392 |
#
|
|
|
393 |
# You should also delete all of the files
|
|
|
394 |
# in the directory when the server starts.
|
|
|
395 |
# tmpdir = /tmp/radiusd
|
|
|
396 |
|
|
|
397 |
# The command used to verify the client cert.
|
|
|
398 |
# We recommend using the OpenSSL command-line
|
|
|
399 |
# tool.
|
|
|
400 |
#
|
|
|
401 |
# The ${..CA_path} text is a reference to
|
|
|
402 |
# the CA_path variable defined above.
|
|
|
403 |
#
|
|
|
404 |
# The %{TLS-Client-Cert-Filename} is the name
|
|
|
405 |
# of the temporary file containing the cert
|
|
|
406 |
# in PEM format. This file is automatically
|
|
|
407 |
# deleted by the server when the command
|
|
|
408 |
# returns.
|
|
|
409 |
# client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
|
|
|
410 |
}
|
|
|
411 |
|
|
|
412 |
#
|
|
|
413 |
# OCSP Configuration
|
|
|
414 |
# Certificates can be verified against an OCSP
|
|
|
415 |
# Responder. This makes it possible to immediately
|
|
|
416 |
# revoke certificates without the distribution of
|
|
|
417 |
# new Certificate Revokation Lists (CRLs).
|
|
|
418 |
#
|
|
|
419 |
ocsp {
|
|
|
420 |
#
|
|
|
421 |
# Enable it. The default is "no".
|
|
|
422 |
# Deleting the entire "ocsp" subsection
|
|
|
423 |
# Also disables ocsp checking
|
|
|
424 |
#
|
|
|
425 |
enable = no
|
|
|
426 |
|
|
|
427 |
#
|
|
|
428 |
# The OCSP Responder URL can be automatically
|
|
|
429 |
# extracted from the certificate in question.
|
|
|
430 |
# To override the OCSP Responder URL set
|
|
|
431 |
# "override_cert_url = yes".
|
|
|
432 |
#
|
|
|
433 |
override_cert_url = yes
|
|
|
434 |
|
|
|
435 |
#
|
|
|
436 |
# If the OCSP Responder address is not
|
|
|
437 |
# extracted from the certificate, the
|
|
|
438 |
# URL can be defined here.
|
|
|
439 |
|
|
|
440 |
#
|
|
|
441 |
# Limitation: Currently the HTTP
|
|
|
442 |
# Request is not sending the "Host: "
|
|
|
443 |
# information to the web-server. This
|
|
|
444 |
# can be a problem if the OCSP
|
|
|
445 |
# Responder is running as a vhost.
|
|
|
446 |
#
|
|
|
447 |
url = "http://127.0.0.1/ocsp/"
|
| 34 |
- |
448 |
|
|
|
449 |
#
|
|
|
450 |
# If the OCSP Responder can not cope with nonce
|
|
|
451 |
# in the request, then it can be disabled here.
|
|
|
452 |
#
|
|
|
453 |
# For security reasons, disabling this option
|
|
|
454 |
# is not recommended as nonce protects against
|
|
|
455 |
# replay attacks.
|
|
|
456 |
#
|
|
|
457 |
# Note that Microsoft AD Certificate Services OCSP
|
|
|
458 |
# Responder does not enable nonce by default. It is
|
|
|
459 |
# more secure to enable nonce on the responder than
|
|
|
460 |
# to disable it in the query here.
|
|
|
461 |
# See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
|
|
|
462 |
#
|
|
|
463 |
# use_nonce = yes
|
|
|
464 |
|
|
|
465 |
#
|
|
|
466 |
# Number of seconds before giving up waiting
|
|
|
467 |
# for OCSP response. 0 uses system default.
|
|
|
468 |
#
|
|
|
469 |
# timeout = 0
|
|
|
470 |
|
|
|
471 |
#
|
|
|
472 |
# Normally an error in querying the OCSP
|
|
|
473 |
# responder (no response from server, server did
|
|
|
474 |
# not understand the request, etc) will result in
|
|
|
475 |
# a validation failure.
|
|
|
476 |
#
|
|
|
477 |
# To treat these errors as 'soft' failures and
|
|
|
478 |
# still accept the certificate, enable this
|
|
|
479 |
# option.
|
|
|
480 |
#
|
|
|
481 |
# Warning: this may enable clients with revoked
|
|
|
482 |
# certificates to connect if the OCSP responder
|
|
|
483 |
# is not available. Use with caution.
|
|
|
484 |
#
|
|
|
485 |
# softfail = no
|
| 4 |
- |
486 |
}
|
|
|
487 |
}
|
|
|
488 |
|
|
|
489 |
# The TTLS module implements the EAP-TTLS protocol,
|
|
|
490 |
# which can be described as EAP inside of Diameter,
|
|
|
491 |
# inside of TLS, inside of EAP, inside of RADIUS...
|
|
|
492 |
#
|
|
|
493 |
# Surprisingly, it works quite well.
|
|
|
494 |
#
|
|
|
495 |
# The TTLS module needs the TLS module to be installed
|
|
|
496 |
# and configured, in order to use the TLS tunnel
|
|
|
497 |
# inside of the EAP packet. You will still need to
|
|
|
498 |
# configure the TLS module, even if you do not want
|
|
|
499 |
# to deploy EAP-TLS in your network. Users will not
|
|
|
500 |
# be able to request EAP-TLS, as it requires them to
|
|
|
501 |
# have a client certificate. EAP-TTLS does not
|
|
|
502 |
# require a client certificate.
|
|
|
503 |
#
|
|
|
504 |
# You can make TTLS require a client cert by setting
|
|
|
505 |
#
|
|
|
506 |
# EAP-TLS-Require-Client-Cert = Yes
|
|
|
507 |
#
|
|
|
508 |
# in the control items for a request.
|
|
|
509 |
#
|
|
|
510 |
ttls {
|
|
|
511 |
# The tunneled EAP session needs a default
|
|
|
512 |
# EAP type which is separate from the one for
|
|
|
513 |
# the non-tunneled EAP module. Inside of the
|
|
|
514 |
# TTLS tunnel, we recommend using EAP-MD5.
|
|
|
515 |
# If the request does not contain an EAP
|
|
|
516 |
# conversation, then this configuration entry
|
|
|
517 |
# is ignored.
|
|
|
518 |
default_eap_type = md5
|
|
|
519 |
|
|
|
520 |
# The tunneled authentication request does
|
|
|
521 |
# not usually contain useful attributes
|
|
|
522 |
# like 'Calling-Station-Id', etc. These
|
|
|
523 |
# attributes are outside of the tunnel,
|
|
|
524 |
# and normally unavailable to the tunneled
|
|
|
525 |
# authentication request.
|
|
|
526 |
#
|
|
|
527 |
# By setting this configuration entry to
|
|
|
528 |
# 'yes', any attribute which NOT in the
|
|
|
529 |
# tunneled authentication request, but
|
|
|
530 |
# which IS available outside of the tunnel,
|
|
|
531 |
# is copied to the tunneled request.
|
|
|
532 |
#
|
|
|
533 |
# allowed values: {no, yes}
|
|
|
534 |
copy_request_to_tunnel = no
|
|
|
535 |
|
|
|
536 |
# The reply attributes sent to the NAS are
|
|
|
537 |
# usually based on the name of the user
|
|
|
538 |
# 'outside' of the tunnel (usually
|
|
|
539 |
# 'anonymous'). If you want to send the
|
|
|
540 |
# reply attributes based on the user name
|
|
|
541 |
# inside of the tunnel, then set this
|
|
|
542 |
# configuration entry to 'yes', and the reply
|
|
|
543 |
# to the NAS will be taken from the reply to
|
|
|
544 |
# the tunneled request.
|
|
|
545 |
#
|
|
|
546 |
# allowed values: {no, yes}
|
|
|
547 |
use_tunneled_reply = no
|
|
|
548 |
|
|
|
549 |
#
|
|
|
550 |
# The inner tunneled request can be sent
|
|
|
551 |
# through a virtual server constructed
|
|
|
552 |
# specifically for this purpose.
|
|
|
553 |
#
|
|
|
554 |
# If this entry is commented out, the inner
|
|
|
555 |
# tunneled request will be sent through
|
|
|
556 |
# the virtual server that processed the
|
|
|
557 |
# outer requests.
|
|
|
558 |
#
|
|
|
559 |
virtual_server = "inner-tunnel"
|
|
|
560 |
|
|
|
561 |
# This has the same meaning as the
|
|
|
562 |
# same field in the "tls" module, above.
|
|
|
563 |
# The default value here is "yes".
|
|
|
564 |
# include_length = yes
|
|
|
565 |
}
|
|
|
566 |
|
|
|
567 |
##################################################
|
|
|
568 |
#
|
|
|
569 |
# !!!!! WARNINGS for Windows compatibility !!!!!
|
|
|
570 |
#
|
|
|
571 |
##################################################
|
|
|
572 |
#
|
|
|
573 |
# If you see the server send an Access-Challenge,
|
|
|
574 |
# and the client never sends another Access-Request,
|
|
|
575 |
# then
|
|
|
576 |
#
|
|
|
577 |
# STOP!
|
|
|
578 |
#
|
|
|
579 |
# The server certificate has to have special OID's
|
|
|
580 |
# in it, or else the Microsoft clients will silently
|
|
|
581 |
# fail. See the "scripts/xpextensions" file for
|
|
|
582 |
# details, and the following page:
|
|
|
583 |
#
|
|
|
584 |
# http://support.microsoft.com/kb/814394/en-us
|
|
|
585 |
#
|
|
|
586 |
# For additional Windows XP SP2 issues, see:
|
|
|
587 |
#
|
|
|
588 |
# http://support.microsoft.com/kb/885453/en-us
|
|
|
589 |
#
|
|
|
590 |
#
|
|
|
591 |
# If is still doesn't work, and you're using Samba,
|
|
|
592 |
# you may be encountering a Samba bug. See:
|
|
|
593 |
#
|
|
|
594 |
# https://bugzilla.samba.org/show_bug.cgi?id=6563
|
|
|
595 |
#
|
|
|
596 |
# Note that we do not necessarily agree with their
|
|
|
597 |
# explanation... but the fix does appear to work.
|
|
|
598 |
#
|
|
|
599 |
##################################################
|
|
|
600 |
|
|
|
601 |
#
|
|
|
602 |
# The tunneled EAP session needs a default EAP type
|
|
|
603 |
# which is separate from the one for the non-tunneled
|
|
|
604 |
# EAP module. Inside of the TLS/PEAP tunnel, we
|
|
|
605 |
# recommend using EAP-MS-CHAPv2.
|
|
|
606 |
#
|
|
|
607 |
# The PEAP module needs the TLS module to be installed
|
|
|
608 |
# and configured, in order to use the TLS tunnel
|
|
|
609 |
# inside of the EAP packet. You will still need to
|
|
|
610 |
# configure the TLS module, even if you do not want
|
|
|
611 |
# to deploy EAP-TLS in your network. Users will not
|
|
|
612 |
# be able to request EAP-TLS, as it requires them to
|
|
|
613 |
# have a client certificate. EAP-PEAP does not
|
|
|
614 |
# require a client certificate.
|
|
|
615 |
#
|
|
|
616 |
#
|
|
|
617 |
# You can make PEAP require a client cert by setting
|
|
|
618 |
#
|
|
|
619 |
# EAP-TLS-Require-Client-Cert = Yes
|
|
|
620 |
#
|
|
|
621 |
# in the control items for a request.
|
|
|
622 |
#
|
|
|
623 |
peap {
|
|
|
624 |
# The tunneled EAP session needs a default
|
|
|
625 |
# EAP type which is separate from the one for
|
|
|
626 |
# the non-tunneled EAP module. Inside of the
|
|
|
627 |
# PEAP tunnel, we recommend using MS-CHAPv2,
|
|
|
628 |
# as that is the default type supported by
|
|
|
629 |
# Windows clients.
|
|
|
630 |
default_eap_type = mschapv2
|
|
|
631 |
|
|
|
632 |
# the PEAP module also has these configuration
|
|
|
633 |
# items, which are the same as for TTLS.
|
|
|
634 |
copy_request_to_tunnel = no
|
|
|
635 |
use_tunneled_reply = no
|
|
|
636 |
|
|
|
637 |
# When the tunneled session is proxied, the
|
|
|
638 |
# home server may not understand EAP-MSCHAP-V2.
|
|
|
639 |
# Set this entry to "no" to proxy the tunneled
|
|
|
640 |
# EAP-MSCHAP-V2 as normal MSCHAPv2.
|
|
|
641 |
# proxy_tunneled_request_as_eap = yes
|
|
|
642 |
|
|
|
643 |
#
|
|
|
644 |
# The inner tunneled request can be sent
|
|
|
645 |
# through a virtual server constructed
|
|
|
646 |
# specifically for this purpose.
|
|
|
647 |
#
|
|
|
648 |
# If this entry is commented out, the inner
|
|
|
649 |
# tunneled request will be sent through
|
|
|
650 |
# the virtual server that processed the
|
|
|
651 |
# outer requests.
|
|
|
652 |
#
|
|
|
653 |
virtual_server = "inner-tunnel"
|
|
|
654 |
|
|
|
655 |
# This option enables support for MS-SoH
|
|
|
656 |
# see doc/SoH.txt for more info.
|
|
|
657 |
# It is disabled by default.
|
|
|
658 |
#
|
|
|
659 |
# soh = yes
|
|
|
660 |
|
|
|
661 |
#
|
|
|
662 |
# The SoH reply will be turned into a request which
|
|
|
663 |
# can be sent to a specific virtual server:
|
|
|
664 |
#
|
|
|
665 |
# soh_virtual_server = "soh-server"
|
|
|
666 |
}
|
|
|
667 |
|
|
|
668 |
#
|
|
|
669 |
# This takes no configuration.
|
|
|
670 |
#
|
|
|
671 |
# Note that it is the EAP MS-CHAPv2 sub-module, not
|
|
|
672 |
# the main 'mschap' module.
|
|
|
673 |
#
|
|
|
674 |
# Note also that in order for this sub-module to work,
|
|
|
675 |
# the main 'mschap' module MUST ALSO be configured.
|
|
|
676 |
#
|
|
|
677 |
# This module is the *Microsoft* implementation of MS-CHAPv2
|
|
|
678 |
# in EAP. There is another (incompatible) implementation
|
|
|
679 |
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
|
|
|
680 |
# currently support.
|
|
|
681 |
#
|
|
|
682 |
mschapv2 {
|
|
|
683 |
# Prior to version 2.1.11, the module never
|
|
|
684 |
# sent the MS-CHAP-Error message to the
|
|
|
685 |
# client. This worked, but it had issues
|
|
|
686 |
# when the cached password was wrong. The
|
|
|
687 |
# server *should* send "E=691 R=0" to the
|
|
|
688 |
# client, which tells it to prompt the user
|
|
|
689 |
# for a new password.
|
|
|
690 |
#
|
|
|
691 |
# The default is to behave as in 2.1.10 and
|
|
|
692 |
# earlier, which is known to work. If you
|
|
|
693 |
# set "send_error = yes", then the error
|
|
|
694 |
# message will be sent back to the client.
|
|
|
695 |
# This *may* help some clients work better,
|
|
|
696 |
# but *may* also cause other clients to stop
|
|
|
697 |
# working.
|
|
|
698 |
#
|
|
|
699 |
# send_error = no
|
|
|
700 |
}
|
|
|
701 |
}
|