Go to most recent revision | Blame | Compare with Previous | Last modification | View Log | RSS feed
# -*- text -*-## $Id$## Sample configuration for an EAP module that occurs *inside*# of a tunneled method. It is used to limit the EAP types that# can occur inside of the inner tunnel.## See also raddb/sites-available/inner-tunnel## To use this module, edit raddb/sites-available/inner-tunnel, and# replace the references to "eap" with "inner-eap".## See raddb/eap.conf for full documentation on the meaning of the# configuration entries here.#eap inner-eap {# This is the best choice for PEAP.default_eap_type = mschapv2timer_expire = 60# This should be the same as the outer eap "max sessions"max_sessions = 2048# Supported EAP-typesmd5 {}gtc {# The default challenge, which many clients# ignore..#challenge = "Password: "auth_type = PAP}mschapv2 {}# No TTLS or PEAP configuration should be listed here.## EAP-TLS## You SHOULD use different certificates than are used# for the outer EAP configuration!## Support for PEAP/TLS and RFC 5176 TLS/TLS is experimental.#tls {## These is used to simplify later configurations.#certdir = ${confdir}/certscadir = ${confdir}/certsprivate_key_password = whateverprivate_key_file = ${certdir}/server.pem# If Private key & Certificate are located in# the same file, then private_key_file &# certificate_file must contain the same file# name.## If CA_file (below) is not used, then the# certificate_file below MUST include not# only the server certificate, but ALSO all# of the CA certificates used to sign the# server certificate.certificate_file = ${certdir}/server.pem# Trusted Root CA list## ALL of the CA's in this list will be trusted# to issue client certificates for authentication.## In general, you should use self-signed# certificates for 802.1x (EAP) authentication.# In that case, this CA file should contain# *one* CA certificate.## This parameter is used only for EAP-TLS,# when you issue client certificates. If you do# not use client certificates, and you do not want# to permit EAP-TLS authentication, then delete# this configuration item.CA_file = ${cadir}/ca.pem## For DH cipher suites to work, you have to# run OpenSSL to create the DH file first:## openssl dhparam -out certs/dh 1024#dh_file = ${certdir}/dhrandom_file = ${certdir}/random## This can never exceed the size of a RADIUS# packet (4096 bytes), and is preferably half# that, to accomodate other attributes in# RADIUS packet. On most APs the MAX packet# length is configured between 1500 - 1600# In these cases, fragment size should be# 1024 or less.## fragment_size = 1024# include_length is a flag which is# by default set to yes If set to# yes, Total Length of the message is# included in EVERY packet we send.# If set to no, Total Length of the# message is included ONLY in the# First packet of a fragment series.## include_length = yes# Check the Certificate Revocation List## 1) Copy CA certificates and CRLs to same directory.# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.# 'c_rehash' is OpenSSL's command.# 3) uncomment the line below.# 5) Restart radiusd# check_crl = yes# CA_path = /path/to/directory/with/ca_certs/and/crls/## If check_cert_issuer is set, the value will# be checked against the DN of the issuer in# the client certificate. If the values do not# match, the cerficate verification will fail,# rejecting the user.## check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"## If check_cert_cn is set, the value will# be xlat'ed and checked against the CN# in the client certificate. If the values# do not match, the certificate verification# will fail rejecting the user.## This check is done only if the previous# "check_cert_issuer" is not set, or if# the check succeeds.## check_cert_cn = %{User-Name}## Set this option to specify the allowed# TLS cipher suites. The format is listed# in "man 1 ciphers".cipher_list = "DEFAULT"## The session resumption / fast reauthentication# cache CANNOT be used for inner sessions.#}}